IoPA vs IoC: What's the Difference?

Category: Concepts & Methodology
Indicators of Compromise (IoC) - Traditional

  • When detected: After the attack
  • What it shows: Evidence of compromise
  • Action: Incident response
  • Example: Malware hash found on endpoint
Indicators of Pre-Attack (IoPA) - Malanta

  • When detected: During the attacker's preparation phase
  • What it shows: Evidence of intent
  • Action: Pre-emptive prevention
  • Example: Phishing domain registered mimicking your brand
Key Insight

IoCs tell you what happened. IoPAs tell you what's about to happen.
IoPAs are derived from AI/ML analysis of diverse datasets, including OSINT, malicious identity registries, domain/hosting records, and internet resource databases. They surface behaviours such as suspicious domain registrations, allocations at bulletproof hosting providers, and phishing kit distribution.

Unlike traditional IoCs, which appear only after compromise, IoPAs reveal staging infrastructure during the Reconnaissance and Resource Development tactics of the MITRE ATT&CK framework.
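As an added illustration (example code written for this article, not Malanta's pipeline), the following screens a constructed feed of new domain registrations for brand lookalikes, the suspicious-registration kind of IoPA described above; the brand list, the homoglyph table and the 30-day freshness threshold are assumptions.

```python
from datetime import date
# Assumed brand labels to protect, and digit/letter swaps commonly used to fake them
BRANDS = {"examplebank"}
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "rn": "m", "vv": "w"}

def normalize(label):
    """Undo common homoglyph substitutions before comparing a label to a brand."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label

def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, registered, today):
    """Return an IoPA candidate record, or None when the domain does not mimic a brand."""
    labels = domain.lower().rstrip(".").split(".")
    sld, subs = labels[-2], labels[:-2]  # assumes a single-label suffix (.com, not .co.uk)
    for brand in BRANDS:
        if sld == brand:
            return None  # the brand's own registrable domain
        if any(brand in normalize(s) for s in subs):
            reason = "brand used as a subdomain label"
        elif brand in normalize(sld):
            reason = "brand in registrable label (after homoglyph normalization)"
        elif levenshtein(normalize(sld), brand) <= 2:
            reason = "typosquat (edit distance <= 2)"
        else:
            continue
        return {"domain": domain, "brand": brand, "reason": reason,
                "age_days": (today - registered).days}
    return None

# Constructed sample feed of (domain, registration date); not real observations
SAMPLE_FEED = [
    ("examplebank.com", date(2010, 1, 4)),                # the brand itself
    ("examplebank-online.com", date(2019, 6, 2)),         # lookalike, but long established
    ("examp1ebank-login.com", date(2026, 2, 20)),         # homoglyph plus keyword
    ("exampelbank.net", date(2026, 2, 24)),               # transposition typosquat
    ("examplebank.secure-verify.top", date(2026, 2, 25)), # brand as a subdomain label
    ("weatherforecast.org", date(2026, 2, 25)),           # unrelated
]

def screen(feed, today=date(2026, 2, 26), max_age_days=30):
    """IoPA candidates: brand lookalikes registered within the last max_age_days."""
    return [h for d, r in feed if (h := classify(d, r, today)) and h["age_days"] <= max_age_days]
```

The age filter is what separates a pre-attack indicator from historical noise: the long-established lookalike is dropped, while the three fresh registrations are surfaced with the reason each one matched.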

Updated on: 26/02/2026