Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.

Global Accelerated Learning • Est. 1999
Glossary Term Security Indicator

Training Camp • Cybersecurity Glossary

What is Security Indicator?

A measurable signal (a log event, metric, or data point) revealing a system's security posture or flagging a possible threat or breach.

Glossary > Security Operations > Security Indicator

Security Indicator — A measurable signal (a log event

Understanding Security Indicator

A Security Indicator is a measurable, observable attribute, such as a log event, a metric, or a data point, that reveals information about the security posture of a system, network, or organization. Indicators flag potential threats, vulnerabilities, or incidents that warrant analysis or response, helping defenders protect confidentiality, integrity, and availability.

Indicators are derived from telemetry: authentication logs, firewall denies, EDR alerts, NetFlow records, file hashes, registry changes, and DNS queries. Tools normalize and correlate these into SIEM rules or detection logic. A specific subclass, the Indicator of Compromise (IoC), points to confirmed malicious activity (for example, a known-bad IP or malware hash), while broader security indicators may simply measure exposure or trend, such as the percentage of unpatched hosts.

Indicators matter because they convert raw, high-volume data into actionable signal. Without well-defined indicators, security operations centers drown in noise and miss the early evidence of intrusion, slowing detection and increasing dwell time, the window during which an attacker operates undetected. Strong indicators drive alerting, threat hunting, metrics reporting, and the measurement of control effectiveness. Frameworks like MITRE ATT&CK map adversary behaviors to observable indicators so teams can build detections that generalize beyond a single signature.

For example, a SOC analyst monitoring a SIEM sees a spike in failed Kerberos authentications from one workstation followed by a successful login to a domain controller. That sequence, anomalous failures plus privilege escalation, is a behavioral security indicator suggesting a pass-the-ticket or credential attack. The analyst pivots to EDR telemetry, confirms a suspicious process, and isolates the host, demonstrating how a single indicator triggers a full investigation and containment workflow.

Learn More About Security Indicator:

Ready to Get Certified?

Turn knowledge into credentials with our instructor-led cybersecurity boot camps.

View All Courses →