Product Update

Enhancing Indicators of Compromise (IOC) Intelligence

Flashpoint’s IOC updates enhance threat intelligence with risk scoring, sightings data, and relationship mapping, enabling faster prioritization and investigation of threats.

What’s New

We’re excited to introduce significant enhancements to our Indicators of Compromise (IOC) intelligence. These enhancements will make it easier to prioritize threats, track IOC activity, and uncover relationships between malicious indicators. With new risk scoring, sightings data, and relationship mapping, security teams can investigate threats faster and more confidently.

1. Maliciousness Scoring

Security teams require a straightforward method for prioritizing threats, and our updated IOC scoring system accomplishes this. Each IOC receives a risk level:

  • Malicious – Confirmed high-risk threats that require immediate attention.
  • Suspicious – Potentially malicious IOCs that require further investigation.
  • Informational – IOCs with minimal risk but still useful for monitoring.

With scoring built directly into our intelligence workflows, analysts can immediately assess threat severity and focus on what matters most.

2. Sightings Data for Historical Context

Understanding how an IOC behaves over time is crucial for tracking active threats. Flashpoint provides sightings data, allowing teams to see:

  • When an IOC was first and last observed.
  • How often it has been seen across intelligence sources.
  • Trends that indicate ongoing or persistent threats.

This helps analysts detect patterns, identify emerging threats, and confirm whether an IOC is still active.

3. Relationship Mapping

IOCs don’t operate in isolation. Relationship mapping surfaces connections between IOCs, malware families, domains, threat actors, and command-and-control (C2) infrastructure. With this added context, security teams can:

  • Pivot between related threats to uncover larger attack patterns.
  • Strengthen attribution to specific malware families or advanced threats.
  • Build more complete intelligence reports with enriched context.

Why It Matters

Effective threat intelligence is more than just knowing an IOC exists—it’s about understanding its relevance, risk, and impact. These enhancements bring actionable context to IOCs, helping teams:

  • Faster Prioritization & Incident Response
    • IOC scoring immediately identifies the highest-risk threats.
    • Sighting data verifies whether an IOC is actively being used.
    • Relationship mapping connects related threats for better visibility.
  • Improved Threat Hunting & Triage
    • Filtering by source, score, and related threats enhances investigation efficiency.
    • Expanded IOC datasets provide a more comprehensive view of the threat landscape.
  • Stronger Automation & Security Integrations
    • The new IOC API offers structured, contextualized IOC data.
    • It supports SIEM, SOAR, and Threat Intelligence Platform (TIP) integrations.

How It Works

Flashpoint has launched a new IOC API to power these enhancements and has updated the Ignite UI, making intelligence easier to access, filter, and analyze. 

  • The new IOC API provides:
    • Structured and enriched threat data with scoring, sightings, and relationships.
    • Expanded data sources, incorporating community sources, infostealer data, and external feeds.
    • Faster and more efficient threat intelligence integration for security teams.
  • The updated UI in Ignite ensures that these insights are delivered in an intuitive, easy-to-use format. Users can:
    • Prioritize IOCs based on risk score.
    • Filter by source, malware association, or attack type.
    • Quickly surface the most relevant intelligence.
    • See full IOC sightings data and historical trends.
    • View extracted configurations for deeper investigation.
    • Pivot to linked malware reports and related threats.

These updates extend to Malware and APT pages, which have been enriched with deeper intelligence powered by the new IOC API.

With these improvements, Flashpoint delivers contextualized threat intelligence that enables security teams to detect, investigate, and respond to threats confidently.
