What are indicators of attack (IOAs)?
Indicators of attack are behavioral patterns that show an active cyberattack is happening right now. Think of IOAs as digital footprints attackers leave behind as they move through your environment—suspicious process executions, unusual API calls, or abnormal data access patterns that don't match normal behavior.
IOA Quick Definition: Indicators of attack (IOAs) are real-time behavioral signals that reveal active malicious activity in your cloud environment. Unlike static signatures, IOAs detect attacker techniques as they happen:
AWS examples: Unusual sts:AssumeRole chains across accounts, S3 GetObject API spikes on sensitive buckets, Lambda function invocations from unexpected sources
Azure examples: Privileged role assignments outside change windows, service principal consent grants to unknown apps, Storage account access key regeneration anomalies
GCP examples: Service account key creation bursts, IAM policy binding changes on production projects, Cloud Storage object enumeration patterns
In cloud environments, IOAs look different than in traditional infrastructure. You might see unusual IAM role assumptions, suspicious Lambda function invocations, or unexpected cross-account API calls. These behaviors form a chain of events that reveal an attacker's tactics and methods in real-time.
The power of IOAs lies in their focus on behavior rather than static signatures. While traditional security tools look for known malware hashes or specific IP addresses, IOA detection examines how entities interact with your cloud resources. That closes gaps signature-centric tooling leaves open: according to CardinalOps' 5th Annual Report, enterprise SIEM deployments lack detection coverage for a significant portion of the MITRE ATT&CK techniques adversaries use. The behavioral approach can surface both known and unknown threats, including zero-day exploits (which Wiz's 2025 Cloud Attack Report found in 35% of cloud breaches) and insider threats that bypass signature-based defenses.
Cloud Attack Retrospective: 8 Common Threats to Watch for in 2025
In this report, we examine how threat actors approached cloud environments in 2024. Drawing from detection data across thousands of organizations, we highlight eight commonly observed MITRE ATT&CK techniques and offer practical guidance on how Wiz can help to detect and mitigate them.

IOAs vs IOCs: Understanding the critical difference
The difference between indicators of attack and indicators of compromise changes how you approach threat detection. IOCs are forensic artifacts—file hashes, malicious domains, or registry keys—that prove a breach already happened. IOAs capture the active techniques attackers use while they're still attacking.
IOA vs IOC: Key differences explained
Indicators of compromise are forensic artifacts that prove a security breach has already happened. Think of IOCs as digital fingerprints left behind at a crime scene—they're specific pieces of evidence that confirm an attacker was in your system.
Timing matters: IOCs become visible after an attacker has successfully compromised a system. You might find a suspicious executable or unauthorized configuration change after the initial breach is complete, often during a forensic investigation days or weeks later. IOAs emerge during the attack itself—unusual command sequences, privilege escalation attempts, or reconnaissance activities that signal malicious intent happening now.
Static vs dynamic: IOCs remain relatively fixed—a malicious file hash stays the same unless the malware is modified. IOAs adapt to the attacker's tactics, evolving as they progress through different attack stages. An attacker might start with discovery commands, move to credential harvesting, then attempt lateral movement—each phase generates distinct behavioral patterns.
Response capabilities: When you detect an IOC, you're typically in damage control mode—the attacker has already achieved at least partial success. IOA detection enables intervention during the attack, potentially stopping attackers before they reach critical assets or steal data.
In practice, teams benefit most from a unified platform that correlates IOA detections with cloud posture, identity permissions, and data context in a single view. This horizontal approach eliminates the blind spots that emerge when runtime detection, configuration management, and vulnerability scanning operate in silos—each tool sees part of the attack, but none see the complete path.
Why IOAs matter for modern cloud security
Cloud environments present unique challenges that make IOA detection essential for effective security. The ephemeral nature of cloud resources means traditional perimeter-based security fails to protect dynamic workloads that spin up and down automatically.
API-driven attack surfaces: Cloud platforms operate through APIs, creating attack vectors that don't exist in traditional infrastructure. Attackers exploit misconfigured API permissions, chain API calls to escalate privileges, or abuse legitimate cloud services for malicious purposes. IOAs help identify these API abuse patterns before attackers achieve their objectives.
Identity as the new perimeter: In cloud environments, identity and access management becomes the primary security boundary. Attackers target service accounts, assume roles across accounts, and exploit identity federation weaknesses. According to Thales' 2025 Global Cloud Security Study, 68% of organizations report experiencing identity and access-based attacks on cloud resources, including credential theft, privilege escalation, and unauthorized role assumptions. IOA detection monitors these identity-based attack patterns—unusual role assumptions, privilege escalations, or suspicious authentication flows that indicate compromise.
The speed and scale of cloud attacks demand real-time behavioral detection. Attackers can compromise a misconfigured S3 bucket, exfiltrate data, and cover their tracks in minutes. Traditional security tools that rely on periodic scans or signature updates cannot match this velocity.
Types of indicators of attack in cloud environments
Cloud environments generate distinct IOA patterns that you must recognize and respond to effectively. These behavioral indicators span across different layers of the cloud stack, from initial reconnaissance to final data exfiltration.
Reconnaissance and discovery patterns
Attackers typically begin by mapping your cloud environment to identify valuable targets and weak points. Research on cloud attack patterns shows discovery activities—such as API enumeration and resource mapping—consistently appear as early-stage tactics in successful cloud breaches. Watch for excessive DescribeInstances API calls, unusual metadata service queries, or systematic enumeration of storage buckets. These discovery activities often precede more destructive actions and serve as an early warning.
Cloud-specific reconnaissance patterns include:
AWS: Excessive DescribeInstances, ListBuckets, or GetCallerIdentity API calls from a single principal; EC2 metadata service queries (169.254.169.254) from unusual processes; systematic enumeration of IAM roles via ListRoles
Azure: High-frequency Azure Resource Manager (ARM) API calls for resource enumeration; Microsoft Graph API queries listing all users, groups, or applications; Azure AD PowerShell module usage from non-administrative workstations
GCP: Rapid-fire projects.list or instances.list API calls; service account enumeration via iam.serviceAccounts.list; Cloud Asset Inventory API usage from unexpected sources
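The reconnaissance patterns above are rate-based: a single principal calling enumeration APIs far more often than any routine workflow would. The following added example (not code from the original article or from Wiz) shows how a detector built on that idea works over CloudTrail-style records. The event records, principal ARNs, IP addresses, five-minute window and threshold of 20 calls are all constructed or assumed tuning values; the event names are the ones listed above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Enumeration API names the article lists as reconnaissance signals, keyed by
# provider. Only the AWS set is exercised by the constructed sample below.
DISCOVERY_EVENTS = {
    "aws": {"DescribeInstances", "ListBuckets", "GetCallerIdentity", "ListRoles"},
    "gcp": {"projects.list", "instances.list", "iam.serviceAccounts.list"},
}

WINDOW = timedelta(minutes=5)   # sliding window length (assumed tuning value)
THRESHOLD = 20                  # discovery calls per principal per window (assumed)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"   # CloudTrail eventTime format


def detect_discovery_bursts(events, provider="aws", window=WINDOW, threshold=THRESHOLD):
    """Flag principals whose discovery-API calls reach `threshold` inside any
    `window`-long sliding window. Returns one alert per offending principal."""
    names = DISCOVERY_EVENTS[provider]
    calls = defaultdict(list)          # principal -> [(time, eventName), ...]
    for ev in events:
        if ev["eventName"] in names:
            calls[ev["principal"]].append(
                (datetime.strptime(ev["eventTime"], TS_FMT), ev["eventName"]))

    alerts = []
    for principal, items in calls.items():
        items.sort()
        peak, start = 0, 0
        for end in range(len(items)):
            # advance the window start until the window spans at most `window`
            while items[end][0] - items[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({
                "principal": principal,
                "peak_calls_in_window": peak,
                "distinct_apis": sorted({name for _, name in items}),
                "first_seen": items[0][0].strftime(TS_FMT),
            })
    return alerts


def build_sample_events():
    """Constructed CloudTrail-style records (not real telemetry)."""
    base = datetime(2025, 1, 15, 10, 0, 0)
    noisy = "arn:aws:iam::123456789012:user/ci-deploy"      # constructed
    quiet = "arn:aws:iam::123456789012:role/ops-reader"     # constructed
    rotation = ["DescribeInstances", "ListBuckets", "ListRoles", "GetCallerIdentity"]
    events = []
    # 25 enumeration calls in under three minutes from one principal
    for i in range(25):
        events.append({"eventTime": (base + timedelta(seconds=7 * i)).strftime(TS_FMT),
                       "eventName": rotation[i % 4], "principal": noisy,
                       "sourceIPAddress": "203.0.113.50"})
    # a handful of routine calls spread over the same period
    for i in range(3):
        events.append({"eventTime": (base + timedelta(minutes=i)).strftime(TS_FMT),
                       "eventName": "DescribeInstances", "principal": quiet,
                       "sourceIPAddress": "198.51.100.10"})
    # non-discovery traffic is ignored by the detector
    events.append({"eventTime": base.strftime(TS_FMT), "eventName": "PutObject",
                   "principal": noisy, "sourceIPAddress": "203.0.113.50"})
    return events


if __name__ == "__main__":
    for alert in detect_discovery_bursts(build_sample_events()):
        print(alert)
```

The sliding window avoids the edge effect of fixed buckets (a burst split across two five-minute buckets still counts), and reporting the distinct API names lets an analyst see "systematic enumeration" across several services rather than a loop on one call.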
Privilege escalation behaviors
Cloud attackers seek to elevate their permissions through various techniques to gain deeper access. Monitor for attempts to attach administrative policies to roles, creation of new high-privilege users outside normal procedures, or exploitation of confused deputy vulnerabilities. These activities indicate an attacker is establishing persistence and expanding their control.
Lateral movement indicators
Once inside your environment, attackers move between resources to find valuable data. Look for unusual cross-account role assumptions, unexpected network connections between isolated VPCs, or service accounts accessing resources outside their normal scope. These patterns reveal attackers navigating through your infrastructure.
Data staging and exfiltration signals
Before stealing data, attackers often consolidate it in staging locations. Watch for unusual data aggregation in temporary S3 buckets, large-scale database dumps to unexpected locations, or encrypted archives being created in compute instances. End-to-end investigation is faster when detections are automatically visualized on a security graph that shows blast radius, data sensitivity labels, and identity permission chains—revealing not just what happened, but what else the attacker could reach and what data is at risk.
Persistence mechanisms
Attackers establish backdoors to maintain access even if their initial entry point is closed. Monitor for creation of new IAM users with programmatic access, modifications to Lambda functions that add unauthorized code, or changes to EC2 user data scripts. These techniques ensure attackers can return.
Mapping IOAs to MITRE ATT&CK Cloud Matrix
| Attack Stage | MITRE Technique | Cloud IOA Example |
|---|---|---|
| Discovery | T1580 (Cloud Infrastructure Discovery) | Systematic API enumeration of compute, storage, and network resources |
| Privilege Escalation | T1098.001 (Additional Cloud Credentials) | Creation of new access keys or service principals with elevated permissions |
| Lateral Movement | T1550.001 (Application Access Token) | Cross-account role assumption chains or service account impersonation |
| Collection | T1530 (Data from Cloud Storage) | Bulk download operations from S3, Azure Blob, or Cloud Storage buckets |
| Exfiltration | T1537 (Transfer Data to Cloud Account) | Data replication to attacker-controlled cloud accounts or regions |
Map your detection rules to these techniques to identify coverage gaps and prioritize new detection development.
Cloud-native IOA detection challenges and solutions
Detecting IOAs in cloud environments requires overcoming several technical and operational challenges that don't exist in traditional infrastructure. The dynamic and distributed nature of the cloud demands a new approach to security monitoring.
Ephemeral resource complexity: Cloud resources constantly change—containers spin up and down, serverless functions execute and disappear, and auto-scaling groups adjust capacity. This dynamism makes it difficult to establish behavioral baselines. Solutions must adapt by learning normal patterns for resource groups rather than individual instances, using machine learning to distinguish between legitimate scaling events and malicious activity.
Multi-cloud visibility gaps: Organizations typically use multiple cloud providers, each with different logging formats, API structures, and security models. Correlating IOAs across AWS, Azure, and GCP requires normalization of diverse data sources. Effective solutions aggregate and standardize telemetry from all cloud platforms into a unified detection framework.
API-level attack detection: Cloud attacks often occur entirely through API calls without traditional network traffic or file system changes. Detecting these requires deep API monitoring and understanding of normal API usage patterns. Modern platforms analyze API call sequences, parameter anomalies, and timing patterns to identify malicious behavior.
False positive management: Cloud environments generate massive volumes of events, making it challenging to separate legitimate administrative actions from malicious behavior. Advanced IOA detection uses context enrichment—combining identity information, resource tags, and historical patterns to reduce noise. Risk scoring that factors in effective exposure (internet-facing), data sensitivity (PII, financial records), and identity criticality (admin privileges) focuses analysts on toxic combinations instead of isolated alerts. For example, a single IOA showing unusual S3 access might be low-priority, but the same IOA on an internet-exposed bucket containing customer PII and accessed by a recently compromised service account becomes critical—the combination of factors creates an immediate breach risk.
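The "toxic combination" idea above is a join followed by a score: the raw IOA is enriched with resource posture and identity context, and only the combination decides severity. The following added example (not code from the original article or from Wiz) implements that enrichment for the S3 case the paragraph describes. The asset inventory, identity directory, resource and principal names, weights and severity bands are all constructed or assumed; an IOA on a resource missing from the inventory is scored with an "unclassified" penalty rather than silently treated as harmless.

```python
# Constructed asset inventory and identity directory used for enrichment
# (stand-ins for the posture and identity data the article describes).
ASSET_INVENTORY = {
    "arn:aws:s3:::internal-build-cache": {"internet_exposed": False, "data_classification": "internal"},
    "arn:aws:s3:::customer-exports": {"internet_exposed": True, "data_classification": "pii"},
}
IDENTITY_DIRECTORY = {
    "arn:aws:iam::123456789012:user/dev-bob": {"admin": False, "recently_compromised": False},
    "arn:aws:iam::123456789012:role/etl-service": {"admin": False, "recently_compromised": True},
}

# Assumed tuning weights: each context factor adds to a base score of 1.
EXPOSURE_WEIGHT = 2
CLASSIFICATION_WEIGHT = {"public": 0, "internal": 0, "unknown": 1, "confidential": 2, "pii": 3}
ADMIN_WEIGHT = 2
COMPROMISED_WEIGHT = 3


def enrich(ioa, inventory=ASSET_INVENTORY, directory=IDENTITY_DIRECTORY):
    """Join a raw IOA with resource and identity context. A resource missing
    from the inventory gets the 'unknown' classification so it is not scored
    as if it were harmless."""
    resource = inventory.get(ioa["resource"],
                             {"internet_exposed": False, "data_classification": "unknown"})
    identity = directory.get(ioa["principal"],
                             {"admin": False, "recently_compromised": False})
    return {**ioa, "resource_ctx": resource, "identity_ctx": identity}


def severity_for(score):
    if score <= 2:
        return "low"
    if score <= 5:
        return "medium"
    if score <= 8:
        return "high"
    return "critical"


def score_ioa(ioa):
    """Score one IOA from its enriched context and list the factors that
    contributed, so the analyst sees why the combination is (or is not) toxic."""
    enriched = enrich(ioa)
    r, i = enriched["resource_ctx"], enriched["identity_ctx"]
    score, factors = 1, []
    if r["internet_exposed"]:
        score += EXPOSURE_WEIGHT
        factors.append("internet-exposed resource")
    weight = CLASSIFICATION_WEIGHT.get(r["data_classification"], 1)
    if weight:
        score += weight
        factors.append(f"{r['data_classification']} data")
    if i["admin"]:
        score += ADMIN_WEIGHT
        factors.append("admin identity")
    if i["recently_compromised"]:
        score += COMPROMISED_WEIGHT
        factors.append("recently compromised identity")
    return {"signal": ioa["signal"], "score": score,
            "severity": severity_for(score), "factors": factors}


# The same behavioral signal in two contexts (constructed).
LOW_PRIORITY_IOA = {"signal": "unusual S3 GetObject volume",
                    "resource": "arn:aws:s3:::internal-build-cache",
                    "principal": "arn:aws:iam::123456789012:user/dev-bob"}
CRITICAL_IOA = {"signal": "unusual S3 GetObject volume",
                "resource": "arn:aws:s3:::customer-exports",
                "principal": "arn:aws:iam::123456789012:role/etl-service"}

if __name__ == "__main__":
    for ioa in (LOW_PRIORITY_IOA, CRITICAL_IOA):
        print(score_ioa(ioa))
```

The factor list matters as much as the number: it is what lets an analyst dismiss the low case in seconds and what an audit trail can later show for the critical one.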
Implementing effective IOA monitoring strategies
Building a robust IOA monitoring program requires careful planning, the right tools, and well-defined processes that align with your cloud architecture. A successful strategy moves beyond simple alerting to create a cycle of continuous detection, investigation, and improvement.
Establish comprehensive telemetry collection
Modern IOA monitoring combines agentless collection via cloud provider APIs with optional lightweight runtime sensors for complete visibility. Agentless collection through CloudTrail, Activity Logs, and Cloud Audit Logs provides comprehensive API-level visibility without deployment overhead or performance impact. For runtime behavioral detection—process execution, network connections, file access—lightweight eBPF sensors add kernel-level visibility with minimal footprint. This hybrid approach gives teams full-stack coverage without slowing deployments or requiring agent management across ephemeral workloads.
Start by ensuring you're capturing all necessary data sources. In AWS, enable CloudTrail (including Data Events for S3, Lambda, and RDS), VPC Flow Logs, and GuardDuty findings. In Azure, configure Activity Logs and Diagnostic Settings to stream resource logs to Log Analytics or Event Hub. In GCP, enable Cloud Audit Logs (both Admin Activity and Data Access logs) and VPC Flow Logs for network visibility.
Don't forget application-level logs and runtime telemetry from your workloads. These provide crucial context for understanding normal behavior patterns.
Define behavioral baselines
Understanding normal behavior in your environment is crucial for detecting anomalies. Document typical access patterns, common administrative actions, and expected data flows. Baselines are most reliable when learned across services and projects rather than individual resources, then enriched by a unified security graph that connects identity permissions, data sensitivity classifications, and network topology. This graph-based approach distinguishes between a developer accessing their assigned S3 bucket (normal) versus the same developer accessing a production database they've never touched (IOA), even if both actions use valid credentials. Use automated baseline learning to capture patterns that manual documentation might miss.
Update these baselines regularly as your environment evolves. What's normal today might be suspicious tomorrow as your infrastructure changes.
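The baseline logic described in this section (learn at service-and-environment granularity, treat first-time access to a scope as an IOA even with valid credentials, and fold reviewed events back in) is shown in the following added example, which is not code from the original article or from Wiz. The principal, service, environment and resource names, the history, and the set of scopes marked sensitive are constructed stand-ins for what a security graph would supply.

```python
from collections import defaultdict

# Scopes treated as sensitive; in practice this comes from data-sensitivity
# labels on the security graph. Constructed for this example.
SENSITIVE_SCOPES = {("rds", "prod"), ("s3", "prod")}


def scope_of(event):
    """Baseline key: (service, environment) rather than the individual
    resource, so a developer's first access to a new dev bucket is not an
    anomaly, while their first access to any production database is."""
    return (event["service"], event["environment"])


def learn_baseline(history):
    """Per-principal set of scopes observed in historical, trusted telemetry."""
    baseline = defaultdict(set)
    for ev in history:
        baseline[ev["principal"]].add(scope_of(ev))
    return baseline


def evaluate(event, baseline):
    """Return None for in-baseline access, otherwise an IOA record."""
    scope = scope_of(event)
    if scope in baseline.get(event["principal"], set()):
        return None
    return {
        "principal": event["principal"],
        "action": event["eventName"],
        "resource": event["resource"],
        "new_scope": scope,
        "severity": "high" if scope in SENSITIVE_SCOPES else "low",
        "note": "valid credentials, but scope never seen for this principal",
    }


def accept_into_baseline(event, baseline):
    """Fold a reviewed, legitimate event into the baseline so the model keeps
    pace with the environment ('update these baselines regularly')."""
    baseline[event["principal"]].add(scope_of(event))


# Constructed history: dev-alice normally works in dev S3 and dev RDS.
HISTORY = [
    {"principal": "dev-alice", "service": "s3", "environment": "dev",
     "resource": "dev-artifacts", "eventName": "GetObject"},
    {"principal": "dev-alice", "service": "s3", "environment": "dev",
     "resource": "dev-artifacts", "eventName": "PutObject"},
    {"principal": "dev-alice", "service": "rds", "environment": "dev",
     "resource": "orders-dev", "eventName": "DescribeDBInstances"},
]

# Constructed new events: a new dev bucket (same scope) and a prod database
# this principal has never touched.
NEW_EVENTS = [
    {"principal": "dev-alice", "service": "s3", "environment": "dev",
     "resource": "dev-logs", "eventName": "GetObject"},
    {"principal": "dev-alice", "service": "rds", "environment": "prod",
     "resource": "orders-prod", "eventName": "DescribeDBInstances"},
]


def run(history=HISTORY, new_events=NEW_EVENTS):
    """Learn from history, then evaluate each new event against it."""
    baseline = learn_baseline(history)
    return [evaluate(ev, baseline) for ev in new_events]


if __name__ == "__main__":
    for verdict in run():
        print(verdict)
```

Because the key is coarse, a newly created dev bucket does not generate noise, yet the first production-database touch still fires; if a reviewer confirms that touch was a sanctioned change, `accept_into_baseline` records it so the same principal is not re-alerted tomorrow.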
Implement detection rules and analytics
Deploy detection logic that identifies known attack patterns while remaining flexible enough to catch novel techniques. Use a combination of rule-based detection for known IOAs and machine learning for anomaly detection.
Map your detections to the MITRE ATT&CK Cloud Matrix to ensure coverage across the attack lifecycle—from initial access through impact—and regularly assess gaps for cloud-specific techniques such as credential access via metadata services or defense evasion through CloudTrail manipulation.
Create investigation workflows
When IOAs are detected, your team needs clear procedures for investigation and response. Build runbooks that guide analysts through triage, investigation, and containment steps. Integrate with ticketing systems to track incidents and ensure nothing falls through the cracks.
Enable automated response
For high-confidence IOA detections, implement automated response actions. This might include:
Isolating compromised instances: Automatically quarantine affected resources to prevent spread
Revoking suspicious credentials: Disable potentially compromised accounts immediately
Blocking malicious IP addresses: Apply targeted controls through AWS Security Groups, Azure Network Security Groups, or GCP Firewall Rules to block specific source IPs, or use AWS WAF and Azure Application Gateway for application-layer filtering. Implement blocks with appropriate scope to avoid disrupting legitimate traffic from shared IP ranges.
Start with low-risk response actions and gradually expand automation as you gain confidence in your detections.
Aligning IOA Monitoring with Compliance Frameworks
IOA detection and response capabilities satisfy multiple compliance control families:
NIST SP 800-53: AU-2 (Event Logging), AU-12 (Audit Record Generation), SI-4 (System Monitoring), IR-4 (Incident Handling)
SOC 2 Trust Services Criteria: CC7.2 (System monitoring for anomalies), CC7.3 (Security event evaluation and response)
ISO/IEC 27001:2022 Annex A: 8.16 (Monitoring activities), 5.24 (Information security incident management planning), 5.23 (Information security for use of cloud services)
CIS Controls v8: Control 8 (Audit Log Management), Control 13 (Network Monitoring and Defense)
Document your IOA detection rules, retention policies (typically 90-365 days depending on compliance requirements), and response playbooks to provide audit-ready evidence of continuous monitoring and incident response capabilities.
Platforms that provide evidence-ready investigation timelines, graph-based attack path queries, and automated policy mapping to control frameworks simplify audits against SOC 2, ISO/IEC 27001, and NIST families. Look for capabilities like exportable incident reports with full API call chains, retention-compliant log archives with tamper-proof storage, and pre-built compliance dashboards that map detections to specific control requirements—reducing audit preparation from weeks to days.
Real-World IOA Detection Scenario: From Compromise to Containment
Here's how IOA monitoring stops an attack in progress:
1. Initial compromise (T0): A developer's AWS access key leaks in a public GitHub repository. Automated scanners discover it within minutes.
2. First IOA detected (T+8 minutes): The compromised key makes unusual sts:AssumeRole API calls from a foreign IP address—an IOA for reconnaissance. Alert triggers with context: the assumed role has read access to production S3 buckets containing customer data.
3. Escalation IOA (T+12 minutes): The attacker attempts to create a new IAM user with administrative permissions—a privilege escalation IOA. Automated response immediately revokes the compromised access key and isolates the assumed role.
4. Investigation (T+15 minutes): Security team reviews the automatically generated attack timeline showing all API calls, affected resources, and potential blast radius. CloudTrail logs confirm no data was exfiltrated.
5. Root cause remediation (T+2 hours): Team traces the leaked key back to a CI/CD pipeline configuration file. They implement secrets scanning in the pipeline and rotate all keys that were stored in code.
Total time from compromise to containment: 15 minutes. Without IOA detection, this breach might have gone unnoticed until the monthly CloudTrail review—or until customer data appeared on the dark web.
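The scenario above is a chain: one IOA (role assumption from a foreign IP) raises an alert, and a second IOA on the same access key (privilege escalation) is what justifies automatically revoking that key. The following added example (not code from the original article or from Wiz) replays a constructed version of that CloudTrail sequence through a small correlator that builds the per-key timeline and escalates the response tier. The corporate egress range, access key IDs (AWS documentation example values), role and user names and timestamps are all constructed or assumed; only the event names and the AdministratorAccess policy ARN are real AWS identifiers.

```python
import ipaddress
from datetime import datetime

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Assumed corporate egress range; any other source is treated as foreign.
KNOWN_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"


def from_known_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_EGRESS)


def classify(ev):
    """Map one CloudTrail-style event to (stage, detail), or None if benign."""
    name, params = ev["eventName"], ev.get("requestParameters", {})
    if name == "AssumeRole" and not from_known_ip(ev["sourceIPAddress"]):
        return ("reconnaissance",
                f"AssumeRole {params.get('roleArn', '?')} from foreign IP {ev['sourceIPAddress']}")
    if name == "CreateUser":
        return ("privilege_escalation", f"CreateUser {params.get('userName', '?')}")
    if name == "AttachUserPolicy" and params.get("policyArn") == ADMIN_POLICY:
        return ("privilege_escalation",
                f"AdministratorAccess attached to {params.get('userName', '?')}")
    return None


def correlate(events):
    """Build a per-access-key IOA timeline. The response tier starts at
    'alert' on a lone reconnaissance IOA and becomes 'revoke_access_key' once
    privilege escalation follows reconnaissance on the same key."""
    timelines = {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        hit = classify(ev)
        if hit is None:
            continue
        stage, detail = hit
        t = timelines.setdefault(ev["accessKeyId"], {"ioas": [], "response": "alert"})
        now = datetime.strptime(ev["eventTime"], TS_FMT)
        first = datetime.strptime(t["ioas"][0]["time"], TS_FMT) if t["ioas"] else now
        t["ioas"].append({"time": ev["eventTime"],
                          "minutes_after_first_ioa": int((now - first).total_seconds() // 60),
                          "stage": stage, "detail": detail})
        if {"reconnaissance", "privilege_escalation"} <= {i["stage"] for i in t["ioas"]}:
            t["response"] = "revoke_access_key"
    return timelines


LEAKED_KEY = "AKIAIOSFODNN7EXAMPLE"   # AWS docs example key id, constructed use
BENIGN_KEY = "AKIAI44QH8DHBEXAMPLE"   # AWS docs example key id, constructed use

# Constructed replay of the scenario (T0 = 10:00, leak itself is not an event).
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-15T10:05:00Z", "eventName": "AssumeRole", "accessKeyId": BENIGN_KEY,
     "sourceIPAddress": "198.51.100.10",
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/ops-reader"}},
    {"eventTime": "2025-01-15T10:08:00Z", "eventName": "AssumeRole", "accessKeyId": LEAKED_KEY,
     "sourceIPAddress": "203.0.113.50",
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/prod-data-reader"}},
    {"eventTime": "2025-01-15T10:09:00Z", "eventName": "ListBuckets", "accessKeyId": LEAKED_KEY,
     "sourceIPAddress": "203.0.113.50"},
    {"eventTime": "2025-01-15T10:12:00Z", "eventName": "CreateUser", "accessKeyId": LEAKED_KEY,
     "sourceIPAddress": "203.0.113.50", "requestParameters": {"userName": "backup-admin"}},
    {"eventTime": "2025-01-15T10:12:30Z", "eventName": "AttachUserPolicy", "accessKeyId": LEAKED_KEY,
     "sourceIPAddress": "203.0.113.50",
     "requestParameters": {"userName": "backup-admin", "policyArn": ADMIN_POLICY}},
]

if __name__ == "__main__":
    for key, timeline in correlate(SAMPLE_EVENTS).items():
        print(key, timeline["response"])
        for ioa in timeline["ioas"]:
            print("  ", ioa)
```

Keying the timeline on the access key rather than the IP is deliberate: the attacker can change source address between steps, but every call made with the leaked credential carries the same `accessKeyId`, which is also the object the automated response acts on.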
How Wiz Defend enables proactive IOA detection in cloud environments
Wiz Defend transforms IOA detection by combining real-time signals with deep cloud context. Using lightweight eBPF sensors, it detects behavioral IOAs like privilege escalation and lateral movement with minimal performance overhead—typically less than 1% CPU utilization in production workloads.
Unified policy and analytics across code, CI/CD pipelines, cloud infrastructure, and runtime enable consistent detection rules and faster root-cause remediation. A single policy that flags unusual privilege escalation applies identically whether the behavior occurs in a Kubernetes pod, an EC2 instance, or a Lambda function—eliminating the policy drift and coverage gaps that emerge when teams manage separate rule sets for each layer.
The Wiz Security Graph automatically correlates IOAs with cloud context, showing attack paths and potential blast radius for accurate prioritization. Automated investigation workflows generate instant attack timelines from cloud logs and runtime signals, reducing mean time to response.
Precise detections powered by Wiz Research minimize false positives while catching unknown threats through behavioral analytics. Attack path analysis reveals how detected IOAs could chain with misconfigurations and permissions to reach critical assets.
Cloud-to-code traceability enables teams, in supported scenarios, to trace IOAs back to source vulnerabilities in infrastructure-as-code templates, container images, or application code for durable remediation that prevents recurrence.
Ready to catch attacks in motion before they become breaches? See how a unified, agentless platform correlates IOAs across cloud logs, runtime signals, and infrastructure context for faster, low-noise response—without the agent sprawl and blind spots of traditional tools. Get a demo and discover how graph-based detection reveals complete attack paths in minutes, not days.