Anatomy of an IoPA

This is a div block with a Webflow interaction that will be triggered when the heading is in the view.

Every analyst can describe an IOC without thinking. A file hash, a domain, an IP address, a registry key, a C2 callback pattern. They feel solid because they're artifacts, the residue of something that already happened. The malware has already detonated. The domain is already resolved to live infrastructure serving a payload.
Ask the same analyst to describe an IoPA and you usually get a pause. We've used the term - Indicator of Pre-Attack Activity - across this entire series without ever taking one apart. And a term you can't take apart stays a marketing word. So here's what's actually inside one.
The timing isn't incidental. The market just decided this is the direction: the first Magic Quadrant for our category called the future predictive, and every vendor near the top is positioning around getting ahead of the adversary instead of reconstructing what they did. The direction is right. What almost no one said out loud is that you can't predict anything with an indicator that only exists after the fact. Prediction isn't a throughput problem, more automation, more correlation, more AI on top of the same feeds. It's an indicator problem. Whether you can see forward depends on what you're looking at, not how fast you look at it.
Which is why an IoPA has to be a different kind of indicator, built from a different kind of signal. It comes together in three layers.
Layer 1: The raw signal
Start with what's observable. Before an attack, adversaries have to build the thing that delivers it and building leaves traces in places that have nothing to do with your environment yet.
- A domain gets registered
- A TLS certificate gets issued
- A server gets stood up inside a hosting range
- Mail records get configured.
- A code repository is created to manage phishing kits or payloads.
Pieces of infrastructure cluster together, the same registrant, the same provider, the same provisioning pattern showing up across several assets in a short window.
These are the raw materials of an IoPA: domain registrations, certificate issuances, hosting and DNS patterns, infrastructure clustering. None of them is hidden. All of them exist before a single packet is aimed at you.
But a raw signal on its own is close to worthless. Millions of domains are registered; millions of codes are being written every hour. Certificates are issued constantly. Taken alone, a single registration isn't an indicator of anything; it's a fact looking for context. Which is the next layer, and the one most "pre-attack" claims never actually reach.
Layer 2: The correlation
This is where a data point becomes an indicator. Correlation answers three questions about a raw signal, and an IoPA needs defensible answers to all three.
Whose behavior does this match? Infrastructure carries fingerprints - naming conventions, hosting choices, certificate patterns, and reuse of tooling across campaigns. Linking a signal to a known actor's established TTPs is what turns "a domain was registered" into "infrastructure consistent with a group that targets our sector that was just staged."
Is it relevant to us? A lookalike domain spoofing a regional bank is noise to a manufacturer and an alarm to that bank. Target relevance, your brand, your sector, your supply chain, your executives, is what separates the global firehose from the handful of signals that concern you.
How ready is it? Infrastructure that's registered but dormant is a different risk than infrastructure with a live certificate, a cloned portal, and mail records configured to send. Readiness tells you where in the staging process the adversary is, and therefore how much lead time you actually have to work with.
Correlation is the work. It's also where most pre-attack claims quietly collapse, because correlating a signal to behavior, relevance, and readiness at scale is hard, and it's tempting to skip straight from raw signal to alert. Skip it and you've rebuilt the Feed Economy with new labels: high volume, low context, someone downstream left to figure out whether any of it matters.
Layer 3: The validation
Correlation produces a candidate. Validation decides whether it's real. This is the step that separates a credible pre-attack indicator from a coincidence, and it's the hardest part of the whole pipeline, because preparation activity and ordinary internet noise look alike until you do the work to tell them apart.
Plenty of domains resemble yours by accident. Plenty of certificates get issued for entirely legitimate reasons. Validation filters those out: corroborating one signal against others, scoring confidence against the weight of evidence, and watching for the behavioral confirmation that distinguishes an adversary assembling capability from a coincidence that happens to pattern-match. An IoPA that ships without this step isn't intelligence, it's speculation with a confidence score stapled on, and analysts will rightly stop trusting it after the third false alarm.
Done properly, validation is also what makes an IoPA actionable the moment it arrives - already contextual, already weighted, already tied to an actor and a target. The analyst doesn't have to open a second investigation to figure out whether it's worth their time. That decision is built into the indicator.
So what does the SOC do with this?
Here's the reframe that matters. An IoPA is not a lower-confidence IOC. It's a different category of indicator and judging it by IOC standards misses the entire point.
An IOC is high confidence about the past. An IoPA is probabilistic about the future. That probabilistic quality reads like a weakness only if you forget what you're getting in exchange: lead time. A perfect IOC offers certainty and zero room to act. A strong IoPA offers a window, to harden, to block infrastructure before it goes live, to brief the right team, to take down a domain while it's still being assembled rather than after it's phished by your users.
The two aren't competitors. IOCs confirm what's happening now; IoPAs tell you what's being prepared. A SOC that runs only on IOCs is, by construction, a SOC that only ever moves second.
Which brings it back to where the market is heading. The direction is right, intelligence is going predictive. But predictive isn't a feature you bolt onto backward-looking data; however much AI you point at it. It requires an indicator built to face forward. That's what an IoPA is, and now you can take one apart and check the work yourself.







