Collecting Indicators of Compromise When to Use - During active incident response to identify and block adversary infrastructure - Post-incident to document all observed adversary artifacts for future detection - When sharing threat intelligence with ISACs, sector partners, or law enforcement - When building detection rules in SIEM, EDR, or network security tools - When enriching IOCs with threat intelligence context for risk scoring Do not use for behavioral TTP analysis without accompanying technical indicators; use MITRE ATT&CK mapping for behavioral characterization. Prerequisites - Acces…