Threat IntelligenceAugust 28, 2026

Threat Intelligence Practice for Beginners: How to Pivot on a Single IOC

Free threat intelligence practice for beginners. Learn how to pivot from one IOC to infrastructure and campaign attribution like an analyst.

ET

EpicDetect Team

5 min read

Threat Intelligence Practice for Beginners: How to Pivot on a Single IOC

Threat Intelligence Practice for Beginners: How to Pivot on a Single IOC

Every SOC job posting wants "threat intelligence experience." Most training gives you a definition of IOCs and TTPs and calls it a day.

Knowing that IOC stands for "indicator of compromise" isn't the skill. Taking one indicator and turning it into a full picture of who you're dealing with — that's the skill. Let's actually practice it.

The Indicator That Starts Every Lookup

An investigation hands you one thread: a domain pulled from a phishing email, a hash from an EDR alert, an IP a process reached out to. Say it's this:

Domain: secure-verify-portal.net

Registered: 6 days ago

Registrar: privacy-protected

Resolving IP: 185.212.44.19

One domain. That's it. Where do you actually go from here?

Step 1: Registration Age and Privacy — Before You Check a Single Feed

This alone tells you more than most people expect.

- Registered 6 days ago — legitimate business domains are almost never this fresh. Attackers burn domains fast, so newly-registered infrastructure is a strong lean toward malicious.

- Privacy-protected WHOIS — not damning on its own (plenty of legitimate sites use it), but combined with the age, it's another point in the same direction.

You haven't touched a threat feed yet and you already have a working hypothesis.

Step 2: Check the Indicator Against Threat Intel Feeds

Now you pivot to actual sources — VirusTotal, AbuseIPDB, urlscan.io, or whatever feed your org subscribes to.

- Has this exact domain or IP been flagged before?

- If it's brand new and unflagged, that's not a clean bill of health — it just means you're early. Fresh attacker infrastructure often hasn't been reported yet.

💡 Pro tip: A hit is useful, but a miss isn't proof of innocence. Absence of a flag on a 6-day-old domain tells you almost nothing.

Step 3: Pivot on the Infrastructure, Not Just the Indicator

This is the step most beginners skip. One domain is a data point. The infrastructure around it is the actual picture.

- What else resolves to 185.212.44.19? Shared hosting for unrelated malicious domains is common with cheap bulletproof providers.

- Does the registration pattern match a known naming convention — "secure," "verify," "portal" combos are common in phishing kit templates?

- Are there passive DNS records showing other domains that flipped to this IP recently?

Pulling on this thread is how one indicator turns into a cluster of related infrastructure.

Step 4: Look for Campaign Attribution, Not Just "Bad or Not"

Once you have a cluster of related indicators, the real question becomes: does this match a known pattern?

- Similar infrastructure, lure themes, or targeting to a previously reported campaign?

- Overlapping TTPs with a tracked threat actor, even if the specific domain is new?

You're rarely the first to see a given campaign — most of the work is recognizing the pattern, not discovering it cold. This is exactly where IOCs (fast, disposable) hand off to TTPs (durable, harder to change) — the domain will get burned in a week, but the behavior pattern usually won't.

Step 5: What You'd Actually Do Next

In a real investigation this is where it gets interesting — not "is this malicious," but "what else does this touch."

- Extract and share the full indicator set (domain, IP, related infrastructure) for blocking

- Check internal logs for any other systems that touched the same indicators

- Write up the attribution reasoning, not just the verdict — the "why" is what makes the report useful to the next analyst

This is exactly the kind of multi-step follow-through that a "spot the malicious domain" quiz never tests.

Why This Is Harder to Practice Than It Sounds

Most free threat intel exercises give you one indicator and ask "malicious, yes or no?" Binary, low-stakes, forgettable.

The real job is messier: one lead comes in, you pivot outward, and it either dead-ends or connects into a bigger campaign — and you don't know which going in.

That's the exact gap Adventures on EpicDetect is built to close. For the full picture on getting hands-on SOC experience without a job or home lab, see our complete guide. Adventures are full investigations, not single-indicator quizzes — Season 0's threat intel specialist Eli shows up right when a lead needs this exact kind of pivoting, connecting indicators from the phishing report into the bigger picture of what your team is actually facing.

TL;DR – Pivot on the Infrastructure, Not Just the Indicator

Threat intel practice starts with registration details and feed checks, but the real skill is pivoting from one indicator to the infrastructure and pattern around it. A single IOC is a data point; the cluster around it is the actual picture. Practice full pivots, not single-indicator quizzes, if you want the skill to actually stick.

---

FAQs

Do I need paid threat intel platforms to practice this?

No — free tools like VirusTotal, AbuseIPDB, and urlscan.io are enough to practice the actual pivoting workflow. The skill is the process, not the specific paid feed.

What's the fastest way to tell if a domain is worth investigating further?

Registration age and WHOIS privacy are quick first signals. Neither proves malice alone, but together with a fresh registration date, they're usually enough to justify digging further.

How is this different from OSINT research?

OSINT is the general skill of gathering open-source information. Threat intel pivoting is OSINT applied specifically to indicators — turning one IOC into infrastructure, and infrastructure into attribution.

---

Final thought: One indicator rarely tells you the whole story — the pivot is where the actual answer lives. Learn to follow the infrastructure, not just the flag.

How EpicDetect Can Help

Reading about this stuff only gets you so far. If you want to actually practice it — not multiple choice, not flashcards, an actual case — Adventures drops you into a story-driven SOC investigation where you make the calls a real analyst makes. Season 0 is completely free, no credit card required.

Want the fuller skill tree too? Head to the EpicDetect Atlas for structured lessons on top of the Adventures scenarios.

New here? Sign up and start for free.

Tags

Threat IntelligenceIOCsOSINTHands-On TrainingAdventures

Want to Learn More?

Explore more cybersecurity insights and detection engineering tutorials.