Mandiant Releases OpenIOC Standard for Sharing Threat Intelligence
Open source XML standard, new tools and web portal (www.openioc.org) to fill critical need for frontline incident responders
Mandiant, the leader in advanced threat detection and response solutions, today announced it has released its OpenIOC™ threat intelligence standard and a list of over 500 indicator terms to the public. In conjunction with the new standard, Mandiant also announced the general availability of a new free tool, Mandiant IOC Finder, and the launch of a new portal, www.openioc.org, to help fill a critical industry need for incident responders to share advanced threat intelligence in a machine-readable format.
First referenced publicly in Incident Response & Computer Forensics (McGraw-Hill, 2003), co-authored by Mandiant Chief Executive Officer Kevin Mandia, the term Indicator of Compromise (IOC) has been developed by Mandiant into a format that standardizes how computer security professionals define, and search for, the characteristics of advanced attacks.
The public release of both IOC Finder and www.openioc.org represents a new chapter for the OpenIOC standard, which was originally designed to let Mandiant’s products codify intelligence in order to rapidly search for potential security breaches. Now, in response to requests from across the user community, Mandiant has standardized and open sourced the OpenIOC schema and is releasing tools and utilities that allow security teams to describe the technical characteristics that identify a known threat, an attacker’s methodology, or other evidence of a compromise, and to share them at machine speed. The OpenIOC base schema, released as open source under the Apache 2.0 license and maintained by Mandiant, contains more than 500 indicator definitions developed over the course of detecting and responding to hundreds of computer security breaches.
“In the threat landscape that confronts us today, defenders must succeed one hundred percent of the time while the attackers only need to get through once to be successful,” said Mandiant Chief Technology Officer Dave Merkel. “By making OpenIOC public and customizable, we are making it possible to automate the intelligence sharing process so incident responders can more rapidly detect, respond to and contain targeted attacks.”
With today’s announcement the following tools and resources are now available:
- OpenIOC Standard: An open format for recording, defining, and sharing threat information in a machine-digestible format. OpenIOC can be easily modified as additional intelligence is gathered so that incident responders can translate their knowledge into a format that can be used by various technologies to sweep an enterprise for signs that it has been compromised.
- Mandiant IOC Editor™: A free tool that allows for the easy creation of IOCs using a graphical interface rather than having to edit raw XML. IOCs created with IOC Editor can then be shared with other responders inside and outside the organization.
- Mandiant IOC Finder™: A free tool that can acquire data from a single host and check the IOC against the collected data to see if the host matches conditions in the IOC. Once results are verified, responders can refine the IOC or use it to search other endpoints.
- OpenIOC Web Site: The newly launched www.openioc.org web portal serves as a central place to share IOCs and documentation and to promote adoption of the OpenIOC standard.
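To make “machine-readable” concrete, the following is an added example and not Mandiant’s code or part of the original release: a toy evaluator that parses an OpenIOC 1.0 document and checks it against data collected from a host, which is conceptually what IOC Finder does for a single endpoint. The element names follow the OpenIOC 1.0 layout (a `definition` of nested `Indicator` elements with an AND/OR `operator`, whose leaves are `IndicatorItem` elements pairing a `Context search` path with a `Content` value). The IOC itself, its hash and process names, and the two host “evidence” dictionaries are all constructed for this example, and only the `is` and `contains` conditions are implemented.

```python
"""Toy OpenIOC 1.0 evaluator (added example; not Mandiant's IOC Finder code).

An IOC is a <definition> holding nested <Indicator> elements whose
operator is AND or OR; the leaves are <IndicatorItem> elements pairing a
<Context search="Document/Field"> path with a <Content> value and a
comparison condition. The IOC and the host "evidence" below are both
constructed for this example.
"""
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed sample IOC: dummy hash and process names, not a real indicator.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001"
     last-modified="2011-11-01T00:00:00">
  <short_description>Example dropper (constructed)</short_description>
  <definition>
    <Indicator operator="OR" id="ind-1">
      <IndicatorItem id="item-1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="ind-2">
        <IndicatorItem id="item-2" condition="contains">
          <Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
          <Content type="string">svch0st</Content>
        </IndicatorItem>
        <IndicatorItem id="item-3" condition="is">
          <Context document="ProcessItem" search="ProcessItem/path" type="mir"/>
          <Content type="string">C:\\Users\\Public\\svch0st.exe</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed evidence: what a collector would gather from a host, keyed by
# the Context search path. Windows names and paths are compared case-insensitively.
CLEAN_HOST = {
    "FileItem/Md5sum": ["d41d8cd98f00b204e9800998ecf8427e"],
    "ProcessItem/name": ["explorer.exe", "svchost.exe"],
    "ProcessItem/path": ["C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\svchost.exe"],
}
SUSPECT_HOST = {
    "FileItem/Md5sum": ["d41d8cd98f00b204e9800998ecf8427e"],
    "ProcessItem/name": ["explorer.exe", "svch0st.exe"],
    "ProcessItem/path": ["C:\\Windows\\explorer.exe", "C:\\Users\\Public\\svch0st.exe"],
}


def _norm(value):
    return value.strip().lower()


def eval_item(item, evidence):
    """Evaluate one <IndicatorItem> against the evidence; return True or False."""
    ctx = item.find("ioc:Context", NS)
    content = item.find("ioc:Content", NS)
    if ctx is None or content is None or not content.text:
        raise ValueError("malformed IndicatorItem %s" % item.get("id"))
    wanted = _norm(content.text)
    observed = [_norm(v) for v in evidence.get(ctx.get("search"), [])]
    condition = item.get("condition", "is")
    if condition == "is":
        return wanted in observed
    if condition == "contains":
        return any(wanted in v for v in observed)
    # Refuse unknown conditions rather than silently treating them as misses.
    raise ValueError("unsupported condition %r in %s" % (condition, item.get("id")))


def eval_indicator(node, evidence):
    """Recursively evaluate an <Indicator>; return (hit, matched_item_ids)."""
    results = []
    for child in node:
        tag = child.tag.split("}")[-1]  # strip the XML namespace
        if tag == "IndicatorItem":
            results.append((eval_item(child, evidence), [child.get("id")]))
        elif tag == "Indicator":
            results.append(eval_indicator(child, evidence))
    if not results:
        return False, []  # an empty Indicator must never match (all([]) is True)
    op = node.get("operator", "AND").upper()
    if op == "AND":
        hit = all(h for h, _ in results)
        ids = [i for _, ids in results for i in ids] if hit else []
        return hit, ids
    if op == "OR":
        return any(h for h, _ in results), [i for h, ids in results if h for i in ids]
    raise ValueError("unsupported operator %r in %s" % (op, node.get("id")))


def ioc_matches(ioc_xml, evidence):
    """Return (hit, matched_item_ids) for a whole OpenIOC document."""
    root = ET.fromstring(ioc_xml)
    definition = root.find("ioc:definition", NS)
    if definition is None:
        raise ValueError("IOC has no <definition>")
    results = [eval_indicator(ind, evidence) for ind in definition.findall("ioc:Indicator", NS)]
    return any(h for h, _ in results), [i for h, ids in results if h for i in ids]


if __name__ == "__main__":
    for name, host in (("clean", CLEAN_HOST), ("suspect", SUSPECT_HOST)):
        print(name, ioc_matches(SAMPLE_IOC, host))
```

Two points a practitioner would watch for. First, the AND branch only reports its children as matched when every child matched, and an `Indicator` with no children is treated as a miss, because Python’s `all([])` is `True` and would otherwise turn an empty indicator into a match on every host. Second, IOCs are by design shared across organizations, so an IOC is untrusted input; in production the XML should be parsed with a hardened parser (for example the `defusedxml` package) rather than the plain standard-library `ElementTree` used here for portability.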
Additional information on the OpenIOC standard can be found at www.openioc.org and in a blog post published by Mandiant.
About FireEye, Inc.
FireEye has invented a purpose-built, virtual machine-based security platform that provides real-time threat protection to enterprises and governments worldwide against the next generation of cyber attacks. These highly sophisticated cyber attacks easily circumvent traditional signature-based defenses, such as next-generation firewalls, IPS, anti-virus, and gateways. The FireEye Threat Prevention Platform provides real-time, dynamic threat protection without the use of signatures to protect an organization across the primary threat vectors and across the different stages of an attack life cycle. The core of the FireEye platform is a virtual execution engine, complemented by dynamic threat intelligence, to identify and block cyber attacks in real time. FireEye has over 2,500 customers across 65 countries, including over 150 of the Fortune 500.
Mandiant, a FireEye company, has driven threat actors out of the computer networks and endpoints of hundreds of clients across every major industry. We are the go-to organization for the Fortune 500 and government agencies that want to defend against and respond to critical security incidents of all kinds. When intrusions are successful, Mandiant’s security consulting services – backed up by threat intelligence and technology from FireEye – help organizations respond and resecure their networks.
This press release contains forward-looking statements, including statements related to the features, objectives and benefits of the Industrial Control System Security Gap Assessment and Cyber Defense Center Development offerings. These forward-looking statements involve risks and uncertainties, as well as assumptions which, if they do not fully materialize or prove incorrect, could cause the results of FireEye or Mandiant to differ materially from those expressed or implied by such forward-looking statements. The risks and uncertainties that could cause such results to differ materially from those expressed or implied by such forward-looking statements include the ability of FireEye and Mandiant to retain and recruit highly experienced and qualified personnel; customer demand for and market acceptance of such offerings; changes in the technology or the industries to which such offerings are related; competitive pressures faced by FireEye and Mandiant; and general market, political, economic, and business conditions; as well as those risks and uncertainties included under the captions “Risk Factors” and “Management’s Discussion and Analysis of Financial Condition and Results of Operations,” in FireEye’s quarterly report on Form 10-Q filed with the Securities and Exchange Commission on August 13, 2014, which is available on the Investor Relations section of the company’s website at investors.FireEye.com and on the SEC website at www.sec.gov. All forward-looking statements in this press release are based on information available to the company as of the date hereof, and FireEye does not assume any obligation to update the forward-looking statements provided to reflect events that occur or circumstances that exist after the date on which they were made. Any future service, feature, objective or benefit that may be referenced in this release is for information purposes only and is not a commitment to deliver any service, feature, objective or benefit. FireEye reserves the right to modify future plans at any time.