'Just because the security industry touts indicators of compromise (IOCs) as much needed intelligence in the war on attackers, the fact is that not every IOC is valuable enough to trigger an incident response (IR) activity. All too often our provided indicators contain information of varying quality including expired attribution, dubious origin, and incomplete details. So how many IOCs are needed before you can confidently declare an incident? Using actual investigations and research, this session will help attendees better understand the true value of an individual IOC, how to quantify and utilize your collected indicators, and what constitutes an actual incident. After completing this session, the attendee will: '- Know how to quickly determine the value of an IOC, '- Understand when more information is needed (and from what source), and '- Make intelligent decisions on whether or not an incident should be declared.