D8 · CySA+

What are Indicators of Attack (IoA)?

IoAs are behavioral patterns indicating an attack in progress — unusual admin tool usage, new scheduled tasks, lateral movement patterns. More proactive than IoCs (IoCs are post-compromise).
IoC (Indicator of Compromise) = evidence something happened (malware hash, C2 IP). IoA = evidence something is happening (attacker behavior pattern). IoAs enable detection during the attack, not after.