The correct answer for the uploaded course-question set is B. 1 Million. IOC files are used to import indicators of compromise so that the gateway can match known malicious or suspicious observables such as domains, URLs, IP addresses, and file hashes. In the Threat Prevention architecture, these indicators complement ThreatCloud intelligence by letting administrators add organization-specific or third-party intelligence into enforcement. The key certification point in this question is scale: R81.20 IOC Files are tested with a maximum of 1 million patterns or observables in this exam context.
Operationally, this limit matters because large IOC files affect memory use, update processing, compilation time, and gateway enforcement behavior. Architects should avoid treating IOC ingestion as unlimited; feeds must be curated, deduplicated, normalized, and prioritized. The current public R81.20 release documentation distinguishes expanded IoC feed scale and states that IoC feeds can support significantly more observables on XFS systems, while EXT3 has a lower limit. For this specific question wording, however, the answer key's "IOC Files" limit is 1 Million, while later Custom Threat Indicators and external-feed capacities are treated separately in related questions.
Reference topics: IOC Files, Threat Indicators, R81.20 Threat Prevention, observable limits, feed sizing and gateway resource planning.