Anomaly Detection
CLARITY continuously monitors your cloud spend and alerts you when costs deviate from expected patterns. The Anomaly Detection page helps you catch billing surprises before they become expensive problems.
How It Works
Anomaly detection uses a 7-day rolling baseline to establish what normal spending looks like for each service and account. When actual costs deviate significantly from this baseline, an anomaly is flagged.
The detection process evaluates:
- Rolling average — Mean daily cost over the past 7 days
- Standard deviation — How much daily costs typically vary
- Current cost — Today's actual spend
- Deviation score — How many standard deviations the current cost is from the mean
INFO
Anomalies are evaluated at the service level (e.g., "EC2 in us-east-1") rather than at the individual resource level. This reduces noise while still catching meaningful cost spikes.
Actual vs. Expected Cost
Each anomaly displays a clear comparison:
| Field | Description |
|---|---|
| Expected Cost | The predicted daily cost based on the rolling baseline |
| Actual Cost | The real cost recorded for that day |
| Deviation | The dollar and percentage difference |
| Direction | Whether the anomaly is a spike (over) or a drop (under) |
Cost drops can be just as important as spikes — a sudden decrease might indicate a misconfigured service or an unintended resource deletion.
Severity Classification
Anomalies are classified by severity based on both the percentage deviation and the absolute dollar impact:
| Severity | Criteria | Action |
|---|---|---|
| Critical | Large deviation with high dollar impact | Investigate immediately |
| High | Significant deviation or moderate dollar impact | Review within 24 hours |
| Medium | Notable deviation with limited dollar impact | Review at next opportunity |
| Low | Minor deviation, small dollar amount | Monitor for recurrence |
WARNING
A 200% spike on a $5/day service is less urgent than a 20% spike on a $500/day service. CLARITY factors in absolute cost impact, not just percentage change.
Contributing Resource Breakdown
When you click into an anomaly, CLARITY shows which resources contributed most to the cost change. This breakdown helps you pinpoint the root cause:
- Service breakdown — Which sub-services saw cost increases
- Resource list — Specific resources with the largest cost deltas
- Timeline — When the cost change began and whether it is ongoing
Setting Up Anomaly Alerts
Configure alerts to be notified when anomalies are detected:
- Navigate to Anomaly Detection and click Configure Alerts
- Set the sensitivity level (Low, Medium, High)
- High sensitivity catches smaller deviations but may produce more alerts
- Low sensitivity only triggers on major cost spikes
- Choose notification channels:
- Email notifications to specified recipients
- In-app notification bell
- Set minimum cost threshold to avoid alerts on trivially small anomalies
TIP
Start with medium sensitivity and adjust based on your experience. If you receive too many false positives, lower the sensitivity or increase the minimum cost threshold.
Investigating Anomalies
When an anomaly appears, follow this workflow:
1. Assess Severity and Impact
Check the dollar impact first. A critical anomaly on a core production service deserves immediate attention.
2. Review the Timeline
Look at when the cost change started. Correlate with recent deployments, configuration changes, or scaling events.
3. Drill Into Resources
Use the contributing resource breakdown to identify which specific resources are responsible.
4. Check for Known Causes
Common causes of cost anomalies include:
- Auto-scaling events responding to traffic spikes
- New resource deployments (expected cost increases)
- Data transfer spikes (large file uploads, cross-region traffic)
- Spot/preemptible instance interruptions causing on-demand fallback
- Front-loaded billing (e.g., Route 53 zone fees charged on day 1)
5. Resolve or Dismiss
Once investigated, mark the anomaly as:
- Acknowledged — Known cause, no action needed
- Investigating — Still looking into it
- Resolved — Root cause identified and addressed