
Anomaly Detection

Guardian Pro's anomaly detection engine continuously monitors your AWS spending patterns and automatically flags unusual changes. Whether it is a sudden cost spike, a new service appearing on your bill, or a gradual but significant increase, the anomaly detector catches it before it becomes a budget-breaking problem.

How Anomaly Detection Works

The anomaly detection engine analyses your historical spending data to establish baselines for each service, region, and overall account. When actual spending deviates significantly from these baselines, an anomaly is raised.

Guardian Pro uses multiple detection methods to catch different types of anomalies:

| Method | What It Catches |
| --- | --- |
| Statistical deviation | Spending that is statistically unusual compared to recent history |
| Day-over-day change | Sudden large increases compared to the previous day |
| Service-level analysis | Individual services with abnormal cost changes |
| New service detection | AWS services appearing on your bill for the first time |

Info: Anomaly detection runs automatically on a daily schedule. You do not need to manually trigger it -- anomalies are detected and surfaced as part of the regular analysis cycle.
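
The detection methods in the table above can be sketched over per-service daily cost data. This is an added example, not Guardian Pro's own code: the thresholds, the `detect` function and the sample figures are assumptions made for illustration.

```python
from statistics import mean, stdev

# Constructed sample: daily cost in USD per AWS service, oldest day first.
# The final entry of each list is the day being evaluated.
DAILY_COSTS = {
    "AmazonEC2": [100, 104, 98, 101, 99, 103, 97, 102, 100, 180],
    "AmazonS3": [20, 21, 19, 20, 22, 20, 21, 19, 20, 21],
    "AmazonSageMaker": [0, 0, 0, 0, 0, 0, 0, 0, 0, 35],
}

Z_THRESHOLD = 3.0      # assumed: standard deviations from the baseline mean
DOD_THRESHOLD = 0.50   # assumed: 50% change relative to the previous day


def detect(series_by_service):
    """Return a list of (service, type, expected, actual) anomaly tuples."""
    anomalies = []
    # Service-level analysis: every service is judged against its own history.
    for service, series in series_by_service.items():
        history, today = series[:-1], series[-1]
        # New service detection: no spend in the baseline, spend today.
        if all(cost == 0 for cost in history):
            if today > 0:
                anomalies.append((service, "new_service", 0.0, today))
            continue
        baseline = mean(history)
        spread = stdev(history) if len(history) > 1 else 0.0
        # Statistical deviation: today is far outside recent variation.
        if spread > 0 and abs(today - baseline) / spread > Z_THRESHOLD:
            anomalies.append((service, "statistical_deviation", baseline, today))
        # Day-over-day change: large jump or drop relative to yesterday.
        yesterday = history[-1]
        if yesterday > 0 and abs(today - yesterday) / yesterday > DOD_THRESHOLD:
            anomalies.append((service, "day_over_day", yesterday, today))
    return anomalies


if __name__ == "__main__":
    for service, kind, expected, actual in detect(DAILY_COSTS):
        print(f"{service:16} {kind:22} expected={expected:8.2f} actual={actual:8.2f}")
```

Because both comparisons use absolute differences, the same sketch also flags a sharp cost drop, not only a spike.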

Viewing Anomalies

Anomaly Banner

When anomalies are detected, a banner appears at the top of the Cost Dashboard with a summary of active anomalies. Click the banner to navigate to the full anomaly view.

Anomaly List

The anomaly view shows all detected anomalies with the following details:

| Field | Description |
| --- | --- |
| Date | When the anomaly was detected |
| Type | The detection method that triggered the anomaly |
| Service | The AWS service involved (if service-specific) |
| Expected Cost | The baseline cost that was expected based on historical patterns |
| Actual Cost | The actual cost recorded |
| Impact | The cost difference between actual and expected |
| Severity | The significance of the deviation (Critical, High, Medium, Low) |
| Status | Active, Acknowledged, or Resolved |

Anomaly Details

Click on any anomaly to see a detailed view including:

  • A chart showing the spending trend with the anomalous period highlighted
  • The historical baseline used for comparison
  • The specific metric or threshold that was breached
  • Related resources and operations that contributed to the anomaly
  • Suggested investigation steps

Types of Anomalies

Spending Spikes

The most common type of anomaly. A sudden increase in daily or hourly spend that significantly exceeds the recent baseline.

Common causes:

  • Auto-scaling responding to a traffic spike
  • A large data processing job
  • New resources launched without cost awareness
  • A misconfigured service (e.g., expensive instance type selected accidentally)
  • An attack generating excessive API calls or data transfer

Warning: Not every spending spike is a problem. Legitimate traffic surges, planned data migrations, or seasonal business events can cause expected increases. Guardian Pro highlights the anomaly so you can investigate and determine whether action is needed.

Cost Drops

A significant decrease in spending can also be anomalous. While a lower bill sounds good, it might indicate:

  • A production service that went down unexpectedly
  • Resources that were accidentally terminated
  • A scaling policy that is too aggressive in scaling down

New Service Charges

Guardian Pro flags any AWS service that appears on your bill for the first time. This is particularly useful for:

  • Detecting unauthorized service usage
  • Catching test or experiment resources that were not cleaned up
  • Identifying shadow IT where team members deploy services outside normal processes

Gradual Drift

Over time, costs can drift upward gradually enough that day-to-day changes seem insignificant, but the cumulative effect is material. Guardian Pro's statistical analysis catches these slow-burn increases.
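
Why a day-over-day check alone misses gradual drift, and how comparing a recent window against an earlier one exposes it, shown as an added example. It is not Guardian Pro's implementation: the window sizes, thresholds, function names and sample series are assumptions.

```python
from statistics import mean

# Assumed window sizes and thresholds, chosen for illustration only.
RECENT_DAYS = 7
BASELINE_DAYS = 28
DRIFT_THRESHOLD = 0.20   # recent mean more than 20% above the baseline mean
DOD_THRESHOLD = 0.50     # a single-day jump of more than 50%


def max_day_over_day(series):
    """Largest relative change between any two consecutive days."""
    return max(abs(b - a) / a for a, b in zip(series, series[1:]) if a > 0)


def drift_ratio(series):
    """Relative change of the recent window's mean against the prior window's mean."""
    if len(series) < RECENT_DAYS + BASELINE_DAYS:
        raise ValueError("not enough history for both windows")
    recent = series[-RECENT_DAYS:]
    baseline = series[-(RECENT_DAYS + BASELINE_DAYS):-RECENT_DAYS]
    return (mean(recent) - mean(baseline)) / mean(baseline)


def is_gradual_drift(series):
    """True when no single day looks alarming but the windows have diverged."""
    return (max_day_over_day(series) <= DOD_THRESHOLD
            and drift_ratio(series) > DRIFT_THRESHOLD)


# Constructed sample: spend starts at $100/day and grows 1.5% every day.
DRIFTING = [round(100 * 1.015 ** day, 2) for day in range(35)]
STABLE = [100.0] * 35

if __name__ == "__main__":
    print(f"largest daily change:  {max_day_over_day(DRIFTING):.1%}")
    print(f"window drift:          {drift_ratio(DRIFTING):.1%}")
    print(f"gradual drift flagged: {is_gradual_drift(DRIFTING)}")
```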

Anomaly Severity

Anomalies are classified by severity based on the cost impact and the degree of deviation from the baseline:

| Severity | Typical Indicators |
| --- | --- |
| Critical | Large cost impact; extreme deviation from baseline; immediate investigation recommended |
| High | Significant cost impact; substantial deviation; investigate within 24 hours |
| Medium | Moderate cost impact; notable deviation; review at your next cost review |
| Low | Small cost impact; minor deviation; informational awareness |

Managing Anomalies

Acknowledging Anomalies

When you investigate an anomaly and determine it is expected (e.g., a planned migration), you can acknowledge it to remove it from active alerts. Acknowledged anomalies remain in your history for audit purposes.

Resolving Anomalies

When the underlying cause of an anomaly has been addressed (e.g., an accidentally launched resource has been terminated), mark it as resolved.

Anomaly Lifecycle

Detected --> Active --> Acknowledged or Resolved
                    --> Auto-resolved (if spending returns to normal)

Anomalies are automatically resolved when spending returns to baseline levels.

Notifications

Anomaly alerts can be delivered through Guardian Pro's notification system:

  • In-app alerts -- Anomaly banner and notification bell
  • Email notifications -- Instant alerts for critical and high severity anomalies
  • Webhook integration -- Send anomaly alerts to Slack, Microsoft Teams, or other tools

Configure notification preferences in Settings > Notifications.

Tip: For critical infrastructure accounts, configure instant email alerts for anomalies to ensure your team is notified immediately when unusual spending is detected.

Best Practices

Investigate Promptly

Cost anomalies compound quickly. An unexpected $100/day increase becomes $3,000/month if not addressed. Treat critical anomalies with the same urgency as security alerts.

Build Context Over Time

Anomaly detection becomes more accurate as Guardian Pro accumulates more historical data. In the first few weeks, you may see more false positives as the system establishes baselines. Acknowledge expected anomalies to help refine future detection.

Combine with Budgets

Use anomaly detection alongside Budgets for comprehensive cost governance. Budgets set absolute spending limits, while anomalies catch relative deviations from normal patterns. Together, they provide layered protection.

Review Regularly

Even if no critical anomalies are flagged, review the anomaly view during your regular cost reviews. Medium and low severity anomalies can reveal trends that are worth understanding.

Integration with AI Assistant

You can ask the Guardian Pro AI Assistant about cost anomalies in natural language:

  • "Are there any cost anomalies this month?"
  • "What caused the spending spike last Tuesday?"
  • "Which services have unusual spending patterns?"

The AI Assistant has access to anomaly data and can provide contextual explanations.

Next Steps

  • Budgets -- Set spending limits to complement anomaly detection
  • Service Breakdown -- Investigate which services are driving anomalous costs
  • Cost Dashboard -- Return to the overview for a complete picture