How Anomaly Detection Works
Anomaly detection runs on every Cost Report in your account. For each report, Vantage:- Groups the report’s filtered cost data into time series by provider, service, and cost category (for example, AWS > Amazon EC2 > Data Transfer or Azure > Virtual Machines > Compute).
- Trains a machine learning forecast on each series using up to the most recent 6 months of daily cost data for that report. (Newer accounts train on whatever history is available. Each series needs more than 12 days of data before it can be evaluated.)
- Flags days where the actual cost exceeds the forecast’s upper bound as candidate anomalies.
- Applies noise filters to remove tiny or expected fluctuations (see Noise Filters Applied to Candidates).
- Records each surviving anomaly on the Cost Report and, when configured, sends an external notification the first time the anomaly’s trend exceeds your Alert Threshold.
Anomaly detection workflow diagram
Anomaly detection workflow diagram
What Counts as an Anomaly
Two things determine whether a daily cost spike becomes a recorded anomaly: whether the underlying line item is in scope for detection at all, and whether the candidate survives Vantage’s noise filters. Both rules are intentional and uniform across all accounts to keep the anomalies list actionable rather than noisy.Excluded from Detection
To keep the model focused on usage signals, Vantage excludes a few categories of line items from detection entirely:| Excluded | Why | Matched by |
|---|---|---|
| Marketplace charges across AWS, Azure, and GCP | Marketplace purchases are not usage-driven and would skew the forecast. | The AWS Marketplace and Marketplace category labels. |
| Datadog commitment line items | These are flat, predictable charges that obscure usage spikes. | The Datadog Commitment cost subcategory. |
| Reservation and Savings Plan fees, upfront purchases, and amortized fees | These are commitment-driven charges rather than usage signals. | The Purchase, SavingsPlanRecurringFee, SavingsPlanUpfrontFee, Fee, RIFee, and AmortizedFee charge types. |
Noise Filters Applied to Candidates
After the model identifies a candidate anomaly (a day where cost exceeds the forecast’s upper bound), Vantage applies several noise filters before recording it:| Filter | A candidate is suppressed when… |
|---|---|
| Static floor | The cost on the anomalous day is below $5. |
| Report-level threshold | The cost on the anomalous day is below 0.5% of the report’s total daily cost. The threshold scales with the report’s size, so the same dollar increase that surfaces on a narrow report may be suppressed on a broad one. |
| Recent average | The cost on the anomalous day is not more than 20% above the trailing 7-day average for that series (a series gradually trending up will not be flagged). |
| Not increasing day-over-day | The cost on the anomalous day is not greater than the previous day. |
| Back-to-back suppression | Another anomaly was already detected for the same (provider, service, cost category) series in the previous 7 days. |
| Insufficient history | The series has 12 days or fewer of data in the training window. |
These filters mean that the same underlying cost spike can surface as an anomaly on a narrower Cost Report and be suppressed on a broader one. See the FAQ for examples.
Anomaly Detection vs. Other Alert Types
Vantage offers several ways to notify you about cost changes. Choose based on whether you want unsupervised outlier detection, fixed thresholds, or scheduled summaries.| Feature | What it does | When it fires | Best for |
|---|---|---|---|
| Cost Anomaly Alerts | ML forecast per provider, service, and cost category on a Cost Report; flags days that exceed the forecast’s upper bound. | After Vantage refreshes the report and detects the anomaly. | Catching unexpected, single-day spikes you didn’t know to set a threshold for. |
| Cost Alerts | Fixed-threshold comparisons (day-over-day, week-over-week, month-over-month, quarter-over-quarter) per binned grouping on a Cost Report. | Whenever a grouping crosses your configured % or $ threshold. | Gradual ramps, recurring patterns, or any case where you know the exact threshold you want to monitor. |
| Report Notifications | Scheduled digests of Cost Reports or dashboards. | Daily, weekly, or monthly on a fixed schedule. | Routine spend reviews regardless of whether anything is anomalous. |
| Budget Alerts | Notify when a percentage of a budget is reached for a designated period. | When actual spend crosses the configured percentage. | Tracking spend against a target. |
| FinOps Agent | On-demand AI investigation of a specific anomaly, cost report, or question. | When you trigger it (for example, by clicking Investigate Anomaly in a Slack notification). | Root-causing an alert after it fires, not scheduled detection. |
View Cost Anomalies
To view cost anomalies for a Cost Report, navigate to that report and select the Anomalies tab on the top left of the report.
Take Action on an Anomaly
From the Anomalies tab, click the link in the Category column to open the anomaly in its Cost Report.
The bar for the anomalous day is visually highlighted. Hover over it to view details. If Vantage identified a single resource as the likely cause, the resource is shown alongside the anomaly category (for example, Compute for production-cluster). When the Cost Report is grouped so that the attributed resource appears as a row, that row is also marked. In the top right of the report header, click Manage Anomaly.
Select one of the following actions:
- Create an Issue: Open a new issue pre-populated with a link back to this Cost Report and anomaly. Assign it to yourself or a teammate.
- Mark as Archived: Move the anomaly out of the Active list.
- Ignore: Remove the anomaly from the list entirely. You can provide optional feedback about why you ignored it.
Ignoring, archiving, or creating an issue for an anomaly does not train, tune, or suppress the detection model. The model has no feedback loop from these actions. Detection always re-runs on the report’s filtered cost data within the last 6 months, with the excluded charge types and categories listed above removed.
Resource Attribution
Vantage attempts to identify the resource responsible for an anomaly. When one is identified, the resource is appended to the anomaly’s category (for example, Compute for production-cluster) and, if the Cost Report is grouped so that the resource appears as a row, that row is also marked. Attribution is best-effort:- Vantage attributes at most one resource per anomaly. The resource is selected when a single resource accounts for more than 50% of the cost change in the affected (provider, service, cost category) series.
- When no single resource exceeds the 50% threshold, no resource is attributed. The anomaly may instead be caused by multiple resources, by a category without resource-level granularity, or by a provider that does not expose per-resource identifiers.
- When a resource is attributed, it is a directional starting point for investigation rather than a definitive root cause. Inspect groupings and drilldowns on the Cost Report to confirm.
Configure Cost Anomaly Alerts
Anomaly alerts can be delivered to email, Slack, Microsoft Teams, and Jira. To use Slack, Teams, or Jira, first configure the Slack, Microsoft Teams, or Jira integration. (Slack and Microsoft Teams are mutually exclusive: you can connect one or the other, not both.)
Enter an Alert Threshold (dollar amount). See Understanding the Alert Threshold below.
(Optional) If you have Slack, Microsoft Teams, or Jira configured, select channels or a Jira project in the corresponding fields.
At this time, you cannot configure an anomaly alert for a specific resource. To monitor a particular workload, create a Cost Report filtered to its tag, account, region, or service and configure an alert on that report.
Understanding the Alert Threshold
The Alert Threshold is a notification threshold, not a detection sensitivity. It does not change which anomalies Vantage detects. It only controls which detected anomalies are sent externally. Vantage compares the threshold against an anomaly’s trend value, where:trend >= threshold, the alert is delivered to the configured recipients. Anomalies below the threshold are still recorded on the Anomalies tab. They just don’t fire an external notification.
Alert Notifications
When an anomaly fires above your Alert Threshold, Vantage sends a single notification per delivery channel. Notifications include the report title, the affected service and cost category, and the trend amount. Notifications also display amounts in your workspace’s configured currency.Delivery Channels
Cost Anomaly Alerts support email, Slack, Microsoft Teams, and Jira. The matrix below also covers the other Vantage alert types so you can quickly compare.| Alert Type | Slack | Microsoft Teams | Jira | Configured From | |
|---|---|---|---|---|---|
| Cost Anomaly Alerts | Yes | Yes | Yes | Yes | A Cost Report’s Anomalies tab > Configure Alert |
| Cost Alerts | Yes | Yes | Yes | Yes | A Cost Report’s … menu > Create Cost Alert, or Notifications > Cost Alerts > Configure Cost Alert |
| Budget Alerts | Yes | Yes | Yes | Yes | A Budget’s Manage tab > Manage Alerts > Configure Alert |
| Report Notifications (Cost Reports) | Yes | Yes | Yes | — | The Notifications page > New Notification > Cost Report Notification, or a Cost Report’s … menu > Create Report Notification |
| Dashboard Notifications | Yes | — | — | — | The Notifications page > New Notification > Dashboard Notification |
Slack and Microsoft Teams are mutually exclusive at the integration level: you can connect either Slack or Microsoft Teams, not both. See the Slack and Microsoft Teams integration docs for setup. Jira delivery requires the Jira integration.
Detected On vs. Occurred On
Slack notifications surface two dates:- Occurred On: the date the costs were accrued in your cloud provider.
- Detected On: the date Vantage detected the anomaly.
- The cloud provider released or updated the billing data for Occurred On after the fact. Some providers refine the previous day’s data over the next 24–48 hours.
- A series only became anomalous once additional history filled in around it. The model evaluates each day in the context of the surrounding days; a spike on day N may not look anomalous until day N+2’s data is available.
Investigate Anomalies with the FinOps Agent
If the FinOps Agent is enabled for your account, anomaly notifications sent to Slack include an Investigate Anomaly button. Clicking it starts a guided investigation: the Agent fetches the anomaly, queries the surrounding daily costs, gathers resource details, and posts a structured summary back in the Slack thread. Vantage Slack notifications also include the report token and anomaly tokens as metadata, so the Agent has full context when responding to follow-up questions in the same thread. See Investigate Cost Anomalies for details.Frequently Asked Questions
Why don't I see anomalies on my All Resources report?
Why don't I see anomalies on my All Resources report?
The default All Resources Cost Report covers your full account spend. The detector’s report-level noise threshold is 0.5% of the report’s total daily cost, which means a service-level spike that is significant on its own can fall below the threshold once it’s compared to your entire daily cloud bill.If you want anomaly coverage for a specific provider, service, tag, account, or team, create a narrower Cost Report scoped to those filters and configure an alert on that report. Each report runs its own detection, so the same spike that’s suppressed on All Resources can surface on a focused report.
Why did a tightly scoped report miss an obvious spike?
Why did a tightly scoped report miss an obvious spike?
A few reasons a narrow Cost Report can fail to flag a spike that looks obvious by eye:
- The series has limited history in the report’s scope: Each (provider, service, cost category) series needs more than 12 days of data within the report’s 6-month training window to be evaluated.
- Prior spikes have widened the forecast’s upper bound: If the same series spiked previously, the forecast’s upper bound is wider in response to that volatility, so a new spike of similar size can fall inside the widened range without being flagged. Recurring monthly or quarterly spikes can become “expected” to the model.
- One of the noise filters suppressed it: Most commonly, the new value is not more than 20% above the trailing 7-day average, the day-over-day change wasn’t positive, or another anomaly was already detected in the previous 7 days.
Why didn't a gradual cost increase trigger an anomaly?
Why didn't a gradual cost increase trigger an anomaly?
Anomaly Detection is built around daily outliers. If costs ramp up smoothly over weeks or months without any single day standing out, no day on its own is anomalous and the detector does not flag the trend.For gradual ramps and sustained growth, Cost Alerts are the right tool. Cost Alerts let you compare day-over-day, week-over-week, month-over-month, or quarter-over-quarter changes against a percentage or dollar threshold you choose.
Why does the same anomaly show different amounts on different reports?
Why does the same anomaly show different amounts on different reports?
The anomaly amount is the net cost change within the Cost Report’s filters. A spike that contributes $3,000 to one report can contribute $8 to another report whose filters exclude most of the underlying costs. Both numbers are correct for their respective scope.If you follow an anomaly link and the amount looks unexpected, check whether you’re viewing it on the report it was detected on or on a different report. Anomalies are scoped to the report that detected them.
Why do anomaly counts differ between two workspaces with the same integrations?
Why do anomaly counts differ between two workspaces with the same integrations?
Anomaly detection is not perfectly deterministic. Detection runs on its own schedule per Cost Report, and two runs that fall on different days see slightly different cost windows—one extra day at the end and one fewer day at the start—which can shift what each run considers anomalous.For two workspaces with the same integrations, expect minor day-by-day differences in counts. The underlying anomalies surface in both reports over time.
Why didn't multiple days of cost accumulation cross my dollar threshold?
Why didn't multiple days of cost accumulation cross my dollar threshold?
Each anomaly is evaluated in isolation against your Alert Threshold. Vantage does not sum across consecutive days. If a $60 anomaly is detected on day 1 with a $100 threshold, no alert fires. If costs continue to climb on day 2, back-to-back suppression typically prevents a new anomaly from being detected in the same series for 7 days.For threshold-based monitoring of sustained cost growth, use Cost Alerts with a comparison interval (day-over-day, week-over-week, month-over-month, or quarter-over-quarter).
I lowered my Alert Threshold, but I'm still not getting notifications for past anomalies. Why?
I lowered my Alert Threshold, but I'm still not getting notifications for past anomalies. Why?
The Alert Threshold is evaluated when an anomaly is first processed for alerting. Once a detected anomaly has been evaluated against the threshold—even if it was below the threshold and no notification was sent—it is marked as processed and will not be re-evaluated.Lowering the threshold only affects anomalies that are newly detected after the change. To monitor sustained cost growth that may have already been detected, use a Cost Alert with a comparison interval instead.
Does ignoring, archiving, or creating an issue for an anomaly affect future detection?
Does ignoring, archiving, or creating an issue for an anomaly affect future detection?
No. The detection model has no feedback loop from these actions. Ignoring or archiving an anomaly only changes what you see on the Anomalies tab; the model will still evaluate the same (provider, service, cost category) series with the same logic the next time detection runs.
Why did a recurring monthly spike eventually stop alerting?
Why did a recurring monthly spike eventually stop alerting?
A series’s recent variance directly affects how wide the forecast’s expected range is. When the same series has spiked repeatedly at a similar magnitude, the forecast’s upper bound widens to reflect that variability, and a new spike of similar size can fall inside the wider range without being flagged as an outlier.If you want to monitor a recurring increase regardless of whether the model considers it expected, use a Cost Alert with a month-over-month threshold.
How far back does the model train?
How far back does the model train?
Anomaly detection trains on up to the most recent 6 months of the Cost Report’s filtered data, regardless of how much history you have imported. Newer accounts train on whatever is available, and each (provider, service, cost category) series needs more than 12 days of data to be evaluated.
How long does Vantage keep anomaly history?
How long does Vantage keep anomaly history?
Vantage preserves anomaly history within your account’s cost retention window so older anomalies remain searchable on the Cost Report. Two cleanup rules apply:
- Recent anomalies that are no longer detected are removed. When detection re-runs, anomalies from roughly the last 3 months that are no longer present in the report’s data (for example, after a backfill correction or filter change) are deleted. Older anomalies are preserved as history.
- Anomalies past your account’s cost retention window are deleted. Anything outside the retention window is removed during cleanup.
Troubleshooting
The Anomalies tab is empty even though I see a clear spike on the chart
The Anomalies tab is empty even though I see a clear spike on the chart
A few common causes:
- The spike is suppressed by a noise filter: Most commonly, the spike is below $5, below 0.5% of the report’s total daily cost, or not more than 20% above the trailing 7-day average for that series.
- The series doesn’t have enough history: A series needs more than 12 days of data within the 6-month training window before it is evaluated.
- The report is broad and the spike is small relative to the total. Create a narrower Cost Report scoped to the affected provider, service, tag, or account, and check the Anomalies tab on that report.
- The series is already volatile: Past spikes or high variance widen the forecast’s expected range, so a new spike can fall inside the wider range and not register as an outlier.
My Slack or Microsoft Teams alert arrived days after the costs occurred
My Slack or Microsoft Teams alert arrived days after the costs occurred
In Slack, compare the Detected On and Occurred On dates in the notification (see Detected On vs. Occurred On for why they can differ). Microsoft Teams notifications show a single date, so this comparison isn’t available there. In both cases, the delay is most often caused by the underlying provider releasing or updating billing data after the fact, or by a series only becoming anomalous once additional surrounding days were available to evaluate.If you believe the delay is not explained by either case, contact support with the report token, anomaly date, and the date the alert was received.
The attributed resource doesn't look like the actual cause
The attributed resource doesn't look like the actual cause
Vantage attributes at most one resource per anomaly, and only when that resource accounts for more than 50% of the cost change in the affected (provider, service, cost category) series. When multiple resources contribute, or when the cost category contains resources moving in opposite directions, the heuristic can attribute a misleading resource (or none).Treat the attributed resource as a starting point. Use the Cost Report’s groupings and drilldowns (for example, group by resource ID, region, or a tag) to confirm what actually drove the spike.
The anomaly link returns 'This anomaly is no longer valid' or shows no data
The anomaly link returns 'This anomaly is no longer valid' or shows no data
Anomalies are point-in-time records. The link can become stale when:
- The Cost Report’s filters were changed after the anomaly was detected.
- A Virtual Tag that the report depends on was updated.
- The underlying provider data was reprocessed or corrected.
The alert amount doesn't match the spike I see on the report
The alert amount doesn't match the spike I see on the report
The alert amount is the anomaly’s trend value: the cost on the anomalous day minus the trailing 7-day average for that series. It is not the day-over-day delta and it is not the total cost for the day. Use it as a measure of how much the day deviated from recent normal, not as the spike’s absolute size.If you want to monitor the day-over-day or week-over-week dollar increase directly, use a Cost Alert instead.