Anomaly Detection
CostBeacon continuously monitors your cloud spend and flags unusual spikes so you can investigate and resolve them before they become expensive surprises.
How Detection Works
CostBeacon runs an automated scan every 6 hours, comparing recent cost data against historical baselines for each resource. When the cost for a resource exceeds its expected value by more than 50%, the system flags it as an anomaly.
The baseline is calculated using a rolling window of prior spend for the same resource. This means seasonal patterns and gradual growth are accounted for — only true deviations trigger an alert.
Each detected anomaly is automatically classified into a severity level based on the magnitude of the deviation, helping you prioritize which spikes to investigate first.
Severity Levels
Anomalies are categorized into four severity levels based on how far the actual cost deviates from the expected baseline:
- Low — 50% to 100% above baseline. Worth monitoring, but typically caused by normal workload variation.
- Medium — 100% to 200% above baseline. A noticeable spike that warrants investigation. Could indicate a misconfigured autoscaler or an unexpected batch job.
- High — 200% to 500% above baseline. A significant cost surge that should be investigated promptly. Triggers a real-time notification.
- Critical — More than 500% above baseline. A severe spike that likely indicates a runaway process, compromised credentials, or a major misconfiguration. Triggers an immediate notification.
Notifications
For High and Critical anomalies, CostBeacon sends real-time email notifications to the tenant administrators. This ensures that serious cost spikes are surfaced immediately, even if no one is actively looking at the dashboard.
Notification emails include the affected resource name, the expected vs. actual cost, the severity level, and a direct link to the anomaly in the CostBeacon dashboard. Low and Medium anomalies are visible in the dashboard but do not trigger email notifications by default, to reduce alert fatigue.
You can adjust notification preferences in Admin → Notifications to include additional recipients or to opt in to notifications for lower severity levels.
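The detection, severity and default notification rules described above, as an added Python sketch. It is not CostBeacon's own code: the 14-point window, the mean as baseline statistic, the handling of values that sit exactly on a band boundary, and the sample resources are assumptions.

```python
from statistics import mean

# Page values: flag when cost is more than 50% above baseline; four severity bands.
# Assumption: a value exactly on a shared boundary (100/200/500%) falls in the lower band.
BANDS = [(500.0, "Critical"), (200.0, "High"), (100.0, "Medium"), (50.0, "Low")]
EMAIL_BY_DEFAULT = {"High", "Critical"}
WINDOW = 14  # assumption: window length in data points; the page does not give one


def classify(deviation_pct):
    """Map percent above baseline to a severity, or None when within 50%."""
    for floor, name in BANDS:
        if deviation_pct > floor:
            return name
    return None


def scan(resource, history, actual, window=WINDOW):
    """Score one resource: rolling-mean baseline (assumed statistic) vs. latest cost."""
    prior = history[-window:]
    expected = mean(prior) if prior else 0.0
    if expected <= 0:
        # No usable baseline (new or previously idle resource): a percentage is
        # undefined, so this sketch skips it; review such resources separately.
        return None
    deviation = (actual - expected) / expected * 100.0
    severity = classify(deviation)
    if severity is None:
        return None
    return {"resource": resource, "expected": expected, "actual": actual,
            "deviation_pct": round(deviation, 1), "severity": severity,
            "email": severity in EMAIL_BY_DEFAULT}


# Constructed sample data (resource names and costs are invented for illustration).
SAMPLE = {
    "vm-steady": ([10.0] * 14, 13.0),                            # +30%: not flagged
    "db-growing": ([100.0 + 2 * i for i in range(14)], 128.0),   # gradual growth
    "web-autoscale": ([40.0] * 14, 100.0),                       # +150%: Medium
    "gpu-pool": ([20.0] * 14, 150.0),                            # +650%: Critical
}


def run_scan(sample=SAMPLE):
    """Return anomaly records for every resource that exceeds the threshold."""
    hits = (scan(name, hist, cost) for name, (hist, cost) in sample.items())
    return [h for h in hits if h is not None]
```

Calling run_scan() on the constructed data returns two records: the steady and the gradually growing resources stay below the 50% threshold, and only the Critical one is marked for email.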
Anomalies Dashboard
The Anomalies page provides a summary view of all detected anomalies across your connected subscriptions. At the top, summary cards show the total number of open anomalies broken down by severity level, so you can gauge the overall health of your cloud spend at a glance.
Below the summary cards, a table lists each anomaly with its resource name, subscription, severity, detected date, expected cost, and actual cost. You can sort and filter the table by severity, date range, or subscription.
To manage an anomaly, click on it to open the detail view. From there you can acknowledge it to indicate that you have reviewed the spike and determined whether it is expected or requires action. Acknowledged anomalies are moved to a separate tab so they no longer clutter the active view, but they remain available for auditing purposes.