Anomaly Detection

The Anomaly Detection feature uses your cloud’s billing data to detect and flag abnormal spend events down to an hourly granularity.


While you can preset thresholds to be alerted through Budgets and get notifications of trends on a weekly basis, unplanned and sudden spikes in spend can become costly if they go unnoticed. Anomaly Detection alerts the channels and emails associated with a View about spikes in spend that do not match historical trends. This can help reduce and prevent unplanned expenses from events such as bugs in new deployments, tests that have been forgotten, and other unplanned and accidental situations.

How It Works

Anomaly Detection is automatically enabled across your CloudZero account and all Views using Real Cost data (see Real Cost). It checks globally across the Cloud Provider Dimensions of Accounts, Service, and Usage Family. In addition, for each View that is created, Anomaly Detection is enabled for that subset of data.

Anomaly Detection Thresholds

An Anomaly Threshold is the minimum amount that the spend must exceed to be considered an anomaly.

By default, the automatic anomaly threshold is enabled to determine if anomalous spend is found globally or within any Views. To further refine the threshold, a manual threshold can be set as a percentage of the View's daily spend. Note: Setting a manual threshold is only available for View anomalies; global anomalies use the automatic anomaly threshold.

Automatic Anomaly Threshold

Automatic thresholds use a sliding scale based on the previous 30 days of spend. The following table outlines the default thresholds for various levels of spend in the 30-day window. Note: For Global anomalies, the 30 Day Spend is total cloud spend, and for View anomalies it is total View spend.

30 Day Spend                                 Threshold
<= $100.00                                   $5.00
Between $100.00 and $1,000.00                $10.00
Between $1,000.00 and $10,000.00             $25.00
Between $10,000.00 and $50,000.00            $75.00
Between $50,000.00 and $250,000.00           $100.00
Between $250,000.00 and $1,000,000.00        $150.00
Between $1,000,000.00 and $5,000,000.00      $250.00
> $5,000,000.00                              $500.00

Setting a Manual Threshold

Thresholds for each view can be set manually to override the default thresholds noted above. To edit thresholds, a user must have an Organizer permission set on their account.

  1. Navigate to Views under the Settings tab in the left-hand navigation.
  2. On the View whose threshold you want to adjust, click the 3 dots, then select “Edit”.
  3. Scroll down to the Threshold section and select Manual.
  4. Enter a percentage of the View’s spend. This is a percentage of the average daily spend over the last 30 days, and the alert is triggered if the anomaly is greater than or equal to the percentage indicated.
  5. Click ‘Save’.

Disabling Anomaly Detection

Anomaly Detection is enabled by default for all Views. You can disable Anomaly Detection for a specific View by editing the View. See editing Views.
Simply toggle the View Anomalies switch to disable Anomaly Detection.


External Alerts

By default, Anomaly Detection alerts are sent via email to all Admin users in your organization; this can be updated in the View settings for ‘Global View’. Notifications can also be delivered directly to relevant teams by creating a View (see Creating a View). The notifications can be delivered to an email address or Slack channel. To learn more about enabling Slack notifications, see Enabling Slack Integration.

When an Anomaly is detected, a notification will be sent once. The system will not continue to send notifications about that specific anomaly, to prevent noise and avoid spamming users.

Viewing Anomalies

Anomalies can be viewed in the following areas:

  • Home Page
  • Explorer
  • Notifications


The home page Main Dashboard provides an overview of the total number of Anomalies in the past 30 days and the total cost of detected anomalies in the last 30 days. Clicking on an anomaly next to the pie chart filters Explorer to this anomaly, its associated Dimensions, and the time it occurred.


The Explorer view of anomalies provides the most granular details about the anomaly. To access anomalies in the Explorer, select “Events”. Changing your time granularity to “Hourly” will provide a precise view of when the Anomaly was detected.


Anomaly alerts will also be visible in the Notifications tab in the left-hand slideout. Selecting an anomaly there filters Explorer to that anomaly, just as selecting one on the Home Page does.