Skip to main content
InfraAudit flags cost anomalies — days where actual spend significantly exceeds the expected range based on recent historical patterns. Anomalies are marked on the Cost trend chart and can trigger Slack or email alerts so your team knows about unexpected spend before it accumulates.

How detection works

After each daily billing sync, InfraAudit runs an anomaly check on the new data point:
  1. Compute the expected value using a 7-day exponentially weighted moving average (EWMA) of the previous 14 days.
  2. Compute the upper bound: expected value × (1 + threshold).
  3. If actual spend > upper bound, flag the day as an anomaly.
The default threshold is 30% above the expected value. You can adjust it per provider under Settings → Cost → Anomaly threshold.

Why EWMA instead of a simple average

Simple moving averages treat all past days equally. EWMA weights recent days more heavily, which means the model adapts faster when your baseline spend genuinely increases (for example, after a new production workload launches) without continuing to flag that new level as an anomaly after it stabilizes.

Day-of-week correction

Cloud billing often varies predictably by day of week — lower spend on weekends for bursty compute workloads, for instance. InfraAudit’s model compares each day against the same day of week from previous weeks to reduce false positives from predictable weekly patterns.

What triggers an anomaly (and what doesn’t)

ScenarioAnomaly?
AWS bill spikes 50% due to accidental EC2 over-provisioningYes
Billing increases 15% after a planned deployment (within threshold)No
Daily spend is 35% above the EWMA baselineYes
Gradual 3-week increase where the trend stays within boundsNo

Configure anomaly alerts

Set up alerts under Settings → Notifications. A common configuration routes all anomalies above $50/day to the FinOps team via email. Each anomaly alert includes:
  • The affected provider and a service-level cost breakdown
  • Actual versus expected spend
  • Percentage over the expected value
  • A link to the Cost Trend chart zoomed to the anomaly date

Investigate an anomaly

In the Cost section, anomalies appear as colored spike markers on the trend chart. Click a marker to open the anomaly detail, which shows:
  • Which services drove the spend increase
  • Comparison to the previous 7-day average
  • Related resources, if resource-level billing attribution is available
To list anomalies from the CLI: 
# List all recent anomalies
infraudit cost anomalies

# List anomalies for a specific provider over the last 30 days
infraudit cost anomalies --provider 1 --days 30

Dismiss false positives

If a cost increase is expected — for example, after a planned migration to larger instances — dismiss the anomaly to prevent alert noise: 
infraudit cost anomaly dismiss <anomaly-id> \
  --reason "planned migration to larger instances"
Dismissed anomalies are hidden from the alert list but remain visible in the Cost chart with a dismissed label, so you retain the full history.

Tune the threshold

Adjust the threshold to match your workload’s natural variance: 
# For high-variance workloads (event-driven compute): reduce false positives
ANOMALY_COST_THRESHOLD=0.5

# For stable, predictable spend (reserved instances): detect smaller deviations
ANOMALY_COST_THRESHOLD=0.15
The default is 0.30 (30%). Changes take effect on the next daily billing sync.