Catching a cost anomaly the same day, not at month-end
The expensive anomalies are the quiet ones. How continuous detection separates a real regression from normal variance — and routes it before it compounds for thirty days.
%22%2F%3E%3Ctext%20x%3D%22120%22%20y%3D%22118%22%20fill%3D%22%2360a5fa%22%20font-size%3D%2229%22%20font-weight%3D%22800%22%20letter-spacing%3D%228%22%3EANOMALY%20DETECTION%3C%2Ftext%3E%3Ctext%20x%3D%22120%22%20y%3D%22180%22%20fill%3D%22%23f1f5f9%22%20font-size%3D%2256%22%20font-weight%3D%22800%22%3ECaught%20the%20same%20day%3C%2Ftext%3E%3Cline%20x1%3D%22170%22%20y1%3D%22720%22%20x2%3D%221470%22%20y2%3D%22720%22%20stroke%3D%22rgba(255%2C255%2C255%2C.12)%22%2F%3E%3Cpath%20d%3D%22M170%20508.79999999999995%20L213.33333333333334%20499.14081270502163%20L256.6666666666667%20491.4431998174264%20L300%20487.2703819247368%20L343.33333333333337%20487.4697691179889%20L386.66666666666663%20492.00087012151937%20L430%20499.94351520527107%20L473.3333333333333%20509.6847229819471%20L516.6666666666667%20519.2462624380893%20L560%20526.6863893544812%20L603.3333333333333%20530.4941730388005%20L646.6666666666666%20529.896334042589%20L690%20525.0142806830161%20L733.3333333333334%20516.8394536096065%20L776.6666666666666%20507.0319854072538%20L820%20497.5835631650942%20L863.3333333333334%20490.4129594148503%20L906.6666666666666%20486.97637045673014%20L950%20487.9716940271662%20L993.3333333333333%20493.1968011909584%20L1036.6666666666665%20501.59058440610295%20L1080%20511.4484457770287%20L1123.3333333333333%20520.7684644395661%20L1166.6666666666667%20527.6579438834954%20L1210%20530.717778144236%20L1253.3333333333335%20529.3265803086447%20L1296.6666666666667%20523.7668729106119%20L1340%20515.1677136453114%20L1383.3333333333333%20505.2754078927614%20L1426.6666666666667%20496.0988714345513%20L1470%20489.50166261313086%20L1470%20559.9016626131308%20L1426.6666666666667%20566.4988714345513%20L1383.3333333333333%20575.6754078927614%20L1340%20585.5677136453114%20L1296.6666666666667%20594.1668729106119%20L1253.3333333333335%20599.7265803086447%20L1210%20601.1177781442361%20L1166.6666666666667%20598.0579438834953%20L1123.3333333333333%20591.1684644395662%20L1080%20581.8484457770287%20L1036.6666666666665%20571.990584406103%20L993.3333333333333%20563.5968011909584%20L950%20558.3716940271662%20L906.6666666666666%20557.3763704567301%20L863.3333333333334%20560.8129594148503%20L820%20567.9835631650942%20L776.6666666666666%20577.4319854072538%20L733.3333333333334%20587.2394536096066%20L690%20595.414280683016%20L646.6666666666666%20600.296334042589%20L603.3333333333333%20600.8941730388004%20L560%20597.0863893544813%20L516.6666666666667%20589.6462624380893%20L473.3333333333333%20580.0847229819472%20L430%20570.343515205271%20L386.66666666666663%20562.4008701215193%20L343.33333333333337%20557.8697691179889%20L300%20557.6703819247368%20L256.6666666666667%20561.8431998174264%20L213.33333333333334%20569.5408127050216%20L170%20579.2%20Z%22%20fill%3D%22rgba(255%2C255%2C255%2C.06)%22%2F%3E%3Ctext%20x%3D%22186%22%20y%3D%22552%22%20fill%3D%22%2364748b%22%20font-size%3D%2222%22%3Eexpected%20range%3C%2Ftext%3E%3Cpolyline%20points%3D%22170%2C544%20213.33333333333334%2C534.3408127050217%20256.6666666666667%2C526.6431998174263%20300%2C522.4703819247368%20343.33333333333337%2C522.6697691179888%20386.66666666666663%2C527.2008701215194%20430%2C535.1435152052711%20473.3333333333333%2C544.8847229819471%20516.6666666666667%2C554.4462624380892%20560%2C561.8863893544813%20603.3333333333333%2C565.6941730388005%20646.6666666666666%2C565.096334042589%20690%2C560.2142806830161%20733.3333333333334%2C552.0394536096065%20776.6666666666666%2C542.2319854072538%20820%2C532.7835631650942%20863.3333333333334%2C525.6129594148503%20906.6666666666666%2C522.1763704567302%20950%2C498.97169402716617%20993.3333333333333%2C479.9968011909584%201036.6666666666665%2C464.19058440610297%201080%2C449.84844577702876%201123.3333333333333%2C434.9684644395661%201166.6666666666667%2C417.65794388349536%201210%2C396.51777814423605%201253.3333333333335%2C370.92658030864465%201296.6666666666667%2C341.1668729106119%201340%2C308.36771364531137%201383.3333333333333%2C302%201426.6666666666667%2C302%201470%2C302%22%20fill%3D%22none%22%20stroke%3D%22%233b82f6%22%20stroke-width%3D%225%22%20stroke-linecap%3D%22round%22%20stroke-linejoin%3D%22round%22%2F%3E%3Cline%20x1%3D%22906.6666666666666%22%20y1%3D%22274%22%20x2%3D%22906.6666666666666%22%20y2%3D%22720%22%20stroke%3D%22%23f59e0b%22%20stroke-dasharray%3D%224%206%22%2F%3E%3Ccircle%20cx%3D%22906.6666666666666%22%20cy%3D%22522.1763704567302%22%20r%3D%2212%22%20fill%3D%22%23070b16%22%20stroke%3D%22%23f59e0b%22%20stroke-width%3D%224%22%2F%3E%3Crect%20x%3D%22756.6666666666666%22%20y%3D%22216%22%20width%3D%22300%22%20height%3D%2250%22%20rx%3D%2225%22%20fill%3D%22rgba(245%2C158%2C11%2C.12)%22%20stroke%3D%22rgba(245%2C158%2C11%2C.5)%22%2F%3E%3Ctext%20x%3D%22906.6666666666666%22%20y%3D%22250%22%20fill%3D%22%23f59e0b%22%20font-size%3D%2224%22%20font-weight%3D%22700%22%20text-anchor%3D%22middle%22%3Ecaught%20%C2%B7%20day%201%3C%2Ftext%3E%3Ctext%20x%3D%221470%22%20y%3D%22304%22%20fill%3D%22%2364748b%22%20font-size%3D%2222%22%20text-anchor%3D%22end%22%20opacity%3D%22.55%22%3Evs.%20noticed%20at%20month-end%3C%2Ftext%3E%3C%2Fsvg%3E)
A cost anomaly is rarely a dramatic spike. The dramatic ones get noticed. The expensive ones are quiet — a logging change that doubles egress, a retry loop that quietly triples API calls, a new environment that was meant to be temporary. Left alone, each compounds every day until the invoice makes it obvious.
Variance is not anomaly
The first job of detection is to not cry wolf. Infrastructure spend is naturally noisy: weekday peaks, batch windows, end-of-quarter loads. A detector that flags every Tuesday is worse than none, because people learn to ignore it. Good detection models the expected shape of each service's spend and reacts to deviation from that shape, not to absolute change.
Same-day, not month-end
The value of detection collapses with time. An anomaly caught on day one costs one day; the same anomaly caught at month-end costs thirty. This is the entire argument for continuous, granular detection over the monthly review: not that the monthly review is wrong, but that it is too late to be cheap.
Attribution is half the work
Knowing spend rose is not actionable. Knowing it rose in egress, in one account, traceable to a deploy that landed at 14:00, is. Detection that lands on the responsible dimension — service, account, region, resource — turns an alert into a lead. Without attribution, every anomaly becomes a manual investigation, and investigations do not scale.
From signal to disposition
A flagged anomaly has three honest endings: it is a real regression to fix, an expected change to acknowledge so it stops alerting, or noise to suppress. An operator that detects without routing to one of those endings just generates a backlog. The work is not the detection — it is closing the loop on each finding so the next one is easier to trust.