Cloud Cost Anomaly Detection with AIOps: Beyond Tag-and-Pray
The $40k overnight surprise nobody saw coming was visible in the metrics by hour two. Static budget alerts could not see it; an anomaly model could have. Here is the playbook.
Why static budget alerts always fire late
The default cost alert in every cloud is "tell me when monthly spend exceeds $X." By the time the alert fires, the damage is done, you spent the budget; the bill is the bill. The alert is a notification, not a control.
Worse, the threshold is calibrated to the wrong thing. Most teams set it 10-20% above expected monthly spend. A bug that doubles compute usage burns the entire 20% buffer in two days; the alert fires on day six; the engineering team finds out on day seven via a finance email.
The anomaly-detection upgrade
Anomaly detection asks a different question. Not "is total spend over a number" but "is the spend curve diverging from its own recent baseline." A 30% jump on a Tuesday, when Tuesdays usually look like other Tuesdays, is detectable in hours, not days.
The model does not need to be sophisticated. A rolling 30-day baseline per service, per region, per resource type, with a 3-sigma deviation threshold, catches most cost incidents. The hard part is not the math; it is the signal granularity.
The four signals every cost agent watches
Compute hours, broken down by instance family. A runaway autoscaler is the most common cost incident. Detect it by watching unexpected scale-out for any service, not just the total bill.
Egress traffic, broken down by destination. Egress is the most expensive surprise in most clouds. A misconfigured CDN that bypasses cache and pulls from origin, or a backup job that suddenly writes to the wrong region, both show up here.
Storage growth rate, broken down by class. A logging service that started writing 10x more data, or a customer that uploaded a 4TB asset by mistake, both show up here within hours.
API call volume on metered services. The "we just shipped a feature that calls Lambda 1000x more" incident. Per-API anomaly is the only way to see this before the bill arrives.
Where to send the alert
Cost anomalies do not page on-call. They go to a different channel, typically platform-engineering-alerts or finops-channel, with a 4-hour SLA. The team confirms whether it is intentional (a load test, a planned migration) or a regression. If a regression, file a ticket and assign to the service owner.
The escalation path. If a cost anomaly persists for 24 hours without acknowledgement, escalate to engineering leadership. Cost incidents that survive the first day usually become the budget incident of the quarter.
Antipatterns
Tagging-only governance. Tags help allocate cost, not catch anomalies. A perfectly tagged $40k spike is still $40k.
One alert per service. Cost incidents often span services (a misconfigured cross-region pipeline). Alert at the resource level too.
No baseline reset after intentional changes. When you intentionally double capacity for a migration, update the baseline. Otherwise the alert fires every day for a week.
What to do this week
Three moves. (1) Enable native cloud anomaly detection (AWS Cost Anomaly Detection, GCP Cost Insights, Azure Cost Management), they are free and you have not turned them on. (2) Pipe alerts to a finops channel, not on-call. (3) Pick the three most expensive services and add per-service compute-hour alerts on top of the cloud-native ones, they catch what the bill-level alerts miss.