Anomaly Detection vs Static Thresholds
Static thresholds are simple but lie as workloads shift. Anomaly detection is correct but noisy. Here is where each works and how to combine them.
When static wins
Hard SLAs: response time must be under 200ms. The threshold IS the policy.
Cost: tuning required as workloads shift. The threshold rots without maintenance.
When anomaly wins
Workloads with strong daily/weekly patterns. Static thresholds either fire all night or miss daytime issues.
Cost: noise during pattern changes (holidays, launches). Tune or override during these.
Combine
Anomaly detection for novelty; static threshold for absolutes. Both fire; either alone is incomplete.
Most mature stacks layer both.
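The layering described above, as an added example that is not part of the original page. A per-hour median/MAD baseline stands in for the anomaly detector; that choice, the sample latencies, the cut-off of 3 and all function names are assumptions.

```python
from statistics import median

SLA_LIMIT_MS = 200      # the page's hard-SLA example: the threshold is the policy
Z_LIMIT = 3.0           # assumed cut-off for "unusual for this hour"
MAD_TO_SIGMA = 1.4826   # scales MAD to a standard deviation for normal data

# Constructed history: p95 latency (ms) for the same hour on 7 prior days.
HISTORY = {
    3:  [40, 42, 38, 41, 39, 43, 40],         # quiet overnight traffic
    14: [185, 192, 188, 196, 190, 183, 194],  # afternoon peak, drifted near the SLA
}

def baseline(values, min_scale_ms=1.0):
    """Return (median, robust spread) for one hour-of-day bucket."""
    centre = median(values)
    mad = median([abs(v - centre) for v in values])
    # Floor the spread so a perfectly flat history cannot divide by zero.
    return centre, max(mad * MAD_TO_SIGMA, min_scale_ms)

def evaluate(hour, latency_ms, history=HISTORY):
    """Return the set of layers that fire for one sample."""
    fired = set()
    # Static layer: "must be under 200ms", so 200 itself is a breach.
    if latency_ms >= SLA_LIMIT_MS:
        fired.add("static")
    # Anomaly layer: distance from what is normal for this hour of day.
    centre, scale = baseline(history[hour])
    if abs(latency_ms - centre) / scale > Z_LIMIT:
        fired.add("anomaly")
    return fired

if __name__ == "__main__":
    # 03:00 at 120 ms: far above the overnight norm, yet under the SLA.
    # 14:00 at 204 ms: normal for a drifted peak, yet over the SLA.
    for hour, ms in [(3, 120), (14, 204), (14, 191), (14, 260)]:
        print(f"{hour:02d}:00 {ms:>3} ms -> {sorted(evaluate(hour, ms)) or 'quiet'}")
```

The 03:00 sample only trips the anomaly layer and the 14:00 sample at 204 ms only trips the static layer, which is the case where a baseline that has learned a slow drift hides an SLA breach.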