Tuning Anomaly Detection
- 04 Nov 2025
- 5 Minutes to read
- Print
- DarkLight
- PDF
Tuning Anomaly Detection
- Updated on 04 Nov 2025
- 5 Minutes to read
- Print
- DarkLight
- PDF
Article summary
Did you find this summary helpful?
Thank you for your feedback!
In this article we will demystify the anomaly detection algorithm and explain how this works under the hood to help you with tuning the threshold multiplier setting as shown below.
.png)
🔍 Standard Deviation in calculating the anomaly?
Standard deviation is a measure of how much values normally vary from the average. We use this to look for anomalies.
If daily cost changes are usually small and steady, the standard deviation will be low
If daily cost changes jump around a lot, the standard deviation will be high
So in cost anomaly detection, the standard deviation tells us:
“What is a normal amount of fluctuation?”
That way, we don’t flag every tiny cost change as a problem — only the ones that are well outside the usual pattern.
📌 How It Fits Into the Algorithm
Take the last 30 days of cost changes
Compute the standard deviation → this gives the “normal movement range”
Multiply it by a threshold multiplier (1.0, 1.5, 2.0, etc.)
If today’s cost change is outside that range → flag as anomaly
⚙️Threshold Multiplier
In Turbo360 we use a setting called threshold multiplier which allows you to configure the sensitivity of the anomaly detection within the cost management group.
The below table will illustrate how the threshold multiplier will impact the alert being fired or not in a potential anomaly scenario.
Threshold Multiplier | Standard Deviation | Anomaly Threshold (SD × Multiplier) | Today’s Cost Change | Alert Triggered? | Sensitivity Level |
|---|---|---|---|---|---|
1.0 | 50 | 50 | 120 | ✅ Yes | Very sensitive |
1.5 | 50 | 75 | 120 | ✅ Yes | High sensitivity |
2.0 | 50 | 100 | 120 | ✅ Yes | Balanced |
2.5 | 50 | 125 | 120 | ❌ No | Low sensitivity |
3.0 | 50 | 150 | 120 | ❌ No | Very low sensitivity |
✅ Notes for above table:
The standard deviation stays fixed at 50 in this example — only the multiplier changes
The anomaly threshold increases as the multiplier increases
The cost change (120) stays constant — this shows how same event behaves differently based on tuning
This makes it easy to explain why noise vs. signal depends on configuration
Normal Process
When setting up a new cost management group with monitoring we normally recommend that unless you have specific plans, start with the anomaly detection set to 1 and you will get a feel for the kinds of anomalies you might get on a day to day basis for a period of time.
Once you have a feel for the application the threshold multiplier can be tuned to an appropriate setting based on your comfort level for this application.
📊 Understanding: 7-Day Rolling Standard Deviation of Cost Changes
The below table will give you an illustration of how a rolling standard deviation is calculated based on a 7 day rather than 30 day cycle to simplify things.
Day | Daily Cost ($) | Daily Cost Change ($) | 7-Day Std Dev of Change | Interpretation |
|---|---|---|---|---|
1 | 500 | — | — | First day, no change yet |
2 | 510 | +10 | — | Still building sample |
3 | 515 | +5 | — | Small steady changes |
4 | 520 | +5 | — | No volatility yet |
5 | 518 | -2 | — | Slight dip, still stable |
6 | 525 | +7 | — | Still small movement |
7 | 530 | +5 | 4.03 | ✅ Low standard deviation → predictable cost |
8 | 590 | +60 | 23.74 | 🔥 Large spike increases deviation sharply |
9 | 600 | +10 | 20.45 | Still high due to recent big jump |
10 | 605 | +5 | 18.98 | Volatility slowly drops as spike moves out of window |
11 | 608 | +3 | 17.11 | Returning to normal behavior |
12 | 610 | +2 | 15.87 | Still elevated but shrinking |
13 | 612 | +2 | 14.34 | Settling back down |
14 | 615 | +3 | 13.04 | Stable pattern again |
When would an anomaly signal
Consider the below parameters:
The below table shows when we would expect the anomaly to trigger and an alert to be sent.
Day | Cost Change ($) | Std Dev ($) | Threshold (SD × 2.0) | Anomaly? |
|---|---|---|---|---|
7 | +5 | 4.03 | 8.06 | ❌ No (normal behaviour) |
8 | +60 | 23.74 | 47.48 | ✅ Yes – +60 > 47.48 |
9 | +10 | 20.45 | 40.90 | ❌ No |
10 | +5 | 18.98 | 37.96 | ❌ No |
11 | +3 | 17.11 | 34.22 | ❌ No |
12 | +2 | 15.87 | 31.74 | ❌ No |
13 | +2 | 14.34 | 28.68 | ❌ No |
14 | +3 | 13.04 | 26.08 | ❌ No |
🔥 Result
✅ Only Day 8 triggers an anomaly
Because the spike (+60) was outside the tolerated range for that point in time.
Even though the standard deviation stays high for several days afterward, the cost changes return to small values, so no repeated anomalies are fired — this is exactly the benefit of a rolling standard deviation model.
🧠 Why Only One Alert?
Because the system is designed to catch the sudden spike, not punish the user for the next 7 days while the rolling model cools down.
This is the difference between:
Bad model | Good model (yours) |
|---|---|
Alerts every day for 7 days after spike | Alerts only on the true event |
Uses static threshold like “> $50” | Uses statistical threshold that auto-adjusts |
Lots of noise | Signal only |
🔍 How the Cost Anomaly Detection Algorithm Works [Deep Dive]
We review the service level costs within the cost scope on the tree view where the monitoring is configured.
Collect Cost History
Retrieve the last 30 days of daily cloud cost data.
For each day, calculate the day-over-day cost change:
CostChange[day] = Cost[day] – Cost[day-1]
Establish Normal Behaviour
Compute the standard deviation of those 30 daily cost changes.
This gives a baseline of what “normal fluctuation” looks like.
Check Today’s Cost Movement
Compute today’s change:
TodayChange = Cost[today] – Cost[yesterday]
(example: 29-10-2025)
Apply the Anomaly Threshold
An anomaly is detected if:
abs(TodayChange) > (StandardDeviation × ThresholdMultiplier)
Threshold Multiplier Controls Sensitivity
Smaller multiplier (e.g., 1.0 – 1.5) → more sensitive → more alerts (good for early warning)
Larger multiplier (e.g., 2.0 – 3.0) → less sensitive → only large spikes/drops alert
When we identify an area where they looks to be an anomaly we then look for potential resources which cause this cost spike.
📊 Example Scenario
We’ll use 7 days instead of 30 for simplicity — the logic is identical.
Day | Date | Daily Cost ($) |
|---|---|---|
1 | 22-Oct | 100 |
2 | 23-Oct | 102 |
3 | 24-Oct | 101 |
4 | 25-Oct | 105 |
5 | 26-Oct | 104 |
6 | 27-Oct | 160 |
7 | 28-Oct | 158 (“Today” for anomaly check) |
1️⃣ Calculate Daily Cost Change
CostChange[day] = Cost[day] – Cost[day-1]
Day | Cost | Change |
|---|---|---|
23-Oct | 102 | 102 − 100 = +2 |
24-Oct | 101 | 101 − 102 = -1 |
25-Oct | 105 | 105 − 101 = +4 |
26-Oct | 104 | 104 − 105 = -1 |
27-Oct | 160 | 160 − 104 = +56 |
28-Oct | 158 | 158 − 160 = -2 (today’s change) |
So our last 6 changes are:
[ +2, -1, +4, -1, +56, -2 ]2️⃣ Compute Standard Deviation of These Changes
Step A — Mean (average) cost change
Add all 6 changes:
2 + (-1) + 4 + (-1) + 56 + (-2) = 58Divide by 6:
58 ÷ 6 = 9.6667 (mean)Step B — Variance (average squared deviation from mean)
Change | Deviation from mean | Squared |
|---|---|---|
+2 | 2 − 9.6667 = -7.6667 | 58.78 |
-1 | -1 − 9.6667 = -10.6667 | 113.78 |
+4 | 4 − 9.6667 = -5.6667 | 32.11 |
-1 | -1 − 9.6667 = -10.6667 | 113.78 |
+56 | 56 − 9.6667 = +46.3333 | 2146.78 |
-2 | -2 − 9.6667 = -11.6667 | 136.11 |
Sum of squared deviations:
58.78 + 113.78 + 32.11 + 113.78 + 2146.78 + 136.11 = 2601.34Divide by number of samples (6):
2601.34 ÷ 6 = 433.56 (variance)Standard deviation = √variance:
√433.56 ≈ 20.82So:
StandardDeviation ≈ 20.823️⃣ Check Today’s Change Against Threshold
Today’s change was:
-2Assume the ThresholdMultiplier = 2.0
So anomaly threshold is:
20.82 × 2.0 = 41.64Now we check:
abs(-2) = 2 → 2 < 41.64 ✅ No anomaly4️⃣ But What About Yesterday’s Big Spike?
Yesterday (27-Oct) change was +56
abs(56) = 56 → 56 > 41.64 ❗ Anomaly detectedSo the system would have flagged the jump from $104 → $160, but not today’s small drop back to $158.
Was this article helpful?