Cost Intelligence

How does Cognocient detect AI spend anomalies?

Cognocient detects statistically significant deviations in your AI spend and call frequency — automatically, with no thresholds to configure. When something unusual happens, you get a root-cause analysis before you even know to look.

Cognocient automatically detects statistically significant spikes and drops in your AI spend and call frequency — no thresholds to configure. When something unusual happens, the dashboard surfaces a root-cause analysis before you even know to look.

MetricValueDetail
Detection latency< 5 minFrom anomaly occurring to alert appearing
Avg projected cost$340Prevented per anomaly if unaddressed
False positive rate< 4%Alerts confirmed as non-issues

How anomaly detection works

Cognocient builds a rolling baseline for each feature's spend and call frequency using the past 14 days of data. An anomaly is triggered when either metric deviates more than 2.5 standard deviations from the expected value for that time-of-day and day-of-week. This means weekday morning patterns are compared to other weekday mornings — not to Sunday night patterns that would produce false positives.

Normal baseline (Mon 9am):  180 calls/hr  ·  $4.20/hr
Today    (Mon 9am):         4,200 calls/hr ·  $98/hr
                            ───────────────────────────
Deviation:                  +2,233%            flagged ✓

Cognocient root-cause analysis:
  "Likely eval harness left running. ticket-resolver feature
   is executing at 23× normal rate. Projected extra cost
   if unaddressed: $340 by end of day."

No thresholds to set. Detection is automatic from day one. Baseline accuracy improves over the first 14 days as Cognocient learns your usage patterns.

Types of anomalies Cognocient detects

Spend spike (Most common)

A feature's hourly or daily cost is significantly higher than normal. Most common causes: eval harness left running, rate-limit backoff loop, new code deployment with higher token usage.

Call frequency spike

Call volume has increased dramatically without a corresponding change in users. Often caused by infinite retry loops, polling patterns, or a background job that started triggering AI calls on every execution.

New untagged feature

A significant number of calls with no X-Cost-Feature header have appeared — indicating a new code path reached production without attribution headers.

Model change detected

A feature that was consistently using one model has switched to a more expensive model. Often happens when developers change the model in code and the cost impact isn't visible until the invoice.

Budget approaching limit

A budget is projected to be exhausted before the end of the billing cycle based on current spend rate. Cognocient alerts at 70%, 85%, and 95% consumption.

Anomaly investigation workflow

When an anomaly appears in your dashboard, follow this workflow to resolve it in under five minutes.

  1. Read the root-cause hypothesis — Cognocient prepares a plain-English hypothesis for every anomaly: "Likely eval harness left running" or "New code deployment detected at 14:23 UTC." Start here before investigating.

  2. Check the call frequency graph — The anomaly detail view shows calls/hour for the past 48 hours with the anomaly window highlighted in red. A sharp vertical line confirms a one-time event (deployment, manual trigger). A gradual rise suggests a growing backlog or user growth.

  3. Drill into Live Calls — Click "View calls" to open the Live Calls feed filtered to this feature and time window. Examine the pattern — are calls coming from one user? One session? Randomly? This tells you whether it's a code bug, a runaway agent, or a legitimate usage spike.

  4. Take action — Three options: Dismiss (false positive — won't affect your anomaly score), Snooze for 24h (expected spike, e.g., product launch), or Escalate to Slack (send to your engineering channel with full context included).

  5. Apply a budget cap if needed — If the root cause is a runaway process, click "Cap feature spend" to immediately apply an hourly budget to the affected feature. Choose Degrade mode to avoid a hard outage while the engineering team investigates.

Notification channels

Configure where anomaly alerts are delivered in Settings → Notifications. Available channels:

ChannelDetail
EmailImmediate alert with full anomaly context. Delivered within 5 minutes of detection.
SlackRich formatted message to a channel of your choice. Includes one-click acknowledge and view links.
PagerDutyAvailable on Business plan. Triggers a PD incident for anomalies above a configurable cost threshold.
WebhookPOST to any endpoint. Full anomaly JSON payload — build your own alerting workflow.

Enable the Nightly Anomaly Digest to receive a single email each morning summarising all anomalies from the past 24 hours — with projected costs and recommended actions. Most FinOps teams subscribe their finance lead to this digest.


Next steps: Budget Enforcement · Waste Detection · Live Calls

On this page