How does Cognocient detect AI spend anomalies?
Cognocient detects statistically significant deviations in your AI spend and call frequency — automatically, with no thresholds to configure. When something unusual happens, you get a root-cause analysis before you even know to look.
Cognocient automatically detects statistically significant spikes and drops in your AI spend and call frequency — no thresholds to configure. When something unusual happens, the dashboard surfaces a root-cause analysis before you even know to look.
| Metric | Value | Detail |
|---|---|---|
| Detection latency | < 5 min | From anomaly occurring to alert appearing |
| Avg projected cost | $340 | Prevented per anomaly if unaddressed |
| False positive rate | < 4% | Alerts confirmed as non-issues |
How anomaly detection works
Cognocient builds a rolling baseline for each feature's spend and call frequency using the past 14 days of data. An anomaly is triggered when either metric deviates more than 2.5 standard deviations from the expected value for that time-of-day and day-of-week. This means weekday morning patterns are compared to other weekday mornings — not to Sunday night patterns that would produce false positives.
No thresholds to set. Detection is automatic from day one. Baseline accuracy improves over the first 14 days as Cognocient learns your usage patterns.
Types of anomalies Cognocient detects
Spend spike (Most common)
A feature's hourly or daily cost is significantly higher than normal. Most common causes: eval harness left running, rate-limit backoff loop, new code deployment with higher token usage.
Call frequency spike
Call volume has increased dramatically without a corresponding change in users. Often caused by infinite retry loops, polling patterns, or a background job that started triggering AI calls on every execution.
New untagged feature
A significant number of calls with no X-Cost-Feature header have appeared — indicating a new code path reached production without attribution headers.
Model change detected
A feature that was consistently using one model has switched to a more expensive model. Often happens when developers change the model in code and the cost impact isn't visible until the invoice.
Budget approaching limit
A budget is projected to be exhausted before the end of the billing cycle based on current spend rate. Cognocient alerts at 70%, 85%, and 95% consumption.
Anomaly investigation workflow
When an anomaly appears in your dashboard, follow this workflow to resolve it in under five minutes.
-
Read the root-cause hypothesis — Cognocient prepares a plain-English hypothesis for every anomaly: "Likely eval harness left running" or "New code deployment detected at 14:23 UTC." Start here before investigating.
-
Check the call frequency graph — The anomaly detail view shows calls/hour for the past 48 hours with the anomaly window highlighted in red. A sharp vertical line confirms a one-time event (deployment, manual trigger). A gradual rise suggests a growing backlog or user growth.
-
Drill into Live Calls — Click "View calls" to open the Live Calls feed filtered to this feature and time window. Examine the pattern — are calls coming from one user? One session? Randomly? This tells you whether it's a code bug, a runaway agent, or a legitimate usage spike.
-
Take action — Three options: Dismiss (false positive — won't affect your anomaly score), Snooze for 24h (expected spike, e.g., product launch), or Escalate to Slack (send to your engineering channel with full context included).
-
Apply a budget cap if needed — If the root cause is a runaway process, click "Cap feature spend" to immediately apply an hourly budget to the affected feature. Choose Degrade mode to avoid a hard outage while the engineering team investigates.
Notification channels
Configure where anomaly alerts are delivered in Settings → Notifications. Available channels:
| Channel | Detail |
|---|---|
| Immediate alert with full anomaly context. Delivered within 5 minutes of detection. | |
| Slack | Rich formatted message to a channel of your choice. Includes one-click acknowledge and view links. |
| PagerDuty | Available on Business plan. Triggers a PD incident for anomalies above a configurable cost threshold. |
| Webhook | POST to any endpoint. Full anomaly JSON payload — build your own alerting workflow. |
Enable the Nightly Anomaly Digest to receive a single email each morning summarising all anomalies from the past 24 hours — with projected costs and recommended actions. Most FinOps teams subscribe their finance lead to this digest.
Next steps: Budget Enforcement · Waste Detection · Live Calls
Related articles
Waste Detection
Automatically identify retry waste, model mismatches, and context bloat.
Context Tax Analyser
Identify features paying static prompt overhead on every call — prime caching candidates.
Token Maxing Detector
Detect frontier models used for short outputs — tasks a cheaper model could handle.