Catch AWS Cost Spikes Before They Hit Your Bill
CostPatrol scans your AWS costs daily, compares every service against rolling baselines, and sends dollar-prioritized alerts to Slack. Deterministic rules. No ML black box. Read-only.
The problem with AWS cost surprises
AWS bills are a black box until month-end. By then, a misconfigured Lambda has been running for three weeks, a forgotten NAT Gateway has been processing gigabytes of cross-AZ traffic, or a CloudWatch log group has been ingesting at 10x the normal rate. The damage is done. You find out when the invoice arrives.
AWS Cost Explorer shows you what happened. It does not tell you when it is happening. The built-in budgets feature sends alerts when you hit a threshold you defined — but you have to guess the right threshold for every service, and the alert arrives via email or SNS with no context about which resource caused the spike or how to fix it.
AWS Cost Anomaly Detection adds ML-based detection, but it operates as a black box. You cannot inspect the model, explain why an alert fired, or understand why a legitimate spike was missed. It delivers via SNS or email — not where your engineering team actually works.
The result: industry estimates put 30-40% of cloud spend down as waste, and most teams discover cost anomalies days or weeks after they start. Every day of delay compounds the damage.
How CostPatrol detects anomalies
CostPatrol runs daily scans against AWS Cost Explorer. For every monitored service, it compares yesterday's cost to a rolling baseline — a 7-day, 14-day, or 30-day average depending on the rule. When the deviation exceeds a service-specific threshold, CostPatrol fires an alert with the dollar impact, the affected service, the severity level, and a suggested fix command.
This is not machine learning. Every rule is deterministic, every threshold is explicit, and every alert is fully explainable. You can read the detection logic and understand exactly why an alert fired.
Daily cost ingestion
CostPatrol pulls up to 60 days of daily cost data from AWS Cost Explorer, broken down by service. This happens automatically — no manual exports, no CSV uploads, no data pipeline to maintain.
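To make the ingestion step concrete, here is a minimal sketch of flattening a Cost Explorer response (DAILY granularity, grouped by SERVICE) into per-service daily series. This is illustrative, not CostPatrol's actual implementation; the `daily_costs_by_service` helper and the sample data are made up, but the response shape matches what `GetCostAndUsage` returns.

```python
from collections import defaultdict

def daily_costs_by_service(response):
    """Flatten a Cost Explorer GetCostAndUsage response
    (DAILY granularity, grouped by SERVICE) into {service: [(date, cost), ...]}."""
    series = defaultdict(list)
    for day in response["ResultsByTime"]:
        date = day["TimePeriod"]["Start"]
        for group in day["Groups"]:
            service = group["Keys"][0]
            amount = float(group["Metrics"]["UnblendedCost"]["Amount"])
            series[service].append((date, amount))
    return dict(series)

# Sample shaped like a real API response (values invented):
sample = {
    "ResultsByTime": [
        {"TimePeriod": {"Start": "2024-05-01", "End": "2024-05-02"},
         "Groups": [{"Keys": ["AWS Lambda"],
                     "Metrics": {"UnblendedCost": {"Amount": "4.20", "Unit": "USD"}}}]},
    ]
}
print(daily_costs_by_service(sample))
```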
Rolling baseline comparison
Each rule computes a rolling average over a service-specific window. CloudWatch Logs uses a 30-day baseline. NAT Gateway uses 7 days. Lambda uses 14 days. The baseline adapts as your usage patterns change — no manual threshold tuning required.
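The baseline itself is just an average over a trailing window, excluding the day under test. A minimal sketch (the function name and sample numbers are illustrative, not CostPatrol's code):

```python
def rolling_baseline(daily_costs, window):
    """Average of the most recent `window` days, excluding the final
    entry (yesterday, the day under test). Input is oldest-to-newest."""
    history = daily_costs[:-1][-window:]
    if not history:
        return None  # brand-new account: no baseline yet
    return sum(history) / len(history)

costs = [10.0, 10.0, 12.0, 11.0, 9.0, 10.0, 11.0, 33.0]  # last entry = yesterday
baseline = rolling_baseline(costs, window=7)
print(round(baseline, 2))  # → 10.43
```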
Deviation detection
When yesterday's cost exceeds the baseline by more than the rule's threshold — 200% for CloudWatch Logs spikes, 100% for NAT Gateway, 50% for S3 storage growth — the rule fires. Each rule also has minimum-data requirements (3-14 days) to avoid false positives on new accounts.
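Putting the baseline and threshold together, a rule check reduces to a few lines. The sketch below is a simplified illustration with hypothetical parameter names; the thresholds shown mirror the NAT Gateway rule described above.

```python
def check_rule(daily_costs, window, threshold_pct, min_days):
    """Fire when yesterday exceeds the rolling baseline by more than
    threshold_pct, but only once min_days of history exist."""
    if len(daily_costs) < min_days:
        return None  # not enough data yet -- avoids new-account false positives
    history = daily_costs[:-1][-window:]
    baseline = sum(history) / len(history)
    yesterday = daily_costs[-1]
    deviation_pct = (yesterday - baseline) / baseline * 100
    if deviation_pct > threshold_pct:
        return {"deviation_pct": round(deviation_pct, 1),
                "dollar_impact": round(yesterday - baseline, 2)}
    return None

# NAT Gateway-style rule: 7-day baseline, 100% threshold.
anomaly = check_rule([5.0] * 7 + [20.0], window=7, threshold_pct=100, min_days=7)
print(anomaly)  # → {'deviation_pct': 300.0, 'dollar_impact': 15.0}
```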
Dollar-impact prioritization
Alerts are ranked by dollar impact, not percentage deviation. A 500% spike on a $2/day service is low severity. A 100% spike on a $500/day service is critical. Severity thresholds vary by rule — critical starts at $500-$1,000/day impact depending on the service.
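The ranking logic can be sketched in a few lines. The severity cutoffs below are hypothetical placeholders, since the real thresholds vary per rule:

```python
def severity(dollar_impact, critical_at=500.0, warning_at=50.0):
    """Map daily dollar impact to a severity band (cutoffs illustrative)."""
    if dollar_impact >= critical_at:
        return "critical"
    if dollar_impact >= warning_at:
        return "warning"
    return "low"

anomalies = [
    {"service": "CloudWatch Logs", "deviation_pct": 500, "dollar_impact": 10.0},
    {"service": "NAT Gateway", "deviation_pct": 100, "dollar_impact": 500.0},
]
# Rank by dollars, not percentage: the 100% spike outranks the 500% one.
ranked = sorted(anomalies, key=lambda a: a["dollar_impact"], reverse=True)
for a in ranked:
    print(a["service"], severity(a["dollar_impact"]))
```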
Slack delivery
Critical anomalies trigger immediate Slack alerts — within 1 hour of detection. All anomalies appear in the daily digest delivered to your team channel every morning at 9am in your timezone. Each alert includes the resource, the dollar impact, and a suggested CLI command to investigate or fix.
14 anomaly detection rules, live today
Each rule is purpose-built for a specific AWS service with its own baseline window, deviation threshold, and severity calculation.
CloudWatch Logs Spike
30-day rolling baseline. Fires at 200% deviation. Catches runaway log ingestion before it compounds.
NAT Gateway Spike
7-day rolling baseline. Fires at 100% deviation. Detects unexpected data processing surges through NAT Gateways.
Idle EC2 Instance
7-day cost window with low variance detection. Flags instances costing $3+/day with flat usage patterns — likely idle.
Lambda Duration Spike
14-day rolling baseline. Fires at 200% deviation. Catches Lambda functions with sudden execution time increases.
Lambda Invocation Spike
7-day rolling baseline. Fires at 500% deviation. Detects recursive loops and runaway invocation patterns.
S3 Storage Growth
7-day rolling baseline. Fires at 50% deviation. Flags unexpected storage cost acceleration before it becomes entrenched.
RDS Storage Growth
Week-over-week comparison. Fires at 50% deviation. Catches RDS storage auto-scaling or snapshot accumulation trends.
Idle RDS Instance
7-day cost window with low variance detection. Flags RDS instances costing $3+/day with flat patterns — likely unused.
Internet Data Transfer Spike
14-day rolling baseline. Fires at 200% deviation. Catches unexpected egress surges that drive up transfer costs.
Cross-AZ Data Transfer
30-day baseline with projected monthly threshold. Flags when cross-AZ transfer exceeds $100/month projected cost.
CloudWatch Metrics Growth
Week-over-week comparison. Fires at 50% deviation. Detects custom metric proliferation driving up monitoring costs.
Over-Provisioned ECS Tasks
7-day cost window with low variance. Flags Fargate tasks costing $3+/day with flat usage — likely over-provisioned.
Idle Kubernetes Nodes
7-day cost window with low variance. Flags EKS nodes costing $5+/day with flat patterns — likely underutilized.
More rules shipping
Bedrock/GenAI token spikes, DynamoDB on-demand surges, runaway auto-scaling, EBS snapshot accumulation, and more. New rules every release.
Slack-first delivery — not another dashboard to ignore
Cost anomaly tools are only useful if your team sees the alerts. Dashboards go unchecked. Email alerts get filtered. SNS topics require configuration and routing infrastructure you have to maintain.
CostPatrol delivers anomaly alerts directly to your team's Slack channel. Critical anomalies arrive immediately. Every anomaly appears in the daily digest — a single message at 9am with yesterday's costs, active anomalies ranked by dollar impact, and top savings opportunities.
Each alert includes the affected service, the dollar impact, the severity level, and a suggested CLI command. Your team can investigate and resolve without leaving Slack. No context switching, no dashboard login, no ticket to file first.
The daily digest format is designed for engineering teams, not finance dashboards.
How CostPatrol compares
Four approaches to AWS cost anomaly detection. One is built for engineering teams.
| Capability | CostPatrol | AWS Cost Anomaly Detection | CloudZero | Vantage |
|---|---|---|---|---|
| Detection method | Deterministic rules, fully explainable | ML-based (black box) | ML + anomaly scoring | Budget threshold alerts |
| Alert delivery | Slack (immediate + daily digest) | SNS / Email | Slack / Email | Slack / Email |
| Fix commands included | Yes — exact CLI commands per alert | No | No | No |
| Dollar-impact ranking | Yes — severity by dollar impact | Partial (impact estimate) | Yes | No (threshold-based) |
| Service-specific rules | 14 rules across 9+ services | Account-level / service-level monitors | Per-unit cost tracking | Budget-based only |
| Baseline approach | Rolling averages (7-30 day windows) | ML model (opaque) | ML model | Static budgets |
| False positive control | Minimum data day requirements per rule | Adjustable sensitivity | Configurable thresholds | Manual budget setting |
| AWS access | Read-only (zero write) | Native (no extra IAM) | Read access required | Read access via CUR |
| Pricing | $99-499/mo flat | Free (included with AWS) | Custom (enterprise pricing) | Free tier + paid plans |
| Setup time | 2 minutes (CloudFormation) | Minutes (native) | Days (enterprise onboarding) | Hours (CUR setup) |
| Optimization rules included | Yes — 111 rules across 30+ services | No (anomaly only) | Limited | Limited (Autopilot) |
Why deterministic rules beat ML for cost anomalies
Machine learning anomaly detection sounds sophisticated. In practice, for AWS cost monitoring, it creates problems that deterministic rules avoid.
Every alert is explainable
When CostPatrol fires a CloudWatch Logs spike alert, you know exactly why: yesterday's CloudWatch cost exceeded the 30-day rolling average by more than 200%. No model interpretation required. No "the algorithm detected an anomaly" hand-waving. Your team can validate the alert in Cost Explorer in 30 seconds.
No training period black hole
ML models need weeks of data to calibrate. During that period, you get either no alerts or noisy false positives. CostPatrol rules have explicit minimum data requirements — some rules fire with just 3 days of history. You get useful alerts from day one, not day thirty.
No false positive fatigue
ML models for cost data are notoriously noisy. Seasonal patterns, one-time events, and legitimate infrastructure changes all look like anomalies to a model that cannot distinguish intent. CostPatrol rules use dollar-impact thresholds — a 200% spike that costs $5 is not an alert. A 100% spike that costs $500 is. This keeps the signal-to-noise ratio high.
Service-specific intelligence
A generic ML model treats all AWS services the same. CostPatrol has purpose-built rules for each service. CloudWatch Logs gets a 30-day baseline because log ingestion patterns are seasonal. NAT Gateway gets a 7-day baseline because traffic patterns change faster. Lambda invocation spikes use a 500% threshold because Lambda costs are inherently bursty. This service-specific tuning reduces false positives without sacrificing detection sensitivity.
Frequently asked questions
How does CostPatrol detect AWS cost anomalies?
CostPatrol pulls daily cost data from AWS Cost Explorer and compares each service against its rolling baseline (7-30 days depending on the rule). When a service exceeds its deviation threshold — for example, CloudWatch Logs spiking 200% above the 30-day average — CostPatrol fires an alert with the dollar impact, affected service, and suggested fix command. Every rule is deterministic and fully explainable.
How is CostPatrol different from AWS Cost Anomaly Detection?
AWS Cost Anomaly Detection uses ML models and delivers alerts via SNS or email. CostPatrol uses deterministic, expert-encoded rules with explicit thresholds — every alert is fully explainable. CostPatrol delivers to Slack with exact CLI fix commands and dollar-impact prioritization. AWS Cost Anomaly Detection is free but limited to anomaly detection. CostPatrol includes 100+ optimization rules alongside anomaly detection for $99-499/mo flat.
Does CostPatrol require write access to detect anomalies?
No. CostPatrol connects via a read-only IAM role deployed through CloudFormation in under 2 minutes. It reads cost data from Cost Explorer and resource metadata from describe/list APIs. Zero write permissions. It will never modify, terminate, or delete any resource in your AWS account.
What AWS services does CostPatrol monitor for anomalies?
CostPatrol currently monitors EC2, Lambda, CloudWatch Logs, NAT Gateway, S3, RDS, ECS/Fargate, EKS, and cross-AZ/internet data transfer for cost anomalies. Each service has purpose-built rules with service-specific baselines and thresholds tuned to that service's cost behavior. More services — including Bedrock, DynamoDB, and API Gateway — are shipping soon.
How quickly does CostPatrol detect a cost spike?
CostPatrol runs daily scans against Cost Explorer data. Cost spikes are detected within 24 hours of the cost occurring in AWS. Critical anomalies trigger immediate Slack alerts. All anomalies appear in the daily digest delivered to your team channel every morning at 9am in your timezone.
Can I use CostPatrol alongside AWS Cost Anomaly Detection?
Yes. CostPatrol is read-only and does not interfere with any AWS-native tools. Many teams run AWS Cost Anomaly Detection for broad coverage and CostPatrol for service-specific, actionable alerts with CLI fix commands delivered to Slack. The two are complementary — CostPatrol adds the fix recommendations and Slack workflow that AWS native tools lack.
See what CostPatrol finds on your account
14 anomaly detection rules. 100+ optimization rules. Read-only access. Alerts to Slack. Results in minutes.