How We Built Real-time AWS Cost Anomaly Detection

Traditional cost monitoring tools wait for AWS to export billing data, which can take 24-48 hours. By the time you see a spike, it's already burned through your budget.

We built Sonar's anomaly detection by streaming CloudWatch metrics in real-time and correlating them with Cost Explorer data as it becomes available.

Our approach

• Streaming metrics: We poll CloudWatch every 5 minutes for service-level usage metrics.
• Baseline calculation: We maintain rolling 7-day and 30-day baselines for each service.
• Alert thresholds: Any service that exceeds 150% of its baseline triggers an immediate alert.

This approach caught a runaway Lambda function that would have cost $2,400 before AWS even generated the bill.