In today’s modern enterprises, the rate of innovation often outpaces the speed of oversight. As organizations adopt increasingly complex multicloud and hybrid environments, the challenge of managing cloud costs in real time has become a strategic imperative. Dynamic scaling, ephemeral workloads, and decentralized ownership across engineering teams make it difficult to maintain visibility into where spend is coming from—and why it’s happening.
Cloud cost anomalies—those sudden, unexpected spikes in usage or spend—are among the most disruptive challenges FinOps teams face. Left unchecked, they can quickly spiral into major budget overruns. These anomalies can arise from common causes like misconfigured infrastructure, unplanned autoscaling events, prolonged development environments, or, as you’ll see below, security breaches that lead to unauthorized usage. Without early detection, these issues often remain unnoticed until they show up on a monthly invoice—long after the opportunity to mitigate them has passed.
Traditional cost monitoring methods, like manual reviews and delayed reporting, are too slow to keep up with the real-time nature of cloud operations. By the time anomalies are discovered, tens of thousands of dollars can already be lost. That’s why real-time cost anomaly detection is becoming a critical capability for FinOps professionals; the ability to identify and respond to abnormal patterns as they emerge isn’t just a nice-to-have, it’s a fundamental part of cloud cost governance.
The risk of delays in your anomaly detection solution
In DoiT’s role as a managed FinOps provider, our cloud experts are often tasked with helping customers detect and mitigate the effects of cloud cost anomalies, and when applicable, working with hyperscalers like AWS, Google Cloud, and Microsoft Azure to secure refunds on their behalf.
However, when the size and scope of an anomaly are exceedingly large, traditional anomaly detection that’s based solely on cloud billing data can be too delayed to prevent a serious impact on the monthly cloud bill. This is because cloud providers typically only update their cost reporting data once a day, which can lead to a 24-48 hour delay until the anomaly shows up. In that time, as you’ll see in the cases below, costs can balloon to well beyond what a company typically spends in total monthly cloud costs.
Cost anomalies resulting from security breaches
Over a weekend in March of 2025, DoiT account teams became aware of a major cost spike in several of our customers’ accounts.
The cause of these spikes was a malicious actor who had gotten access to the customers’ environments through a misconfigured Jenkins plugin and spun up several new EC2 metal instances for the purpose of mining cryptocurrency. Upon detection, the team quickly alerted the customers to the situation and helped them shore up the security breach and turn off the unauthorized EC2 workloads to stop the accumulation of exorbitant costs.
But because the spike was detected from the updated AWS Cost and Usage Report (CUR), the instances had been running for over 24 hours before anyone was aware. In that time they racked up over $90,000 in pirated AWS costs on the customers’ cloud bills, an increase of 26.7% over their average monthly spend, a rate that could be catastrophic for companies with limited resources and tight operating budgets.
Company | Average monthly AWS spend | Cost of anomaly | Cost as percentage of monthly cloud spend |
Company 1 | €62,798 | €25,532 | 40.6% |
Company 2 | $274,148 | $48,971 | 17.9% |
Company 3 | $8,856 | $17,773 | 200.7% |
Benefits of DoiT’s real-time anomaly detection
Had those customers enabled real-time anomaly detection within DoiT Cloud Intelligence™, their AWS CloudTrail data would have triggered an alert for these anomalies less than 30 minutes after the costs exceeded the customers’ normal range of spend (as determined by DoiT’s advanced ML models). Given the rate at which the malicious actor racked up costs, this would have led to an average of $29,220 in costs avoided compared to the actual incursion that was caught from the CUR data.
Company | Cost of EC2 anomaly | Potential savings from real-time anomaly detection |
Company 1 | €25,532 | €24,255 |
Company 2 | $48,971 | $46,522 |
Company 3 | $17,773 | $16,884 |
This capability, which is available to any customer with an Enhanced or Enterprise subscription to DoiT Cloud Navigator, can be enabled by granting additional permissions for DoiT to read the real-time CloudTrail data. This can be done from the ‘Link AWS’ screen in the DoiT console (located under the Integrate tab on the top-screen dropdown menu) by copying and pasting the CloudShell command into your AWS console. Within a few minutes, DoiT will begin monitoring the data and triggering alerts in real time that can be sent to both the customer’s email and Slack or MS Teams channels.
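Why CloudTrail events surface this kind of incident sooner than the daily CUR can be illustrated with the following added example, which is not DoiT's code or model. It scans RunInstances records and alerts when a single principal adds more hourly run-rate within 30 minutes than a fixed threshold allows; the threshold stands in for a learned baseline, and the hourly prices, principals and events are constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed hourly USD rates for illustration only; load real prices in practice.
ASSUMED_HOURLY_USD = {"c5.metal": 4.0, "m5.large": 0.1}
UNKNOWN_TYPE_USD = 1.0  # assumed fallback rate for types missing from the table

def ev(time, arn, types, error=None):
    """Build a constructed CloudTrail RunInstances record with only the fields used."""
    return {"eventName": "RunInstances", "eventTime": time, "errorCode": error,
            "userIdentity": {"arn": arn},
            "responseElements": None if error else
                {"instancesSet": {"items": [{"instanceType": t} for t in types]}}}

CI = "arn:aws:iam::111122223333:role/ci-build"   # constructed principals
DEV = "arn:aws:iam::111122223333:user/dev"
SAMPLE_EVENTS = [
    ev("2025-03-15T02:00:00Z", DEV, ["m5.large"]),
    ev("2025-03-15T02:05:00Z", CI, ["c5.metal"] * 4),
    ev("2025-03-15T02:10:00Z", CI, ["c5.metal"] * 4, error="Client.InstanceLimitExceeded"),
    ev("2025-03-15T02:20:00Z", CI, ["c5.metal"] * 4),
    ev("2025-03-15T04:00:00Z", CI, ["m5.large"]),
]

def detect(events, threshold_usd_per_hour, window=timedelta(minutes=30)):
    """Alert when one principal adds more hourly run-rate within `window` than allowed."""
    recent, alerts = {}, []  # recent: arn -> deque of (time, added $/h, metal count)
    for e in sorted(events, key=lambda e: e["eventTime"]):
        if e.get("eventName") != "RunInstances" or e.get("errorCode"):
            continue  # other API calls and failed launches add no spend
        when = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        types = [i["instanceType"] for i in e["responseElements"]["instancesSet"]["items"]]
        rate = sum(ASSUMED_HOURLY_USD.get(t, UNKNOWN_TYPE_USD) for t in types)
        q = recent.setdefault(e["userIdentity"]["arn"], deque())
        q.append((when, rate, sum(t.endswith(".metal") for t in types)))
        while when - q[0][0] > window:  # drop launches older than the window
            q.popleft()
        added = sum(r for _, r, _ in q)
        if added > threshold_usd_per_hour:
            alerts.append({"arn": e["userIdentity"]["arn"], "time": e["eventTime"],
                           "added_usd_per_hour": added, "metal": sum(m for _, _, m in q)})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, threshold_usd_per_hour=10.0):
        print(alert)
```

The alert fires on the launch event itself, so the delay is bounded by CloudTrail delivery rather than by the billing export cycle.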
Mitigating the damage of cost anomalies
While detection is a vital part of the process of dealing with cloud cost anomalies, the follow-up process is equally important to ensure that the source of the spike is brought under control and that further spikes are prevented. From there, you can also work with the cloud provider to see if any of the incurred costs qualify for reimbursement.
In situations such as the ones described above, as a customer's authorized cloud reseller, DoiT can work with AWS on their behalf to refund at least some of the costs incurred from the security breach. DoiT cloud experts also work with customers’ internal cloud operations teams to ensure that security vulnerabilities like those found in the Jenkins plugins are rectified, thereby preventing any further access breaches.
To learn more about DoiT’s real-time anomaly detection, reach out to us to speak with a certified cloud expert, or get in touch with your DoiT account manager.