> ## Documentation Index
> Fetch the complete documentation index at: https://docs.lectr.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Anomaly Detection

> Lectr tells you when something changes before your users or your finance team does.

## Overview

Anomaly detection watches your AI traffic continuously and alerts you when
something deviates from normal. Cost spikes, latency degradation, elevated error
rates — Lectr surfaces them automatically so you don't have to watch a dashboard
all day.

```
Your costs spiked 4.4x above their 7-day baseline at 3pm yesterday.
Feature: chat  |  Detected: Mar 14, 15:02
```

***

## How it works

Lectr builds a rolling 7-day baseline for each org and feature. Every 5 minutes,
it compares current metrics against that baseline. When something deviates by
more than 2 standard deviations, an anomaly is recorded and an alert is sent.

```
Build baseline (7-day rolling window)
        ↓
Compare current metrics every 5 minutes
        ↓
Deviation > 2σ → record anomaly → send alert
```

**Baseline requirements:**

Anomaly detection activates automatically after 48 hours of traffic. Before that,
the dashboard shows:

```
⏳ Building baseline — anomaly detection active in ~X hours
```

No configuration required. It starts watching as soon as you have enough data.

***

## What Lectr detects

| Anomaly type            | What it means                                                   |
| ----------------------- | --------------------------------------------------------------- |
| **Cost spike**          | Spend for an org or feature is significantly above its baseline |
| **Latency degradation** | P95 latency has increased significantly vs baseline             |
| **Error rate spike**    | Error rate is elevated above normal levels                      |
| **Traffic anomaly**     | Request volume is unusually high or low                         |
| **Model drift**         | `model_actual` is diverging from `model_requested` unexpectedly |

Each anomaly includes:

* The anomaly type
* Which feature it affects (if feature-tagged)
* The baseline value vs the observed value
* How many standard deviations above baseline
* When it was detected

***

## Alerts

When an anomaly is detected you receive:

* **An in-dashboard notification** — visible in the anomaly feed immediately
* **An email alert** — sent once per anomaly, not once per continued spike

The email fires once when the anomaly is first detected. If the spike continues,
you won't be flooded with repeat emails — just the one alert until it's dismissed.

<Note>
  Email alerts require a verified email address on your account. Alerts are sent
  to all Auth0-authenticated members of the org.
</Note>

***

## The anomaly feed

The dashboard shows a chronological feed of detected anomalies with severity
indicators. Anomaly markers also appear on your time-series charts — vertical
indicators at the point where the anomaly was detected.

Each anomaly in the feed shows:

```
⚠️  Cost spike — feature: chat
    4.4x above 7-day baseline ($0.42 → $1.87 per request)
    Detected Mar 14 at 15:02
    [Dismiss]
```

***

## Dismissing anomalies

If an anomaly was expected — a deliberate traffic spike, a planned test run,
a known provider issue — you can dismiss it.

Dismissed anomalies:

* Are removed from the active anomaly feed
* Do not trigger repeat alerts
* Are excluded from future baseline recalculation
* Remain visible in the anomaly history

Dismissing tells Lectr "this was intentional" — it won't keep alerting on the
same event and won't let it skew your baseline going forward.

***

## Degradation indicator

If the anomaly detection pipeline itself falls behind — the event worker is
overloaded or the database is unavailable — the dashboard shows:

```
⚠️ Observability degraded — data may be incomplete
```

Anomaly detection runs on the cold path. It never affects your proxy or request
performance. If detection is degraded, your requests continue uninterrupted.

***

## Feature tagging and anomaly detection

Anomaly detection works at two levels:

* **Org level** — aggregate metrics across all traffic
* **Feature level** — per-feature metrics when `X-Lectr-Feature` is present

Without feature tagging, you'll know *something* spiked but not *which feature*
caused it. With feature tagging, the anomaly feed tells you exactly:

```
Without tagging:  Cost spike detected for your org
With tagging:     Cost spike detected for feature "chat"
```

See [Feature Tagging](/guides/feature-tagging) to add feature-level visibility.

***

## What anomaly detection is not

Anomaly detection is observational — it tells you what happened, not why.
It does not automatically take action on your traffic.

Automated responses to anomalies — switching models, enforcing budgets,
triggering fallbacks — are coming in Phase 3.2.

***

## Reference

|                     |                                                |
| ------------------- | ---------------------------------------------- |
| Baseline window     | 7 days rolling                                 |
| Check frequency     | Every 5 minutes                                |
| Detection threshold | 2 standard deviations from baseline            |
| Minimum data        | 48 hours before detection activates            |
| Minimum sample      | 100 requests per group for meaningful baseline |
| Alert frequency     | Once per anomaly — no repeat emails            |
| Runs on             | Cold path — zero hot path impact               |

***

## FAQ

<AccordionGroup>
  <Accordion title="Why hasn't anomaly detection activated yet?">
    You need at least 48 hours of traffic before Lectr has enough data to build
    a meaningful baseline. The dashboard shows a countdown. If you've had traffic
    for longer than 48 hours and detection still isn't active, check that your
    `X-Lectr-Key` header is present on requests so events are being attributed
    to your org.
  </Accordion>

  <Accordion title="I'm getting too many alerts. Can I adjust the sensitivity?">
    Sensitivity adjustment is not available yet — the 2 standard deviation
    threshold is fixed. If you're seeing false positives, dismiss them. Dismissed
    anomalies are excluded from baseline recalculation which helps Lectr learn
    what's normal for your traffic over time.
  </Accordion>

  <Accordion title="Will anomaly detection catch a gradual cost increase?">
    Gradual increases are harder to detect with a deviation-based approach — if
    costs creep up slowly over weeks, the baseline moves with them. Anomaly
    detection is best at catching sudden, unexpected changes. For gradual trends,
    use the cost trend charts in the dashboard which show period-over-period
    comparisons.
  </Accordion>

  <Accordion title="Does anomaly detection affect my request latency?">
    No. Detection runs on the cold path every 5 minutes against stored event data.
    It has zero impact on request performance.
  </Accordion>

  <Accordion title="What happens to anomaly detection when I add a new feature tag?">
    A new feature tag starts with no baseline. Detection for that specific feature
    activates after 48 hours of tagged traffic. Org-level detection continues
    unaffected.
  </Accordion>

  <Accordion title="Can I get alerts in Slack or via webhook?">
    Not yet — email and in-dashboard notifications only for now. Slack and webhook
    integrations are on the roadmap.
  </Accordion>
</AccordionGroup>