Anomaly Detection

NodeLoom automatically scores every workflow execution from 0 to 100 based on how much it deviates from established baselines. High scores indicate potential issues that need investigation.

How Scoring Works

After each execution completes with a status of SUCCESS or FAILED, the anomaly detection engine compares the execution's metrics against the workflow's baseline and produces a composite score from 0 (normal) to 100 (highly anomalous). Executions with other statuses (e.g., CANCELLED, PENDING) are not scored.

Score threshold

Executions exceeding the configured threshold are flagged as anomalous and appear in the monitoring dashboard. The threshold is configurable per team from the workspace monitoring settings.

Scoring Criteria

The anomaly score is composed of four independent detectors, each contributing a weighted score:

Detector | What It Measures
Duration spike | Execution took significantly longer than the baseline average.
Token overuse | AI nodes consumed more tokens than expected compared to the baseline.
Output size anomaly | The total output payload size deviates significantly from the baseline.
Data exfiltration pattern | Output contains patterns consistent with credential leaks, PII exposure, or unusually large data transfers to external endpoints.

Each detector contributes a weighted score to the composite total. The final score is capped at 100.

Baselines

Baselines are auto-learned from successful executions of each workflow. A minimum number of successful executions is required before scoring becomes active for a workflow.

Baseline Updates

Baselines are refreshed through two mechanisms:

  • Immediate update: After each successful execution, the rolling average is updated in real time.
  • Scheduled recalculation: A periodic background job recalculates full baselines from recent successful executions to maintain accuracy over time.

Configurable Thresholds

Each team can customise anomaly detection thresholds from the workspace monitoring settings:

Setting | Description
Alert threshold | Minimum score to flag an execution as anomalous.
Duration sensitivity | How much the execution duration can deviate from the baseline before the duration detector fires.
Token sensitivity | Multiplier over the baseline average before the token detector fires.
Output size sensitivity | Multiplier over the baseline average for output size detection.
Exfiltration patterns | Toggle data exfiltration pattern matching on or off.
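
To show how the baseline, the four detectors and the per-team sensitivities combine into one capped score, the following Python is an added example and not NodeLoom's own code. The weights, the minimum run count, the default settings, the linear ramp in `detector` and the two regex patterns are assumptions, since the page does not publish them.

```python
import re
from dataclasses import dataclass

# Assumed weights, run minimum and patterns (AWS-style key ID, PEM header); none are from the page.
WEIGHTS = {"duration": 30, "tokens": 25, "output_size": 20, "exfiltration": 25}
MIN_BASELINE_RUNS = 5
EXFIL = [re.compile(r"AKIA[0-9A-Z]{16}"), re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")]

@dataclass
class Baseline:
    runs: int = 0
    duration_ms: float = 0.0
    tokens: float = 0.0
    output_bytes: float = 0.0

    def update(self, duration_ms, tokens, output_bytes):
        """Immediate update: fold one successful run into the rolling averages."""
        self.runs += 1
        self.duration_ms += (duration_ms - self.duration_ms) / self.runs
        self.tokens += (tokens - self.tokens) / self.runs
        self.output_bytes += (output_bytes - self.output_bytes) / self.runs

@dataclass
class Settings:  # hypothetical defaults for the five per-team settings
    alert_threshold: int = 50
    duration_sensitivity: float = 2.0
    token_sensitivity: float = 2.0
    output_size_sensitivity: float = 3.0
    exfiltration_patterns: bool = True

def detector(value, mean, sensitivity, weight):
    """0 up to sensitivity x baseline (upward deviation only), then linear to full weight at 2x that."""
    limit = mean * sensitivity
    if limit <= 0 or value <= limit:
        return 0.0
    return min(weight, weight * (value - limit) / limit)

def score_execution(status, duration_ms, tokens, output, baseline, cfg):
    """Return None when the run is not scored, else the composite score and detector breakdown."""
    if status not in ("SUCCESS", "FAILED") or baseline.runs < MIN_BASELINE_RUNS:
        return None
    hit = cfg.exfiltration_patterns and any(p.search(output) for p in EXFIL)
    parts = {
        "duration": detector(duration_ms, baseline.duration_ms, cfg.duration_sensitivity, WEIGHTS["duration"]),
        "tokens": detector(tokens, baseline.tokens, cfg.token_sensitivity, WEIGHTS["tokens"]),
        "output_size": detector(len(output.encode()), baseline.output_bytes, cfg.output_size_sensitivity, WEIGHTS["output_size"]),
        "exfiltration": float(WEIGHTS["exfiltration"]) if hit else 0.0,
    }
    score = min(100, round(sum(parts.values())))
    return {"score": score, "detectors": parts, "anomalous": score >= cfg.alert_threshold}
```

With these assumed weights, a leaked-credential match alone stays below the assumed alert threshold of 50, so when tuning the real threshold it is worth checking whether a single detector firing at full strength should be enough to flag a run.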

Notifications

When an execution exceeds the alert threshold, NodeLoom can notify your team through:

  • Email: Sends a summary email to workspace admins with the workflow name, execution ID, score breakdown, and a link to the execution inspector.
  • Webhook: Posts a JSON payload to a configured URL so you can integrate with Slack, PagerDuty, Opsgenie, or any alerting system.

Webhook payload

The webhook payload includes the execution ID, workflow ID, team ID, anomaly score, individual detector scores, and a timestamp. See the API reference for the full schema.

Bulk Acknowledge

After investigating anomalous executions, you can acknowledge them individually or in bulk from the monitoring dashboard. Acknowledged anomalies are moved to a resolved state and no longer appear in the active alerts view. This helps teams focus on unresolved issues without losing historical data.
