Anomaly Detection

Anomaly detection is the identification of behavior or events that differ meaningfully from an expected baseline.

In plain language, it looks for activity that is unusual enough to deserve attention even when it matches no known static signature. The baseline is whatever "normal" looks like for the entity in question: a user, a host, a service account, or a network segment.

Why It Matters

Anomaly detection matters because not every security issue arrives in a form defenders already know how to label precisely. Unusual behavior can be one of the earliest signs that a compromise, misuse pattern, or system problem is developing.

It also matters because modern environments produce too much activity for humans to review manually without some way of highlighting what stands out.

Where It Appears in Real Systems or Security Workflow

Anomaly detection appears in SIEM, User and Entity Behavior Analytics (UEBA), network monitoring, endpoint security, and cloud activity review. Teams tune it alongside Detection Engineering, weigh its output in terms of False Positive and False Negative rates, and use its flags as starting points for Threat Hunting.

It is most effective when the baseline is built from enough clean history to represent normal activity, and when an analyst can interpret a flagged deviation in the context of normal business behavior rather than in isolation.

Practical Example

A service account that normally connects to one internal API suddenly begins making requests to many unfamiliar systems. An anomaly-detection rule flags the behavior because it departs sharply from the account's established set of destinations, even though no individual request matches a known-bad signature.
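The scenario above as a runnable baseline-deviation check, added here as an illustration rather than taken from any product or from the original page. It assumes a simple connection log of "timestamp account destination-host" lines (the lines below are constructed for the example), learns each account's set of destinations from a history window, and then flags any account whose destinations in a later scoring window are mostly ones it has never contacted before. The thresholds, account names and hostnames are all assumptions chosen for the example.

```python
"""Baseline-deviation detector over constructed connection logs."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines, not taken from any real system.
# Format per line: ISO-8601 timestamp, account name, destination host.
# svc-billing talks only to api.internal for a week, then fans out at 02:13.
# svc-reports adds one new host on the same day, which is far less unusual.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z svc-billing api.internal
2024-05-01T09:05:00Z svc-billing api.internal
2024-05-02T09:00:00Z svc-billing api.internal
2024-05-03T09:00:00Z svc-billing api.internal
2024-05-01T10:00:00Z svc-reports db.internal
2024-05-02T10:00:00Z svc-reports reports.internal
2024-05-03T10:00:00Z svc-reports db.internal
2024-05-08T02:13:00Z svc-billing hr.internal
2024-05-08T02:13:05Z svc-billing finance.internal
2024-05-08T02:13:10Z svc-billing backup.internal
2024-05-08T02:14:00Z svc-billing api.internal
2024-05-08T10:00:00Z svc-reports db.internal
2024-05-08T10:01:00Z svc-reports archive.internal
"""


def parse_log(text):
    """Parse 'timestamp account host' lines into (datetime, account, host) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host = line.split()
        # fromisoformat() does not accept a trailing 'Z' on older Pythons.
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), account, host))
    return events


def build_baseline(events, baseline_end):
    """Per-account set of destination hosts seen strictly before baseline_end."""
    baseline = defaultdict(set)
    for ts, account, host in events:
        if ts < baseline_end:
            baseline[account].add(host)
    return baseline


def detect_anomalies(events, baseline, window_start, min_new_hosts=2, min_new_fraction=0.5):
    """Flag accounts whose destinations in the scoring window depart from baseline.

    An account is flagged when, within the window starting at window_start, it
    contacts at least min_new_hosts destinations absent from its baseline AND
    those new destinations make up at least min_new_fraction of its distinct
    destinations in the window. Returns {account: {"new_hosts": [...], "new_fraction": f}}.
    Thresholds are assumed values for the example; tune them per environment.
    """
    window_hosts = defaultdict(set)
    for ts, account, host in events:
        if ts >= window_start:
            window_hosts[account].add(host)

    findings = {}
    for account, hosts in window_hosts.items():
        # An account with no history has an empty baseline, so everything is "new".
        known = baseline.get(account, set())
        new_hosts = hosts - known
        fraction = len(new_hosts) / len(hosts)
        if len(new_hosts) >= min_new_hosts and fraction >= min_new_fraction:
            findings[account] = {"new_hosts": sorted(new_hosts), "new_fraction": fraction}
    return findings


def run_example():
    """Learn a baseline from the first week, then score activity from 7 May onward."""
    events = parse_log(SAMPLE_LOG)
    cutoff = datetime(2024, 5, 7, tzinfo=timezone.utc)
    baseline = build_baseline(events, cutoff)
    return detect_anomalies(events, baseline, cutoff)


if __name__ == "__main__":
    for account, finding in run_example().items():
        print(f"{account}: {len(finding['new_hosts'])} new destinations "
              f"({finding['new_fraction']:.0%} of window): {', '.join(finding['new_hosts'])}")
```

Running it flags only svc-billing: three of its four destinations in the scoring window are absent from its baseline. svc-reports contacted one unfamiliar host and stays below the threshold, which is the judgement call this kind of rule always makes. Note the two caveats the code exposes directly: an account with no history at all has an empty baseline and will be flagged on its first multi-host activity (the "new but legitimate" case), and a baseline learned while misuse was already under way will treat that misuse as normal.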

Common Misunderstandings and Close Contrasts

Anomaly detection is not the same as certainty of compromise. Unusual behavior may be malicious, accidental, or simply new but legitimate activity, and a baseline learned while misuse was already under way will treat that misuse as normal.

It is also different from a Detection Rule based only on a fixed known pattern. A static signature matches one known-bad pattern with high precision; anomaly detection depends on deviation from a baseline, which lets it surface activity no signature describes at the cost of more findings that need human context to interpret.