What AWS services does Vigilare monitor?

Vigilare monitors 7+ AWS services: Billing (cost anomalies and usage spikes), IAM (policy drift, root account usage, missing MFA), GuardDuty (threat findings), SES (sending reputation), CloudTrail (suspicious API patterns), Service Quotas (limit utilisation), and Account Health (AWS notifications). Coverage is continuously expanded.

How does Vigilare access my AWS account?

Vigilare uses a read-only cross-account IAM role that you provision using our open-source Terraform module. The role grants only the minimum permissions required for monitoring — no write access, no credential storage, and no data leaves your account except what is needed to display findings in your dashboard.

How quickly will I be alerted?

Depending on your plan, Vigilare scans every 1, 5, or 15 minutes. Alerts are delivered in real time via email, Slack, or PagerDuty the moment a threshold is crossed. The typical end-to-end latency from event to alert is under 90 seconds.

Can I monitor multiple AWS accounts?

Yes. The Solo plan covers 1 account, Team supports up to 10, Agency up to 50, and Enterprise is unlimited. All accounts appear in a single dashboard with per-account risk scores and consolidated alert feeds.

Is my AWS data secure?

All data is encrypted at rest with AES-256 and in transit with TLS 1.2+. Vigilare's control plane runs on AWS infrastructure in dedicated, isolated tenants. We never store raw AWS credentials. The platform is SOC 2 Type II compliant and we provide reports on request for Enterprise customers.

Is there a free trial?

Yes — all paid plans include a 14-day free trial. No credit card is required to get started. You can connect your first AWS account and see findings within 5 minutes of signing up.

What happens if I exceed my account limit?

We'll notify you as you approach your account limit and give you the option to upgrade. We won't stop monitoring your existing accounts without notice.

Can I cancel at any time?

Yes. There are no long-term contracts. You can cancel your subscription at any time from the billing settings page. Your access continues until the end of the current billing period.

AWS Cost Anomaly Detection vs Vigilare: Why the 24-Hour Delay Matters

AWS Cost Anomaly Detection is a genuinely useful service. It's free. It uses machine learning to detect unusual spending patterns. And for the majority of billing anomalies — the slow kind, where a forgotten resource quietly bleeds money over days or weeks — it works well.

But it has a critical architectural limitation: it relies on Cost Explorer data, which has up to a 24-hour lag. For fast-moving incidents — compromised credentials, misconfigured auto-scaling, accidental resource provisioning in the wrong region — 24 hours is the difference between a $500 problem and a $10,000 crisis.

This comparison breaks down exactly when AWS Cost Anomaly Detection is sufficient, when it's not, and what the detection gap costs in real-world scenarios.

How AWS Cost Anomaly Detection Works

Cost Anomaly Detection analyzes your historical spending data from Cost Explorer. It builds a baseline of your normal spend patterns, segmented by AWS service, linked account, cost allocation tag, or cost category. It runs detection approximately three times per day. When it identifies a deviation from the baseline, it generates an alert with the estimated dollar impact, the probable root cause, and a confidence score.

The service does several things well. It adapts to your spending patterns automatically — you don't need to set static thresholds. It can detect subtle anomalies that budget alerts miss. And it's free to use with no setup beyond creating a monitor and subscription.

The 24-Hour Gap in Practice

Cost Explorer data — the input to anomaly detection — refreshes with a lag of up to 24 hours. The detection algorithm runs roughly every 8 hours. In the worst case, a billing anomaly that starts at 1 AM may not generate an alert until after midnight the next day — a 24-32 hour window where charges accumulate undetected.

Here's what that looks like for the most common fast-moving scenarios:

Compromised Credentials

An attacker with a valid access key can provision dozens of GPU instances across multiple regions in minutes. A single p4d.24xlarge instance costs $32.77/hour. Ten instances across ten regions is $327/hour — $7,862 in a single day. With a 24-hour detection delay, the first alert arrives around the same time as a four-figure bill.

Auto-Scaling Runaway

A traffic spike or DDoS event triggers your auto-scaling group. Without a max-instance cap, the group scales to 50 instances. At $0.40/hour per instance (a moderate t3.xlarge), that's $20/hour. Not catastrophic per hour, but over 24 hours of undetected over-provisioning, you're looking at $480 in unnecessary spend. If the instances are larger, multiply accordingly.

Cross-Region Data Transfer

A misconfigured service starts routing traffic across regions. At $0.02/GB, a high-throughput application processing 10 TB/day incurs $200/day in transfer costs. Detected at hour 24, that's already $200 you didn't need to spend.

How Vigilare Differs

Vigilare's billing monitoring operates at 5-minute intervals, using a combination of the Billing CloudWatch metrics, the Cost Explorer API with hourly granularity, and resource-level event monitoring through CloudTrail and EventBridge.

The key architectural differences:

Detection latency: 5-15 minutes for resource-level events (a new instance launches in an unexpected region), 1-6 hours for cost-based anomalies (the CloudWatch billing metric updates approximately every 6 hours). This is still not real-time, but it's an order of magnitude faster than 24 hours.

Signal correlation: Cost Anomaly Detection tells you that spending increased. Vigilare tells you that spending increased and simultaneously a GuardDuty finding fired for an unfamiliar IP in ap-southeast-1 and a new IAM role was created with AdministratorAccess. The correlation makes triage immediate — you know this is a credential compromise, not a traffic spike.

Resource-level detection: Vigilare monitors CloudTrail for resource provisioning events — RunInstances, CreateDBInstance, CreateFunction — and can alert on the event itself, before the cost shows up in any billing data. If someone launches a p4d.24xlarge in a region you've never used, you know within minutes, not when the billing data refreshes.

When AWS Cost Anomaly Detection Is Enough

For many scenarios, it genuinely is sufficient. If the most likely billing anomaly in your account is a forgotten resource accumulating costs over days or weeks, Cost Anomaly Detection will catch it. If your account has no long-lived access keys that could be compromised, the fast-moving credential compromise scenario is unlikely. And if you have a mature tagging strategy and cost allocation setup, the ML model has good segmentation to work with.

Cost Anomaly Detection should be enabled on every AWS account regardless of whether you use additional monitoring. It's free, and it catches the slow-bleed scenarios that threshold-based alerts miss.

When You Need More

You need faster detection if any of these apply: your account has active IAM access keys (credential compromise risk), you run auto-scaling groups in production (runaway scaling risk), your monthly bill is high enough that 24 hours of anomalous spend would be painful (anything above ~$1,000/month), or you don't have someone checking billing dashboards daily.

For a startup spending $500-5,000/month on AWS, the math is straightforward. Vigilare's Solo plan costs $29/month. A single undetected billing anomaly can cost more than a year of Vigilare subscription in a single day. Start a free 14-day trial to see the detection speed difference on your own account.

Protect your AWS accounts before it's too late

Vigilare monitors your AWS accounts for suspension risks — billing anomalies, IAM issues, GuardDuty findings, and more — and alerts you before AWS takes action.

See Vigilare pricing Talk to us about securing your AWS Browse documentation →

Written by Viktor B.

Co-founder & CEO