What is Anomaly Detection?

Anomaly detection is the identification of patterns in data that deviate significantly from expected behavior — used in crypto security to flag suspicious transactions, unusual agent behavior, and potential compromises in real-time.

WHY IT MATTERS

Fixed rules catch known threats. Anomaly detection catches unknown ones. If an agent normally makes 5-10 transactions per hour and suddenly starts making 100, that's anomalous regardless of whether each individual transaction passes policy checks.

Approaches include statistical (transactions outside the agent's own normal distribution), machine learning (models trained on historical behavior), rule-based (velocity checks, time-based patterns), and comparative (this agent vs. a fleet baseline). Each catches different types of anomalies, and all of them are only as good as the baseline: a model or threshold derived from a window that already contains compromised activity will learn that activity as normal, so baselines should be built from a period known to be clean and refreshed deliberately rather than continuously.

For agent wallets, anomalies worth detecting include: spending velocity changes, new recipient addresses, unusual token interactions, gas usage anomalies (an unusually high gas cost per transaction suggests calls into unfamiliar contracts rather than simple transfers), and temporal patterns (activity outside normal hours).
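The approaches and anomaly types above, as an added example that is not PolicyLayer's or Intercept's code: a small Python detector that builds a per-agent baseline and a fleet baseline from a constructed four-day history, then scores a constructed live stream with a statistical amount check, a comparative fleet check, a new-recipient check, a gas-usage check, an off-hours check and a rule-based velocity check, all evaluated after an explicit policy limit. The agent names, addresses, amounts, the $1,000 policy limit, the z-score threshold of 3, the velocity factor and the "one signal alerts, two or more pause" rule are assumptions chosen for the illustration, not values from the page.

```python
"""Multi-signal anomaly scoring for an AI agent wallet.

Added example, not PolicyLayer code. The history, live stream, thresholds
and the policy limit below are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

POLICY_MAX_USD = 1000.0   # explicit policy rule (assumed); anomaly signals are scored only below it

def _profile(txs):
    """Baseline for one agent (or the whole fleet) from historical transactions."""
    amounts = [t["amount"] for t in txs]
    gas = [t["gas"] for t in txs]
    hour_buckets = {t["ts"] // 3600 for t in txs}
    return {
        "amount_mean": mean(amounts), "amount_std": pstdev(amounts),
        "gas_mean": mean(gas), "gas_std": pstdev(gas),
        "recipients": {t["to"] for t in txs},
        "hours": {(t["ts"] // 3600) % 24 for t in txs},   # hours of day (UTC) the agent was ever active
        "per_hour": len(txs) / len(hour_buckets),          # mean transactions per active hour
    }

def _z(x, m, s):
    return (x - m) / (s or 1.0)   # std floor avoids division by zero on constant baselines

class Detector:
    def __init__(self, history, z_threshold=3.0, velocity_factor=3.0, window=3600):
        by_agent = defaultdict(list)
        for t in history:
            by_agent[t["agent"]].append(t)
        self.agents = {a: _profile(txs) for a, txs in by_agent.items()}
        self.fleet = _profile(history)           # comparative baseline across all agents
        self.zt, self.vf, self.window = z_threshold, velocity_factor, window
        self.live = defaultdict(list)            # agent -> timestamps seen in the live stream

    def evaluate(self, tx):
        # 1. Explicit policy first: a hard rule blocks regardless of history.
        if tx["amount"] > POLICY_MAX_USD:
            return {"decision": "block", "signals": ["policy:max_amount"]}
        p = self.agents.get(tx["agent"])
        if p is None:                            # no baseline: nothing to score against, escalate
            return {"decision": "alert", "signals": ["no_baseline"]}
        signals = []
        # 2. Statistical: amount far above this agent's own history (upward only;
        #    small payments are not treated as suspicious here).
        if _z(tx["amount"], p["amount_mean"], p["amount_std"]) > self.zt:
            signals.append("amount_outlier")
        # 3. Comparative: amount unusual even against the whole fleet.
        if tx["amount"] > self.fleet["amount_mean"] + self.zt * self.fleet["amount_std"]:
            signals.append("fleet_outlier")
        # 4. Recipient this agent has never paid before.
        if tx["to"] not in p["recipients"]:
            signals.append("new_recipient")
        # 5. Gas usage far above normal: suggests calls into unfamiliar contracts.
        if _z(tx["gas"], p["gas_mean"], p["gas_std"]) > self.zt:
            signals.append("gas_outlier")
        # 6. Temporal: activity in an hour this agent has never been active in.
        if (tx["ts"] // 3600) % 24 not in p["hours"]:
            signals.append("off_hours")
        # 7. Rule-based velocity: live transactions in the trailing window vs. baseline rate.
        recent = [t for t in self.live[tx["agent"]] if t > tx["ts"] - self.window]
        recent.append(tx["ts"])
        self.live[tx["agent"]] = recent
        if len(recent) > max(3, self.vf * p["per_hour"]):
            signals.append("velocity")
        # 8. Combine: one signal alerts, two or more pause spending for review. Requiring
        #    corroboration is what keeps single-signal noise from pausing agents.
        decision = "pause" if len(signals) >= 2 else "alert" if signals else "allow"
        return {"decision": decision, "signals": signals}

def build_history():
    """Constructed 4-day baseline: two agents, five transactions a day at 09:00-13:00 UTC."""
    history = []
    for day in range(4):
        for i, hour in enumerate(range(9, 14)):
            ts = day * 86400 + hour * 3600
            gas = [21000, 21000, 45000, 21000, 21000][i]
            history.append({"agent": "agent-a", "ts": ts, "amount": [60, 75, 90, 80, 70][i],
                            "to": ["0xaaa1", "0xaaa2", "0xaaa3"][i % 3], "gas": gas})
            history.append({"agent": "agent-b", "ts": ts, "amount": [500, 550, 600, 450, 400][i],
                            "to": ["0xbbb1", "0xbbb2"][i % 2], "gas": gas})
    return history

def run_demo():
    """Feed a constructed live stream for agent-a through the detector; returns the decisions."""
    det = Detector(build_history())
    day4, day5 = 4 * 86400, 5 * 86400
    stream = [
        {"agent": "agent-a", "ts": day4 + 10 * 3600, "amount": 80, "to": "0xaaa1", "gas": 21000},         # normal
        {"agent": "agent-a", "ts": day4 + 10 * 3600 + 600, "amount": 400, "to": "0xaaa2", "gas": 21000},  # within policy, far above own history
    ]
    stream += [{"agent": "agent-a", "ts": day4 + 12 * 3600 + 60 * i, "amount": 70, "to": "0xaaa3", "gas": 21000}
               for i in range(5)]                                                                  # burst: each tx fine, the rate is not
    stream += [
        {"agent": "agent-a", "ts": day5 + 3 * 3600, "amount": 999, "to": "0xdead", "gas": 180000},        # looks like a compromise
        {"agent": "agent-a", "ts": day5 + 3 * 3600 + 60, "amount": 5000, "to": "0xdead", "gas": 21000},   # explicit policy breach
    ]
    return [det.evaluate(tx) for tx in stream]

if __name__ == "__main__":
    for r in run_demo():
        print(r["decision"], r["signals"])
```

Running it shows the four situations the text describes: the $400 transfer is within the $1,000 policy but alerts on the agent's own history alone; the burst of $70 transfers is clean per transaction and only the fourth and fifth trip the velocity rule; the $999 transfer to a never-seen address at 03:00 with eight times the usual gas fires five independent signals and pauses the agent; the $5,000 transfer never reaches anomaly scoring because the explicit policy blocks it first.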

HOW POLICYLAYER USES THIS

PolicyLayer uses anomaly detection to identify unusual agent spending patterns — sudden velocity increases, new recipients, or amounts that deviate from historical norms. Anomalies trigger alerts and can automatically pause agent spending for review.

FREQUENTLY ASKED QUESTIONS

How is anomaly detection different from policy enforcement?
Policies define explicit rules (max $1,000 per transaction). Anomaly detection flags behavior that breaks no explicit rule but departs from the agent's own history (this agent never spent more than $100 before, but is now spending $999 repeatedly: within policy, yet suspicious). Policies are the hard stop; anomaly detection is the early warning inside the policy envelope.
Can anomaly detection generate false positives?
Yes, and it's the main challenge. Legitimate changes in agent behavior (new trading strategy, market volatility) can trigger false alarms. Tuning sensitivity and combining multiple signals (for example, pausing only when two or more independent signals fire, and alerting on one) reduces false positives.
What data is needed for effective anomaly detection?
Transaction history (amounts, recipients, frequencies), temporal patterns (time of day, day of week), gas usage patterns, and contextual data (market conditions, agent task type).

FURTHER READING

Enforce policies on every tool call

Intercept is the open-source MCP proxy that enforces YAML policies on AI agent tool calls. No code changes needed.

npx -y @policylayer/intercept
github.com/policylayer/intercept →