How ThresholdIQ Detects Anomalies Automatically (No Setup Required)
Most monitoring tools ask you to do the hard work first: decide which columns to watch, pick your thresholds, and configure your rules. But here's the problem — if you already knew exactly what was wrong and where to look, you wouldn't need a monitoring tool.
ThresholdIQ takes the opposite approach. Upload your file. Click detect. The engine figures out what's unusual. This post explains exactly how that works, in plain English.
The Problem With Manual Thresholds
Imagine you're a Finance Analyst monitoring daily revenue. You set a rule: "alert me if revenue drops below £50,000." Sensible. But:
- Revenue is always lower on Sundays — does that count?
- Revenue has been gradually declining for six weeks — should you have noticed sooner?
- Revenue and margin both dropped at exactly the same time today — is that more serious?
A static threshold catches the obvious cases. It misses the subtle, the seasonal, and the correlated ones. ThresholdIQ's automatic engine is designed to catch all of them.
What Happens When You Click "Detect Anomalies"
When you upload a file and click the button, nine detection methods run simultaneously across every numeric column in your data. Here's what each one does and what it catches:
| Method | What it does | What it catches | Severity |
|---|---|---|---|
| Multi-Window Z-score | Computes local mean and standard deviation over 50, 100, 200 and 500-point rolling windows. Flags values that deviate more than 2–3.5 standard deviations from recent history. | Sudden spikes, abrupt drops, sustained departures from normal range | Warning → Emergency |
| EWMA | Applies exponential weighting so recent values count more than older ones. Flags residuals between the raw value and the smoothed trend. | Fast, sharp spikes that would be missed by a slow rolling average | Boosts score |
| SARIMA | Seasonal ARIMA model learns the regular cycle in your data (e.g. daily/weekly patterns). Flags points that deviate from seasonal expectation, not just raw magnitude. | Anomalies that look normal in isolation but are wrong for that time of day or day of week | Boosts score |
| Isolation Forest | Treats every row as a point in multi-dimensional space (one dimension per metric). Identifies points that are isolated — far from all other points — across all metrics at once. | Global outliers, sensor failures, zero readings when value should be non-zero | Emergency |
| Correlation Deviation | Monitors whether correlated metrics deviate together in the same direction. Two or more metrics all abnormal simultaneously is a stronger signal than one alone. | Multi-metric failures — e.g. revenue AND margin AND volume all drop together | Emergency |
| DBSCAN | Groups your data points into "normal behaviour clusters." Points that don't belong to any cluster are labelled noise and flagged. | Behavioural outliers — patterns that don't match any known operating mode | Critical |
| Seasonal Baseline | Builds a separate mean and standard deviation for every hour-of-day and day-of-week bucket. Sunday overnight readings are compared against Sunday overnight history — not all-time history. | Prevents false alarms from normal seasonal lows; surfaces genuine anomalies within their time context | Warning |
| Trend Detection | Compares the average of three consecutive 50-point windows. A monotonic rising or falling drift across all three windows is flagged. | Gradual budget drift, slow inventory decline, creeping latency — things that look fine today but signal a problem forming | Critical |
| Stuck/Zero Detection | Detects when a series that previously had variation becomes constant, or drops to zero from a meaningful non-zero history. | Sensor failures, data pipeline outages, broken integrations that produce zeroes instead of real values | Emergency |
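As an added example (not ThresholdIQ's code and not an implementation taken from the table), here are toy Python versions of three of the detectors above that the table describes precisely enough to reproduce: the seasonal (day-of-week, hour-of-day) baseline run side by side with a naive all-time z-score, the three-window trend check, and stuck/zero detection. The z thresholds, window sizes, bucket layout and the constructed hourly series are assumptions made for the demonstration.

```python
"""Added illustration, not ThresholdIQ's code, of three detectors from the
table: the seasonal (day-of-week, hour) baseline, three-window trend detection
and stuck/zero detection. Thresholds, windows and sample data are assumptions."""
from datetime import datetime, timedelta
from statistics import mean, pstdev


def zscore_flags(values, stats_for, z_threshold=2.5):
    """Indices whose |value - mean| / sd exceeds z_threshold, where stats_for(i)
    returns the (mean, sd) that point should be judged against."""
    flagged = []
    for i, v in enumerate(values):
        mu, sd = stats_for(i)
        if sd > 0 and abs(v - mu) / sd > z_threshold:
            flagged.append(i)
    return flagged


def global_flags(values, z_threshold=2.5):
    """Naive detector: every point is compared with the all-time mean/sd."""
    mu, sd = mean(values), pstdev(values)
    return zscore_flags(values, lambda i: (mu, sd), z_threshold)


def seasonal_flags(timestamps, values, z_threshold=2.5):
    """Seasonal baseline: one mean/sd per (day-of-week, hour-of-day) bucket, so a
    Sunday 03:00 reading is judged only against other Sunday 03:00 readings."""
    buckets = {}
    for ts, v in zip(timestamps, values):
        buckets.setdefault((ts.weekday(), ts.hour), []).append(v)
    stats = {key: (mean(vs), pstdev(vs)) for key, vs in buckets.items()}

    def bucket_stats(i):
        return stats[(timestamps[i].weekday(), timestamps[i].hour)]

    return zscore_flags(values, bucket_stats, z_threshold)


def trend_direction(values, window=50):
    """Compare the means of the last three consecutive windows: +1 for a
    monotonic rise, -1 for a monotonic fall, 0 otherwise (or if too short)."""
    if len(values) < 3 * window:
        return 0
    tail = values[-3 * window:]
    m1, m2, m3 = (mean(tail[k * window:(k + 1) * window]) for k in range(3))
    if m1 < m2 < m3:
        return 1
    if m1 > m2 > m3:
        return -1
    return 0


def stuck_or_zero(values, tail=24):
    """'zero' if the last `tail` points are all zero although earlier history was
    non-zero; 'stuck' if they are constant although earlier history varied."""
    if len(values) <= tail:
        return None
    history, recent = values[:-tail], values[-tail:]
    if all(v == 0 for v in recent) and mean(history) > 0:
        return "zero"
    if pstdev(recent) == 0 and pstdev(history) > 0:
        return "stuck"
    return None


def build_sample(weeks=12):
    """Constructed hourly series starting on a Monday: level 100 on weekdays and
    60 on Sundays, 40 lower overnight (00-05h), small deterministic jitter, and
    one injected reading of 60 at a Tuesday noon (a normal weekday-night level,
    far too low for a Tuesday noon)."""
    start = datetime(2024, 1, 1)  # a Monday
    timestamps, values = [], []
    for i in range(weeks * 168):
        ts = start + timedelta(hours=i)
        level = 60 if ts.weekday() == 6 else 100
        if ts.hour < 6:
            level -= 40
        timestamps.append(ts)
        values.append(level + (i * 7919) % 11 - 5)
    anomaly_index = 2 * 168 + 24 + 12  # Tuesday 12:00 of the third week
    values[anomaly_index] = 60
    return timestamps, values, anomaly_index


def demo():
    """Run the all-time detector and the seasonal baseline side by side."""
    timestamps, values, anomaly_index = build_sample()
    sunday_nights = [i for i, ts in enumerate(timestamps)
                     if ts.weekday() == 6 and ts.hour < 6]
    global_hits = set(global_flags(values))
    seasonal_hits = set(seasonal_flags(timestamps, values))
    return {
        "anomaly_in_global": anomaly_index in global_hits,
        "anomaly_in_seasonal": anomaly_index in seasonal_hits,
        "sunday_nights_in_global": sum(i in global_hits for i in sunday_nights),
        "sunday_nights_in_seasonal": sum(i in seasonal_hits for i in sunday_nights),
    }
```

Running `demo()` shows the contrast the Seasonal Baseline row describes: the all-time detector flags routine Sunday-overnight readings and misses the Tuesday-noon reading entirely, while the bucketed baseline leaves the Sunday nights alone and flags the Tuesday-noon reading because it is far below every other Tuesday noon. The bucket statistics include the point being scored, which is why the sample uses twelve weeks of history; with only one or two samples per bucket a per-bucket standard deviation is meaningless, which is the practical reason the seasonal methods need a minimum amount of data.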
How the Results Are Combined
Each method produces a score between 0 and 1 for every data point. These scores are combined using a weighted fusion formula:
The Multi-Window Z-score is the primary driver of severity. The other eight methods can only boost a score — they can never reduce it. This prevents a single false-positive method from masking a real anomaly.
The final score maps to a severity level:
- Warning (0.60–0.79): W50 window breached — short-term deviation, may self-resolve
- Critical (0.80–0.89): W50 + W100 both breached — confirmed anomaly, investigate
- Emergency (0.90+): W50 + W100 + W200 all breached — structural shift, escalate immediately
A Real Example: IoT Sensor Data
Suppose you upload a CSV of hourly temperature readings from three factory facilities over 10 days. Here's what happens:
How Much Data Do You Need?
- Under 10 rows: Detection is blocked — not enough data to learn any baseline
- 10–49 rows: Basic mode only — Multi-Window and EWMA run. No SARIMA or clustering.
- 50–99 rows: Reduced mode — SARIMA skipped (needs 40+ points to train). All other methods active.
- 100+ rows: Full detection — all 9 methods active
For most Finance or Operations exports — weekly KPI reports, monthly actuals, daily ops logs — you'll have well over 100 rows and the full engine runs immediately.
What About False Positives?
This is the most common concern with automated detection. ThresholdIQ addresses it in three ways:
- Seasonal awareness: SARIMA and the hourly/daily seasonal baseline prevent routine low periods from triggering alerts.
- Multi-window confirmation: A Warning only becomes Critical when it persists into the 100-point window. Transient spikes stay at Warning level.
- Fusion capping: ML methods can add at most 0.25 to the base score. A single method can't manufacture a Critical alert on its own.
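The fusion and severity mapping described in "How the Results Are Combined", together with the 0.25 fusion cap from the list above, as an added Python example. This is not ThresholdIQ's code, and the page does not print its fusion formula, so the base-score value assigned per breached window, the equal method weights, the 3.0 z threshold and the constructed series are all assumptions.

```python
"""Added illustration, not ThresholdIQ's code, of the multi-window base score,
the boost-only fusion with a 0.25 cap, and the Warning/Critical/Emergency
mapping. Base-score levels, method weights, the z threshold and the sample
series are assumptions."""
from statistics import mean, pstdev

WINDOWS = (50, 100, 200)          # W50, W100, W200 from the severity list
BASE_LEVELS = (0.60, 0.80, 0.90)  # score when W50 / W50+W100 / all three are breached
BOOST_CAP = 0.25                  # the other methods can add at most this much in total


def window_z(values, i, window):
    """|z| of values[i] against the `window` points immediately before it;
    0.0 if there is not enough history or the history is constant."""
    if i < window:
        return 0.0
    history = values[i - window:i]
    sd = pstdev(history)
    return abs(values[i] - mean(history)) / sd if sd > 0 else 0.0


def base_score(values, i, z_threshold=3.0):
    """Multi-window base score. The windows must be breached cumulatively:
    W50 alone -> 0.60, W50+W100 -> 0.80, W50+W100+W200 -> 0.90."""
    score = 0.0
    for window, level in zip(WINDOWS, BASE_LEVELS):
        if window_z(values, i, window) <= z_threshold:
            break
        score = level
    return score


def fuse(base, method_scores, weights=None):
    """Boost-only fusion: the other methods can raise the base score but never
    lower it, and their combined contribution is capped at BOOST_CAP."""
    weights = weights or {name: 1.0 for name in method_scores}
    boost = sum(weights[name] * s for name, s in method_scores.items())
    return min(1.0, base + min(BOOST_CAP, max(0.0, boost)))


def severity(score):
    """Map a fused score onto the severity bands."""
    if score >= 0.90:
        return "Emergency"
    if score >= 0.80:
        return "Critical"
    if score >= 0.60:
        return "Warning"
    return "Normal"


def build_series(n=260, spike_at=255, spike_value=140):
    """Constructed series: level 100 with deterministic jitter in [-3, 3]
    and one spike that sits far outside every window."""
    values = [100 + (i * 37) % 7 - 3 for i in range(n)]
    values[spike_at] = spike_value
    return values


def classify(values, i, method_scores):
    """Base score, fused score and severity for point i."""
    base = base_score(values, i)
    final = fuse(base, method_scores)
    return {"base": base, "final": round(final, 2), "severity": severity(final)}


if __name__ == "__main__":
    series = build_series()
    # the spike: all three windows breached, boosts only push it to the cap
    print(classify(series, 255, {"isolation_forest": 1.0, "correlation": 1.0}))
    # an ordinary point: however loud the other methods are, they cannot
    # manufacture an alert without a base score from the z-score engine
    print(classify(series, 254, {"isolation_forest": 1.0, "dbscan": 1.0}))
```

The two calls in the `__main__` block are the behaviour the bullet list describes: at the spike all three windows are breached, so the base score is already 0.90 and the boosts only saturate it; at the ordinary point next to it the base score is 0.0, and even three methods all reporting 1.0 reach only the 0.25 cap, which is below the Warning band. Because the other methods enter only through `min(BOOST_CAP, ...)` and never subtract, one noisy method cannot suppress what the multi-window z-score has already found.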
What You See in the App
After detection completes, ThresholdIQ gives you four views:
- Timeline: Your data plotted over time with Warning/Critical/Emergency colour bands and anomaly markers
- Distribution: Severity breakdown by metric and dimension group
- Alert Log: Every anomaly with its score, reason, and the exact data point value
- Detection Signals: Which of the 9 methods fired, how many times, and at what severity — so you understand what the engine saw
No thresholds to configure. No rules to write. Just upload and detect.