惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

TaoSecurity Blog
TaoSecurity Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
F
Fortinet All Blogs
Cisco Talos Blog
Cisco Talos Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
S
Secure Thoughts
美团技术团队
雷峰网
雷峰网
Hugging Face - Blog
Hugging Face - Blog
博客园_首页
C
CXSECURITY Database RSS Feed - CXSecurity.com
Engineering at Meta
Engineering at Meta
人人都是产品经理
人人都是产品经理
月光博客
月光博客
T
Tor Project blog
P
Privacy & Cybersecurity Law Blog
Recorded Future
Recorded Future
I
Intezer
博客园 - 【当耐特】
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
GbyAI
GbyAI
罗磊的独立博客
V
V2EX
Google DeepMind News
Google DeepMind News
D
DataBreaches.Net
Last Week in AI
Last Week in AI
T
Tailwind CSS Blog
www.infosecurity-magazine.com
www.infosecurity-magazine.com
A
About on SuperTechFans
Scott Helme
Scott Helme
Vercel News
Vercel News
Spread Privacy
Spread Privacy
T
Threat Research - Cisco Blogs
Recent Announcements
Recent Announcements
Hacker News: Ask HN
Hacker News: Ask HN
C
CERT Recently Published Vulnerability Notes
G
Google Developers Blog
B
Blog
博客园 - 叶小钗
WordPress大学
WordPress大学
博客园 - 聂微东
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Jina AI
Jina AI
IT之家
IT之家
C
Cybersecurity and Infrastructure Security Agency CISA
P
Palo Alto Networks Blog
小众软件
小众软件
博客园 - Franky
Microsoft Azure Blog
Microsoft Azure Blog
AWS News Blog
AWS News Blog

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
The Closed-Loop Budget Brake: How a $5k Daily Cap Stopped 2 A.M. Compute Runaways
Muskan · 2026-05-15 · via DEV Community

Muskan

The 2 a.m. compute runaway is the canonical FinOps incident. A Spark job is misconfigured to provision new EMR nodes every minute it cannot find a leader. A test agent left running on a developer's laptop loops infinite Claude calls against the prod API key. An autoscaling group's max gets bumped from 20 to 2000 in a Terraform plan that nobody reviewed at the right line number. Everything is asleep. The hourly spend goes from $63 to $830 to $4,200. By 9 a.m. the team gets a Slack ping from finance asking why yesterday's bill spiked $47,000.

AWS Budgets fires a soft alert when daily spend crosses a threshold. The alert goes to an SNS topic that emails a distribution list and pings a Slack channel. Nobody reads the channel at 2 a.m. The on-call engineer is paged for production outages, not budget overages. By the time someone sees the alert, the damage is hours old and the runaway has either burned itself out or kept running because the alert did not actually stop anything.

The structural fix is to replace the email with an action. A closed-loop budget brake fires a remediation playbook when a hard daily cap is crossed: stop non-prod EC2 launches, pause non-prod autoscaling groups, freeze agent provisioning, throttle batch jobs, page the on-call. The 5-minute detect-decide-act-verify shape from the closed-loop FinOps work applies directly, with the cap value as the signal and the playbook as the action.

The piece composes with the closed-loop trust score (deciding which playbook tiers auto-fire) and runs alongside cost anomaly detection (which catches longer-horizon structural drift the brake cannot see).

The 2 a.m. runaway and why email alerts fail

Look at how the four common detection mechanisms catch a 2 a.m. runaway, and what they cost in dollars by the time someone acts.

Detection mechanism Time to detect Time to action Spend lost before action
AWS Budgets soft alert (email/Slack) 8-12 hours after threshold crossed Morning when someone reads it $30,000 to $80,000
Hourly cost alarm (custom CloudWatch) 60-90 minutes after spike begins Hours later if on-call is busy $5,000 to $15,000
Cost anomaly detection (AWS or vendor) 24-72 hours after pattern shifts After analyst review $50,000 to $200,000
Closed-loop budget brake 5-15 minutes after cap crossed Automatic playbook $500 to $2,000

The dollar gap between the soft alert and the brake is the case for the brake. Soft alerts are real signals, but they are signals that go to humans who are not actively monitoring at 2 a.m. The brake removes the "wait for a human" step from the loop.

The other detectors are not redundant. Hourly cost alarms catch slower-building issues the brake's daily cap might miss within a single day. Cost anomaly detection catches structural shifts (a new feature with legitimate higher spend, a pricing change, a seasonal pattern) over multi-day windows. The brake handles the within-day catastrophic runaway. Three detectors, three different horizons.

The brake: short-circuit, not email

The brake's shape is the same four-stage loop as any other closed-loop FinOps system, with the cap as the input signal.

diagram

Detect samples live spend at a 5-minute interval from Cost Explorer or the equivalent on GCP / Azure. Five minutes is the floor: the billing APIs are eventually consistent and finer-grained polling produces false negatives (real spend that has not yet shown up in the API). Decide compares the running daily total against the cap. If crossed, the brake fires a tiered playbook. Act runs the playbook. Verify samples spend again 15 minutes after the playbook fires, confirming the runaway has stopped.

The playbook is per-account and lives in version control. A typical Tier 1 payload contains six actions: stop all env=non-prod EC2 instances launched in the last 60 minutes, pause non-prod autoscaling group scale-outs by setting max_size = current_size, freeze agent provisioning by revoking the agent service role's ec2:RunInstances, throttle non-prod batch queues to zero concurrency, snapshot the spend-by-service breakdown to an S3 bucket for postmortem, and notify the FinOps channel with the breakdown.

The brake does not delete anything. Everything Tier 1 does is reversible in seconds. Spend stops; nothing breaks. The on-call wakes up to a "brake fired" page, reads the breakdown, decides whether the spend was legitimate (and reverses the playbook) or a runaway (and starts the postmortem).

Sizing the cap: three inputs, one formula

The cap value is not a guess. It is computed from three inputs that already exist in the cost data.

Input Source Notes
Typical daily spend Cost Explorer 7-day trailing average Smooths weekly seasonality
Variance multiplier Engineering judgement (1.5x to 2x) Absorbs legitimate daily spikes
Emergency floor Largest single-day spend in trailing 90d The "this happened once and was real" line

The formula: cap = max(typical * variance, emergency_floor + 20%).

Worked example for three account profiles:

Account profile Typical daily Variance (1.7x) Emergency floor Cap
Small (dev team of 12) $500 $850 $1,200 $1,440
Mid-market (50-engineer org) $1,500 $2,550 $4,200 $5,040
Large (200-engineer org) $10,000 $17,000 $24,000 $28,800

The 20% buffer on the emergency floor matters. A legitimate spike that happened once (a launch event, a load test, an unusual data migration) might not happen the same day next month, but the cap has to be high enough that the same pattern would not trip the brake if it recurs. Without the 20% buffer, the brake fires on every recurrence of every legitimate pattern, and the on-call learns to ignore it.

Cap recomputation happens monthly. The typical daily spend drifts as the company grows. The emergency floor may shift if a new legitimate workload pattern emerges. A static cap that lasts more than a quarter starts to over-fire or under-fire because the inputs moved.

Tier the action: composing with the trust score

The brake's playbook is tiered by what the trust score allows. Without the trust score, the brake either over-reaches (touches production resources, causes a customer-facing incident, gets disabled forever) or under-reaches (only pages, doesn't actually stop the spend).

Tier Trust threshold Resources touched Actions
Tier 1 Always-on env=non-prod only Stop new EC2 launches, pause ASG scale-outs, freeze agent provisioning, throttle batch queues
Tier 2 Trust > 0.7 ML training, ad-hoc analytics Downscale training jobs, throttle batch ingestion, pause notebook compute
Tier 3 Always pages env=prod Page on-call with breakdown; no auto-action

Tier 1 is always-on because the actions are low-blast-radius and fully reversible. Stopping a non-prod EC2 instance launched in the last 60 minutes affects only the developer who launched it, and they can re-launch in 90 seconds. Pausing a non-prod ASG scale-out blocks new capacity but does not terminate existing capacity.

Tier 2 needs the trust score because the actions have wider blast radius. Throttling a training job interrupts the team running it; downscaling notebook compute kicks people out of their analyses. The trust score asks: is the spend signal high-confidence enough (cap crossed by 2x+, multiple services contributing) to justify the disruption? If yes, fire. If no, page only.

Tier 3 always pages. The brake does not touch production resources, ever. The math is simple: a production-impacting incident caused by the brake costs more than any single-day cost runaway. The brake's job is to give the human enough time to fix the runaway before the bill is catastrophic, not to be the fix itself.

Cap vs anomaly detection: different time horizons

A common mistake is treating the brake as a replacement for cost anomaly detection. They are not the same system. They run on different signals and they fire on different timescales.

diagram

The brake answers "is something burning right now?" The signal is daily-spend-rate exceeds cap. The action is immediate playbook.

Anomaly detection answers "is the spending pattern different from what we expect?" The signal is statistical: spend by service over a multi-day window deviates from forecasted baseline. The action is queued analyst review, often with a recommendation to update budgets or investigate a new workload.

Both run. The brake catches the rare catastrophic runaway. Anomaly detection catches the steady-state drift (a new feature legitimately moving the spend curve, a pricing change at a vendor, a regional capacity shift). Each is useless for the other's job: anomaly detection cannot stop a 2 a.m. runaway because the analyst is not online; the brake cannot tell you that your spend has structurally shifted because it only sees the daily total.

The first-week tuning ritual

The brake gets tuned in its first two weeks. The cap value comes from the formula, but the formula's inputs are estimates. The actual firing rate in week one tells you whether the cap is right.

Week Firings/week Typical action Cap adjustment
1 3-6 Investigate each, classify real vs false positive Raise cap by 10-15% per false positive
2 1-3 Continue classification Raise/lower based on the week's data
3-4 0-1 Each firing produces a postmortem Stable
Steady state 0-2/month Each firing is real Recompute cap monthly

The classification at each firing matters. The on-call writes a one-paragraph postmortem: was this a runaway (which workload, what was the root cause, how long would it have run unchecked) or a legitimate spike (which team, why, was it within budget, why did the cap not anticipate it). False positives raise the cap. Real positives keep the cap and become input to the trust score weights.

The discipline that makes the brake trusted is that every firing produces a postmortem. Without postmortems, the team starts to debate "the brake fires too much," lower the cap to make it stop firing, and the brake silently becomes a $50k cap that catches nothing. With postmortems, the cap value is defensible and the trust accumulates.

The exempt-tag escape valve

Some workloads legitimately spike beyond the cap. ML training that goes from $200/day to $8,000/day during a three-day training run looks identical to a runaway under a daily cap. Ad-hoc analytics that spin up 50 BigQuery slots for a quarterly report look identical. The right fix is not "raise the cap to absorb all training spikes" because that defeats the brake. The right fix is to exempt the workload and route it through a different cap.

The pattern: any resource tagged brake_exempt=true is excluded from the daily-cap calculation. Exempt resources go into a separate weekly cap (typically 3x the equivalent daily cap times 7) that catches truly anomalous training or analytics spend.

Workload type Tag Cap horizon
Steady-state services (web, API, batch) (no tag) Daily
ML training jobs brake_exempt=true, brake_class=training Weekly
Quarterly analytics, BI rebuilds brake_exempt=true, brake_class=analytics Weekly
Disaster recovery test environments brake_exempt=true, brake_class=dr-test Per-event (manual cap)

The exempt tag has to be opt-in and reviewed. A team that wants to exempt their workload submits a one-page rationale to the FinOps team. The exemption is granted with an expiry date and a recompute schedule. Without that discipline, every team eventually tags their workload exempt and the brake erodes back to nothing.

The dollar math

A 2 a.m. runaway on a mid-market AWS account typically costs $30,000 to $80,000 by the time anyone notices. Larger accounts can hit $200,000+ before the morning Slack ping. The frequency is low but not negligible: ZopDev customer audits show one runaway every 4-7 months on mid-market accounts, more frequent during periods of rapid infrastructure change.

Item Cost / value
One prevented mid-market runaway $30,000 to $80,000 saved
One prevented large-account runaway $200,000+ saved
Annual frequency (typical mid-market) 1-2 runaways/year
Brake operating cost (half-time platform engineer) ~$30,000/year
Expected annual savings (mid-market) $30,000 to $160,000

The brake pays back after the first prevented incident. After that, it is one of the highest-ROI items on a FinOps roadmap, ahead of right-sizing and behind only the cost-allocation work that lets you see where the spend goes in the first place.

The brake is not a substitute for budgets, anomaly detection, or right-sizing. It is the layer that catches what those other systems are not designed to catch: the within-day catastrophic spend event. Email alerts go to inboxes. The brake fires a playbook. The 2 a.m. runaway becomes a 5-minute incident with a $1,500 ceiling instead of an 8-hour incident with an $80,000 ceiling. Set the cap, write the playbook, watch the first two weeks of firings, and stop arguing with the morning bill.