LLM budget alert cooldown and dedupe: stop notification noise

Why alert noise is expensive

Repeated notifications for the same incident reduce trust and delay containment.

Cooldown and dedupe preserve signal quality so teams act quickly on real spend risk.

Default policy baseline

• Cooldown default: 300 seconds (5 minutes)
• Dedupe by incident key (scope + metric + threshold window)
• Severity transitions allowed: warning -> critical
• Every alert links to investigation window and dominant driver

Tuning strategy by workspace maturity

1. Start with default cooldown and review false-positive rate weekly.
2. Increase cooldown for noisy low-value endpoints.
3. Lower cooldown only when incident ownership is mature.
4. Keep warning/exceeded transitions visible even with dedupe.

What to validate in alerts inbox

• cooldownApplied and dedupeApplied flags are shown
• investigation range opens with correct baseline
• alert type and threshold match policy configuration
• delivery mode aligns with team cadence (immediate/daily/weekly)

What to alert on

• burn-rate acceleration vs baseline
• endpointTag concentration changes in short windows
• unexpected tenant concentration in Top Users
• budget warning, spend-alert, and exceeded state transitions

Execution checklist

1. Confirm alert is real: dataMode, environment, and time window.
2. Identify dominant endpointTag and tenant/user contributors.
3. Contain: cap output, lower max tokens, or throttle non-critical paths.
4. Assign one incident owner and one communication channel.
5. Update policy thresholds or ownership to prevent repeat incidents.

FAQ

Related guides

• Full guide: LLM budget alert policy: thresholds and escalation
• Budget exceeded response playbook
• AI anomaly thresholds guide
• LLM cost attribution pillar
• No-proxy telemetry quickstart
• Quickstart (5-minute setup)
• Alternatives and tradeoffs
• Prompt deploy regressions pillar

Evaluation resources

For security and procurement reviews, use our trust summary before final tool selection.