The Incident Response Problem

Every incident follows a predictable pattern. First, something changes in the infrastructure. Then, the change causes a symptom. Then, someone notices the symptom and pages the on-call engineer. Then, the on-call engineer spends 30 minutes figuring out what changed.

The gap between "something changed" and "someone noticed" is where incidents grow from minor blips to major outages.

According to the 2025 Incident Management Benchmark Report:

67% of P1 incidents were preceded by an infrastructure change in the previous 2 hours
43% of incident response time is spent on detection and diagnosis — not remediation
The average time between a change occurring and someone noticing is 23 minutes
Every minute of delay multiplies incident impact by an average of 2.3x

How Knowledge Tree's AI Changes the Game

Knowledge Tree's AI anomaly detection module monitors your knowledge graph in real-time and correlates changes with historical incident patterns. Instead of waiting for an alarm to fire, it predicts which changes are likely to cause problems.

Real-Time Graph Monitoring

Every change to your infrastructure creates an event in the knowledge graph:

Event: Security group sg-web-prod modified
  ├── Rule added: port 443 from 0.0.0.0/0 → OK (expected)
  ├── Rule added: port 3306 from 0.0.0.0/0 → WARN (MySQL exposed!)
  └── Rule added: port 22 from 0.0.0.0/0 → ALERT (SSH exposed!)

The AI engine evaluates each change against:

Historical patterns: "Port 3306 exposure has caused 3 incidents this year"
Resource criticality: "This security group is attached to the payment-processing service"
Dependency impact: "This change affects 12 downstream services"
Compliance violations: "SSH from 0.0.0.0/0 violates SOC 2 CC6.6"

Anomaly Scoring

Each change receives an anomaly score from 0 (normal) to 100 (critical):

$ kt-discover ai anomalies --since 1h

Anomalous Changes (last 1 hour):
  Score │ Change │ Impact
  92    │ IAM policy 'admin-policy' attached to user 'ci-bot'       │ 200 resources affected
  78    │ Security group 'sg-payments' opened port 3306 to 0.0.0.0/0 │ Database exposure risk
  45    │ EC2 instance 'worker-07' terminated in auto-scaling group   │ Normal scaling event
  12    │ Route53 A record updated for 'api.example.com'              │ Expected change

The high-scoring anomalies are automatically surfaced to the on-call team through PagerDuty, Slack, or email — before they cause an incident.

Automated Blast Radius Analysis

When a critical change is detected, Knowledge Tree automatically generates a blast radius report:

Change: IAM policy 'admin-policy' attached to user 'ci-bot'
Score: 92

Blast Radius:
  Policies granted:
    - ec2:Describe* (all resources)
    - s3:GetObject (all buckets)
    - iam:CreateUser (all accounts)
    - kms:Decrypt (all keys)

  Resources accessible:
    - 1,247 EC2 instances across 12 accounts
    - 3,892 S3 buckets including 'secure-payments-data'
    - 47 KMS keys for production encryption

  Recommended action: Detach policy immediately and rotate credentials.

This kind of analysis normally requires a senior security engineer and 30-45 minutes. Knowledge Tree generates it in milliseconds.

Machine Learning Models

The anomaly detection system uses several ML models working in concert:

1. Baseline Model

Establishes normal behavior patterns for every resource type:

"This security group typically sees 1-2 changes per week"
"This deployment typically rolls out every Tuesday at 14:00 UTC"
"This EC2 auto-scaling group maintains 6-8 instances"

When behavior deviates significantly from the baseline, the anomaly score increases.

2. Correlation Model

Learns which types of changes have historically led to incidents:

# Simplified correlation logic
patterns = {
    "security_group_wide_open": {
        "precedes_incidents": 0.87,
        "typical_lag": "12-45 minutes",
        "incident_types": ["security_breach", "data_exposure"]
    },
    "iam_policy_escalation": {
        "precedes_incidents": 0.93,
        "typical_lag": "immediate",
        "incident_types": ["privilege_escalation", "data_exfiltration"]
    },
    "terraform_state_mismatch": {
        "precedes_incidents": 0.61,
        "typical_lag": "2-6 hours",
        "incident_types": ["deployment_failure", "configuration_drift"]
    }
}

3. Impact Model

Calculates the potential blast radius based on the knowledge graph:

Impact = Number of affected resources × Criticality factor × Dependency depth

A change near the root of your dependency tree (a load balancer, a database, an IAM policy) has a much higher impact score than a change at the edge.

Real Scenario: Preventing a Data Breach

A Knowledge Tree customer running an e-commerce platform received an anomaly alert at 3:42 AM:

ALERT: Anomaly score 96
Change: IAM role 'ecs-task-role' granted s3:GetObject on 'customer-data-prod'
User: jenkins-deploy-user
Time: 03:42:17 UTC

The AI had identified that this IAM role was attached to a container task that had been exploited in a previous security incident. The correlation model flagged it as a potential re-exploitation attempt.

The on-call engineer investigated:

Change history: The Jenkins user had never modified IAM policies outside business hours
Context: No deployment was running at 3:42 AM
Impact: The role had access to 14 S3 buckets with customer PII

The engineer revoked the change immediately. The security team later confirmed it was an attempted credential-stuffing attack. The anomaly detection had saved an estimated $2-5 million in potential breach costs.

Incident Response Automation

Beyond detection, Knowledge Tree can automate response actions:

Anomaly Type	Automated Response
Security group wide open	Revert change, notify security team
IAM policy escalation	Detach policy, disable access key, alert
Unknown deployment	Pause rollout, capture deployment manifest, alert
Orphaned resource creation	Tag for review, add to cost tracking
Cross-account access change	Require secondary approval, log evidence for SOC 2

These automated responses can reduce MTTR from hours to seconds for common incident patterns.

Integration with Existing Tools

Knowledge Tree's anomaly detection integrates with your existing incident management stack:

PagerDuty: Create incidents for high-scoring anomalies
Slack: Post change summaries with blast radius to channels
Jira: Create tickets for changes requiring manual review
OpsGenie: Alert on-call teams with contextual data
ServiceNow: Log changes with complete infrastructure context

Getting Started

AI anomaly detection is available in the Business and Enterprise plans:

Enable monitoring — Connect your infrastructure and let the models learn baselines (typically 7-14 days)
Configure alerts — Set thresholds for anomaly scores and notification channels
Review insights — The AI dashboard shows trends, patterns, and recommended actions
Automate responses — Set up automated remediation for common patterns

The system is most effective after 2 weeks of baseline learning, but starts providing value immediately with pre-trained models based on thousands of infrastructure deployments.

Don't wait for incidents. Predict them. Book a demo to see AI anomaly detection in action.

AI-Powered Incident Response: How Knowledge Tree Detects Anomalies Before They Become Outages