Security teams focus on logs, network flows, and threat intelligence. Finance teams watch cost dashboards. But there's a valuable overlap: many security incidents create abnormal cost patterns that FinOps tools can detect.
Cost Anomalies as Security Signals
Cryptomining
Cryptomining is the most common cloud security incident. Attackers gain access to your cloud account and spin up GPU or high-CPU instances to mine cryptocurrency. The first sign is often a massive spike in compute costs.
Cost signal: Sudden appearance of GPU instances (P100, V100 shapes on OCI) or large numbers of compute instances in unusual regions.
Data Exfiltration
When attackers steal data, they need to move it out of your cloud. This creates data transfer costs.
Cost signal: Unexpected spike in outbound data transfer, especially from regions or services that don't normally generate egress traffic.
Resource Hijacking
Compromised accounts might be used to provision resources for DDoS attacks, spam relays, or as jump points for other attacks.
Cost signal: New resources appearing in compartments with no recent deployment activity, or resources in regions your organization doesn't use.
Abandoned Attack Infrastructure
Attackers sometimes provision resources and don't clean up after themselves. These "orphaned" attack resources continue to incur costs.
Cost signal: Resources with no associated application traffic but steady compute charges.
Building a Cost-Security Feedback Loop
1. Share Anomaly Alerts
Configure OCIFinOps anomaly alerts to go to both the FinOps team and the security team. A cost spike that finance dismisses as "growth" might be a red flag for security.
2. Correlate with Security Events
When you detect a cost anomaly, cross-reference with:
• OCI Audit logs (was there unusual API activity?)
• Authentication logs (any new or unauthorized access?)
• Network flow logs (unusual traffic patterns?)
3. Geographic Awareness
Most organizations use only a few OCI regions. Costs appearing in unexpected regions warrant immediate investigation — both from a cost and security perspective.
4. Resource Type Monitoring
Establish a baseline of resource types your organization uses. If GPU instances suddenly appear and nobody requested them, investigate immediately.
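The region and resource-type baselines from steps 3 and 4, together with the egress signal described earlier, can be expressed as a small triage script. This is an added example, not OCIFinOps code: the row layout, baseline values, thresholds and sample rows are all constructed assumptions.

```python
from collections import defaultdict

# Assumed baseline for a hypothetical organization (not from the article).
APPROVED_REGIONS = {"us-ashburn-1", "eu-frankfurt-1"}
APPROVED_SHAPE_PREFIXES = ("VM.Standard",)   # anything else (e.g. GPU) is unexpected
EGRESS_SPIKE_FACTOR = 3.0                    # today vs. trailing daily mean
MIN_EGRESS_USD = 20.0                        # ignore trivial egress charges

# Constructed daily cost rows: (day, region, compartment, category, shape, cost_usd)
ROWS = [
    ("2024-05-01", "us-ashburn-1", "prod", "compute", "VM.Standard.E4.Flex", 310.0),
    ("2024-05-01", "us-ashburn-1", "prod", "egress", "", 42.0),
    ("2024-05-01", "eu-frankfurt-1", "prod", "egress", "", 12.0),
    ("2024-05-02", "us-ashburn-1", "prod", "egress", "", 40.0),
    ("2024-05-02", "eu-frankfurt-1", "prod", "egress", "", 14.0),
    ("2024-05-03", "us-ashburn-1", "prod", "compute", "VM.Standard.E4.Flex", 305.0),
    ("2024-05-03", "us-ashburn-1", "prod", "egress", "", 45.0),
    ("2024-05-03", "eu-frankfurt-1", "prod", "egress", "", 95.0),
    ("2024-05-03", "us-ashburn-1", "dev", "compute", "VM.GPU3.1", 180.0),
    ("2024-05-03", "us-phoenix-1", "sandbox", "compute", "VM.Standard.E4.Flex", 2400.0),
]

def find_anomalies(rows, today):
    """Return (signal, region, compartment, cost) tuples for today's rows."""
    history = defaultdict(list)          # prior egress per (region, compartment)
    for day, region, comp, category, _shape, cost in rows:
        if category == "egress" and day < today:
            history[(region, comp)].append(cost)

    findings = []
    for day, region, comp, category, shape, cost in rows:
        if day != today or cost <= 0:
            continue
        if region not in APPROVED_REGIONS:
            findings.append(("unused-region", region, comp, cost))
        if category == "compute" and not shape.startswith(APPROVED_SHAPE_PREFIXES):
            findings.append(("unapproved-shape", region, comp, cost))
        if category == "egress":
            past = history.get((region, comp), [])
            baseline = sum(past) / len(past) if past else 0.0
            if cost > max(baseline * EGRESS_SPIKE_FACTOR, MIN_EGRESS_USD):
                findings.append(("egress-spike", region, comp, cost))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(ROWS, "2024-05-03"):
        print("escalate to security:", finding)
```

Each finding names the region and compartment to pivot on when cross-referencing Audit, authentication and network flow logs as described in step 2.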
Case Study: Catching a Compromised Account
A customer noticed that OCIFinOps flagged an anomaly: compute costs in the us-phoenix-1 region (which they don't use) jumped from $0 to $2,400 in a single day. Investigation revealed:
1. An API key had been committed to a public GitHub repository
2. An attacker used the key to provision 48 compute instances
3. The instances were mining cryptocurrency
The cost anomaly was detected within hours. Without cost monitoring, the breach might have continued for weeks or months.
Practical Steps
1. Enable OCIFinOps anomaly detection across all compartments and regions
2. Set high sensitivity for regions and compartments you don't actively use
3. Create a playbook: "When a cost anomaly appears in an unused region, escalate to security immediately"
4. Include cost dashboards in your security operations center (SOC) monitoring
Cost monitoring won't replace your security stack, but it's a valuable additional signal that catches incidents that traditional security tools might miss — because attackers can hide their code, but they can't hide the bill.