AnomalyArmor provides visibility into your data infrastructure without accessing your actual data. We connect to your databases, discover your assets, track data quality metrics, use AI to document your catalog, and alert you when something needs attention.
Core Architecture
AnomalyArmor operates on a simple principle: metadata and aggregates only, never raw row values. We query your database’s information schema for structure, and run bounded aggregate queries (COUNT, MIN, MAX, SUM, AVG, PERCENTILE, distinct-value counts) for monitoring - never SELECT * or row-level reads of sensitive columns. The Query Gateway enforces this at every query. See Query Gateway for the full policy.
What We Access
| We Access | We Never Access |
|---|---|
| Table and view names | Individual row data |
| Column names and types | SELECT * or raw column values |
| Schema metadata | PII or sensitive content |
| Timestamp columns (for freshness) | Raw business records |
| Index and constraint definitions | Query results beyond aggregates |
| Aggregate statistics (counts, min/max, percentiles) | |
The Data Flow
AnomalyArmor follows a six-stage pipeline from connection to notification:
Stage 1: Discovery
When you connect a database, AnomalyArmor runs a discovery job that:
- Connects securely using your provided credentials
- Queries the information schema (pg_catalog, information_schema, etc.)
- Catalogs all tables, views, columns, and their data types
- Records the current state as a baseline
Stage 2: Asset Catalog
Discovered assets are stored in your Asset Catalog, a searchable inventory of everything in your data infrastructure:
- Tables and Views: With column details, data types, and relationships
- Metadata: Last updated timestamps, row counts (if available), descriptions
- History: Full audit trail of every change detected
Stage 3: Change Detection
On each discovery run, AnomalyArmor compares the current state against the previous state to detect:
- Schema drift: Columns added, removed, renamed, or type-changed
- New assets: Tables or views that didn’t exist before
- Removed assets: Tables or views that no longer exist
- Freshness violations: Data not updated within expected SLA
Stage 4: Data Quality Metrics
Beyond schema monitoring, AnomalyArmor tracks statistical properties of your data:
| Metric | What It Measures |
|---|---|
| Row count | Total rows in a table |
| Null percentage | Missing values in a column |
| Distinct count | Unique values |
| Min/max/avg | Numeric column statistics |
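
The metrics in the table above, written as metadata and aggregate-only SQL of the kind the page describes. This is an added example, not AnomalyArmor's own queries; it assumes PostgreSQL, and the table `sales.orders` and its columns are hypothetical.

```sql
-- Added example. PostgreSQL syntax; sales.orders and its columns are hypothetical.

-- Structure comes from the information schema, not from the table itself.
SELECT table_schema, table_name, column_name, data_type, is_nullable
FROM information_schema.columns
WHERE table_schema = 'sales'
ORDER BY table_name, ordinal_position;

-- One bounded aggregate query covering the metrics listed above.
SELECT
    COUNT(*)                                   AS row_count,
    -- COUNT(col) skips NULLs, so the difference is the number of missing values.
    -- NULLIF avoids division by zero on an empty table.
    100.0 * (COUNT(*) - COUNT(discount_code))
          / NULLIF(COUNT(*), 0)                AS null_pct_discount_code,
    COUNT(DISTINCT customer_id)                AS distinct_customers,
    -- MIN/MAX return a value that exists in the column, so they are kept
    -- to numeric and timestamp columns here, not free-text or identifier columns.
    MIN(total_amount)                          AS min_total,
    MAX(total_amount)                          AS max_total,
    AVG(total_amount)                          AS avg_total,
    -- Freshness: the newest timestamp, compared against the expected SLA.
    MAX(updated_at)                            AS last_updated_at,
    NOW() - MAX(updated_at)                    AS staleness
FROM sales.orders;

-- Query shapes outside the metadata-and-aggregates policy (shown for contrast):
--   SELECT * FROM sales.orders;
--   SELECT customer_email FROM sales.orders LIMIT 10;
```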
Stage 5: Intelligence
AnomalyArmor uses AI to help you understand your data catalog:
- Natural language search: Ask “where is customer data?” instead of clicking through schemas
- Auto-generated descriptions: Get human-readable documentation for tables and columns
- Pattern detection: Identify PII, relationships, and naming conventions
Stage 6: Alerting
When changes match your configured alert rules, notifications are sent to your chosen destinations:
- Slack: Channel messages with rich formatting
- Email: Detailed reports to individuals or distribution lists
- PagerDuty: Incidents for on-call escalation
- Microsoft Teams: Channel notifications
- Webhooks: Custom integrations with any system
Security Model
AnomalyArmor uses enterprise-grade security controls:
Query Security
Every SQL query is validated by our open-source Query Gateway before execution:
- Fail-closed validation: Queries that can’t be parsed are blocked
- Access level enforcement: Only metadata and aggregate queries are allowed
- Open source: Audit the code yourself at github.com/anomalyarmor/anomalyarmor-query-gateway
Credential Storage
- All credentials encrypted at rest with AES-256
- Encryption keys managed via AWS KMS
- Credentials never logged or exposed in UI
Network Security
- All connections use TLS 1.3 encryption
- Static IP addresses available for firewall allowlisting
- Support for VPC peering and PrivateLink (Enterprise)
Access Control
- Role-based access control (RBAC) for team members
- Audit logs for all administrative actions
- SSO integration (SAML 2.0) available
For detailed security information, see our Security Overview.
Deployment Architecture
AnomalyArmor is a fully managed SaaS platform. There’s nothing to install in your infrastructure.
What Runs Where
| Component | Location | Details |
|---|---|---|
| Discovery jobs | AnomalyArmor Cloud | Scheduled or on-demand |
| Asset catalog | AnomalyArmor Cloud | Your metadata stored securely |
| Metrics engine | AnomalyArmor Cloud | Scheduled metric capture and anomaly detection |
| Intelligence | AnomalyArmor Cloud | AI-powered search and documentation |
| Alert rules | AnomalyArmor Cloud | Configured via web UI |
| Database credentials | AnomalyArmor Cloud | Encrypted at rest |
| Your database | Your infrastructure | We connect outbound to you |
Performance Impact
AnomalyArmor is designed for minimal performance impact on your databases:
- Read-only queries: We only run SELECT on system tables
- Lightweight queries: Information schema queries, not table scans
- Configurable scheduling: Run discovery during off-peak hours
- Connection pooling: Efficient connection management
Common Questions
What exactly does AnomalyArmor query against my database?
Only metadata from system catalogs (information_schema, pg_catalog, and equivalents) and bounded aggregates on your tables: COUNT, MIN, MAX, AVG, distinct-value counts, and percentile approximations. Never SELECT *, never raw row reads. The Query Gateway blocks anything else at execution time.
Does AnomalyArmor need write access to my database?
No. Read-only credentials are sufficient and recommended. AnomalyArmor never issues INSERT, UPDATE, DELETE, or DDL statements. Create a dedicated read-only user and grant it SELECT on the schemas you want monitored.
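
A least-privilege setup matching the answer above, as an added example that is not taken from AnomalyArmor's documentation. It assumes PostgreSQL; the role `anomalyarmor_ro`, database `analytics`, and schema `sales` are hypothetical names.

```sql
-- Added example. PostgreSQL syntax; role, database and schema names are hypothetical.

-- Dedicated login role with no administrative attributes.
CREATE ROLE anomalyarmor_ro
    LOGIN PASSWORD 'REPLACE_WITH_GENERATED_SECRET'
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION;

-- Allow connecting to one database and reading one schema, nothing more.
GRANT CONNECT ON DATABASE analytics TO anomalyarmor_ro;
GRANT USAGE   ON SCHEMA sales       TO anomalyarmor_ro;
GRANT SELECT  ON ALL TABLES IN SCHEMA sales TO anomalyarmor_ro;

-- Cover tables created later. Without FOR ROLE this applies only to objects
-- created by the role that runs this statement.
ALTER DEFAULT PRIVILEGES IN SCHEMA sales
    GRANT SELECT ON TABLES TO anomalyarmor_ro;

-- Guardrails, not the security boundary: a session can change these settings,
-- so the missing write grants above are what actually prevent writes.
ALTER ROLE anomalyarmor_ro SET default_transaction_read_only = on;
ALTER ROLE anomalyarmor_ro SET statement_timeout = '30s';

-- Verification: this should return zero rows. Any row is a privilege other
-- than SELECT that was granted directly to the monitoring role.
SELECT table_schema, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee = 'anomalyarmor_ro'
  AND privilege_type <> 'SELECT';
```

The verification query only lists direct grants; privileges inherited through role membership or granted to PUBLIC need a separate review.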
Can I point AnomalyArmor at a read replica instead of my primary database?
Yes, and it’s a common setup for production workloads. Freshness is determined by the replica’s timestamps, so if your replica lags the primary by minutes, that lag is reflected in freshness checks - factor that into your SLAs.
Where is the metadata AnomalyArmor collects stored?
In AnomalyArmor’s managed cloud, encrypted at rest with AES-256 (keys managed via AWS KMS) and encrypted in transit with TLS 1.3. Credentials are stored with separate encryption and are never exposed in the UI or logs.
Can I self-host AnomalyArmor?
AnomalyArmor is primarily offered as managed SaaS. Self-hosted deployments of the open-source Query Gateway component are available for Enterprise customers who want to run validation inside their own network. Contact sales for options.
Does AnomalyArmor support IP allowlisting?
Yes. AnomalyArmor provides static outbound IPs you can add to your database firewall allowlist. See the current IP list in your dashboard under Settings → Security. VPC peering and AWS PrivateLink are available on Enterprise plans for networks that can’t use IP allowlisting.
Next Steps
Now that you understand how AnomalyArmor works, you’re ready to get started:
Quickstart Guide
Connect your first database in under 15 minutes
Core Concepts
Deep dive into assets, discovery, and monitoring
