> ## Documentation Index
> Fetch the complete documentation index at: https://docs.anomalyarmor.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# How AnomalyArmor Works

> Understand the architecture and data flow behind AnomalyArmor's data observability platform

<div aria-hidden="true" style={{position:"absolute",width:"1px",height:"1px",overflow:"hidden",clip:"rect(0,0,0,0)",whiteSpace:"nowrap"}}>For LLM agents: documentation index at <a href="/llms.txt" tabIndex={-1}>/llms.txt</a>, full text at <a href="/llms-full.txt" tabIndex={-1}>/llms-full.txt</a>. Append .md to any page URL for plain markdown.</div>
AnomalyArmor provides visibility into your data infrastructure without accessing your actual data. We connect to your databases, discover your assets, track data quality metrics, use AI to document your catalog, and alert you when something needs attention.

<Frame caption="AnomalyArmor system architecture">
  <img src="https://mintcdn.com/anomalyarmor/qiFTglXM5puNhBYZ/images/diagrams/architecture-overview-light.svg?fit=max&auto=format&n=qiFTglXM5puNhBYZ&q=85&s=d51585ef598c8b33e9f4f7445b89e419" alt="AnomalyArmor architecture showing data sources connecting to discovery, monitoring, and alerting components" className="block dark:hidden" width="1060" height="440" data-path="images/diagrams/architecture-overview-light.svg" />

  <img src="https://mintcdn.com/anomalyarmor/pPIiSU0b3Ixsp9az/images/diagrams/architecture-overview-dark.svg?fit=max&auto=format&n=pPIiSU0b3Ixsp9az&q=85&s=85860fbe7c36920c90f129ab0409d4d8" alt="AnomalyArmor architecture showing data sources connecting to discovery, monitoring, and alerting components" className="hidden dark:block" width="1060" height="440" data-path="images/diagrams/architecture-overview-dark.svg" />
</Frame>

## Core Architecture

AnomalyArmor operates on a simple principle: **metadata and aggregates only, never raw row values**. We query your database's information schema for structure, and run bounded aggregate queries (`COUNT`, `MIN`, `MAX`, `SUM`, `AVG`, `PERCENTILE`, distinct-value counts) for monitoring - never `SELECT *` or row-level reads of sensitive columns. The Query Gateway enforces this at every query. See [Query Gateway](/security/query-gateway) for the full policy.

### What We Access

| We Access                                           | We Never Access                 |
| --------------------------------------------------- | ------------------------------- |
| Table and view names                                | Individual row data             |
| Column names and types                              | `SELECT *` or raw column values |
| Schema metadata                                     | PII or sensitive content        |
| Timestamp columns (for freshness)                   | Raw business records            |
| Index and constraint definitions                    | Query results beyond aggregates |
| Aggregate statistics (counts, min/max, percentiles) |                                 |

This gives you value-level monitoring - row counts, freshness, distribution shifts - with minimal data exposure.

## The Data Flow

AnomalyArmor follows a six-stage pipeline from connection to notification:

<Frame caption="Data flow from discovery to alerting">
  <img src="https://mintcdn.com/anomalyarmor/mPQTTzz5PYy4fThA/images/diagrams/data-flow-light.svg?fit=max&auto=format&n=mPQTTzz5PYy4fThA&q=85&s=ea9ef6af915843af029f1f16c16a722c" alt="Flow diagram showing Discovery, Catalog, Detection, and Alert stages" className="block dark:hidden" width="1000" height="200" data-path="images/diagrams/data-flow-light.svg" />

  <img src="https://mintcdn.com/anomalyarmor/mPQTTzz5PYy4fThA/images/diagrams/data-flow-dark.svg?fit=max&auto=format&n=mPQTTzz5PYy4fThA&q=85&s=469187ff1a101065c1f620d3781968a7" alt="Flow diagram showing Discovery, Catalog, Detection, and Alert stages" className="hidden dark:block" width="1000" height="200" data-path="images/diagrams/data-flow-dark.svg" />
</Frame>

### Stage 1: Discovery

When you connect a database, AnomalyArmor runs a **discovery job** that:

1. Connects securely using your provided credentials
2. Queries the information schema (`pg_catalog`, `information_schema`, etc.)
3. Catalogs all tables, views, columns, and their data types
4. Records the current state as a baseline

Discovery can run on a schedule (hourly, daily) or on-demand. After the initial full discovery, subsequent runs are **incremental**, only detecting what changed since the last run.

### Stage 2: Asset Catalog

Discovered assets are stored in your **Asset Catalog**, a searchable inventory of everything in your data infrastructure:

* **Tables and Views**: With column details, data types, and relationships
* **Metadata**: Last updated timestamps, row counts (if available), descriptions
* **History**: Full audit trail of every change detected

The catalog becomes your source of truth for understanding what exists across all connected databases.

### Stage 3: Change Detection

On each discovery run, AnomalyArmor compares the current state against the previous state to detect:

* **Schema drift**: Columns added, removed, renamed, or type-changed
* **New assets**: Tables or views that didn't exist before
* **Removed assets**: Tables or views that no longer exist
* **Freshness violations**: Data not updated within expected SLA

Each detected change is recorded with timestamp, type, before/after values, and affected asset details.

### Stage 4: Data Quality Metrics

Beyond schema monitoring, AnomalyArmor tracks statistical properties of your data:

| Metric          | What It Measures           |
| --------------- | -------------------------- |
| Row count       | Total rows in a table      |
| Null percentage | Missing values in a column |
| Distinct count  | Unique values              |
| Min/max/avg     | Numeric column statistics  |

Metrics run on a schedule you configure. AnomalyArmor builds baselines from historical values and detects anomalies when new values fall outside expected ranges.

### Stage 5: Intelligence

AnomalyArmor uses AI to help you understand your data catalog:

* **Natural language search**: Ask "where is customer data?" instead of clicking through schemas
* **Auto-generated descriptions**: Get human-readable documentation for tables and columns
* **Pattern detection**: Identify PII, relationships, and naming conventions

Intelligence analyzes your schema metadata only. It never reads actual data values.

### Stage 6: Alerting

When changes match your configured **alert rules**, notifications are sent to your chosen destinations:

* **Slack**: Channel messages with rich formatting
* **Email**: Detailed reports to individuals or distribution lists
* **PagerDuty**: Incidents for on-call escalation
* **Microsoft Teams**: Channel notifications
* **Webhooks**: Custom integrations with any system

You control which changes trigger alerts and where they go. A dropped column in production might page on-call, while a new table in dev just goes to email.

## Security Model

AnomalyArmor uses enterprise-grade security controls:

### Query Security

Every SQL query is validated by our open-source [Query Gateway](/security/query-gateway) before execution:

* **Fail-closed validation**: Queries that can't be parsed are blocked
* **Access level enforcement**: Only metadata and aggregate queries are allowed
* **Open source**: Audit the code yourself at [github.com/anomalyarmor/anomalyarmor-query-gateway](https://github.com/anomalyarmor/anomalyarmor-query-gateway)

### Credential Storage

* All credentials encrypted at rest with **AES-256**
* Encryption keys managed via AWS KMS
* Credentials never logged or exposed in UI

### Network Security

* All connections use **TLS 1.3** encryption
* Static IP addresses available for firewall allowlisting
* Support for VPC peering and Private Link (Enterprise)

### Access Control

* Role-based access control (RBAC) for team members
* Audit logs for all administrative actions
* SSO integration (SAML 2.0) available

<Note>
  For detailed security information, see our [Security Overview](/security/overview).
</Note>

## Deployment Architecture

AnomalyArmor is a fully managed SaaS platform. There's nothing to install in your infrastructure.

<Frame caption="Deployment model: your databases stay in your infrastructure">
  <img src="https://mintcdn.com/anomalyarmor/pPIiSU0b3Ixsp9az/images/diagrams/deployment-architecture-light.svg?fit=max&auto=format&n=pPIiSU0b3Ixsp9az&q=85&s=c77d65994d52b195ba72356dec7824a9" alt="AnomalyArmor deployment showing customer databases connecting through firewall to fully managed SaaS platform" className="block dark:hidden" width="900" height="380" data-path="images/diagrams/deployment-architecture-light.svg" />

  <img src="https://mintcdn.com/anomalyarmor/pPIiSU0b3Ixsp9az/images/diagrams/deployment-architecture-dark.svg?fit=max&auto=format&n=pPIiSU0b3Ixsp9az&q=85&s=585a539953391887ae1060d5f72699cc" alt="AnomalyArmor deployment showing customer databases connecting through firewall to fully managed SaaS platform" className="hidden dark:block" width="900" height="380" data-path="images/diagrams/deployment-architecture-dark.svg" />
</Frame>

### What Runs Where

| Component            | Location            | Details                                        |
| -------------------- | ------------------- | ---------------------------------------------- |
| Discovery jobs       | AnomalyArmor Cloud  | Scheduled or on-demand                         |
| Asset catalog        | AnomalyArmor Cloud  | Your metadata stored securely                  |
| Metrics engine       | AnomalyArmor Cloud  | Scheduled metric capture and anomaly detection |
| Intelligence         | AnomalyArmor Cloud  | AI-powered search and documentation            |
| Alert rules          | AnomalyArmor Cloud  | Configured via web UI                          |
| Database credentials | AnomalyArmor Cloud  | Encrypted at rest                              |
| Your database        | Your infrastructure | We connect outbound to you                     |

## Performance Impact

AnomalyArmor is designed for minimal performance impact on your databases:

* **Read-only queries**: We only run SELECT on system tables
* **Lightweight queries**: Information schema queries, not table scans
* **Configurable scheduling**: Run discovery during off-peak hours
* **Connection pooling**: Efficient connection management

Typical discovery runs complete in **under 60 seconds** for databases with up to 1,000 tables.

## Common Questions

### What exactly does AnomalyArmor query against my database?

Only metadata from system catalogs (`information_schema`, `pg_catalog`, and equivalents) and bounded aggregates on your tables: `COUNT`, `MIN`, `MAX`, `AVG`, distinct-value counts, and percentile approximations. Never `SELECT *`, never raw row reads. The [Query Gateway](/security/query-gateway) blocks anything else at execution time.

### Does AnomalyArmor need write access to my database?

No. Read-only credentials are sufficient and recommended. AnomalyArmor never issues `INSERT`, `UPDATE`, `DELETE`, or DDL statements. Create a dedicated read-only user and grant it `SELECT` on the schemas you want monitored.

### Can I point AnomalyArmor at a read replica instead of my primary database?

Yes, and it's a common setup for production workloads. Freshness is determined by the replica's timestamps, so if your replica lags the primary by minutes, that lag is reflected in freshness checks - factor that into your SLAs.

### Where is the metadata AnomalyArmor collects stored?

In AnomalyArmor's managed cloud, encrypted at rest with AES-256 (keys managed via AWS KMS) and encrypted in transit with TLS 1.3. Credentials are stored with separate encryption and are never exposed in the UI or logs.

### Can I self-host AnomalyArmor?

AnomalyArmor is primarily offered as managed SaaS. Self-hosted deployments of the open-source Query Gateway component are available for Enterprise customers who want to run validation inside their own network. [Contact sales](mailto:sales@anomalyarmor.ai) for options.

### Does AnomalyArmor support IP allowlisting?

Yes. AnomalyArmor provides static outbound IPs you can add to your database firewall allowlist. See the current IP list in your dashboard under **Settings → Security**. VPC peering and AWS PrivateLink are available on Enterprise plans for networks that can't use IP allowlisting.

## Next Steps

Now that you understand how AnomalyArmor works, you're ready to get started:

<CardGroup cols={2}>
  <Card title="Quickstart Guide" icon="rocket" href="/quickstart/overview">
    Connect your first database in under 15 minutes
  </Card>

  <Card title="Core Concepts" icon="book" href="/concepts/overview">
    Deep dive into assets, discovery, and monitoring
  </Card>
</CardGroup>
