Alerts & Escalation
How StackSpend generates alerts, routes them to the right people, escalates unresolved issues, and notifies your team via email and Slack.
Where alerts come from
Every alert in StackSpend originates from one of two sources:
| Source | When it fires | Learn more |
|---|---|---|
| Anomaly detection | After every sync. StackSpend compares the latest spend against a per-provider baseline and fires when the deviation is statistically significant. | Anomaly detection |
| Budget thresholds | When monthly spend for a provider crosses 50%, 80%, or 100% of its configured budget. | Budgets |
Alert severity
Anomaly alerts are assigned a severity based on how far spend deviated from the normal range and the absolute dollar impact. Budget alerts are assigned severity based on which threshold was crossed.
| Severity | Meaning |
|---|---|
| Low | Minor deviation — worth noting, unlikely to require immediate action. |
| Medium | Moderate deviation — review soon. |
| High | Significant deviation — investigate promptly. |
| Critical | Large deviation or 100% budget breach — act immediately. |
Alert lifecycle
Each alert moves through the following states. Team members advance an alert from the Inbox.
| State | Description |
|---|---|
| New | Alert just fired. Appears in Inbox and triggers notifications. |
| Acknowledged | Someone is looking into it. Pauses the escalation clock. |
| Resolved | Root cause identified and addressed. Cleared from Inbox and escalation. |
| False positive | The spike was expected. Feeds back into baseline tuning. |
| Dismissed | Closed without action. |
Who alerts go to
Routing in the Inbox depends on whether the provider has an owner assigned:
- Owned alerts — appear under "For you" in the owner's Inbox.
- Unowned alerts — appear under "Needs attention" for every workspace member.
All alerts are also broadcast to notification channels regardless of ownership. See Notification channels below.
Escalation
When an owned alert stays open past its SLA, StackSpend escalates it automatically. The SLA is configurable per severity level — tighter for critical alerts, looser for low ones.
Default escalation SLAs
| Severity | Default SLA | Meaning |
|---|---|---|
| Critical | 1 day | Must be resolved within 1 business day or admins are notified. |
| High | 2 days | 2 business days before escalation. |
| Medium | 5 days | 5 business days before escalation. |
| Low | Off | Low-severity alerts never escalate by default. |
What happens when an alert escalates
- The alert appears in every admin's Inbox under a dedicated "Escalated" section, marked with a shield icon.
- The original owner still sees it in their "For you" section — they are not removed from the loop.
- Weekends do not count. Only business days (Monday–Friday) are counted toward the SLA.
- Once the alert is resolved, dismissed, or marked as a false positive, it is removed from the escalated list for all admins.
Configuring escalation SLAs
Admins can change the escalation thresholds for each severity level — or turn escalation off entirely for any severity — in Settings → Budgets & alerts → Task escalation.
Task escalation
When an owned task stays open past its SLA, it's flagged as escalated — shown to admins in the Inbox, on the Tasks page, and in the daily summary.
Days an owned task can stay open before it escalates, by severity. Set to 0 to turn escalation off for that severity.
1 day
2 days
5 days
Off
Set any severity to 0 to disable escalation for that level. Changes take effect immediately — any open alerts that have already exceeded the new SLA will escalate on the next check.
Notification channels
Both anomaly and budget alerts trigger notifications through your configured channels:
| Channel | Routing | Configure in |
|---|---|---|
| Broadcast to all configured report recipients. | Settings → Daily report | |
| Slack | Broadcast to the connected Slack channel. | Settings → Integrations → Slack |