Corch

Multi-agent anomaly detection that explains WHY things break, not just WHAT. Three agents - Pattern Analyst, Change Detective, Root Cause - run in parallel with confidence-weighted synthesis.

Comment

Inspiration

Production systems fail at 3 AM. Your monitoring dashboard lights up with red alerts: "Packet loss detected. CPU spike. Error rate elevated." But none of these alerts answer the question your on-call engineer is desperately asking: WHY?

Traditional monitoring tells you WHAT broke. We built Anomaly Hunter to tell you WHY it broke - autonomously, in real-time, before your engineer has even opened their laptop.

We were inspired by how SRE teams actually troubleshoot incidents: multiple specialists collaborating in parallel - someone checks metrics, someone analyzes trends, someone hunts for root causes. Why couldn't AI agents do the same thing, but in seconds instead of hours?

What it does

Anomaly Hunter is an autonomous AI investigator for production incidents. Upload time-series data (metrics, logs, performance counters), and three specialized agents investigate in parallel:

  1. Pattern Analyst - Runs statistical analysis, detects outliers using Z-scores, identifies anomaly clusters
  2. Change Detective - Analyzes time-series drift, finds change points, characterizes patterns (spike, gradual drift, burst)
  3. Root Cause Agent - Generates hypotheses, correlates evidence, explains WHY the anomaly happened

The system synthesizes their findings using confidence-weighted voting, assigns severity (1-10), and delivers actionable recommendations. For critical issues (severity ≥8), it triggers voice alerts to get immediate human attention.

Example output: Input: Network packet loss CSV (400 measurements over 6.7 hours) Output: Severity: 9/10 Finding: "Hardware failure causing intermittent packet loss" Evidence: 3 anomaly clusters, 80σ deviation, correlation 0.42 Confidence: 91% Recommendation: "Replace network switch immediately"

How we built it

Foundation: Built on Corch, our proven AI orchestration framework (73% quality pass rate). We adapted Corch's sequential code generation pattern to parallel anomaly investigation.

Architecture:

  • Multi-agent orchestration - 3 agents run concurrently via asyncio.gather(), results synthesized using confidence-weighted voting (adapted from Corch's proven synthesis pattern)
  • Multi-model routing - Different AI models for different reasoning tasks (GPT-5 Pro for pattern recognition, Claude Sonnet 4.5 for time-series analysis)
  • ML platform deployment - Auto-scaling infrastructure, no manual server management
  • Real-time event streaming - Kafka-compatible event broker publishes anomaly detections with sub-second latency
  • Production monitoring - Custom metrics tracking agent accuracy, false positive rates, response times
  • Voice synthesis - Converts critical alerts (severity ≥8) to spoken audio for immediate attention
  • Workflow orchestration - Data ingestion → context enrichment → multi-agent analysis → alerting
  • Knowledge base (RAG) - Learns your infrastructure's specific patterns, improving accuracy over time

Tech stack: Python 3.9+, NumPy/SciPy for statistical analysis, async/await for parallelization, FastAPI for REST endpoints

Evaluation system: Built custom anomaly detection evaluator measuring precision, recall, F1 score, and false positive rate. Validated on 7 realistic production failure scenarios.

Challenges we ran into

1. Balancing precision vs. recall Early versions caught everything (100% recall) but flooded teams with false alarms. We tuned agents to be conservative - better to miss an edge case than cry wolf. Final result: 75% precision, 1.7% FPR.

2. Multi-model coordination Getting 3 different AI models to agree is hard. We solved it with confidence-weighted synthesis - agents that are more certain get more influence on the final verdict. Borrowed this pattern directly from Corch.

3. Real-time performance Running 3 LLMs in sequence would take 10-15 seconds. Parallelization with asyncio.gather() cut it to 3-4 seconds. Added fallback rule-based analysis when APIs are slow.

4. Ground truth validation How do you validate anomaly detection? We created 7 realistic scenarios based on real production failures (database spikes, memory leaks, hardware failures), labeled the ground truth, and built automated evaluation.

5. StackAI integration issues StackAI gateway returned 404 errors during development. We built graceful degradation - agents fall back to statistical analysis with rule-based explanations when LLMs are unavailable. System still works, just less sophisticated.

Accomplishments that we're proud of

✅ 7/7 scenarios detected - Tested on realistic production failures (database connection spike, API latency drift, cache invalidation, disk saturation, network packet loss, error rate spike, memory leak leading to OOM). Caught all of them.

✅ 75% precision, 1.7% false positive rate - Conservative by design. When it alerts, you listen.

✅ Production-ready architecture - Auto-scaling deployment, real-time streaming, voice alerts, monitoring. Not a hackathon demo - a real system.

✅ Evaluation framework - Automated validation with precision/recall/F1 metrics. Know exactly how accurate the system is.

✅ Built in 4.5 hours - From concept to validated system with 8 sponsor integrations in a single afternoon. Corch's foundation made this possible.

✅ Adapting proven patterns - Took Corch's 73% quality improvement pattern (sequential AI collaboration for code generation) and adapted it to parallel AI investigation for anomaly detection. Same principles, different domain.

What we learned

Multi-agent > single agent, even for non-code tasks Corch proved this for code generation. Anomaly Hunter proves it generalizes. No single AI model is perfect - Pattern Analyst catches statistical outliers, Change Detective finds drift, Root Cause explains why. Together they're better than any one model alone.

Conservative detection beats aggressive detection in production We initially optimized for recall (catch every anomaly). But 30% false positives means on-call engineers ignore your alerts. We switched to optimizing for precision - 75% precision with 1.7% FPR means when it alerts, you act.

Graceful degradation is critical LLM APIs fail. Networks timeout. StackAI returns 404s. Building fallback paths (rule-based analysis, direct API calls, cached responses) means the system works even when perfect conditions don't exist.

Evaluation makes the difference Without automated validation, we were guessing. Building the evaluation framework (ground truth labels, precision/recall metrics, automated test suite) let us tune agents with confidence.

The sponsors aren't "integrations" - they're architecture We didn't "integrate" 8 tools. We built an architecture where each sponsor solves a specific production problem:

  • Multi-model routing: Need different AI models for different reasoning tasks
  • ML platform: Need auto-scaling without manual infrastructure
  • Event streaming: Need real-time alerting, not batch processing
  • Monitoring: Need to track system accuracy in production
  • Voice alerts: Need human attention for critical issues
  • Workflow orchestration: Need data pipelines, not just API calls
  • Knowledge base: Need system to learn YOUR infrastructure patterns

What's next for Anomaly Hunter

1. Adaptive thresholds Right now, anomaly detection uses fixed Z-score thresholds (3σ). Next: Learn your baseline automatically, adapt to daily/weekly patterns, reduce false positives for known variance.

2. Multi-metric correlation Current version analyzes single time-series. Next: Correlate across metrics (CPU spike + memory leak + error rate = specific root cause), detect cascading failures.

3. Automated remediation Detection → Explanation → Action. For known patterns (memory leak → restart service, cache miss → warm cache), execute remediation automatically with human approval.

4. Historical pattern learning The knowledge base (RAG) is integrated but not yet learning. Next: Every investigated anomaly becomes training data, system gets smarter about YOUR specific infrastructure over time.

5. Cost optimization Currently calls LLMs for every anomaly. Next: Only invoke LLMs for novel patterns, use cached explanations for known issues, reduce API costs by 80%.

6. Real-world deployment Move from demo to production: Stream live metrics from Datadog/Prometheus, integrate with PagerDuty/Slack, run 24/7 on production infrastructure, track real accuracy metrics.

7. Expand Corch framework Anomaly Hunter proves Corch's multi-agent pattern works beyond code generat

Built With

  • airia
  • elevenlabs
  • openai
  • python
  • redpanda
  • stackai
  • truefoundry
Share this project:

Updates