Reports & investigations
What a daily report contains
Daily reports run at 09:00 IST for every AWS account you have set as daily_enabled = true. Each report has:
- Top-line severity — info, low, medium, high, critical. Derived from the worst individual finding.
- Summary — one paragraph synthesised from the underlying findings + detector signals.
- Findings — discrete observations, each with severity + description + linked source data. Examples:
- "S3 storage line item jumped 47% week-on-week ($120 → $176)"
- "RDS instance prod-db-1 has a query consuming 38% of the wait time"
- "ALB prod-web had a 9-minute 5xx spike at 14:32 (peak 4.2% error rate)"
- Root-cause chains — multi-link chains connecting findings across tiers. E.g. cost finding → CloudTrail event → DB query → HTTP endpoint. The chain has a confidence score; chains below 0.6 are not surfaced.
- Underlying data — the actual numbers (cost by service, top SQL, ALB metric time-series) the AI synthesised from. Useful for verification.
Reports are stored forever in our S3 (analyzer-reports-*) and visible at Cloudbrief → Reports indefinitely.
On quiet days
If the detector layer finds nothing worth running the AI on, you get a single-line "All clear ✓" report and no LLM call is made. This is typical for ~60–80% of analyses across well-run AWS accounts — the AI bill stays in the low single dollars per month per account because of this.
Investigations (on-demand)
When you want to dig into a specific window or service, run an investigation:
Cloudbrief → Investigate → "New investigation".
Pick:
- The AWS account
- A date range (any window in the last 90 days)
- Optionally, specific services (RDS, ALB, EB)
The investigation runs through the same pipeline as the daily report but with a focused scope. Takes 30–120 seconds. Useful when:
- A customer complained about something yesterday and you want to know what happened
- The monthly bill spiked and you want to know why before paying
- You're writing a postmortem and need a synthesised narrative
Each investigation produces a normal Report row that lives in Reports forever.
Root-cause chains in detail
A root-cause chain is an ordered list of findings where each link is causally connected to the next. Example chain:
- Cost — DataTransfer-Out spend jumped 80% week-on-week ($30 → $54)
- CloudWatch — ALB outbound bytes on prod-web jumped 90% over the same window
- Access logs — A single endpoint /api/export/csv accounts for 71% of the new outbound bytes
- CloudTrail — An eb:UpdateEnvironment deploy at 2026-05-18 14:12 introduced a new code path
The chain comes with:
- Severity — the worst link's severity
- Confidence — synthesised by the model, range 0.0–1.0
- Affected resources — list of ARNs / names
Chains with confidence < 0.6 are stored in the underlying data but not promoted to the report top — the model isn't sure enough.
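The severity and promotion rules above, worked through in Python as an added example (not Cloudbrief's code or export schema). The Finding and Chain shapes, the assemble function, and the sample severities and confidence values are assumptions made for illustration; only the severity scale, the 0.6 threshold and the chain descriptions come from this page.

```python
from dataclasses import dataclass

SEVERITIES = ["info", "low", "medium", "high", "critical"]  # scale from the page
PROMOTE_THRESHOLD = 0.6  # page: chains with confidence < 0.6 are not promoted


def worst(severities):
    """Highest severity in the iterable, using the page's ordering."""
    return max(severities, key=SEVERITIES.index)


@dataclass
class Finding:  # hypothetical shape, not Cloudbrief's schema
    tier: str
    severity: str
    description: str


@dataclass
class Chain:  # hypothetical shape
    links: list
    confidence: float

    @property
    def severity(self):
        return worst(f.severity for f in self.links)  # worst link wins


def assemble(findings, chains):
    """Split chains at the threshold and derive the top-line severity."""
    return {
        # The page does not say what severity an empty report carries.
        "severity": worst(f.severity for f in findings) if findings else None,
        "promoted": [c for c in chains if c.confidence >= PROMOTE_THRESHOLD],
        "held_back": [c for c in chains if c.confidence < PROMOTE_THRESHOLD],
    }


# Constructed sample: the page's example chain; severities and confidences are invented.
cost = Finding("Cost", "medium", "DataTransfer-Out spend jumped 80% week-on-week")
cw = Finding("CloudWatch", "medium", "ALB outbound bytes on prod-web jumped 90%")
logs = Finding("Access logs", "high", "/api/export/csv is 71% of new outbound bytes")
trail = Finding("CloudTrail", "info", "eb:UpdateEnvironment deploy at 2026-05-18 14:12")

CHAINS = [Chain([cost, cw, logs, trail], 0.82), Chain([cost, cw], 0.6), Chain([cw, trail], 0.59)]
REPORT = assemble([cost, cw, logs, trail], CHAINS)

if __name__ == "__main__":
    for c in REPORT["promoted"]:
        print(c.severity, c.confidence, " -> ".join(f.tier for f in c.links))
```

A chain at exactly 0.6 is promoted, since the page only excludes confidence below 0.6; the 0.59 chain stays in the underlying data.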
Email recipients
Daily reports are emailed to the recipient list you set when connecting the AWS account (or anytime via Cloudbrief → AWS accounts → click an account → "Edit recipients"). One email per AWS account per day.
If no recipients are configured for an account, the analysis still runs (and the report is viewable in the UI) — we just don't send email. This is intentional: there is no platform-wide default-recipients fallback, because that would email one tenant's data to another.
Export
CSV export of a report's findings: Cloudbrief → Reports → click a report → Export → CSV.
Full-fidelity JSON export of the underlying data is not surfaced in the UI yet — email us if you need it for an integration.