Effective anomaly detection monitoring doesn't run on a single method. Threshold alerts catch what you anticipated when you configured them. Everything else needs historical comparison to surface: metrics that drift without hitting a hard limit, gradual behavioral shifts that look fine on any given day. The combination of both layers is what separates reactive alerting from actual anomaly visibility.
PRTG covers both. Fixed thresholds are active from day one. The Unusual Detection layer compares current sensor values against a sufficiently long historical baseline (typically several weeks), flagging deviations from established normal behavior that static limits wouldn't catch. When a sensor's behavior shifts, the device tree shows a visual indicator and the historical graph marks the point where the deviation started. Supported technologies: NetFlow, jFlow, sFlow, IPFIX, SNMP, WMI, Packet Sniffer, SSL/TLS, TCP/IP, WMI Security Center, Cloud Ping.
Unusual Detection doesn't replace threshold alerting. It covers what thresholds structurally can't. A fixed limit catches a value when it crosses the line you drew, but it won't catch a server that's been trending warmer for two weeks or a switch generating slightly more network traffic than last week. Those data points pass through unnoticed. PRTG compares each sensor's current values against its own established baseline, flags the deviation with an Unusual status in the device tree, and shows you in the historical graph exactly when the shift started.
Flow data doesn't just tell you traffic is elevated. When you open a Toplist view, you see the top sources, connections, and protocols driving that traffic for any time window you configure. That's root cause data, not another summary metric to act on. Filter in real time by port, address, or application and you're looking at what actually matters, not everything at once.

Live graphs, real-time performance data

Tickets keep your team aligned

Your entire network, visualized instantly
A CPU climbing from 55% to 78% over three weeks never trips a 90% threshold, but that doesn't mean nothing is happening. Slow resource exhaustion looks fine in every point-in-time check and tends to only become obvious in retrospect, which is the wrong time to notice it. Historical graphs and dashboards give you the longitudinal view across servers, network devices, and hybrid environments, while configurable warning and error thresholds per channel still handle hard limits for latency and downtime scenarios.
Start monitoring your infrastructure in minutes. No professional services, no complex configuration, no risk.
This isn't a cybersecurity replacement, and it's worth being explicit about that scope upfront. What it is: an observability layer for behavioral deviations that signature-based tools structurally miss. A device generating unusual outbound connections, a server talking to destinations it never reached before, or a TLS certificate that expired unnoticed don't always produce a security event. They show up as anomalies in behavioral data streams that continuous monitoring surfaces before your SIEM does.

Scheduled reports, always on time

Probe health at a glance

Full device list, instant overview
PRTG uses four mechanisms for anomaly detection monitoring. They operate independently and serve different purposes. Not all of them are available from day one, and that distinction matters when you're planning your setup.
FEATURE | Without a Monitoring Tool Without a Monitoring Tool | With PRTG With PRTG |
|---|---|---|
Establishing a performance baseline | Without a Monitoring Tool Manual log exports, spreadsheets, periodic review | With PRTG Continuous automatic data collection across all monitored sensors |
Detecting traffic anomalies | Without a Monitoring Tool Periodic interface checks, reactive investigation | With PRTG Flow sensors running continuously; Toplist drill-down on demand |
Flagging behavioral deviations | Without a Monitoring Tool No systematic method; relies on someone noticing | With PRTG Unusual Detection compares against historical baseline automatically |
SSL/TLS certificate health | Without a Monitoring Tool Calendar reminders, manual checks per host | With PRTG SSL Security Check sensor alerts before expiry or misconfiguration |
Spotting gradual resource decline | Without a Monitoring Tool Often missed until threshold breach or failure | With PRTG Historical graphs visualize trends across any time window |
Choose the PRTG Network Monitor subscription that's best for you.
| License Name | License description | Price | License Details | Get started | Pricing Details | |
|---|---|---|---|---|---|---|
| PRTG 500 | $200 | per month paid annually | Buy nowBuy now | Enough to monitor multiple aspects of 50 devices | ||
| PRTG 1000 | $358 | per month paid annually | Buy nowBuy now | Enough to monitor multiple aspects of 100 devices | ||
| PRTG 2500 | $742 | per month paid annually | Buy nowBuy now | Enough to monitor multiple aspects of 250 devices | ||
| PRTG 5000 | $1,300 | per month paid annually | Buy nowBuy now | Enough to monitor multiple aspects of 500 devices | ||
| PRTG 10000 | $1,642 | per month paid annually | Buy nowBuy now | Enough to monitor multiple aspects of 1000 devices |
In real-world infrastructure monitoring it means things like: a bandwidth spike that doesn't fit the usual data patterns, a CPU that's been climbing steadily for a week when it normally holds flat, or a device behaving differently than it did last week with no obvious configuration change. Not every anomaly is a crisis. Some are noise. The goal is surfacing the ones worth looking at.
Three types of anomalies show up in practice. Point anomalies are single data points that are well outside the norm. Contextual anomalies are values that look unusual given the situation (seasonality matters here) but aren't extreme in absolute terms. Collective anomalies are groups of readings that together signal a problem, even if individual values look fine. Good anomaly detection techniques distinguish between these categories, not just flag everything above a line.
PRTG's Unusual Detection doesn't use machine learning. Full stop.
What it uses is statistical comparison: PRTG builds a baseline from your environment’s own historical data and flags values that deviate significantly from that established normal range. No deep learning, no neural networks, no model training on labeled data.
Tools that rely on machine learning models or anomaly detection algorithms like clustering or nearest neighbors can work well in specific contexts. The tradeoffs are real though: they need labeled data to train on, time to become accurate, and still produce false positives even when tuned well. PRTG's approach is deterministic. You can see exactly what the baseline is and why a sensor is flagged. No AI-powered black box, no guesswork.
The useful distinction is between sudden anomalies and gradual ones, because they need different detection approaches.
Sudden anomalies are what threshold alerts catch: a bandwidth spike, a server jumping from normal load to maxed out, an interface going down. Gradual anomalies are different: a CPU drifting upward over days, unusual patterns in protocol usage, latency creeping up on a link. These only become visible when compared against historical data over time. Outlier detection for this second category is what Unusual Detection is built for.
Also worth flagging: seasonality matters. Traffic that looks high in isolation might be completely normal for that time of week or month. And things like expired SSL/TLS certificates or unexpected outbound network traffic destinations sit in their own category, not performance anomalies exactly, but behavioral deviations that continuous monitoring surfaces.
The 28–34 day wait isn't something to work around. A baseline built from insufficient data produces false positives at a rate that makes Unusual Detection more noise than signal. So PRTG won't display Unusual status results until that historical data exists. By design, not limitation.
Still, threshold-based alerting is useful from the moment your sensors are running. No data collection period required. The practical answer for the first month: thresholds handle hard limits, and Unusual Detection comes online once the baseline is complete. Both are part of the anomaly detection system. They just become available at different points in the setup.
Here's a concrete example. A server normally runs at 30% CPU. Over two weeks it drifts to 75%. A 90% threshold never fires. Unusual Detection flags it because 75% is significantly higher than what that specific sensor's historical baseline shows as normal, even though it's well below the hard limit.
Threshold alerting is absolute: when a value crosses the limit you configured, the alert triggers, regardless of whether that value is unusual for this specific sensor. Baseline comparison is relative: it measures current values against standard deviations from the established historical pattern for that sensor specifically.
The two anomaly detection methods have genuinely different blind spots. Hard limits catch things historical comparison misses. Historical comparison catches gradual drift that thresholds miss entirely. Running both is better than choosing one.
Yes, within a clearly defined scope. Network monitoring doesn't replace security tools. A SIEM or IDS handles different problems, and positioning a monitoring tool as a cybersecurity replacement creates gaps rather than closing them.
What it adds is an observability layer that signature-based tools can't fully cover. Unusual outbound connections, traffic destinations that don't match normal data patterns, unexpected protocol usage, a device that started communicating with new destinations last Tuesday. These produce anomalies in behavioral data streams before they produce a security event. That's where monitoring sits in the stack.
SSL/TLS certificate visibility is a practical example. An expired certificate isn't a security incident on its own. But it's exposure that continuous monitoring flags before it becomes one, without needing a SIEM event to trigger the check. For teams already running SIEM or IDS tools, network anomaly monitoring adds the data analysis layer that supports early awareness, not a replacement, just covering a different part of the picture.
Network Monitoring Software – Version 26.1.116.1532 (February 9th, 2026)
Download for Windows and cloud-based version PRTG Hosted Monitor available
English, German, Spanish, French, Portuguese, Dutch, Russian, Japanese, and Simplified Chinese
Network devices, bandwidth, servers, applications, virtual environments, remote systems, IoT, and more
Choose the PRTG Network Monitor subscription that's best for you