How to build per-location per-cohort two-sigma anomaly detection

The 4-skill bundle on the per-location-anomaly-detection agent

One agent. Four coordinated skills. The Baseline + Detect + Verify + Audit bundle runs above the warehouse + anomaly- detection + SPC + statistical-test substrate and writes one canonical per-location per-cohort per-anomaly detection record.

Compliance overlay

Five anchors run per-location per-cohort per-anomaly before any detection alerts. The first anchor is operationally distinctive: per-cohort 2σ + EWMA + Shewhart + CUSUM + Western Electric + Nelson Rules + Mahalanobis + Bonferroni/BH FDR/Holm/Šidák multi-comparison correction + replication-crisis discipline converge on every anomaly classification.

FAQ

What is per-location per-cohort two-sigma anomaly detection — and what is the per-cohort-2-sigma-times-Shewhart-CUSUM-EWMA-times-Western-Electric-Nelson-rules-times-Mahalanobis-times-multi-comparison-correction-times-replication-crisis-discipline problem distinctive to this skill?

A multi-location retail operator with 50-300 stores ships per-location per-cohort per-KPI per-day anomaly detection across 10-50 KPIs (revenue + traffic + conversion + AOV + CAC + LTV + retention + churn + NPS + units-per-transaction + labor-hours + COGS + inventory-turn + price-realization). With 100 locations × 5 cohorts × 30 KPIs × 7 days = 105,000 per-cohort observations per week, naive 2σ thresholds generate ~5,000 false positives per week (5% false-positive rate × 105k tests). The four-skill bundle on the per-location-anomaly-detection agent — Baseline, Detect, Verify, Audit — sits above the warehouse + anomaly-detection + SPC + statistical-test substrate (Snowflake + BigQuery + Databricks + dbt + Airflow + PyOD + Anomalib + Alibi-Detect + Luminaire + Merlion + statsmodels + Prophet anomaly + Shewhart + CUSUM + EWMA + Hotelling T-squared + Datadog Anomaly + AWS Lookout for Metrics + Vertex AI Anomaly + Azure ML Anomaly) and writes a per-location per-cohort per-anomaly canonical detection record. The operationally distinctive anchor: per-location per-cohort 2-sigma (2σ) threshold + per-cohort z-score + per-cohort EWMA exponentially-weighted moving average + per-cohort robust statistics (median + median absolute deviation (MAD) + interquartile range (IQR) + Tukey fence + trimmed mean) + per-cohort statistical-process-control (Shewhart X-bar + R-chart + S-chart + X-MR + CUSUM + Tabular CUSUM + V-mask CUSUM + EWMA + GEWMA + Hotelling T-squared + Multivariate SPC + Western Electric Rules WE1 + WE2 + WE3 + WE4 + Nelson Rules N1-N8) + per-anomaly outlier-test (Grubbs + Dixon + Generalized ESD + Chauvenet + Peirce + Tietjen-Moore + Rosner) + per-cohort Mahalanobis distance + per-cohort change-point detection (Bayesian change-point + PELT + Binary Segmentation + Window-based + CUSUM change-point) + multi-comparison correction (Bonferroni + Benjamini-Hochberg FDR + Holm-Bonferroni + Šidák + Hochberg + Hommel + Storey q-value + locally-weighted FDR) + replication-crisis statistical discipline (Ioannidis 2005 + Amrhein Greenland McShane 2019 + per-anomaly Rosenbaum sensitivity (Γ) + Cornfield inequality + E-value (VanderWeele Ding 2017) + falsification test + negative-control outcome + per-cohort placebo test + reverse causality test + pre-registration + per-cohort permutation test).

Why do Datadog Anomaly + AWS Lookout for Metrics + Vertex AI Anomaly + Azure ML Anomaly + PyOD + Prophet anomaly break at multi-location-per-cohort-multi-KPI-multi-comparison scale?

Each anomaly-detection vendor ships per-account flat anomaly-classification primitive at single-KPI level. None coordinates per-location per-cohort per-KPI anomaly detection against per-cohort 2σ threshold + per-cohort z-score + per-cohort EWMA + per-cohort robust statistics + per-cohort SPC (Shewhart + CUSUM + EWMA + Western Electric + Nelson Rules) + per-cohort Mahalanobis + per-cohort change-point + multi-comparison correction (Bonferroni + Benjamini-Hochberg FDR + Holm-Bonferroni + Šidák) + replication-crisis discipline (Rosenbaum sensitivity + E-value + negative-control + per-cohort placebo). None handles per-cohort multivariate outlier detection at the cross-KPI level. None gates against FDD Item 19 financial performance representations when anomaly shared with franchisees + FINRA Rule 2210 when public-company anomaly + SOX 302/404/906 + FASB ASC 280 segment reporting. None writes a per-location per-cohort per-anomaly WORM detection audit trail. The four-skill bundle Baseline + Detect + Verify + Audit sits above the warehouse + anomaly-detection + SPC + statistical-test substrate — it does not replace it.

How does Baseline + Detect work?

Baseline runs per-location per-cohort per-KPI rolling-baseline computation: per-cohort N-day rolling mean + per-cohort N-day rolling standard deviation + per-cohort EWMA exponentially-weighted moving average (with smoothing parameter λ tuned per-cohort) + per-cohort EWMVar exponentially-weighted moving variance + per-cohort median + per-cohort median absolute deviation (MAD) + per-cohort interquartile range (IQR) + per-cohort Tukey fence + per-cohort trimmed mean. Per-cohort Shewhart X-bar + R-chart + S-chart + X-MR control-limit computation. Per-cohort CUSUM tabular reference value (k) + decision interval (h) + V-mask parameters. Per-cohort Hotelling T-squared multivariate control limit. Per-cohort Mahalanobis distance covariance-matrix estimate via Minimum Covariance Determinant (MCD) robust estimator. Detect runs per-location per-cohort per-KPI per-period anomaly detection: per-cohort 2σ threshold + per-cohort z-score + per-cohort EWMA threshold + per-cohort Shewhart control-rule application (Western Electric Rules WE1 single-point-outside-3σ + WE2 two-of-three-outside-2σ + WE3 four-of-five-outside-1σ + WE4 eight-in-a-row-same-side + Nelson Rules N1-N8). Per-cohort CUSUM upward + downward shift detection. Per-cohort EWMA upper + lower control limit. Per-cohort Mahalanobis distance threshold. Per-anomaly outlier-test (Grubbs + Dixon + Generalized ESD + Chauvenet + Peirce + Tietjen-Moore + Rosner). Per-cohort change-point detection (Bayesian change-point + PELT + Binary Segmentation + Window-based + CUSUM change-point).

What does Verify + Audit do?

Verify runs per-anomaly statistical-robustness verification: multi-comparison correction (Bonferroni + Benjamini-Hochberg FDR + Holm-Bonferroni + Šidák + Hochberg + Hommel + Storey q-value + locally-weighted FDR) + per-anomaly Rosenbaum sensitivity (Γ) + Cornfield inequality + E-value (VanderWeele Ding 2017) for unmeasured-confounding robustness + falsification test (negative-control outcome) + per-cohort placebo test + reverse causality test + per-cohort permutation test. Per-anomaly classification: P0 multi-rule fire + Bonferroni-survives + E-value > 2 + Rosenbaum-Γ > 2 (operations alert immediate) + P1 single Shewhart 3σ rule + BH FDR survives 72-hour + P2 CUSUM/EWMA drift 7-day + P3 single 2σ no multi-comparison correction 30-day + P4 docs-only. Per-anomaly per-cohort robust-classification record. Gate runs 5 anchors per-location per-cohort per-anomaly before any detection alerts. (1) Per-cohort 2σ + z-score + EWMA + Shewhart + CUSUM + Western Electric WE1-WE4 + Nelson N1-N8 + Mahalanobis + change-point + multi-comparison correction (Bonferroni + BH FDR + Holm + Šidák) + replication-crisis discipline (Ioannidis + Amrhein-Greenland-McShane + Rosenbaum Γ + Cornfield + E-value + falsification + negative-control + per-cohort placebo + reverse causality). (2) FTC Section 5 + Pfizer 1972 + CFPB UDAAP + Lanham + USPTO + Robinson-Patman + FDD Item 19 financial performance representations when anomaly shared with franchisees + 15-state franchise. (3) HIPAA + state mini-HIPAA + FINRA Rule 2210 + Rule 3110 + SEC Regulation FD + per-state professional licensing. (4) EU AI Act Article 50 transparency when AI-ML anomaly classification + Article 13/14/15 + Annex III when AI-ML anomaly detection drives operations alert + Article 6/27 FRIA + DSA + DMA + GDPR Article 6/7/22/28/30 + LGPD + DPDP + PIPEDA + Quebec Law 25 + CCPA + CPRA + 18-state. (5) WCAG 2.2 AA + ARIA + EAA + ADA Title III + Section 508 + SOX 302/404/906 + COSO + Exchange Act 13(b)(2) + FASB ASC 280 segment reporting + SEC Reg S-K. Audit writes a per-location per-cohort per-anomaly WORM detection record: per-cohort baseline snapshot + per-cohort SPC rule-fire + multi-comparison correction result + replication-crisis robustness check + per-anchor gate-pass + AI-ML provenance + EU AI Act FRIA. Retention: 7-year FTC + 7-year IRS + 7-year HIPAA + 7-year state bar + 6-year SEC + 3-year FINRA + 7-year SOX + GDPR Article 30 + EU AI Act Article 12 + SOC 2 CC7/CC8.

What does this skill connect to on the per-location-anomaly-detection agent and across the swarm?

On the per-location-anomaly-detection agent: per-location per-cohort per-KPI anomaly detection + per-cohort baseline + per-cohort SPC + per-cohort robust statistics. Across the swarm: per-location AI-calibrated forecasting (#600 same per-location-cohort substrate + same replication-crisis discipline) + root-cause attribution sketch (#604 DOWNSTREAM consumer of per-cohort anomaly) + peer-cohort computation (sibling) + per-location metric ingestion (UPSTREAM source of per-cohort metric) + integration-drift-monitor agent (#562 + #569 + #570) + per-state-overlay-composer (#599 UPSTREAM canonical for FDD Item 19 + FINRA per-state) + real-time change-event emission (#603 UPSTREAM canonical for per-anomaly alert event) + per-field conflict-resolution policy (#607 same per-source authority hierarchy substrate). Commercial-pillar parent: /pre-emptive-churn-and-cohort-relative-trends.

What does the 6-workstream pre-engagement-baseline reporting cycle look like for this skill?

Every two weeks during the Tier 3 Fractional CMO with AI Swarm engagement, six workstreams report against the pre-engagement baseline. Workstream 1: per-portfolio per-location per-cohort per-KPI anomaly-detection coverage — locations monitored + cohorts baselined + KPIs detected. Workstream 2: Baseline per-cohort rolling-baseline computation flow — per-cohort mean + std + EWMA + EWMVar + median + MAD + IQR + Tukey + Shewhart control-limit + CUSUM reference + Hotelling T-squared + Mahalanobis MCD covariance absorbed. Workstream 3: Detect per-location per-cohort per-KPI detection flow — 2σ + z-score + EWMA + Shewhart + WE1-WE4 + Nelson N1-N8 + CUSUM + Mahalanobis + Grubbs + Dixon + Generalized ESD + change-point detection. Workstream 4: Verify per-anomaly statistical-robustness flow — Bonferroni + BH FDR + Holm + Šidák multi-comparison correction + Rosenbaum sensitivity Γ + E-value + Cornfield + falsification + negative-control + per-cohort placebo + reverse causality + per-cohort permutation test. Workstream 5: Regulatory-defense audit coverage — per-cohort 2σ + SPC + Mahalanobis + multi-comparison + replication-crisis discipline + EU AI Act Article 50 + FDD Item 19 + FINRA 2210 + SOX + FASB ASC 280. Workstream 6: FBC feedback-loop pattern-learning — per-location per-cohort per-anomaly realized-vs-predicted classification + per-multi-comparison correction retrospective + per-replication-crisis robustness retrospective.

Related reading

• Parent commercial pillar: pre-emptive churn and cohort- relative trends
• Sibling build-pillar: per-location AI-calibrated forecasting (#600 same per-location-cohort substrate + same replication-crisis discipline)
• Sibling build-pillar: root-cause attribution sketch (#604 DOWNSTREAM consumer of per-cohort anomaly)
• Sibling build-pillar: real-time change-event emission (#603 UPSTREAM canonical for per-anomaly alert event)
• Fractional CMO with AI Swarm
• AI Readiness Assessment