What is SecFinOps? The Answer Nobody in Cloud Is Talking About
Your FinOps team looks at the bill. Your SecOps team looks at the alerts. Neither team is reading the same story. Here is why that gap exists and what it is costing you.

A $3K cost spike lands in the AWS bill. The FinOps team opens a ticket. The security team opens a separate ticket. Both teams investigate the same incident for three days without talking to each other.
This is not a hypothetical. It is the pattern we kept seeing across every AWS environment we worked in before building CostObserver. And it is the reason SecFinOps exists as a discipline.
What Is SecFinOps?
SecFinOps is the integration of Security and FinOps (Cloud Financial Operations). Not another layer of complexity on top of what you already have. Just finally seeing the complete picture from one view.
The clearest way to explain it is through a single resource.
Traditional FinOps looks at an EC2 instance and says: “This costs $500/month and runs at 15% CPU. Let us right-size it.”
Traditional SecOps looks at the same instance and says: “This has misconfigured security groups. Fix them.”
SecFinOps looks at both signals together and says: “This $500/month instance has open security groups, runs at 15% CPU, and could be replaced with a $150/month instance with proper security configurations. Fix the security issue and save $350/month simultaneously.”
Same resource. Complete context. One decision instead of two separate tickets that never get prioritised together.
What a Real Incident Looks Like
Here is a documented attack pattern that illustrates why this matters in practice.
An IAM access key is compromised, a pattern the Verizon 2025 Data Breach Investigations Report identifies as central to basic web application attacks, where stolen credentials were involved in 88% of incidents in that category. The attacker uses the key to launch EC2 GPU instances in an unused region for cryptomining.
In AWS Cost Explorer, this shows up as an unexpected EC2 compute spike with no corresponding deployment or feature launch. Just a line item that looks like infrastructure cost.
Meanwhile, AWS GuardDuty raises a credential-related finding flagging the unusual API activity from the compromised key.
The FinOps team sees the bill spike. The security team sees the GuardDuty finding. Neither team connects them because they are in different tools, different channels, and different weekly reviews.
Two separate post-mortems. Same root cause. The cost was the first signal. Nobody was wired to hear it.
Why Cloud Billing Already Has Security Costs Inside It
This is the part most teams do not realise until they look closely.
AWS WAF charges $0.60 per million requests processed, regardless of whether those requests are legitimate traffic or malicious probing. Every blocked attack still costs you money. It just shows up as “WAF request charges” in your bill, not as “security cost.”
AWS GuardDuty charges approximately $4.00 per million CloudTrail management events analysed. For an account processing 40 million CloudTrail events per month in us-east-1, that is roughly $160/month in GuardDuty costs alone, before VPC Flow Log and DNS analysis. That appears as a separate line item in Cost Explorer under Security, Identity, and Compliance.
Sources: AWS WAF pricing, AWS GuardDuty pricing
Neither of these costs is labeled “security spend” in a way that FinOps teams naturally track. They are infrastructure costs with security functions. The bill does not differentiate. Most teams do not either.
The Cost-Security Connection
Cost anomalies are security signals. That is the core thesis of SecFinOps.
A sudden spike in data transfer costs is worth investigating for data exfiltration. Unexpected compute charges in a region you do not operate in are worth investigating for cryptomining. A jump in your S3 costs is worth checking against whether an overly permissive IAM role allowed external access to your bucket.
Traditional billing tools show the cost. They do not show the cause. That gap is where incidents live undetected for weeks before anyone notices.
Where to Start
You do not need a new platform to begin. Three things that cost nothing:
Pull CloudTrail events alongside your next cost spike — before assuming it is a scaling issue, check the corresponding CloudTrail activity and GuardDuty findings for that time window. The answer is usually there.
Tag resources with security context — add security tier and compliance requirement tags alongside your existing team and project tags. This bridges cost data with security posture without any new tooling.
Get FinOps and SecOps in the same weekly review — not to assign blame. To compare what each team is seeing. The overlap will surface patterns neither team could see independently.
Note: AWS Cost Anomaly Detection can alert on unusual spend patterns via email or SNS. It is free to set up and requires no code changes.
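As an added example (not CostObserver's code), here is the first step scripted: a constructed daily EC2 cost series is scanned for a spike, then the spike day is lined up with CloudTrail events and a GuardDuty finding from the same UTC window, and the access key shared by both signals is what turns a "cost spike" ticket into a credential-compromise incident. All data, key ids and the operating regions are constructed; in practice they would come from Cost Explorer, CloudTrail and the GuardDuty API.

```python
from datetime import date, datetime, timedelta, timezone
from statistics import median

# Constructed daily EC2 spend (USD); this account normally runs near $100/day.
DAILY_EC2_COST = {
    date(2025, 3, 1): 98.0, date(2025, 3, 2): 101.0, date(2025, 3, 3): 99.0,
    date(2025, 3, 4): 102.0, date(2025, 3, 5): 100.0, date(2025, 3, 6): 3105.0,
}
OPERATING_REGIONS = {"us-east-1", "eu-west-1"}  # constructed: regions the team actually deploys to

# Constructed CloudTrail management events, trimmed to the fields the check reads.
CLOUDTRAIL_EVENTS = [
    {"eventTime": "2025-03-06T02:14:09Z", "eventName": "RunInstances", "awsRegion": "ap-south-1",
     "userIdentity": {"accessKeyId": "AKIA-EXAMPLE-KEY-1"}},
    {"eventTime": "2025-03-06T09:00:00Z", "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "userIdentity": {"accessKeyId": "AKIA-EXAMPLE-KEY-2"}},
]
# Constructed GuardDuty finding in the shape GuardDuty emits (the type is a real finding type).
GUARDDUTY_FINDINGS = [
    {"updatedAt": "2025-03-06T02:20:00Z", "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
     "resource": {"accessKeyDetails": {"accessKeyId": "AKIA-EXAMPLE-KEY-1"}}},
]

def in_window(ts: str, start: datetime, end: datetime) -> bool:
    """True if an ISO-8601 'Z' timestamp (CloudTrail/GuardDuty style) falls in [start, end)."""
    return start <= datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) < end

def find_spike_days(daily_cost, factor=3.0, min_history=3):
    """Flag days costing more than `factor` times the median of the days before them."""
    days = sorted(daily_cost)
    return [day for i, day in enumerate(days)
            if i >= min_history and daily_cost[day] > factor * median(daily_cost[d] for d in days[:i])]

def correlate(day, events, findings, operating_regions):
    """Line the spike day up with CloudTrail and GuardDuty activity from the same UTC day."""
    start = datetime.combine(day, datetime.min.time(), tzinfo=timezone.utc)
    end = start + timedelta(days=1)
    # Capacity-creating calls in regions the team never uses are the cryptomining tell.
    launches = [e for e in events if in_window(e["eventTime"], start, end)
                and e["eventName"] == "RunInstances" and e["awsRegion"] not in operating_regions]
    hits = [f for f in findings if in_window(f["updatedAt"], start, end)]
    # The access key common to both signals is what joins the two tickets into one incident.
    keys = {e["userIdentity"]["accessKeyId"] for e in launches} & {
        f["resource"]["accessKeyDetails"]["accessKeyId"] for f in hits}
    return {"day": day.isoformat(), "launches_outside_regions": launches,
            "guardduty_findings": hits, "shared_access_keys": sorted(keys),
            "verdict": "security incident: treat as key compromise" if keys
                       else "cost anomaly: confirm with the deploying team"}
```

Running `correlate` on each day returned by `find_spike_days` gives the joined view; a spike with no matching launches or findings falls back to the plain cost-anomaly verdict.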
Why We Built CostObserver
The pattern above kept repeating. Cost spike in one tool, security finding in another, two teams, zero shared context, two separate post-mortems for the same root cause. Across enough AWS environments, it stopped looking like a process problem and started looking like a tooling gap.
CostObserver is the first SecFinOps platform that connects cost, security, and resource behaviour in one view. When you see a spike in your bill, CostObserver shows you which resource caused it, whether it has security misconfigurations, and exactly what to fix first, ranked by financial impact.
The goal is not another dashboard. It is the story behind every dollar, with the fix attached.
Start your free CostObserver beta — read-only access, no credit card, connects in minutes.