Something in your data does not look right. Maybe a handful of transactions are suspiciously large, a few sensor readings are way outside the normal range, or certain user accounts behave nothing like the rest. You do not have labeled examples of "good" and "bad" — you just know that anomalies are in there somewhere. Isolation Forest finds them automatically. Upload a CSV, pick your feature columns, and get a scored, ranked list of anomalies in under 60 seconds.
What Is Isolation Forest?
Isolation Forest is an unsupervised machine learning algorithm designed specifically for anomaly detection. The core insight is elegant: anomalies are easier to isolate than normal points. If you randomly split data with a series of cuts, an unusual data point gets separated from the crowd in just a few cuts, while a normal point buried in a dense cluster takes many more cuts to isolate. The fewer cuts required, the more anomalous the point.
Think of it like a game of 20 questions. If someone is thinking of a common animal like a dog, it takes many questions to narrow down the answer. But if they are thinking of a platypus, a couple of targeted questions ("Does it lay eggs?" "Does it have a bill?") isolate it almost immediately. Isolation Forest works the same way — it builds random decision trees that split the data along random features at random thresholds. Points that end up in short branches (isolated quickly) get high anomaly scores. Points deep in the tree (hard to isolate) are normal.
The algorithm builds an ensemble of these random trees — an "isolation forest" — and averages the path lengths across all trees to produce a stable anomaly score for every row in your dataset. No distance calculations, no density estimation, no assumptions about what your data distribution looks like. This makes it fast, scalable, and effective across a wide range of data types.
Real-World Applications
Fraud detection. Credit card transactions, insurance claims, expense reports — fraudulent activity almost always looks different from legitimate behavior. Unusual amounts, strange timing, atypical merchant categories. Isolation Forest scores every transaction and surfaces the ones that stand out, giving your fraud team a ranked list to investigate instead of random spot checks.
Manufacturing quality control. Sensor readings from production lines generate thousands of data points per hour. Most readings fall within normal operating parameters, but defective products or equipment malfunctions create outlier patterns across temperature, pressure, vibration, or dimensional measurements. Isolation Forest catches these without needing a historical database of known defects.
Cybersecurity and intrusion detection. Network traffic logs contain millions of normal connections and a handful of suspicious ones — unusual ports, abnormal data volumes, strange access patterns. Isolation Forest flags the connections that deviate from normal behavior, even for novel attack types that signature-based systems would miss.
Financial trading. Unusual trading volumes, price movements, or order patterns can indicate market manipulation, insider trading, or system errors. Isolation Forest applied to trading data highlights the transactions or time windows that break from normal market behavior.
Data quality auditing. Before running any analysis, you need clean data. Isolation Forest can scan your dataset for rows that look fundamentally different from the rest — data entry errors, unit mismatches, duplicate records with corrupted fields, or test data mixed into production. It is a fast first pass to catch problems that summary statistics miss.
What Data Do You Need?
You need a CSV with at least one numeric feature column. In practice, you will get better results with multiple feature columns — the algorithm works by splitting across features, so more dimensions give it more ways to separate anomalies from normal points. Map your feature columns when you upload (the tool supports multiple features via feature_1 through feature_N).
The features should be numeric measurements that you expect anomalies to deviate on. For transaction data, that might be amount, frequency, and time since last transaction. For sensor data, temperature, pressure, and vibration readings. For user behavior, session duration, page views, and click patterns. You do not need to label anything as "anomaly" or "normal" — the algorithm figures that out on its own.
There is no strict minimum sample size, but the algorithm works best with at least a few hundred rows. With very small datasets (under 50 rows), there is not enough structure for the random trees to learn what "normal" looks like. The default sample size and tree count are tuned for typical datasets, but you can adjust them if needed.
Module Parameters
The module exposes four parameters you can adjust:
- n_trees — Number of isolation trees in the forest. More trees produce more stable anomaly scores at the cost of computation time. The default works well for most datasets.
- contamination — Expected proportion of anomalies in your data. This sets the threshold for classifying points as anomalous vs. normal. If you know roughly 2% of your transactions are fraudulent, set this to 0.02. If you have no idea, the default uses a statistical heuristic.
- sample_size — Number of rows sampled to build each tree. Smaller samples make anomalies stand out more sharply (they are easier to isolate in a smaller crowd). The default balances detection sensitivity with stability.
- enabled_analyses — Which report sections to include. Default is "all". You can disable specific analyses if you only need certain outputs.
How to Read the Report
The report contains ten sections, each designed to answer a specific question about the anomalies in your data.
Executive Summary
The TL;DR card gives you the headline finding: how many anomalies were detected, what percentage of the dataset they represent, and the key features driving the anomaly scores. Start here to get the big picture before diving into details.
Analysis Overview
Shows the dataset dimensions, feature count, and model configuration used. This is your audit trail — you can confirm exactly which columns were analyzed and what parameters were applied.
Data Preprocessing
Documents how the data was cleaned and prepared before modeling. This includes handling of missing values, feature scaling, and any transformations applied. Transparency matters — you should know what happened to your data before the algorithm touched it.
Anomaly Score Distribution
A histogram of anomaly scores across all data points. Normal points cluster at low scores; anomalies sit in the right tail. The shape of this distribution tells you a lot: a clean separation between normal and anomalous scores means the anomalies are distinct and the model is confident. A gradual tail with no clear gap means the boundary between normal and unusual is fuzzy, and you should interpret the threshold with more caution.
Feature Space: Anomalies vs Normal
A scatter plot showing anomalies (highlighted) against normal points in feature space. This is where the anomalies come alive visually — you can see whether they cluster in a specific region, scatter across the feature space, or sit at extreme values on particular dimensions. If the anomalies form a visible group, that suggests a systematic pattern (like a batch of bad sensor readings). If they scatter randomly, each anomaly may have a different cause.
Feature Importance
Not all features contribute equally to the anomaly scores. This section ranks which features the isolation trees relied on most to separate anomalies from normal data. If "transaction_amount" dominates feature importance, your anomalies are primarily driven by unusual amounts. If multiple features contribute roughly equally, the anomalies are multivariate — they look unusual across several dimensions simultaneously, which often indicates more sophisticated outlier patterns.
Normal vs Anomaly Comparison
Side-by-side statistics for normal and anomalous groups — means, medians, standard deviations, and distributions for each feature. This is where you understand what makes the anomalies different. Maybe anomalous transactions have 10x the average amount. Maybe anomalous sensor readings have normal temperature but extreme pressure. The comparison table makes the differences concrete and quantifiable.
Top Anomalies
A ranked table of the most anomalous data points with their scores and feature values. This is your action list — the specific rows you need to investigate. Each row includes the anomaly score and the raw feature values, so you can immediately see why a particular point was flagged. Sort by score to prioritize the most extreme cases first.
Model Configuration
The exact parameters used for the isolation forest model — number of trees, sample size, contamination rate, and random seed. This enables reproducibility: anyone can rerun the analysis with identical settings and get identical results.
Statistical Summary
Descriptive statistics for the full dataset and for the anomaly subset — counts, means, ranges, and quantiles. Provides the numerical context to interpret the anomaly detection results in terms of your actual data scale.
When to Use Something Else
Isolation Forest is a strong general-purpose choice for anomaly detection, but it is not the only option. The best method depends on your data structure and what kind of anomalies you expect.
If your data is univariate — a single column of numbers — a Z-score approach is simpler and more interpretable. Z-scores flag points that fall more than 2 or 3 standard deviations from the mean. It is easy to explain, requires no model fitting, and works well when the data is roughly normally distributed. For a single column, there is no need for the machinery of a random forest.
If you suspect your anomalies form their own cluster — a group of similar outliers rather than scattered individual points — DBSCAN may be more appropriate. DBSCAN finds dense clusters and labels everything outside those clusters as noise (anomalies). It is particularly effective when normal data forms clear, tight groups and anomalies sit in sparse regions between them.
For high-dimensional data with complex nonlinear relationships, one-class SVM learns a boundary around the normal data in a high-dimensional feature space. It can capture more complex shapes of "normal" behavior than Isolation Forest, but it is slower, harder to tune, and more sensitive to the choice of kernel and hyperparameters.
For very large, high-dimensional datasets (hundreds of features), autoencoders — a neural network approach — can learn a compressed representation of normal data and flag anything that reconstructs poorly. Autoencoders require more data and more tuning, but they scale to problems where tree-based methods struggle with dimensionality.
Isolation Forest hits the sweet spot for most practical anomaly detection tasks: it handles multivariate data, requires no labels, runs fast, and produces interpretable scores. Start here unless you have a specific reason to reach for something more specialized.
The R Code Behind the Analysis
Every report includes the exact R code used to produce the results — reproducible, auditable, and citable. This is not AI-generated code that changes every run. The same data produces the same analysis every time.
The analysis uses the isotree package for building the isolation forest model and computing anomaly scores. Feature importance is calculated from the average depth at which each feature contributes to isolating anomalous points. Visualization uses ggplot2 for scatter plots, score distributions, and group comparisons. Every step is visible in the code tab of your report, so you or a data scientist can verify exactly what was done, reproduce the results, or adapt the analysis for your own pipeline.