Crosshire
Tech · Snowflake · FinOps · 9 min read · 2 June 2026

Crosshire Audit: your warehouse, with receipts.

One pass over a Snowflake account export surfaced $2,090 a year of idle compute, 61 findings, and zero users with MFA — none of it visible on the invoice the day before. Every figure traces back to the row that produced it.

Standard-warehouse idle breakdown
01The line items nobody reads

Your warehouse keeps an invoice. Nobody reads the line items.

The monthly Snowflake bill is one number with a date on it. Underneath it, in ACCOUNT_USAGE, sits the thing you actually needed: every warehouse-second you paid for, every query that did or didn't justify it, every role that ran the work, every login that did or didn't carry a second factor. It records exactly what you spent and on what. Almost nobody reads it, because it's tens of thousands of rows across a dozen views, and there's no total at the bottom that means anything.

We pointed Crosshire Audit at one such export. The first number it handed back:

85.1% of standard-warehouse compute was idle.

Not "could be optimised." Idle — warehouses powered on, billed, running no queries. On that account it came to about $174 a month, roughly $2,090 a year, with 14 standard warehouses flagged. That figure isn't a benchmark borrowed from someone else's cluster. It's the compute credits the account was billed, minus the credits real query work accounts for, leaving the idle remainder. Read from the export. Shown with its arithmetic.

Idle compute
85.1%
of standard-warehouse credits
Annual idle cost
$2,090
extrapolated from 4-day window
Warehouses flagged
14
standard warehouses with idle
Total findings
61
7 high · 7 med · 3 low · 44 info
02What Crosshire Audit is

A static, in-browser diagnostic. Nothing leaves the page.

Crosshire Audit is a self-service cost, security, performance, and governance diagnostic for Snowflake and Databricks. You point it at an account export; the audit engine writes the findings; a static dashboard renders them in your browser. There's no live connection to babysit, and once the report is built, no data leaves the page.

The design constraint is receipts — the same one behind Aura, our agent-spend tool. Every dollar Crosshire Audit shows you traces back to the warehouse, the query, and the usage row that produced it. A finding you can't source is a finding we don't print.

On the demo Snowflake account that's 61 findings, each carrying three things:

  • a severity (high / med / low / info),
  • a confidence (strong / plausible / speculative / upper-bound), and
  • a dollar figure, but only where one is defensible.
A number is not a receipt. A receipt shows you which warehouse, which query, which row.
03Why the invoice isn't enough

The bill tells you that you spent. Not where, and not why.

The invoice tells you a total. It never tells you the things you can act on:

Which warehouse burned the budget while doing nothing? The idle finding splits compute into the credits attributable to queries and the credits that aren't, per warehouse — so the 85% isn't a vibe, it's a column.

Could a layout change pay for itself? The clustering finding names the table, names the column that historically skips the most data, and nets the expected saving against the cost of maintaining the clustering — so you see net benefit, not a gross headline.

Is anything running that shouldn't be? A notebook container service was sitting powered-on with no auto-suspend — roughly $23 a month of compute doing nothing in particular, the kind of thing that never shows up as a line you'd notice.

04The cost findings

Sorted by what they actually recover.

A selection from the demo account, with confidence attached:

Finding Severity Confidence Impact
Idle warehouse credits high strong $174 / mo
Adaptive-warehouse candidacy med speculative $26–$65 / mo (range, overlaps idle)
Per-table clustering (net) high plausible $23 / mo net
Notebook container, no auto-suspend high plausible $23 / mo
Poor pruning (full-table scans) high upper-bound ~$16 / mo (overlaps clustering)

Two of these carry deliberate asterisks. Adaptive-warehouse candidacy flags standard warehouses whose compute mostly isn't tied to query work — candidates to switch to per-query (adaptive) billing. It's shown as a range, marked speculative, and is an alternative fix for the same idle credits, so it is never added on top of them. Whether to actually make that switch is its own question — we benchmarked it in Snowflake Adaptive: one less thing to plan; short version, adaptive wins for bursty workloads, while a right-sized standard warehouse is usually cheaper for near-constant ones. Poor pruning is an upper bound on scan waste that overlaps the clustering remedy — shown, not summed.

05The findings with no dollar sign

Some risks aren't a price. We don't pretend they are.

Two of the loudest findings on the demo account had nothing to do with money:

Zero of the active users had multi-factor authentication. Not most. Zero of two. An account with an active MFA bypass is counted as not protected, and the bypass itself is marked "not assessed" when that detail wasn't collected.

ACCOUNTADMIN — the break-glass, do-anything role — was running the daily workload. Around 3,300 real data-processing queries ran under it. That reads fine right up until the day it's an audit finding or an incident report.

Neither carries a dollar figure, and we don't invent one. Dressing a security gap as "$X of risk" would be the same sleight of hand the whole tool exists to avoid.

A security gap is a security gap. A made-up dollar on top of it is just a worse lie.
06The total is smaller on purpose

One number, provable from every direction.

When the engine totals what's genuinely recoverable on the demo account, it lands at about $178 a month — $2,134 a year. Barely above the idle figure alone, even though the report is full of dollar-flagged findings. That's deliberate: the total only sums findings drawn from non-overlapping pools, applies a residual-overlap haircut, and caps the result at what the account actually pays so it can never exceed your real spend.

We could have summed every dollar-flagged tile and printed a bigger, friendlier number. We printed the one we can defend line by line instead — and the full reasoning gets its own post, because it's the part we're proudest of.

07Who it is for

One diagnostic, three kinds of reader.

If you run Snowflake. Idle, pruning, clustering, oversized warehouses, queueing, and serverless slices — each one a recoverable dollar or an explicit not-assessed, with the access and governance posture in the same pass.

If you run Databricks. The same diagnostic in DBUs rather than dollars — for a reason that gets its own section in the methodology post. Untagged spend, serverless without a usage policy, over-broad grants: surfaced and quantified in the unit you're actually billed in.

If you're in FinOps or platform. A number you can take to the warehouse owner without flinching, because it reconciles to a query. A measured figure survives the meeting; a slider figure gets walked back in three months.

08The honest part

Edges acknowledged, not papered over.

What this analysis assumes — and doesn't
  • The dollars assume $3.00/credit list price, disclosed as an estimate. Your contract rate changes the absolute figures, not the shape.
  • The demo window is ~4 days of metered data extrapolated to monthly. Confidence on each finding reflects how much of the fleet had measurable coverage.
  • Adaptive (Snowflake-managed) warehouses are excluded from the idle measurement entirely — they don't break out per-query usage, so their idle can't be measured. Their compute (~$40/mo here) is reported on its own line and never flagged as recoverable.
  • Standard warehouses with no usage breakdown are marked "usage not measured", never assumed fully idle.
09Getting started

Open the diagnostic. Read your own numbers.

The demo account is a sandbox; yours won't be. But the contract is the same — measured, sourced, capped at reality. Open the diagnostic, point it at your export, and read what your ACCOUNT_USAGE has been recording.

Curious what your own warehouse numbers look like? Start a conversation →
· · ·

Numbers in this post are from a seeded Snowflake demo account, snapshot 20 May 2026, priced at $3.00/credit (disclosed estimate). Crosshire Audit runs static in your browser; the audit engine writes the findings, the UI renders them. — Crosshire

Further reading
  1. Aura: spend, with receipts — the same receipts thesis applied to Claude Code agent transcripts.
  2. Snowflake Adaptive: one less thing to plan — benchmarking standard vs adaptive warehouse billing for bursty vs steady workloads.
  3. Why the total is smaller on purpose (forthcoming) — the overlap-haircut and spend-cap methodology behind the $178/mo figure.
  4. Snowflake ACCOUNT_USAGE schema reference — the views the engine reads from.
  5. Crosshire consulting — data platform audit engagements with the same rigour as this diagnostic.
D
writes Crosshire Journal · crosshire.ch · June 2026