🤖 AI Summary
Serverless environments pose significant challenges for anomaly detection due to stateless function execution, short-lived invocations, and limited observability, which lead to difficulties in distinguishing benign from malicious behavior, inconsistent monitoring granularity, and poor cross-function behavioral correlation. To address these issues, this paper proposes a next-generation lightweight anomaly detection framework tailored for serverless computing. The framework integrates context-awareness, multi-source heterogeneous data fusion, real-time stream processing, and edge-cloud collaboration. It introduces three key innovations: (1) event-driven cross-function behavioral modeling, (2) identification of cold-start amplification effects, and (3) construction of threat graphs targeting Denial-of-Service (DoS) and Denial-of-Wallet (DoW) attacks. The work formally articulates core design principles for serverless anomaly detection and provides both theoretical foundations and practical technical pathways toward adaptive, privacy-preserving, and high-accuracy cloud-native runtime security systems.
📝 Abstract
Serverless computing has redefined cloud application deployment by abstracting infrastructure and enabling on-demand, event-driven execution, thereby enhancing developer agility and scalability. However, maintaining consistent application performance in serverless environments remains a significant challenge. The dynamic and transient nature of serverless functions makes it difficult to distinguish between benign and anomalous behavior, which in turn undermines the effectiveness of traditional anomaly detection methods. These conventional approaches, designed for stateful and long-running services, struggle in serverless settings where executions are short-lived, functions are isolated, and observability is limited.
In this first comprehensive vision paper on anomaly detection for serverless systems, we systematically explore the unique challenges posed by this paradigm, including the absence of persistent state, inconsistent monitoring granularity, and the difficulty of correlating behaviors across distributed functions. We further examine a range of threats that manifest as anomalies, from classical Denial-of-Service (DoS) attacks to serverless-specific threats such as Denial-of-Wallet (DoW) and cold start amplification. Building on these observations, we articulate a research agenda for next-generation detection frameworks that are context-aware, fuse multi-source data, operate in real time, and remain lightweight, privacy-preserving, and edge-cloud adaptive.
Through the identification of key research directions and design principles, we aim to lay the foundation for the next generation of anomaly detection in cloud-native, serverless ecosystems.