Cybersecurity anomaly explainability is enhanced, with particular attention to collaborative filter-based anomaly detection. An enhanced system obtains user behavior vectors derived from a trained collaborative filter, computes a similarity measure of user behavior based on a distance between user behavior vectors and a similarity threshold, and automatically produces an explanation of a detected cybersecurity anomaly. The explanation describes a change in user behavior similarity, in human-friendly terms, such as “User X from Sales is now behaving like a network administrator.” Each user behavior vector includes latent features, and corresponds to access attempts or other behavior of a user with respect to a monitored computing system. Users may be sorted according to behavioral similarity. Explanations may associate a collaborative filter anomaly detection result with a change in behavior of an identified user or cluster of users, per specified explanation structures. Explanations may include organizational context information such as roles.