The Cloudflare Outage and the Dependencies We Never Mapped

Two days ago, November 18th, 2025, Cloudflare went down. And with it, a significant chunk of the internet stopped working.

 

X (formerly Twitter) became inaccessible. ChatGPT threw errors. Shopify stores went dark. McDonald’s self-service kiosks displayed the dreaded “Cloudflare Error” message.

Even DownDetector—the site people visit to check if things are down—couldn’t load because it also relies on Cloudflare. 

The irony wasn’t lost on anyone. 

 

The outage lasted several hours. Cloudflare’s own investigation revealed the culprit: a configuration file used for their Bot Management system unexpectedly doubled in size, causing their traffic routing software to crash. No cyberattack. No malicious activity. Just a cascading failure triggered by an automated process that grew beyond expected parameters. 

By mid-afternoon, services were restored. Cloudflare apologized. The internet moved on. 

 

But here’s what the outage really exposed: most organizations have no idea how deep their dependencies actually go. 

The Dependency You Didn't Know You Had

When companies map their critical vendors, they list the obvious ones. Your cloud provider. Your CRM. Your payment processor. The systems you actively chose, signed contracts for, and monitor. 

 

But what about the vendors your vendors rely on? 

Cloudflare provides infrastructure services to millions of websites—CDN, DDoS protection, DNS, bot management. Most users never see the Cloudflare logo. They just experience a faster, more secure internet. Until they don’t. 

 

When X went down yesterday, it wasn’t because X’s systems failed. It was because Cloudflare—an upstream dependency they rely on but don’t directly control—had an issue. The same happened to OpenAI, Truth Social, Indeed, NJ Transit’s digital services, and thousands of others. 

 

These are companies with sophisticated infrastructure teams, robust disaster recovery plans, and multi-million-dollar tech budgets. Yet they were all brought down by a single point of failure they couldn’t fix themselves. 

The Problem With Invisible Infrastructure

Infrastructure outages don’t just show us what broke—they show us what we never realized we depended on. 

 

Here’s the uncomfortable reality: most companies know their first-degree dependencies, but not their second or third-degree ones. 

 

You know you use AWS. But do you know which services AWS itself depends on? You know your SaaS tool is critical. But do you know what CDN they use, what monitoring tool tracks their uptime, what DNS provider routes their traffic? 

 

When one of those invisible, upstream dependencies fails, entire systems stall. And there’s nothing you can do but wait. 

This isn’t theoretical. In October, AWS suffered a daylong outage that took down numerous online services. In July 2024, a faulty CrowdStrike software update caused a global outage that grounded flights and disrupted hospitals. And now, Cloudflare. 

 

The pattern is clear: the internet is held up by a handful of critical infrastructure providers, and when one fails, the ripple effects are massive. 

What This Means for Risk Management

If you’re responsible for security, risk, or business continuity, the Cloudflare outage should prompt some uncomfortable questions: 

 

Do we actually know our dependencies? 
Not just the vendors you pay directly, but the entire chain. Who powers your cloud provider’s networking? What DNS service does your SaaS platform use? Where are the single points of failure hiding? 

 

How far do they reach? 
A dependency map shouldn’t stop at your immediate vendors. It should go at least two or three levels deep. Because that’s where the hidden risks live. 

 

Are we prepared for failures we can’t control? 
You can have perfect incident response plans, but if the failure is upstream and outside your control, what’s your Plan B? Do you have redundancy? Failovers? Alternative routing? 

 

Do we have visibility when things break? 
Many companies only discovered they depended on Cloudflare when the error page appeared. That’s too late. Do you have monitoring in place that alerts you to third-party failures before your customers notice? 

Building Resilience in an Interconnected World

The reality is, you can’t eliminate dependencies. Modern software is built on layers of infrastructure, APIs, and third-party services. That’s what makes the internet work.

 

But you can be smarter about it: 

 

Map your dependencies honestly. 
Don’t just document direct vendors. Trace the chain. Ask your vendors who they depend on. Include it in your risk assessments. 

 

Build in redundancy where it matters. 
For critical services, consider multi-vendor strategies. DNS failover. CDN redundancy. Alternative routing paths.

 

Test your assumptions. 
Run scenarios where a major infrastructure provider goes down. How long until it impacts you? What breaks first? What’s your response? 

 

Monitor upstream dependencies. 
Set up alerts for third-party status pages. Use tools that track the health of services your services depend on. 

 

Communicate proactively. 
When an upstream failure happens, your customers need to know it’s not you that’s down—and more importantly, what you’re doing about it. 
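
The mapping, redundancy and scenario-testing steps above can be run against a simple vendor inventory. This is an added example, not from the original article: the service and provider names, the inventory and the function names are all constructed. It walks the chain three levels deep and reports which single upstream provider takes down which of your own services.

```python
from collections import deque

# Constructed inventory (all names hypothetical). Each service lists requirement
# groups; a group is a set of alternatives and needs at least ONE member up.
DEPS = {
    "storefront":    [{"payments-saas"}, {"cdn-a"}],
    "support-desk":  [{"helpdesk-saas"}],
    "status-page":   [{"cdn-a", "cdn-b"}],   # multi-CDN: either one suffices
    "payments-saas": [{"cloud-x"}, {"dns-p"}],
    "helpdesk-saas": [{"cdn-a"}],
    "cloud-x": [{"dns-p"}], "cdn-a": [], "cdn-b": [], "dns-p": [],
}
OWNED = ["storefront", "support-desk", "status-page"]  # what we run ourselves

def degrees(service, deps, max_depth=3):
    """Breadth-first walk: {upstream: degree} for everything within max_depth."""
    seen, queue = {}, deque([(service, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth == max_depth:
            continue
        for group in deps.get(node, []):
            for upstream in sorted(group):
                if upstream not in seen and upstream != service:
                    seen[upstream] = depth + 1
                    queue.append((upstream, depth + 1))
    return seen

def is_up(service, deps, failed, stack=frozenset()):
    """Up means: not failed, and every requirement group has a member that is up."""
    if service in failed:
        return False
    if service in stack:          # dependency cycle: do not recurse forever
        return True
    return all(any(is_up(u, deps, failed, stack | {service}) for u in group)
               for group in deps.get(service, []))

def blast_radius(provider, deps, owned):
    """Owned services that stop working when this one provider fails."""
    return [s for s in owned if not is_up(s, deps, {provider})]

def single_points_of_failure(deps, owned):
    """Every upstream (any degree) whose failure alone takes down something we own."""
    upstream = {u for s in owned for u in degrees(s, deps)}
    hits = {p: blast_radius(p, deps, owned) for p in sorted(upstream)}
    return {p: down for p, down in hits.items() if down}

if __name__ == "__main__":
    print(single_points_of_failure(DEPS, OWNED))
```

In this constructed inventory, the second-degree provider `cdn-a` takes down two owned services, while `cdn-b` does not appear in the report because the status page has an alternative.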

The Bigger Picture

The Cloudflare outage was resolved relatively quickly. But it served as a reminder: we’re all more connected—and more vulnerable—than we think. 

 

For every company that confidently says “our systems are resilient,” there’s a hidden dependency they haven’t mapped. A vendor they didn’t know they relied on. A single point of failure waiting to be discovered. 

 

Infrastructure outages aren’t just technical incidents. They’re stress tests for your risk management strategy. They reveal gaps in your understanding of how your systems actually work. And they force you to ask the hard questions you’ve been avoiding. 

 

So here’s the question every tech leader should be asking today: If Cloudflare can take down half the internet, what hidden dependency could take down yours? 

 

At Human Risks, we help organizations map, assess, and manage the risks they can see—and the ones they can’t. Because resilience isn’t just about preparing for known threats. It’s about understanding your dependencies before they become your vulnerabilities. 
