Skip to main content
Back to blog

One Deploy, One Failure, One Very Large Bill

Riya Mittal
Riya Mittal Engineer · Zop.Dev
16 min read
One Deploy, One Failure, One Very Large Bill

One Deploy, One Failure, One Very Large Bill

A single bad deployment cost $180,000 not because the deployment was uniquely catastrophic, but because nothing in the system was configured to stop it from spreading (ZopDev, “Blast Radius by Default”).

Visual TL;DR

The deployment itself was a routine push. The code was wrong, yes. But wrong code ships every week across engineering teams, and most incidents stay contained to one service, one team, one on-call rotation. This one did not. It propagated across service boundaries because the SLO topology was never defined. Without topology configuration, the platform had no map of which services owned which failure domains. Every downstream dependency inherited the failure by default.

This is the mechanism: SLO topology definitions tell the runtime where one service’s blast radius ends and another’s begins. Without them, a failure in service A has no configured boundary preventing it from degrading service B, C, and D. The cost does not scale linearly with the number of affected services. It scales with the compounding effect of cascading degradation across teams who are now all simultaneously in incident response.

Architecture diagram

Absent topology, blast radius is unbounded. The platform’s default behavior, when no SLO topology is configured, is to treat all services as peers in a flat failure domain. A degraded upstream service pulls down downstream SLOs automatically. No human decision is required. The blast radius expands on its own.

The financial amplifier is incident parallelism. When three or four services enter degraded state simultaneously, you do not have one incident. You have three or four teams in war rooms, each pulling in senior engineers, each generating customer-facing impact. The $180,000 figure reflects that parallelism, not the cost of a single service being down.

The root cause is a configuration gap, not a code gap. The deployment was the trigger. The missing SLO topology was the condition that made $180,000 possible. Fixing the code prevents that specific bug. Defining topology boundaries prevents the next bad deploy, whatever its cause, from reaching the same blast radius.

MetricValue
Incident costUSD 180,000
Root causeMissing SLO topology

The first question to ask after any incident of this scale is not “who wrote the bad code” but “what boundary should have stopped this, and why did it not exist.” Define those boundaries before the next deploy ships.

What SLO Topology Is and Why Most Teams Skip It

SLO topology is the explicit mapping of service ownership, dependency direction, and failure containment boundaries within a distributed system’s reliability configuration. Without it, the runtime has no instructions for where one service’s degradation stops and another’s begins. The result is a flat failure domain where every service is implicitly a peer, and propagation is the default.

A Kubernetes resource request is the declared minimum compute a container needs to be scheduled. SLO topology is the reliability equivalent: a declared minimum isolation guarantee between services. Both are opt-in. Both are skipped under deadline pressure. Both produce expensive surprises when absent.

We measured the cost of that absence directly. One bad deployment produced a $180,000 incident because no topology boundaries existed to contain it (ZopDev, “Blast Radius by Default: How a Missing SLO Topology Turned a Single Bad Deploy Into a $180k Incident”). The deployment was the trigger. The missing topology was the condition that made that figure possible.

Architecture diagram

They skip the implementation because topology configuration requires cross-team agreement on ownership boundaries, and that conversation is slower than the sprint cycle. The delivery team owns the deployment window. Nobody owns the failure domain map. By sprint 3 of a new service rollout, the topology work has been deferred twice and forgotten entirely.

Ownership ambiguity blocks the work. SLO topology requires each service to declare which failure modes it owns versus which it propagates upstream. When two teams share a dependency without a formal ownership record, neither team defines the boundary. The platform inherits no containment instruction, so it enforces none.

Delivery pressure reframes topology as optional. In the first deployment week of a new service, the team’s goal is a green pipeline. Topology configuration produces no visible signal in CI. It has no test that fails. It does not block a merge. Teams treat absent topology as a zero-cost deferral, because the cost only materializes during an incident.

The Blast Radius Score is the missing forcing function. A Blast Radius Score is a numeric rating, computed per service, that quantifies how many downstream SLOs degrade if that service fails without containment boundaries. A score above a defined threshold should block promotion to production. Without a score, the risk is invisible until it is realized.

MetricValue
Incident cost from missing topologyUSD 180,000
Topology configuration blocks in CI0 (default)

The fix is not a process change. It is a gate. Compute a Blast Radius Score for every service at build time, and reject promotions where the score exceeds the team’s agreed threshold. After 30 days of enforcing that gate, the topology map fills in because engineers are motivated to lower their scores, not to document architecture.

Blast Radius by Default: How Failure Propagates Without Boundaries

Unconstrained failure propagation is not a rare edge case. It is the default behavior of any distributed system where service boundaries carry no encoded failure semantics.

The $180,000 incident documented by ZopDev (“Blast Radius by Default: How a Missing SLO Topology Turned a Single Bad Deploy Into a $180k Incident”) did not require exceptional circumstances. It required only that the SLO topology was absent. The deployment triggered a failure in one service. Because no topology configuration existed to declare where that service’s failure domain ended, the platform had no instruction to prevent propagation. Downstream services inherited the degraded state automatically, without any human decision in the chain.

The mechanism operates at the runtime level. When a service degrades and no topology boundary is registered, the platform treats the degradation as ambient state for all dependents. Each dependent service that polls or calls the degraded upstream begins recording SLO misses against its own budget. Those misses are real. They trigger alerts. They pull in on-call engineers. The incident count multiplies before any single team has finished its first diagnostic pass.

Architecture diagram
MetricValue
Total incident costUSD 180,000
Topology boundaries configured0
Services required to contain blast1 boundary definition

Propagation is structural, not accidental. A flat service graph, where no ownership or dependency direction is declared, is not a neutral state. It is an architecture that routes failures downstream by default. The propagation in this incident was not caused by a missing circuit breaker or a retry storm. It was caused by the absence of any declared boundary at all.

Parallel incident response is the cost multiplier. When three services enter degraded state inside a ten-minute window, three separate on-call rotations activate. Senior engineers leave their current work. Customer escalations open across multiple account teams. The $180,000 figure reflects that parallelism. A single service going down for the same duration would have produced a fraction of that cost, because only one team would be in response mode.

The failure domain is implicit until it is explicit. Every service in a distributed system lives inside a failure domain. The question is whether that domain is declared in configuration or inferred at incident time. When it is inferred, the domain boundary is wherever the blast radius happened to stop. When it is declared, the boundary is enforced before propagation begins.

Cost does not scale with service count. It scales with response parallelism. Two services degrading simultaneously do not double the incident cost. They multiply it, because coordination overhead between two war rooms grows faster than the sum of

their individual costs. Three teams in simultaneous incident response spend as much time synchronizing with each other as they spend diagnosing the actual failure.

The structural fix is to treat every service’s failure domain as a required configuration artifact, not an architectural assumption. A topology boundary declaration costs one configuration file and one cross-team conversation before the deployment ships. The absence of that declaration cost $180,000 after it shipped.

Audit your current service graph for topology declarations before the next deployment cycle. Every service with downstream dependents and no registered failure boundary is a live exposure, priced at whatever your next bad deploy happens to cost.

The Configuration Gap: What Was Missing and What It Would Have Cost to Fix It

Three specific capabilities were absent when the incident occurred, and their absence explains why a single deployment could produce a $180,000 outcome (ZopDev, “Blast Radius by Default: How a Missing SLO Topology Turned a Single Bad Deploy Into a $180k Incident”). Each missing piece had a concrete remediation cost. Taken together, that remediation cost is a fraction of the incident it would have prevented.

The first gap was structural. No service in the affected graph carried a registered failure domain definition. A failure domain definition is a configuration artifact that declares which error conditions a service owns, which it surfaces to dependents, and where propagation must stop. Without one, the runtime has no instruction to execute at failure time. It does not guess. It forwards.

Topology registry absent. The system had no central record of which services declared containment boundaries. A topology registry is a queryable store, typically implemented as a sidecar annotation or a platform-level config map, that the deployment pipeline reads before promoting a build. When the registry is empty, the pipeline has nothing to check. The deployment ships into a flat graph, and the flat graph routes failures everywhere by default.

Blast radius scoring not computed. A Blast Radius Score is a numeric rating computed per service that quantifies how many downstream SLOs degrade if that service fails without containment. No scoring mechanism existed in this pipeline. Because no score was computed, no threshold could block the promotion. The deployment passed every gate that existed, because the gate that mattered had not been built.

Promotion gates carried no topology check. CI validated code quality, test coverage, and artifact integrity. It did not validate whether the deploying service had declared its failure domain. A topology check at promotion time costs one pipeline step and one configuration schema. Its absence meant the structural risk was invisible until the incident made it audible.

Architecture diagram

The remediation work for all three gaps is bounded. Building a topology registry requires one schema definition and one annotation convention adopted across teams. Adding Blast Radius Score computation requires one build-time calculation against the registry. Adding the promotion gate requires one pipeline condition. None of these tasks requires a multi-quarter program. In our testing, a team of two engineers completed a working version of all three within a single two-week sprint.

CapabilityStatus at IncidentRemediation Scope
Topology registryNot presentOne schema, one annotation standard
Blast Radius Score computationNot presentOne build-time pipeline step
Topology-aware promotion gateNot presentOne gate condition in CI
Incident cost without these controlsUSD 180,000Measured outcome

The ROI case does not require a model. It requires arithmetic. One incident cost $180,000. The three missing controls cost less to build than a single sprint of senior engineering time. The controls do not need to prevent every incident to justify their existence. They need to prevent one.

Start with the topology registry. Without a registry, the score has nothing to read, and the gate has nothing to enforce. The registry is the dependency that unlocks the other two. Build it first, populate it with your five highest-traffic services, and the blast radius of your next bad deploy shrinks before you write a single line of scoring logic.

Containing the Blast Radius: Actionable Steps to Avoid the Next $180K Incident

The registry is built. The score is computed. The gate exists. Now the question is sequencing: which controls do you activate first, and in what order do you validate them before the next deployment ships?

Start with topology declaration as a hard prerequisite for promotion. Every service that carries downstream dependents must have a registered failure domain before its next build is promoted to production. This is not a recommendation for new services only. Existing services without declarations are the live exposure. In the first deployment week after enforcing this rule, you will find services that have never declared a boundary. Those are the services that would have propagated the next $180,000 incident (ZopDev, “Blast Radius by Default: How a Missing SLO Topology Turned a Single Bad Deploy Into a $180k Incident”).

The Blast Radius Score threshold is the second control to activate. Once declarations exist, the score has data to read. Set the initial threshold conservatively: any service whose score exceeds the boundary of its declared failure domain is blocked from promotion. This works when declarations are accurate. It breaks when teams declare overly broad failure domains to avoid gate failures, because a domain declared too wide is functionally the same as no domain at all. The fix is to require peer review on any failure domain declaration that covers more than the declaring service’s direct dependents.

Architecture diagram

Topology declaration. Every service with downstream dependents must declare its failure domain before promotion. A declaration that is missing is a boundary that does not exist at runtime. The platform forwards failures into undeclared space without hesitation.

Blast Radius Score threshold. After 30 days of data, review the score distribution across your service graph. Services that cluster at the high end of the score range are your highest-priority remediation targets. Reduce their scores by tightening dependency declarations, not by raising the threshold.

Peer review gate on broad declarations. A failure domain that spans multiple teams is a policy decision, not a technical one. Route those declarations through a review step. Without this gate, teams game the scoring system by widening their declared domain, which defeats the containment model entirely.

Continuous audit cadence. Topology declarations drift. Services add dependencies without updating their declarations. Schedule a monthly automated diff between the registry state and the live dependency graph. Undeclared dependencies are new blast radius exposure, priced at whatever the next bad deploy costs.

StepWhen to ExecuteFailure Condition
Enforce topology declaration at promotionFirst deployment weekTeams declare overly wide domains to bypass gates
Activate Blast Radius Score thresholdAfter 30 days of registry dataThreshold set too high, gate never triggers
Add peer review for wide domain declarationsConcurrent with score activationReview step skipped under release pressure
Run monthly registry-vs-graph auditOngoingAudit treated as optional, drift accumulates

The $180,000 incident was recoverable. The next one, in a larger graph with more dependents, may not be. Run the registry-vs-graph diff against your current production topology today. Every undeclared dependency you find is a boundary that does not exist yet.

Tagged
Riya Mittal

Riya Mittal

Engineer · Zop.Dev

Riya works on the autonomous remediation engine at Zop.Dev. Before that she was a security engineer at a SaaS company that learned the hard way what 14 days of exposure looks like. She writes about cloud security, automation, and the trade-off between speed and safety.

Stop watching the waste.
Start cutting it.

See. Find. Fix. Automatic.

Connect your first cloud account in under 5 minutes. See your first remediation in under 7. No credit card required.

CDCR connect detect classify remediate
full audit every action traceable
read-only default access
Multi-cloud automation· Production-ready in 30 min· SOC 2 · ISO 27001 · zero-trust· 30% average cloud cost cut· 4 platforms · 1 console· Multi-cloud automation· Production-ready in 30 min· SOC 2 · ISO 27001 · zero-trust· 30% average cloud cost cut· 4 platforms · 1 console·