On Tuesday, November 18, Cloudfare experienced an outage that led to several websites being slow to load or completely unavailable. The outage affected programs such at ChatGPT, X, and local government websites.

Security leaders share some of their thoughts on the outage.

Martin Greenfield, CEO at Quod Orbis: 

“Yesterday’s outage exposed the deeper systemic risk that too much of the internet now depends on a tiny number of providers. When a single auto-generated configuration file can take major parts of the web offline, that’s not purely a Cloudflare issue but a fragility problem that has become baked into how organizations build their security stacks. Automation makes security scalable, but when automated configuration propagates instantly across a global network, it also scales failure. What’s missing in most organizations, and was clearly missing here, is automated assurance that validates those configurations before they go live.

When Cloudflare went down, thousands of businesses lost access to internet tools and their own operations were brought to halt, damaging reputation and carrying a potentially huge financial impact. Many would have quickly discovered they had no fallback plan, highlighting that resilience should never depend on a single configuration file in a vendor’s pipeline.

There are however several practical and overdue fixes. Split your estate. Spread WAF and DDoS protection across multiple zones. Use multi-vendor DNS. Segment applications so a single provider outage doesn’t cascade. And continuously monitor controls to detect single-vendor dependency. While the outage should be seen as a wake-up call, Cloudflare and its CISO should be commended for the speed and transparency that they have demonstrated. Automation without assurance is fragility at scale and relying on one vendor can’t stand up for an effective resilience strategy.”

Mark Townsend, Co-Founder & CTO at AcceleTrex:

"Cloudflare says a routine configuration change tripped a latent bug in software underpinning its bot‑mitigation/challenge layer, cascading into widespread 500 errors across its edge; Cloudflare and multiple outlets emphasize no evidence of an attack. Because Cloudflare front‑ends DNS, CDN, WAF, and access flows for a large share of the web, a failure in that inline path created hard user‑visible errors even when origins were healthy; hence the outsized blast radius.

Treat CDN/DNS as tier‑0 dependencies and model them like power or identity: measure vendor concentration risk, map all services gated by that provider (login, APIs, payments), and quantify business impact for 15, 60, and 240‑minute outages. Incorporate guidance from NIST SP 800‑160 (cyber‑resilience engineering) and CISA resilience services to stress‑test failure modes, including misconfigurations and control‑plane faults; not just DDoS."