July 19, 2024. A routine security update goes out from CrowdStrike, a company most consumers have never heard of.
Within hours, 8.5 million Windows systems crash worldwide. Airlines ground flights. Hospitals postpone surgeries. Banks close branches. Retailers can’t process payments. News broadcasts go dark.
The financial damage: at least $10 billion globally. Delta Air Lines alone lost $500 million - $380 million in revenue plus $170 million in operational costs.
None of these organizations wrote the code that crashed their systems. They were all victims of a third-party dependency they may not have even known they had.
Welcome to the reality of modern infrastructure, where your uptime is only as strong as your weakest vendor.
The Hidden Dependency Web
Modern websites and applications don’t exist in isolation. They’re built on layers of third-party services, each with their own dependencies, creating a complex web of potential failure points.
Consider what a typical e-commerce site depends on:
- DNS providers - To be found on the internet
- CDN services - For fast content delivery
- Cloud hosting - For compute and storage
- Payment processors - To accept money
- Email services - For transactional emails
- Analytics platforms - For tracking and insights
- Authentication services - For user login
- Search providers - For site search
- Chat widgets - For customer support
- Advertising networks - For marketing
- SSL certificate authorities - For security
And that’s just the obvious ones. Each of these services has their own dependencies, creating chains of risk you may never see until they break.
The Research Is Clear
Academic research on third-party service dependencies found that 89% of the Alexa top-100K websites critically depend on third-party DNS, CDN, or certificate authority providers. If these providers go down, those websites suffer service disruption - even if their own infrastructure is running perfectly.
The concentration makes it worse. The study found that the top 3 providers in each category can affect 50%-70% of the top 100K websites. A single outage at a major provider cascades across thousands of businesses simultaneously.
Indirect dependencies amplify this further - by up to 25X for popular CDN and DNS providers.
When Giants Fall, Everyone Stumbles
The past few years have provided painful case studies in cascading third-party failures:
CrowdStrike: The $10 Billion Update
The July 2024 CrowdStrike incident wasn’t a hack or a sophisticated attack. It was a faulty update to security software that most affected organizations didn’t directly choose - it came bundled with their IT infrastructure.
The update caused Windows systems to crash into the “blue screen of death.” Affected organizations included:
- Airlines: Delta, United, American, Southwest grounded thousands of flights
- Healthcare: Hospitals postponed non-emergency surgeries
- Banking: Branches closed, ATMs went offline
- Retail: Point-of-sale systems crashed nationwide
- Media: News broadcasts interrupted
The root cause? A content configuration update that passed validation but contained problematic data. One vendor’s mistake propagated through millions of systems within hours.
AWS October 2025: The 15-Hour Cascade
On October 20, 2025, AWS experienced a DNS resolution failure in their us-east-1 region. But it didn’t stop at DNS.
The failure cascaded through:
- DynamoDB
- EC2
- Lambda
- IAM
- Routing gateways
- Analytics services
- Machine learning platforms
- Search services
For 15 hours, major platforms including Snapchat, Roblox, Fortnite, and airline reservation systems were disrupted. Businesses collectively lost an estimated $75 million every hour.
The trigger wasn’t a complex attack - it was a configuration change in their internal infrastructure that had unintended consequences.
Cloudflare November 2025: One-Fifth of the Web
When Cloudflare went down on November 18, 2025, it didn’t just affect Cloudflare customers. It affected everyone who depended on Cloudflare customers.
One in five webpages was affected at the peak. One-third of the world’s 10,000 most popular websites became inaccessible. X, ChatGPT, Spotify, Canva, Zoom, Coinbase - all disrupted simultaneously.
The cause wasn’t an attack. It was a database permissions change that caused duplicate rows in a configuration file. An internal administrative error briefly broke a significant portion of the internet.
The Fastly Hour
In June 2021, a single customer’s configuration change at Fastly triggered a bug that took down their entire global network. For about an hour, sites including The New York Times, Financial Times, Shopify, Spotify, Reddit, Twitch, Pinterest, and government sites like WhiteHouse.gov were unreachable.
One customer’s misconfiguration. Thousands of affected businesses. Millions of frustrated users.
The Numbers Behind the Risk
The scale of third-party dependency risk is staggering:
Outage Statistics
According to Uptime Institute research, two-thirds of all outages involve third-party providers - cloud services, internet providers, telcos, and colocation facilities.
Global network outages increased 33% from January to May 2025, rising from 1,382 to 1,843 monthly incidents. March 2025 saw 2,110 total incidents.
Vendor Proliferation
According to Whistic’s 2024 Third-Party Risk Management Report, half of all companies now work with more than 100 vendors - up from 38% in 2023.
And for each direct vendor relationship, organizations typically have indirect relationships with nearly 14 times more fourth and fifth parties. Your vendor’s vendors become your risk.
Security Breaches
Verizon’s Data Breach Investigations Report found that 30% of breaches now involve third-party vendors - double the previous year.
The average cost of a third-party breach: $5.08 million according to IBM’s 2024 Cost of a Data Breach report.
The Visibility Gap
Despite these risks:
- 60% of companies don’t have a complete list of third parties they share sensitive information with
- Only 39% of organizations rate their third-party risk mitigation as highly effective
- Nearly 50% of companies don’t rank their vendors by risk level at all
- Organizations assess or monitor only 33% of their vendors
Why Your Monitoring Might Miss It
Here’s the insidious part about third-party failures: traditional monitoring often can’t detect them.
If your payment processor goes down, your server keeps running. Your health checks pass. Your CPU utilization looks normal. But customers can’t complete purchases.
If your CDN has regional issues, users in some locations see errors while your origin server reports everything healthy.
If your DNS provider has problems, your internal systems (which may cache DNS or use different resolvers) continue working while external customers can’t find you.
Third-party failures create silent outages - your infrastructure thinks everything is fine while your customers experience something very different.
Mapping Your Dependency Chain
The first step to managing third-party risk is understanding what you actually depend on.
Direct Dependencies (Obvious)
Start with the services you have direct relationships with:
| Category | Examples | Failure Impact |
|---|---|---|
| Hosting/Cloud | AWS, Azure, GCP, Vercel | Complete outage |
| DNS | Cloudflare, Route53, DNSimple | Can’t be found |
| CDN | Fastly, Cloudflare, Akamai | Slow/inaccessible |
| Payments | Stripe, PayPal, Square | Can’t accept money |
| SendGrid, Postmark, SES | No transactional email | |
| Auth | Auth0, Okta, Firebase | Users can’t log in |
Indirect Dependencies (Hidden)
These are harder to identify but equally dangerous:
- Your cloud provider’s dependency on their DNS
- Your CDN’s dependency on their certificate authority
- Your payment processor’s dependency on their bank
- Your email service’s dependency on their IP reputation
Fourth-Party Dependencies (Invisible)
Your vendor’s vendors create risks you may never see:
- The monitoring service your hosting provider uses
- The database software your SaaS tools run on
- The infrastructure provider behind your vendor’s infrastructure
When CrowdStrike crashed systems worldwide, most affected organizations had no direct relationship with CrowdStrike. They were several layers removed - but equally affected.
Building Resilience Against Third-Party Failure
Given that you can’t eliminate third-party dependencies, how do you build resilience?
1. Know What You Depend On
Create and maintain a dependency map:
- List every external service your application needs
- Identify which are critical (can’t function without) vs. degradable (can function with reduced capability)
- Document the impact of each dependency’s failure
- Update quarterly as your stack evolves
2. Monitor From Outside
Don’t rely on internal health checks to tell you if customers can reach you. External monitoring from multiple locations catches:
- DNS resolution failures
- CDN issues in specific regions
- Third-party service degradation
- Problems your internal monitoring can’t see
3. Design for Degradation
Build systems that fail gracefully:
- Payment processor down? Queue orders for later processing
- Analytics service down? Continue serving pages without tracking
- Chat widget down? Show a contact form instead
- CDN down? Fall back to origin (slower but working)
Not every feature is equally critical. Know which you can sacrifice to keep core functionality running.
4. Avoid Single Points of Failure
For critical services:
- Use multiple DNS providers with automatic failover
- Consider multi-CDN strategies for geographic redundancy
- Have backup payment processors configured (even if not active)
- Distribute across multiple cloud regions or providers for critical workloads
5. Have Incident Playbooks
When a third-party fails, you need to act fast:
- How will you detect the issue?
- Who needs to be notified?
- What’s your communication plan for customers?
- What workarounds are available?
- How will you know when service is restored?
Don’t figure this out during an incident. Plan ahead.
6. Review Vendor SLAs and Status Pages
Understand what your vendors actually guarantee and how they communicate issues:
- Subscribe to status page updates for critical vendors
- Know their incident notification timeline
- Understand what compensation (if any) you’re entitled to
- Have contacts for escalation beyond standard support
The Reality of Modern Infrastructure
No business is an island. The services that power modern websites create value through specialization and scale - but they also create interconnected risk.
The CrowdStrike incident proved that even organizations with sophisticated IT operations can be brought down by a vendor several steps removed from their own systems.
The AWS, Cloudflare, and Fastly outages showed that concentration in infrastructure providers means single points of failure for huge portions of the internet.
The path forward isn’t to eliminate third-party dependencies - that’s neither practical nor desirable. It’s to understand them, monitor them, and build systems that can survive their failure.
Your uptime depends not just on your own infrastructure, but on a chain of providers extending far beyond your direct visibility. The businesses that stay online are the ones that acknowledge this reality and plan accordingly.
Want visibility into how third-party issues affect your users? FlareWarden monitors your website from outside your infrastructure, detecting problems - including third-party failures - the way your customers experience them.