Build mobile tests anyone on your team can run Request a Demo Now
Turn your manual testers into automation experts!Request a Demo

Cloudflare Outage Lessons 2026: Improving Site Reliability (SRE)

Gabriel Ernandes
Weekly Newsletter
Receive weekly testRigor newsletters packed with insights on test automation, codeless testing, and the latest advancements in AI.

Cloudflare experienced three major outages within four months. Notably, these incidents were not caused by cyberattacks or software bugs. It was due to the configuration changes made inside the company that caused widespread disruption across the network. These changes caused significant disruption to segments of the global network, without even giving engineers time to intervene.

This is a bitter truth that Cloudflare has had to repeat since November 2025. But in the Cloudflare Post-Mortem 2026 report, there is a big lesson for improving Site Reliability (SRE). These outage lessons go beyond traditional QA checklists and highlight deeper reliability challenges.

Key Takeaways:
  • Minor configuration changes can cause major global outages.
  • Cloudflare outages were not caused by cyberattacks or external threats.
  • Issues in permissions, routing, and network configuration were key triggers.
  • Failures can spread quickly across large-scale distributed systems.
  • Strong infrastructure testing and failover validation are essential for reliability.

Cloudflare Outage: November 18, 2025

This outage was not due to a cyber attack but resulted from a change in database permissions that led to an oversized feature file for the Bot Management system. This caused the routing software to fail as it could not handle the increased file size.

Initially thought to be a DDoS attack, the true problem was identified later, and the feature file was replaced, restoring normal traffic flow by 14:30 UTC. This incident exposed certain zero-trust architecture gaps in how internal permissions are managed.

By 17:06, all Cloudflare systems were operational again. The company expressed regret over the impact of the outage and committed to preventing similar incidents in the future. This outage affected high-profile websites, including X and ChatGPT.

Cloudflare Outage: December 5, 2025

In December 2025, Cloudflare experienced significant anycast network failures from 08:47 to 09:12 UTC, affecting about 28% of HTTP traffic. Anycast network failures happen when traffic sent to the same IP address gets routed to the wrong, slow, or unreachable server due to routing issues. This can cause higher latency, service outages in some regions, or uneven load if routing changes unexpectedly.

This incident was also not due to a cyber attack but resulted from changes made to body parsing logic aimed at addressing a recently disclosed vulnerability in React Server Components.

Cloudflare acknowledged the unacceptable nature of the outage, especially following a previous incident in November, proving how easily Infrastructure as Code (IaC) errors can impact global availability. The company plans to publish details on measures to prevent future issues. This outage affected websites including LinkedIn, Zoom, and Downdetector.

Cloudflare Outage: February 20, 2026

In February 2026, Cloudflare experienced a service outage lasting 6 hours and 7 minutes, affecting customers using its Bring Your Own IP (BYOIP) service. The outage occurred due to a change in how Cloudflare managed IP addresses, leading to BGP route leaks and the unintended withdrawal of customer prefixes via Border Gateway Protocol (BGP). This caused disruptions, making services and applications unreachable and resulting in 403 errors on Cloudflare’s DNS resolver (1.1.1.1).

While Cloudflare engineers reverted the change and restored prefix configurations, about 1,100 prefixes were withdrawn. This event highlighted the importance of blast radius mitigation in large-scale networks. Blast radius mitigation means limiting how much damage a failure or attack can cause in a system. It ensures only a small part is affected instead of the whole system going down.

Some customers were able to restore their services independently. Cloudflare expressed regret over the incident and committed to outlining preventive steps for the future. This outage affected users across platforms like Uber Eats, Bet365, and Wikipedia.

A Gentle Reminder

If even Cloudflare, a major global network provider, can go down due to a small internal configuration change, then we should think about the infrastructure resilience of the systems we use every day. This was not a hack or a software bug. Rather, small internal decisions affected global traffic around the world.

This is not about comparing ourselves to them, but about serious thinking. Traditionally, testing focuses on validating application correctness (Application testing), but the potential errors in the infrastructure on which it runs or its settings (Configuration) often go unnoticed. In fact, these errors often lead to large-scale failures. It is time to ask yourself whether your system is also hiding hidden flaws that are not visible from the outside, and whether the existing systems are sufficient to detect them before they affect customers.

Why Should Testers Care?

Teams write tests for features, APIs, and UI flows. But how many teams are testing for cascading failures caused by Infrastructure as Code (IaC) errors? Do you include global DNS failover scenarios in your test matrix? Do you test chaos engineering for networks, not just at the application layer, but also at the network layer?

Each Cloudflare report points to some test coverage that most organizations lack:
  • Blast radius mitigation: Pre-testing such failures is a must. You must validate that a change to a single database or firewall rule cannot trigger a feedback loop that crashes the entire proxy layer.
  • Automated circuit breakers: If your failover paths are not tested in real-world failure scenarios, there is no point in having expensive systems or calculating a multi-CDN strategy ROI.

AI-based testing platforms can be a big help in this regard. In particular, agentic testing frameworks can automatically generate and run regression tests as infrastructure changes occur. Therefore, engineers do not have to write new scripts every time a configuration changes. Teams that test the edge cases along with the surface of the system can survive such massive failures.

Beyond Incident Reports: Can You Catch Failures Before Customers Do?

Cloudflare’s reports are very accurate, transparent, and technically in-depth. Their transparency is commendable. But the relevant question for your organization is not ‘where did Cloudflare go wrong’. Rather, if a similar bug occurs in your system, can your QA and SRE teams detect it before it reaches customers?

Can they?

If you can’t say yes, that’s where the changes should start. See how AI-powered testing can help you detect infrastructure changes and failures in advance.

Agentic testing frameworks can automatically generate and run regression tests as infrastructure changes occur. Start taking action today to avoid writing an explanatory report after the next failure in your system.

You're 15 Minutes Away From Automated Test Maintenance and Fewer Bugs in Production
Simply fill out your information and create your first test suite in seconds, with AI to help you do it easily and quickly.
Achieve More Than 90% Test Automation
Step by Step Walkthroughs and Help
14 Day Free Trial, Cancel Anytime
“We spent so much time on maintenance when using Selenium, and we spend nearly zero time with maintenance using testRigor.”
Keith Powe VP Of Engineering - IDT
Automate tests with plain English using Generative AI. Reduce QA overhead, increase coverage, efficiency and scalability.
Get Our Newsletter
We will send monthly testRigor updates on new features, upcoming events and links to recordings.
Email*
Product
Company
Security
Resources & Learning
© 2026 testRigor. All rights reserved.
Privacy Overview
This site utilizes cookies to enhance your browsing experience. Among these, essential cookies are stored on your browser as they are necessary for ...
Read more
Strictly Necessary CookiesAlways Enabled
Essential cookies are crucial for the proper functioning and security of the website.
Non-NecessaryEnabled
Cookies that are not essential for the website's functionality but are employed to gather additional data. You can choose to opt out by using this toggle switch. These cookies gather data for analytics and performance tracking purposes.