Cloudflare Outage: Why Businesses Needs A Solid Fallback Plan Cloudflare said the crash was triggered by a change to one of its database systems' permissions.

Cloudflare's system crash, which led to prolonged outages at ChatGPT, Canva, X (formerly Twitter), Shopify, and many other high-profile internet platforms, has revived the conversations around the fragility of the internet ecosystem and the need for fallback plans.

It is worth noting that this is not the first time internet companies have faced such widespread outages in recent times.

Just last month, Amazon's AWS outage, reportedly caused by a hidden flaw in its DNS management system, affected a number of internet platforms such as WhatsApp, Signal, Reddit, Roblox, and PlayStation/Xbox networks. Microsoft's Azure too suffered a major outage that impacted thousands of companies and government systems, as well as airlines.

So clearly, when one provider goes down, it sinks the entire organization's operations with it. And with no fall back plans in place, these outages can lead to major loss in business, apart from reputational damage.

According to reports, the average cost of downtime could go up to USD 9,000 per minute, though it depends on the size of the business and industry. While smaller companies may face lower cost, large enterprises could face more than USD 5 million per hour loss due to an unplanned downtime.

What is Cloudflare and why is it so important?

Estimated to support nearly 20% of all global websites, Cloudflare is considered as the most critical infrastructure company. It essentially acts as a key middle layer between a user and website's server, effectively serving as an internet highway management system.

Cloudflare's key services include:

Content Delivery Network (CDN): Instead of making your browser request all the way to source to grab a website's pictures and videos, Cloudflare keeps copies in little storage lockers all over the world. When you open a site, it hands you the stuff from the locker closest to your house. This makes the websites load much faster.

Cybersecurity: It also prevents hackers trying to breach websites with fake traffic (DDoS attacks), malware, and those annoying robot programs that scrape prices or spam login pages.

DNS Resolution: It is essentially the internet's "phone book," translating domain names (e.g., example.com) into IP addresses quickly and securely.

It competes with platforms like Akamai, Azure CDN, Google Cloud CDN, and Amazon CloudFront. Moreover, Cloudflare's total revenue for a 12-month-period ending September, 2025 stood at around USD 2.01 billion. For the full fiscal year 2024, the company reported annual revenue of USD 1.67 billion.

Why did Cloudflare crash?

Ayush Panwar, Threat Intelligence Researcher at CloudSEK explains that Cloudflare has a tool called Bot Management. It checks every visitor to a website and decides: "Is this a real human typing on their phone, or a robot script trying to cause trouble?" To make that call, it uses machine learning .

The AI doesn't guess randomly—it looks at a bunch of clues about each visitor, like "how fast did they click?" or "what browser are they using?" Each clue is called a "feature." The feature file is an automatically generated list of these clues, pulled from a database and is called a "Feature File". It's like a recipe telling the AI: "Use these 50 ingredients to bake a 'bot score' for every request."

On November 18, 2025, Cloudflare accidentally uploaded a "Feature file" that was way too big. Their system tried to read it every 5 minutes and crashed. And resulted in millions of websites (including ChatGPT, Discord, and many online stores) showing errors or going completely offline for a few hours.

"These things happen more often than people think. A few weeks ago AWS took down big parts of the internet because someone typed the wrong command. Azure had a similar outage when a routine update went wrong. Fastly broke half the web in 2021 with one bad config change," noted Panwar.

Cloudflare on its blog explains: "The issue was not caused, directly or indirectly, by a cyber attack or malicious activity of any kind. Instead, it was triggered by a change to one of our database systems' permissions which caused the database to output multiple entries into a "feature file" used by our Bot Management system. That feature file, in turn, doubled in size. The larger-than-expected feature file was then propagated to all the machines that make up our network.

The software running on these machines to route traffic across our network reads this feature file to keep our Bot Management system up to date with ever changing threats. The software had a limit on the size of the feature file that was below its doubled size. That caused the software to fail."

What should SMEs and startups must learn from it?

While large companies have deep pockets to offset the financial losses caused by long outages, for smaller companies or early-stage startups these can be extremely devastating.

The stakes are always high in today's competitive internet economy. Consider the potential consequences: a WhatsApp-based service fails to load, or a Shopify storefront goes dark during a critical sale. These failures can lead to major fallouts, not limited to lost revenue due to payment failures or a high rate of customer churn.

Experts say that younger or smaller startups must avoid putting all eggs in one basket. They also stress the need for having two different providers, in a potential combination of two CDNs, two DNS services, or one CDN + a server-side firewall. Moreover, experts say, there needs to be a fallback plan or Plan B. Apart from multi-vendor setups, businesses can consider investing into external monitoring to ensure timely response and seamless traffic rerouting during such outage.

".Just be careful: when you turn Cloudflare off, you lose the protection it was giving you—caching, DDoS blocking, the web firewall, bot fighting, everything. So understand what you're dropping before you need to do it in a panic. A five-minute test on a quiet day can save you a lot of stress later," cautioned Panwar.

"The main takeaway is that even best-in-class providers cannot guarantee uninterrupted availability. Dependency mapping is critical. Companies need full visibility into every third-party service sitting between them and their users- whether it's analytics, payments, or CDNs," Oded Vanunu, Chief Technologist & Head of product's vulnerability research at Check Point Software, told Entrepreneur India.

"When an outage occurs, you must know immediately whether you are impacted directly or indirectly. The cost of convenience should not be underestimated. Centralizing everything with one provider is easy and inexpensive, but downtime results in financial loss, customer frustration, and reputational damage," Vanunu added.