The CrowdStrike Reckoning (Apr 2024 – Jun 2025)
One Friday in July 2024 produced the largest IT outage in history — and it wasn’t a cloud provider. This window’s postmortems are dominated by other people’s software running inside your trust boundary: security agents in the kernel, a dealer platform for an entire industry, a cloud vendor deleting a customer, and a quota policy pushed worldwide.
The incidents that defined the period
- Google Cloud / UniSuper, May 2024 — A misconfiguration during provisioning led Google Cloud to delete an entire customer’s private cloud subscription — a ~$125B pension fund — causing ~two weeks of disruption. Recovery leaned on UniSuper’s own third-party backups. The joint apology statement was unprecedented; “what if our cloud account itself is the failure domain?” entered every DR review.
- CDK Global, June 2024 — Ransomware took down the SaaS platform underpinning ~15,000 North American car dealerships for weeks. A whole industry discovered it had a single point of failure it had never load-tested: its vendor.
- CrowdStrike, July 19, 2024 — A faulty Rapid Response Content update (Channel File 291) hit an out-of-bounds read in the Falcon sensor running in the Windows kernel: ~8.5 million machines blue-screened. Airlines, hospitals, banks, 911 centers. Insured losses in the billions; Delta alone claimed ~$500M. The RCA and Congressional testimony detailed the gap: sensor code was staged and tested; content updates were validated by a checker with a bug and deployed globally at once (crowdstrike.com RCA).
- Azure Central US, July 30, 2024 — A DDoS defense misconfiguration amplified rather than mitigated an attack, in a summer of repeated Microsoft incidents.
- OpenAI, December 11, 2024 — A new telemetry service overwhelmed Kubernetes API servers across clusters; DNS caching masked the rollout risk, and engineers were locked out of the control planes they needed to revert. A modern classic: observability tooling as the outage trigger, published with unusual candor for an AI lab.
- Google Cloud, June 12, 2025 — A new Service Control policy feature with a null-pointer path, no feature flag, and instant global metadata replication crash-looped API management worldwide (~3 hours; ~7.5h for us-central1). Cloudflare (whose Workers KV depended on GCS), Spotify, and dozens of others went down with it. The postmortem’s own action items read like this series' greatest hits: flag-gate everything, stagger global propagation, add backoff.
What the postmortems reveal
1. “Content” updates are code. CrowdStrike’s split — rigorous staging for binaries, instant global push for configuration content — is the same pattern as Cloudflare 2019 and Google 2025. The industry’s hardest-won lesson keeps recurring one abstraction level up: anything that changes runtime behavior needs canaries, whether it’s called code, config, content, or policy.
2. Third-party risk moved inside the perimeter. Kernel-resident agents, SaaS platforms, and cloud control planes all demonstrated that your availability is a weighted sum of your vendors’. Vendor staged-rollout policies, kill switches, and “can we run degraded without X?” questions entered procurement checklists — and (via DORA in the EU) regulation.
3. Deletion protection became a customer demand. UniSuper and (memories of) Atlassian made soft-delete, multi-party approval for destructive operations, and off-provider backups standard enterprise asks.
4. AI joined the response — cautiously. By 2025, AI-drafted incident summaries and postmortem first-drafts were common in tooling (incident.io, PagerDuty, Rootly); the debate shifted to whether AI should act, not just summarize.
Practice and tooling shifts
- Windows resiliency work: Microsoft began pushing security vendors out of the kernel — an OS-level architecture change caused by a postmortem.
- Staged rollout for everything became the loudest industry norm since blameless culture: rings, feature flags, and propagation delays for config and content, not just binaries.
- Resilience regulation matured: DORA (EU financial sector) took effect January 2025, making incident reporting and third-party risk management legal obligations.
Takeaways that still hold
- Inventory every agent with kernel or root privileges on your fleet, and know its vendor’s rollout policy before you need to.
- Back up your cloud outside that cloud; assume the account, not just the region, can fail.
- If a change can propagate globally in seconds, that speed is itself a risk to be engineered — add deliberate friction.
- Ask of every vendor: “Show me your postmortem culture.” It predicts your downtime better than their SLA does.