Series: Introducing Blast Radius — See What Breaks Before You Deploy
“It Was Just a Security Group Change”
A developer modifies an ingress rule on a security group. The pull request looks clean, and cdk diff shows that only one resource is changing. The PR is approved, merged, and deployed.
Then the alerts start flowing in. Ten EC2 instances lose connectivity. Three RDS databases become unreachable. The production app goes down.
The change was correct in isolation. The problem was everything downstream of that change, and nothing in the IaC diff revealed it.
This isn’t a fictional horror story. It is a category of incident that happens because IaC tools are blind to runtime dependency relationships.
Terraform Plan Shows Your Change — Not Its Consequences.
IaC tools tell you what you are changing. They don't tell you what else depends on that resource and will break when it changes.
terraform plan shows 1 resource modified. In reality, 28 downstream resources are affected.
cdk diff shows a property update. In reality, there is a cascading dependency chain through Config relationships.
CloudFormation change sets list actions on declared resources. Undeclared runtime dependencies are invisible.
Manual review doesn’t scale. You’d need to trace relationships across AWS Config, Resource Explorer, and tribal knowledge, and still probably miss something. The other option is to deploy to a dev environment and see what breaks.
The information exists in AWS. Config tracks relationships. Resource Explorer indexes resources. It’s just not connected to your deployment workflow.
See the Blast Radius Before You Deploy.
Blast Radius connects the data AWS already has to your deployment workflow. It discovers downstream dependencies from your infrastructure change, scores each one for risk, and optionally asks AI whether you should deploy.
It works with CDK, CloudFormation, and Terraform out of the box. You don’t need to change your IaC tool.
The dependency graph makes the cascade visible: your changed resource highlighted in blue, everything downstream fanning out and color-coded by risk score. Click any node for details. There’s a table view too.
[Image: Frontend dependency graph example]
The score isn’t a mystery: (depth × 0.30) + (criticality × 0.40) + (change severity × 0.30). The weights sum to 1.0, so the score stays on the same scale as its three inputs. It is explainable, auditable, and tunable.
The output lands in your PR as a comment (GitHub Action), in your terminal (CLI), or in an interactive graph (frontend).
From IaC Diff to Risk Score in 30 Seconds
You push a PR with an infrastructure change.
Blast Radius auto-generates the changeset (runs cdk synth, terraform plan, or reads your CloudFormation change set).
An adapter normalizes the changeset into a single canonical format. CDK, CloudFormation, and Terraform all describe the same change in different ways. The canonical format unifies them.
AWS Config queries discover the real, live dependency relationships: not what the IaC declares, but what is actually wired together in your account.
Each affected resource is scored for how far away it is (depth), how important it is (criticality), and how dangerous the change type is (severity).
Results: a risk summary, scored resources, dependency graph, and optional AI-generated deployment recommendation.
[Image: Flow diagram of how Blast Radius works]
Total wall time: 10–30 seconds, depending on graph size.
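To make the adapter step concrete, here is a small normaliser written for this article. It is not Blast Radius's own adapter and the ChangeRecord shape is an assumed canonical format, but the input field names are the real ones: the resource_changes array of a terraform show -json plan and the Changes array of a CloudFormation DescribeChangeSet response (which is also what a CDK change set produces). Terraform's two-element action lists and CloudFormation's Replacement field are both folded into one "replace" action; the sample inputs are constructed.

```typescript
// Added example, written for this article: normalise a Terraform plan and a
// CloudFormation change set into one canonical record. Not Blast Radius's own
// adapter; ChangeRecord is an assumed schema, the input field names are real.

type Action = "create" | "update" | "replace" | "delete" | "no-op";

interface ChangeRecord {            // assumed canonical format
  source: "terraform-plan" | "cloudformation-changeset";
  id: string;                       // address or logical ID from the IaC
  physicalId?: string;              // live identifier, when the tool reports one
  resourceType: string;
  action: Action;
}

interface TerraformPlan {           // subset of the `terraform show -json` format
  resource_changes?: Array<{ address: string; type: string; change: { actions: string[] } }>;
}

interface CfnChangeSet {            // subset of DescribeChangeSet output
  Changes?: Array<{
    Type: string;
    ResourceChange?: {
      Action: string; LogicalResourceId: string; PhysicalResourceId?: string;
      ResourceType: string; Replacement?: string;
    };
  }>;
}

// Terraform reports a replacement as a two-element action list, in either order.
function terraformAction(actions: string[]): Action {
  switch (actions.join(",")) {
    case "create": return "create";
    case "update": return "update";
    case "delete": return "delete";
    case "delete,create":
    case "create,delete": return "replace";
    case "no-op":
    case "read": return "no-op";      // unchanged resources and data-source reads
    default: throw new Error(`unrecognised terraform actions: ${actions.join(",")}`);
  }
}

// CloudFormation signals replacement on a Modify through the Replacement field;
// "Conditional" is treated as a replacement because it can become one at execution.
function cfnAction(action: string, replacement?: string): Action {
  switch (action) {
    case "Add": return "create";
    case "Remove": return "delete";
    case "Dynamic": return "update";   // effect only known at execution; treat as a change
    case "Modify": return replacement === "True" || replacement === "Conditional" ? "replace" : "update";
    case "Import": return "no-op";     // existing resource brought under management, nothing deployed
    default: throw new Error(`unrecognised CloudFormation action: ${action}`);
  }
}

function normalizeTerraformPlan(plan: TerraformPlan): ChangeRecord[] {
  return (plan.resource_changes ?? [])
    .map((rc) => ({
      source: "terraform-plan" as const, id: rc.address, resourceType: rc.type,
      action: terraformAction(rc.change.actions),
    }))
    .filter((r) => r.action !== "no-op");   // only things that actually change matter downstream
}

function normalizeCfnChangeSet(cs: CfnChangeSet): ChangeRecord[] {
  const records: ChangeRecord[] = [];
  for (const c of cs.Changes ?? []) {
    if (c.Type !== "Resource" || !c.ResourceChange) continue;   // skip non-resource entries
    const rc = c.ResourceChange;
    const action = cfnAction(rc.Action, rc.Replacement);
    if (action === "no-op") continue;
    records.push({
      source: "cloudformation-changeset", id: rc.LogicalResourceId,
      physicalId: rc.PhysicalResourceId, resourceType: rc.ResourceType, action,
    });
  }
  return records;
}

// Constructed sample inputs for the example (not real account data).
const SAMPLE_TF_PLAN: TerraformPlan = {
  resource_changes: [
    { address: "aws_security_group.app", type: "aws_security_group", change: { actions: ["update"] } },
    { address: "aws_db_instance.main", type: "aws_db_instance", change: { actions: ["delete", "create"] } },
    { address: "data.aws_caller_identity.me", type: "aws_caller_identity", change: { actions: ["read"] } },
  ],
};

const SAMPLE_CFN_CHANGESET: CfnChangeSet = {
  Changes: [
    { Type: "Resource", ResourceChange: { Action: "Modify", LogicalResourceId: "AppSecurityGroup",
      PhysicalResourceId: "sg-0123456789abcdef0", ResourceType: "AWS::EC2::SecurityGroup", Replacement: "False" } },
    { Type: "Resource", ResourceChange: { Action: "Modify", LogicalResourceId: "Database",
      PhysicalResourceId: "prod-db", ResourceType: "AWS::RDS::DBInstance", Replacement: "Conditional" } },
  ],
};
```

Once both tools emit the same records, the dependency discovery and scoring stages only have to understand one shape. Note that only the CloudFormation path carries a physical ID; a Terraform plan for a not-yet-applied replacement has no live identifier to hand to Config, which is why the Terraform address is kept as the join key.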
Two Gates: Numbers and Judgment
Threshold gate (--threshold 75): If any downstream resource scores above your number, the pipeline fails. Deterministic. No AI required. Good for teams that want a hard cutoff.
AI gate (--ai-gate): An AI model analyzes the full dependency graph and returns a deploy/no-deploy recommendation with confidence. Catches systemic risks that individually score below the threshold but are dangerous collectively.
You modify a security group attached to a shared RDS Proxy. Eight Lambda functions score 62. Two ECS services score 68. All below your threshold of 75. But every one of them routes database traffic through that proxy. Take it down and you’ve killed every service that touches your database. The AI sees the shared dependency. The threshold just sees ten numbers under 75.
Use either gate on its own or both together. When both are enabled, the run fails if either one triggers, which gives you defense in depth.
Exit codes are CI-friendly: 0 = pass, 1 = fail, 2 = error.
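To make the scoring formula and the two gates concrete, here is an added example written for this article, not Blast Radius's own code. It scores a constructed version of the RDS Proxy scenario above and runs the gates over it. Assumptions: criticality and change severity are on a 0 to 100 scale, depth is normalised so that one hop scores 100 and decays linearly to 0 at five hops (the article gives only the weights, not the input scales), the AI verdict is supplied as data rather than by a model call, and the field naming is invented. With these inputs the eight Lambda functions score 62 and the two ECS services 68, the threshold gate at 75 passes with exit code 0, the combined gate fails on the AI verdict, and fanIn() surfaces the ten-to-one fan-in through the proxy that the threshold alone never looks at.

```typescript
// Added example, written for this article: the published risk formula and the
// two gates as deterministic functions. Not Blast Radius's own code. Assumed:
// 0-100 input scales, the depthScore() normalisation, and the AiVerdict shape.

interface AffectedResource {
  id: string;
  depth: number;        // hops from the changed resource; 1 = directly attached
  criticality: number;  // 0-100 (assumed scale)
  severity: number;     // 0-100 for the change type (assumed scale)
  via: string;          // nearest upstream node the dependency runs through (assumed field)
}

interface AiVerdict { deploy: boolean; confidence: number }   // assumed shape

const MAX_DEPTH = 5;

// Assumption: hop 1 scores 100, decaying linearly to 0 at MAX_DEPTH, so a
// directly attached resource carries the most weight.
function depthScore(depth: number): number {
  const d = Math.min(Math.max(depth, 1), MAX_DEPTH);
  return (100 * (MAX_DEPTH - d)) / (MAX_DEPTH - 1);
}

// The article's formula: (depth × 0.30) + (criticality × 0.40) + (severity × 0.30).
function riskScore(r: AffectedResource): number {
  return Math.round(depthScore(r.depth) * 0.3 + r.criticality * 0.4 + r.severity * 0.3);
}

// CI-friendly exit codes from the article: 0 = pass, 1 = fail, 2 = error.
type ExitCode = 0 | 1 | 2;
interface GateResult { exitCode: ExitCode; reason: string }

// Threshold gate: deterministic, fails if ANY resource scores above the cutoff.
function thresholdGate(resources: AffectedResource[], threshold: number): GateResult {
  if (!Number.isFinite(threshold) || threshold < 0 || threshold > 100) {
    return { exitCode: 2, reason: `invalid threshold ${threshold}` };   // error, not fail
  }
  const over = resources.filter((r) => riskScore(r) > threshold).map((r) => r.id);
  return over.length > 0
    ? { exitCode: 1, reason: `above ${threshold}: ${over.join(", ")}` }
    : { exitCode: 0, reason: `all ${resources.length} resources at or below ${threshold}` };
}

// AI gate: the model's verdict is passed in as data here; a missing verdict is an error.
function aiGate(verdict: AiVerdict | undefined): GateResult {
  if (verdict === undefined) return { exitCode: 2, reason: "no AI verdict returned" };
  return verdict.deploy
    ? { exitCode: 0, reason: `AI recommends deploy (confidence ${verdict.confidence})` }
    : { exitCode: 1, reason: `AI recommends no-deploy (confidence ${verdict.confidence})` };
}

// Both gates enabled: the run fails if EITHER fails, and an error from either wins.
function combineGates(...results: GateResult[]): GateResult {
  if (results.length === 0) return { exitCode: 2, reason: "no gates enabled" };
  return results.reduce((worst, r) => (r.exitCode > worst.exitCode ? r : worst));
}

// How many affected resources route through the same immediate upstream node.
// This is the shared-dependency signal in the RDS Proxy scenario.
function fanIn(resources: AffectedResource[]): Map<string, number> {
  const counts = new Map<string, number>();
  for (const r of resources) counts.set(r.via, (counts.get(r.via) ?? 0) + 1);
  return counts;
}

// Constructed input modelled on the article's RDS Proxy scenario (not real data).
const PROXY_SCENARIO: AffectedResource[] = [
  ...Array.from({ length: 8 }, (_, i) => ({
    id: `lambda/order-worker-${i + 1}`, depth: 2, criticality: 55, severity: 58, via: "rds-proxy/prod",
  })),
  { id: "ecs/checkout", depth: 2, criticality: 70, severity: 58, via: "rds-proxy/prod" },
  { id: "ecs/inventory", depth: 2, criticality: 70, severity: 58, via: "rds-proxy/prod" },
];

function run(): { threshold: GateResult; combined: GateResult; sharedUpstream: number } {
  const threshold = thresholdGate(PROXY_SCENARIO, 75);
  const ai = aiGate({ deploy: false, confidence: 0.9 });   // constructed verdict for the example
  return {
    threshold,
    combined: combineGates(threshold, ai),
    sharedUpstream: fanIn(PROXY_SCENARIO).get("rds-proxy/prod") ?? 0,
  };
}
```

The threshold gate is the cheaper check and never needs a model, but run() shows its blind spot: ten resources under 75 pass it cleanly even though fanIn() reports that all ten sit behind one node. The fan-in count is shown only to make the shared dependency visible in data; the article's answer to it is the AI gate.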
Add It to Your Pipeline in Five Minutes
First, deploy the backend to your own AWS account. One stack, one command:
git clone https://github.com/sburgholzer/BlastRadius.git && cd BlastRadius
npm install && npm run build && cd packages/infra && cdk deploy
One requirement before you deploy: AWS Config and Resource Explorer must be enabled in your account, because that is where Blast Radius reads live dependency relationships. Config only reports relationships for the resource types it is recording, so anything outside your recorder's scope will not show up in the analysis.
Then add it to your pipeline. The fastest path is the GitHub Action — it auto-comments on your PR with the full analysis:
- uses: sburgholzer/BlastRadius@v0.1.0
  with:
    format: terraform-plan
    input: plan.json
    ai-gate: true
    api-url: ${{ secrets.BLAST_RADIUS_URL }}
For CDK, you’ll need to generate a CloudFormation changeset first, then pass it to the action. The full setup is in Article 2.
Or skip the GitHub Action entirely and run it from the CLI in any CI system:
curl -sL https://github.com/sburgholzer/BlastRadius/releases/latest/download/blast-radius.js -o blast-radius.js
node blast-radius.js analyze --format cdk --stack MyStack --ai-gate
Blast Radius is open source. You can find the repo at https://github.com/sburgholzer/BlastRadius.
Closing Thoughts
Infrastructure changes will always carry risk. The goal isn’t to eliminate that risk; it’s to see it clearly before you deploy. Blast Radius gives you that visibility in the time it takes to review a PR.
Next In This Series
Article 2: Add a Blast Radius Gate to Your CI/CD Pipeline
Article 3: Serverless IaC Risk Analysis: The Architecture Behind Blast Radius
Article 4: 349 Tests, Zero Mocks: Building Blast Radius in TypeScript
These articles are coming in the next few weeks. I’ll update this post with links as each one publishes.