Blast Radius and Impact Scope

The scope of systems, data, users, or operations affected when one component is compromised or fails.

Blast radius is the scope of systems, data, users, or operations that could be affected when one component is compromised or fails. In plain language, it asks how far the damage can spread from a single mistake, outage, or breach point.

Why It Matters

Blast radius matters because not every incident stays local. A poorly contained identity, application, or network problem can expand into a much larger business and security issue.

It also matters because many good security decisions are really about limiting how much one failure can affect at once.

Where It Appears in Real Systems or Security Workflow

Blast radius appears in identity design, cloud architecture, segmentation strategy, key management, and incident response planning. Teams connect it to Least Privilege, Defense in Depth, Network Segmentation, Security Group, and Containment.

It is a useful concept because it turns “secure enough” into a more concrete design question: what happens if this one control fails?

Common Ways to Reduce Blast Radius

Design choice                      How it helps
Least privilege                    Limits what one identity can affect after compromise.
Segmentation                       Prevents one compromised zone from reaching everything else.
Separate admin paths               Keeps sensitive control planes off ordinary access routes.
Scoped keys and service accounts   Reduces how widely one leaked secret can be used.

Practical Example

A service account has broad access across many cloud resources. If that account is exposed, the blast radius is much larger than it would be if the account were limited to one narrowly defined workload.
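The comparison above can be measured. This is an added example, not part of the original page: it uses a constructed inventory and a simplified grant model (all identity and resource names are hypothetical, and the format is not any cloud provider's policy syntax). It goes one step beyond the text by also following which identities an account can impersonate, since those grants are part of its blast radius too.

```python
from fnmatch import fnmatchcase

# Constructed sample inventory (hypothetical names).
RESOURCES = [
    "bucket/billing-exports", "bucket/app-logs", "db/orders",
    "db/customers", "queue/orders-in", "kms/orders-key",
]

# Simplified grant model: identity -> resource patterns it may access directly.
GRANTS = {
    "svc-broad": ["*"],                                   # broad service account
    "svc-orders": ["db/orders", "queue/orders-in", "kms/orders-key"],
    "svc-reporting": ["bucket/*"],
    "ci-deployer": [],                                    # no direct data access
}

# identity -> identities it is allowed to impersonate (assumed relationship).
CAN_ASSUME = {
    "ci-deployer": ["svc-orders", "svc-reporting"],
    "svc-reporting": ["ci-deployer"],                     # forms a cycle
}

def reachable_identities(start):
    """All identities usable after `start` is compromised (cycle-safe walk)."""
    seen, stack = set(), [start]
    while stack:
        ident = stack.pop()
        if ident not in seen:
            seen.add(ident)
            stack.extend(CAN_ASSUME.get(ident, []))
    return seen

def blast_radius(identity):
    """Resources exposed if `identity` leaks, including impersonation paths."""
    patterns = [p for i in reachable_identities(identity)
                for p in GRANTS.get(i, [])]
    return {r for r in RESOURCES if any(fnmatchcase(r, p) for p in patterns)}

def report():
    """(identity, exposed count, percent of inventory), largest first."""
    rows = [(i, len(blast_radius(i)),
             round(100 * len(blast_radius(i)) / len(RESOURCES)))
            for i in GRANTS]
    return sorted(rows, key=lambda row: -row[1])

if __name__ == "__main__":
    for ident, count, pct in report():
        print(f"{ident:<14} {count}/{len(RESOURCES)} resources ({pct}%)")
```

In this sample, `svc-reporting` has direct access to only two buckets, but its impersonation path raises its effective blast radius to five of the six resources, which a review of direct grants alone would miss.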

Common Misunderstandings and Close Contrasts

Blast radius is not the same as Risk. Risk includes likelihood and business consequences, while blast radius focuses more specifically on the scope of possible impact.

It is also different from Containment. Containment is a response action taken during an incident, while blast radius is the potential spread that good design tries to limit ahead of time.

Revised on Friday, April 24, 2026