Coursify

Netflix Intentionally Breaks Production

Netflix Intentionally Breaks Production

Verified Sources
Jun 21, 2026

The Hook: Netflix Intentionally Breaks Production

On any given business day at Netflix, a software tool is silently hunting through the company's production infrastructure, selecting servers at random and killing them. No warning. No mercy. A service handling millions of streaming viewers simply vanishes — and nobody notices.

That's the goal.

Netflix runs a program called Chaos Monkey whose sole purpose is to randomly terminate production instances during business hours. It sounds like a nightmare. It sounds like a security breach. It sounds insane. But this deliberate sabotage is one of the most disciplined reliability practices in modern engineering.

"The best way to avoid failure is to fail constantly." — Netflix Engineering Philosophy^[2]

Why would any company deliberately break its own systems? Because Netflix learned the hard way that untested resilience isn't resilience at all. In August 2008, a major database corruption brought their DVD shipping operation to a halt for three days. That catastrophic failure became the catalyst for a radical philosophy: if you don't test your ability to survive failure, you're just hoping you can.

Footnotes

  1. The Evolution from Netflix's Chaos Monkey to AI-Powered Chaos — History of chaos engineering from Netflix's origins through modern AI-driven approaches.

  2. Completing the Netflix Cloud Migration — Netflix's official account of their 2008 database corruption, 3-day outage, and the multi-year AWS migration that followed.

The Evolution of Chaos Engineering at Netflix — AWS re:Invent 2022

The Problem: Why Large Distributed Systems Fail

Netflix's migration to AWS wasn't just a technology upgrade — it was a survival decision. After the 2008 database corruption that crippled DVD shipments for three days, Netflix realized their vertically scaled, single-point-of-failure architecture was fundamentally fragile^[3].

Moving to the cloud solved the scalability problem but introduced a new one: distributed systems fail in ways that are complex, emergent, and unpredictable.

Why Distributed Systems Are Inherently Fragile

Failure CategoryExampleImpact
Network PartitionsSevered connections between servicesCascading timeouts
Instance FailuresVM crashes, hardware deathService degradation
Dependency FailuresDownstream API outagesPropagated errors
Latency SpikesDisk I/O congestion, CPU pressureTimeout cascades
Data Center OutagesAWS region/zone failureComplete service loss
MisconfigurationsBad security groups, wrong AMIsCompliance violations

Distributed systems obey the principle of emergent behavior — the system as a whole exhibits properties that no individual component possesses. A single failed instance might be trivial, but when that failure triggers a timeout, which triggers a retry storm, which overloads a database, which causes cascading failures across dozens of microservices — you have a blast radius that nobody predicted^[4].

Netflix was running hundreds of microservices on AWS. Every service depended on other services. The combinatorial space of possible failure modes was effectively infinite. Traditional testing — unit tests, integration tests, staging environments — could only cover a tiny fraction of what could go wrong in production.

The core problem: You can't test every failure scenario, but you can train your system to survive failure itself.

The Birth and Evolution of Chaos Engineering

Netflix Database Corruption

Aug 2008

Major database corruption causes a 3-day outage for DVD shipping. Netflix realizes vertical scaling and single points of failure are unsustainable."

Migration to AWS Begins

2009

Netflix begins rearchitecting from monolithic on-prem infrastructure to distributed microservices on Amazon Web Services."

Chaos Monkey Created

2010

Greg Orzell and the Netflix team create Chaos Monkey — a tool that randomly terminates production EC2 instances during business hours."

Simian Army Announced

Jul 2011

Netflix publicly announces its Simian Army — a suite of failure-injection tools that expands Chaos Monkey's scope to multiple failure types."

Chaos Monkey Open-Sourced

2012

Netflix releases Chaos Monkey as an open-source project on GitHub under the Apache 2.0 license, enabling the broader community to adopt chaos practices."

Failure Injection Testing (FIT)

2014

Kolton Andrus and team build FIT at Netflix, adding fine-grained control over which failures are injected and which components they impact."

Chaos Engineering Team Formed

2015

Bruce Wong creates the Chaos Engineering Team at Netflix. Casey Rosenthal develops the charter and formalizes the discipline beyond 'breaking things.'"

Principles of Chaos Engineering Published

2017

The formal Principles of Chaos Engineering are published at principlesofchaos.org, establishing the scientific methodology: define steady state, hypothesize, experiment, disprove."

Industry Tools Emerge

2016–2018

Gremlin (founded by ex-Netflix and Amazon engineers) launches the first managed chaos engineering platform. AWS Fault Injection Simulator follows. Chaos goes enterprise."

Simian Army Retired

2016

Netflix retires the Simian Army GitHub project. Core functionality migrates to other Netflix internal tools and Chaos Monkey 2.0 (built on Spinnaker)."

Birth of Chaos Monkey

Chaos Monkey was created in 2010 by Greg Orzell and the Netflix engineering team, as Netflix migrated from on-premises data centers to AWS^[1]. The original purpose was brutally simple: randomly terminate EC2 instances in production to verify that Netflix services could survive individual server failures without any customer impact.

The philosophy was counterintuitive: instead of trying to prevent failures (an impossible goal in distributed systems), Netflix would induce them — during business hours, with engineers standing by, in a carefully monitored environment^[6].

"By running Chaos Monkey in the middle of a business day, in a carefully monitored environment with engineers standing by to address any problems, we can still learn the lessons about the weaknesses of our system and build automatic recovery mechanisms to deal with them. So next time an instance fails at 3 AM on a Sunday, we won't even notice." — Netflix TechBlog^[6]

Initial Resistance

Netflix lore says Chaos Monkey was not instantly popular. Individual contributors initially grumbled about the added burden — their services were being disrupted, and they had to build resilience they hadn't planned for^[5]. But the tool forced a cultural shift: once the pain of unexpected instance termination was brought directly to engineers, they did what engineers do best — they solved the problem. Services became more fault-tolerant, auto-recovery mechanisms were built, and eventually teams adopted Chaos Monkey as standard practice.

What made Chaos Monkey revolutionary wasn't the technology — it was the management principle instantiated in running code: failure is inevitable, so make it routine^[5].

Footnotes

  1. Birth of Chaos — O'Reilly Media — Casey Rosenthal's account of formalizing chaos engineering from "breaking things" to a disciplined practice at Netflix.

How Chaos Monkey Works: From Random Kill to Resilient System

  1. 1
    Step 1

    Chaos Monkey runs as a scheduled service during business hours (typically Monday–Friday, 9 AM–5 PM). Running during work hours ensures engineers are available to address any problems that surface. A random instance is selected from the pool of eligible targets.

  2. 2
    Step 2

    Chaos Monkey queries the cloud provider's API (originally AWS Auto Scaling Groups) to discover all running instances. It randomly selects an instance from the eligible pool. Teams can opt certain critical services out during specific windows, but the default is participation.

  3. 3
    Step 3

    The tool issues an API call to terminate the selected instance — equivalent to pulling the power cord on a server. No graceful shutdown, no warning to the application. The service running on that instance must handle the abrupt loss on its own.

  4. 4
    Step 4

    The surrounding monitoring systems and load balancers detect the instance loss. Auto-scaling groups spin up replacement instances. Other service instances absorb the traffic. If the system is properly designed, the failure is invisible to users.

  5. 5
    Step 5

    If the termination causes user-visible impact — errors, latency spikes, failed requests — the team has identified a weakness. Engineers fix the issue by adding redundancy, circuit breakers, retry logic, or fallback mechanisms.

  6. 6
    Step 6

    Each termination cycle reinforces the system. Over time, the architecture becomes inherently resilient to instance-level failures. What was once a crisis becomes routine:

Controlled Failure ≠ Recklessness

Chaos Monkey is NOT random destruction. Every run is bounded by safety mechanisms: business-hours scheduling, opt-out capabilities for critical windows, monitoring requirements, and engineer availability. If a real incident occurs during a chaos experiment, the experiment is immediately halted. The blast radius is deliberately constrained.

The Simian Army

Chaos Monkey proved that instance-level failure injection worked. But Netflix's distributed architecture faced threats far beyond a single server going down. The team needed to test entire availability zone outages, network latency, security misconfigurations, and more. The result was the Simian Army — a suite of failure-inducing tools, each targeting a different class of vulnerability^[7].

ToolFailure TypeScopeWhat It Tests
Chaos MonkeyInstance terminationSingle instanceAuto-recovery, instance redundancy
Chaos GorillaAvailability zone outageEntire AZCross-zone failover, load balancing
Chaos KongRegion outageEntire AWS regionRegional traffic evacuation
Latency MonkeyNetwork latency injectionService-to-serviceTimeout handling, retry logic, circuit breakers
Security MonkeySecurity rule violation detectionAll instancesIAM compliance, security group rules
Janitor MonkeyUnused resource cleanupOrphaned resourcesCost optimization, resource hygiene

Chaos Gorilla — Testing Zone-Level Failure

While Chaos Monkey targets individual instances, Chaos Gorilla simulates the outage of an entire AWS availability zone. AWS regions consist of multiple availability zones, each acting as an isolated private network. Chaos Gorilla verifies that service load balancers can properly shift traffic and keep services running even when a complete zone goes dark^[7].

Chaos Kong — Regional Catastrophe

At the top of the escalation ladder, Chaos Kong simulates the failure of an entire AWS region — the maximum realistic disaster in a cloud-native architecture. Netflix runs Chaos Kong experiments regularly to ensure their systems can evacuate traffic from a failing region to a healthy one without severe service degradation^[7].

Latency Monkey — The Silent Killer

Latency Monkey doesn't kill anything — it introduces artificial delays into the network communication between services. This tests whether dependent services have proper timeout configurations, retry logic, and circuit breakers. Latency is often more dangerous than total failure because slow responses can tie up connection pools and trigger cascading timeouts across the system.

Security Monkey & Janitor Monkey

Security Monkey monitors for security violations — it looks for misconfigured security groups, expired SSL certificates, insecure IAM policies, and other compliance issues^[7]. Janitor Monkey identifies and cleans up unused resources — orphaned EBS volumes, unattached IP addresses, stale snapshots — reducing both attack surface and cloud costs.

Footnotes

  1. Netflix Simian Army — GitHub (Retired) — The original open-source repository for the Simian Army suite, retired in 2016. 2

Simian Army: Failure Scope by Tool

Blast radius escalation from instance to region level

What Is Chaos Engineering?

By 2015, it was clear that "breaking things in production" needed a more rigorous definition. Casey Rosenthal, who joined Netflix to lead the Chaos Engineering Team, found that many engineers understood the practice as simply causing random destruction — which was inaccurate and dangerous^[5]. The discipline needed formalization.

In 2017, the Principles of Chaos Engineering were published at principlesofchaos.org, establishing the definitive definition^[9]:

"Chaos Engineering is the discipline of experimenting on a system in order to build confidence in the system's capability to withstand turbulent conditions in production."

The Four-Step Scientific Method

Chaos Engineering follows a rigorous, hypothesis-driven methodology — not random mayhem^[9]:

Define Steady StatehypothesizePredict Continuationinject faultObserve BehaviorcompareValidate or Disprove\text{Define Steady State} \xrightarrow{\text{hypothesize}} \text{Predict Continuation} \xrightarrow{\text{inject fault}} \text{Observe Behavior} \xrightarrow{\text{compare}} \text{Validate or Disprove}
StepActionExample
1. Define Steady StateIdentify measurable output indicating normal behavior"Error rate is 0.01%, latency p99 is 200ms"
2. Form HypothesisPredict that steady state continues in both control and experimental groups"Terminating instance X will not change error rate"
3. Inject VariablesIntroduce real-world failure eventsKill instance, add latency, drop packets
4. Disprove HypothesisLook for differences between control and experimental groupsError rate spiked to 5% → hypothesis disproven, weakness found

Hypothesis-Driven Testing

The critical insight is that chaos engineering is hypothesis-driven, not destruction-driven. You don't break things to see what happens. You:

  1. State what you believe about how the system should behave under failure
  2. Design the smallest experiment that can test that belief
  3. Compare expected vs. actual behavior

If the system behaves as predicted, your confidence increases. If it doesn't, you've found a real weakness — before your users do^[9].

Advanced Principles

The Principles of Chaos Engineering also specify^[9]:

  • Vary Real-World Events: Inject failures that actually happen — server crashes, network partitions, corrupt messages, not just the easy ones
  • Run in Production: Only production has the full complexity, traffic, and state of a real system. Staging environments are sanitized approximations
  • Automate to Run Continuously: Manual Game Days are valuable, but automated chaos runs continuously to catch regressions
  • Minimize Blast Radius: Start small. Expand scope gradually. Always have kill switches and rollback plans

Footnotes

  1. Chaos Engineering: The History, Principles, and Practice — Gremlin — Tutorial covering hypothesis formation, experiment design, and practical chaos engineering adoption.

Steady-State Focus

Focus on the measurable output of the system — throughput, error rates, latency percentiles — not internal attributes. Chaos Engineering verifies that the system does work, rather than trying to validate how it works. This is a crucial distinction: you're testing systemic behavior, not component correctness.

Real-World Examples Across Big Tech

Netflix didn't invent the concept of deliberately testing failure. But it did popularize it, and similar practices emerged independently at other major technology companies.

Netflix — The Pioneer

Netflix's chaos program evolved from the original 2010 Chaos Monkey to Failure Injection Testing (FIT), built by Kolton Andrus in 2014, which added fine-grained control over failure dimensions. The results: Netflix improved from three nines (99.9%99.9\%) to four nines (99.99%99.99\%) of uptime for critical streaming services^[4]. Their chaos experiments regularly test instance failures, zone outages, and regional evacuations — all while serving over 200 million subscribers.

Amazon GameDays

Jesse Robbins, Amazon's "Master of Disaster," drew from his experience as a volunteer firefighter to create GameDay exercises between 2006–2010^[1]. The philosophy: just as firefighters practice responses before real emergencies, engineering teams should rehearse failure scenarios. Amazon GameDays reproduce past incidents or simulate new ones to test the resilience of their massive retail infrastructure. AWS now offers GameDay as a formal service for customers^[12].

Google DiRT — Disaster Recovery Testing

Google's DiRT (Disaster Recovery Testing) program was founded in 2006 by site reliability engineers^[13]. Google's SRE motto: "Hope is not a strategy." DiRT exercises range from role-playing scenarios to physically unplugging hardware in data centers. Engineers plan and execute controlled disruptions to critical systems while ensuring no customer harm. The DiRT postmortems are considered some of the most valuable internal learning documents at Google^[14].

Meta / Facebook — Storm

Facebook Storm is Meta's approach to resilience testing: it simulates data center failures to test what happens to Facebook traffic when an entire data center goes offline. Meta also runs chaos experiments on their massive distributed infrastructure to validate failover mechanisms and disaster recovery procedures^[15].

CompanyProgramFoundedFocus
NetflixChaos Monkey / Simian Army / FIT2010Instance, zone, and region failure injection
AmazonGameDays~2006Rehearsing past incidents and injecting failures
GoogleDiRT2006Disaster recovery, data center physical failures
MetaStorm~2010sData center failover and traffic evacuation

Footnotes

  1. InfoQ: Designing Chaos Experiments and Running Game Days — Interview with Kolton Andrus on FIT and improving Netflix from 99.9% to 99.99% availability.

  2. Google DiRT: Disaster Recovery Testing — O'Reilly (Chaos Engineering Book, Ch. 5) — In-depth chapter on Google's DiRT program, including "Hope is not a strategy" philosophy.

Chaos Engineering Maturity Across Organizations

Relative maturity in key dimensions

Benefits of Chaos Engineering

The quantitative and qualitative benefits of chaos engineering are well-documented across organizations that have adopted the practice^[16]2:

1. Faster Recovery (Reduced MTTR)

Regular exposure to failure scenarios builds muscle memory. Teams that practice responding to outages recover dramatically faster during real incidents. Mature implementations report 60–90% reduction in Mean Time To Recovery (MTTR)^[16]. When an instance dies at 3 AM on a Sunday, the system recovers automatically — and engineers don't even need to be paged.

2. Better Reliability and Higher Availability

Netflix's adoption of chaos engineering directly contributed to their improvement from 99.9%99.9\% to 99.99%+99.99\%+ availability for streaming services^[4]. That difference — from roughly 8.7 hours to 52 minutes of downtime per year — is the gap between "customers notice" and "customers don't notice."

3. Reduced Outage Impact and Cost

Average downtime costs enterprises approximately $9,000 per minute^[17]. A Forrester Consulting study found that chaos engineering delivered a 245% return on investment (ROI) over three years for large enterprises — primarily through prevented outages^[17].

Annual Outage Cost=Downtime Minutes×$9,000/min\text{Annual Outage Cost} = \text{Downtime Minutes} \times \$9{,}000/\text{min} Mature chaos engineering can reduce MTTR by 60–90%, saving millions annually\text{Mature chaos engineering can reduce MTTR by 60–90\%, saving millions annually}

4. Increased Engineering Confidence

Perhaps the most underappreciated benefit: engineers gain confidence that their systems will survive real failures. This confidence translates into faster deployments (less fear of breaking production), calmer incident responses (the team has rehearsed this), and better architectural decisions (resilience is designed in, not bolted on)^[18].

BenefitMetricSource
MTTR Reduction60–90%Forrester / Enterprise case studies^[16]
Availability Improvement99.9%99.99%+99.9\% \to 99.99\%+Netflix engineering^[4]
ROI over 3 years245%Forrester Consulting^[17]
Engineering Time Savings30–40% reduction in incident responseEnterprise implementations^[16]

Footnotes

  1. Measuring the Benefits of Chaos Engineering — Gremlin — Quantitative analysis of chaos engineering ROI, downtime costs ($9,000/min), and the Forrester 245% ROI study.

  2. Chaos Engineering Benefits — Splunk — Comprehensive overview of benefits including resilience, customer satisfaction, and engineering understanding.

Risks, Criticism & When NOT to Do Chaos Engineering

The Biggest Risk: Experiments Becoming Outages

Poorly implemented chaos engineering becomes an incident generator. Without proper scoping, monitoring, kill switches, and rollback plans, a chaos experiment can cause real user-facing damage. Always: (1) Start with the smallest possible blast radius, (2) Ensure kill switches work before starting, (3) Have engineers on standby during experiments, (4) Halt immediately if a real incident occurs.

Key Lessons from a Decade of Chaos

After examining Netflix's journey and the broader chaos engineering movement, the core lessons crystallize into three fundamental principles:

1. Failure Is Inevitable

In any sufficiently complex distributed system, failure is not a question of if but when. Hardware dies. Networks partition. Dependencies fail. Configuration drifts. There are too many moving parts, too many dependencies, and too many failure modes to prevent them all^[9]. The critical shift is accepting this reality: design for failure, not against it.

2. Test Before Disaster

The entire purpose of chaos engineering is to discover weaknesses before they become outages. As Google's SRE team puts it: "Hope is not a strategy."^[14] Analyzing emergencies in production becomes far easier when it's not actually an emergency. Controlled failure injection lets you examine system behavior under stress with time, calm, and full observability — exactly what you don't have during a real incident at 2 AM.

3. Resilience > Perfection

Perfection — zero failures, zero incidents — is not achievable in distributed systems. Resilience is: the ability to absorb failures and continue operating. The goal of chaos engineering is not to prevent failures from ever occurring, but to ensure that when they do, the system degrades gracefully, recovers automatically, and users are unaffected^[9].

ResilienceAbsence of Failure\text{Resilience} \neq \text{Absence of Failure} Resilience=Graceful Degradation+Automatic Recovery+Minimal Blast Radius\text{Resilience} = \text{Graceful Degradation} + \text{Automatic Recovery} + \text{Minimal Blast Radius}

Footnotes

  1. Chaos Monkey at Netflix: The Origin of Chaos Engineering — Gremlin — Detailed history of Chaos Monkey's creation, FIT, and the evolution from instance termination to structured failure injection.

Chaos Engineering Core Concepts

1 / 5
20%
Question · Term

What is Chaos Monkey?

Click to reveal
Answer · Definition

A tool created by Netflix in 2010 that randomly terminates production EC2 instances during business hours to test system resilience and auto-recovery mechanisms.

Common Misconceptions About Chaos Engineering

Chaos Engineering Benefit Distribution

How organizations report value from chaos engineering practices

Knowledge Check

Question 1 of 5
Q1Single choice

Who created Chaos Monkey at Netflix, and in what year was it first deployed?

Sources & Further Reading

Explore Related Topics

1

Software Engineering Applications

Software engineering adapts disciplined design, construction, testing, and evolution methods to the specific quality‑attribute priorities of each application domain.

  • Major domains (enterprise, cloud/web, embedded/real‑time, healthcare, scientific, cyber‑physical) differ in primary concerns such as security, reliability, timing, scalability, and safety.
  • Selecting and ranking quality attributes drives architecture, verification, and operational practices; missed deadlines in real‑time systems must satisfy R=Tsense+Tcompute+Tcommunicate+TactuateDR = T_{sense}+T_{compute}+T_{communicate}+T_{actuate} \le D.
  • Secure development is integrated throughout the lifecycle, not added later, to protect interconnected, continuously‑updated software.
  • Analyzing a domain follows a systematic steps: identify stakeholders, define scope, prioritize attributes, choose architecture, add assurance mechanisms, and plan operation/evolution.
2

Node.js Roadmap: From Fundamentals to Production-Grade Mastery

Node.js has become one of the most dominant platforms for backend development, powering everything from lightweight APIs to large-scale microservices architectures. With over 200,000 packages in the NPM registry and adoption by companies like Netflix, PayPal, and LinkedIn, Node.js remains a critical

3

Brooks’s “No Silver Bullet” and the Persistent Challenge of Software Productivity

Brooks’s “No Silver Bullet” argues that software productivity cannot be boosted tenfold by any single technology because essential complexity—stemming from problem domain, coordination, change, and invisibility—dominates accidental complexity.

  • Accidental complexity (languages, tools, CI/CD) can be reduced, but essential difficulty remains the main bottleneck.
  • The four inherent challenges are complexity, conformity, changeability, and invisibility, with interactions growing roughly O(n2)O(n^2).
  • Modern tools improve accidental aspects, yet coordination, requirements volatility, and conceptual design still limit productivity.
  • Incremental gains arise from better architecture, domain modeling, communication, and disciplined processes, not from a miracle solution.
Browse all research articles