AS-201a · Module 2

Blast Radius Thinking

3 min read

Let me introduce a concept that will change how you think about every deployment decision you make for the rest of your career. It is called blast radius thinking.

In military and engineering contexts, blast radius is the area affected when something goes wrong. A controlled demolition has a small blast radius because the engineers planned for failure. An uncontrolled explosion has a massive blast radius because nobody did.

Every deployment decision is a blast radius decision. The question is not whether the system will fail — all systems fail eventually. The question is: when this fails, what else does it take down with it?

Do This

  • Deploy on isolated infrastructure — separate server, separate network, separate credentials
  • Ask "what is my blast radius?" before every deployment, not after every incident
  • Choose more friction, more cost, more setup time if it shrinks the blast radius
  • Apply the principle of least privilege — the agent gets access to exactly what it needs and nothing more

Avoid This

  • Deploy on personal hardware connected to your home or office network
  • Reuse credentials between the agent deployment and other systems
  • Skip isolation because "it's just a personal project" — personal data is still data
  • Assume that because the software is popular, it must be secure

When Greg deployed on the Mac Mini M4, the blast radius would have included his entire personal network. Every device. Every credential. Every piece of personal data on every machine connected to that network. One compromised agent, and the blast radius is your whole digital life.

When Greg deployed on a Hostinger VPS instead, the blast radius was one isolated server. If the agent was compromised — if someone exploited the exact same vulnerabilities that hit 30,000 other instances — the damage stops at the boundary of that server. No lateral movement. No credential reuse. No path back to the personal network. The blast radius is contained.

That is the difference. Not sophistication. Not genius. A single architectural decision that limits what can go wrong.