I build cloud-based systems for startups and enterprises. My background in operations gives me a unique focus on writing observable, reliable software and automating maintenance work.
I love learning and teaching about Amazon Web Services, automation tools such as Ansible, and the serverless ecosystem. I most often write code in Python, TypeScript, and Rust.
B.S. Applied Networking and Systems Administration, minor in Software Engineering from Rochester Institute of Technology.
Concentration risk is shuffle-sharding’s evil twin: having an oligopoly of SaaS creates infinite, invisible choke points.
The CrowdStrike outage (nobody expects a blank file!) revealed a deep concentration risk among industries that follow similar compliance regimes: they want to be legible to auditors as being secure. How does one do that? No one ever got fired for buying IBM, as the saying goes. CrowdStrike became a de facto monopoly not because it’s good, but because of a combination of enterprise sales, cargo culting, and similar CISOs swapping between similar companies.
Several independent processes drove this invisible concentration of risk:
Getting to scale at all costs has been THE way to beat the competition since the Industrial Revolution. In the Industrial Revolution, falling marginal costs advantaged scale. Software brought marginal costs to near-zero for information-based goods, further advantaging scale. Wide vision and quick response is the central promise of a big EDR player like CrowdStrike.
You see the same in Cloudflare, Stripe Radar, and GSuite spam filtering: scale reveals patterns invisible to your lone WAF, payment processor, or mail server. The price is knowing they’ll use your data in aggregate in ways you couldn’t at your scale; the dividend is that you get to use everyone else’s aggregates.
It got a Web 2.0 name (shudder blitzscaling shudder) and became business as usual. If you weren’t doing it, someone who did came and ate your lunch. The logic makes sense: why scrap it out and build a business when you can take the gains from some other industry and skip straight to winning. Do pass Go, do collect $200M in ARR.
As a bright-eyed founder there are infinite demands on your time, decisions, and trust. It’s also very likely you are connected to a network of other founders, VCs, and employees of startups. It’s highly likely you’ll pick a bank, an auditing firm, an EDR vendor, and many other not-your-main-business things based on their recommendations. In 2023 this contributed to the rapid collapse of at least one bank:
But the world deposit insurance now protects is different than the one it was developed in, and I think it may need to be updated. One much remarked upon elsewhere is that some banks have hypernetworked customer bases who can through relatively independent action tweet and WhatsApp themselves to withdrawing $42 billion in a day.
This dynamic is extremely visible in startups: similar groups of VC partners end up on deals in similar industries. Every possible purchaser in a large business has a watering hole where they meet like-minded folks and swap tips, tricks, and horror stories. Combine this with enterprise sales teams that attempt to traverse those networks, and you have a natural system for creating big winners in software markets.
Imagine a world where only 2-4 models see wide adoption and your chosen model is strongly influenced by your network. You might try to get “neutral” recommendations in cowork sessions with your LLM, and your friends will happen to get the same ones.
Even if you don’t ask for recommendations, when you vibe-code or spec-driven-develop an app it will get defaults for every unspecified behavior. This introduces concentration that not a single person has thought about. Why does your app use Postgres? Everyone’s app uses Postgres. Why does your app use FusionAuth? It’s in the training data and came up first in your agent’s web search.
Previously you had to at least select a library by its name and likely did some basic checking of the supply chain. Now you have decisions you never consciously made: you watched an agent make them, or you didn’t review them at all.
All these incentives add up to severe industry-wide risks that no single actor can do much about. Who is going to intentionally buy the second most secure EDR? What about the second best WAF? Often in software the better option is cheaper too: it has more market share, better economies of scale, and thus can pass a portion of that saving to you.
Major provider outages seem to be becoming more frequent. They make dependencies visible, but unless you act by switching providers the monoculture remains. It’s worth building a runtime map of the systems you own to see whether there are additions or substitutions that would make these outages less severe.
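One way to turn such a runtime map into a concentration report, as an added example that is not code from the original post. The inventory, the vendor names and the "vendor X is hosted on cloud Y" relationships are all constructed placeholders; the point it demonstrates is that the map has to include what your vendors run on, because that is where the invisible concentration hides (a service "on cloud-b" still goes down with cloud-a if its auth provider lives there).

```python
"""Concentration-risk report over a runtime dependency map.

Added example, not code from the original post. The inventory below is
constructed sample data: service names, vendor names and the hosting
relationships are placeholders for whatever your own systems actually use.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed: each service and the vendor it uses per dependency category.
SERVICES: Dict[str, Dict[str, str]] = {
    "checkout-api":  {"cloud": "cloud-a", "db": "db-saas", "auth": "auth-saas",
                      "edr": "edr-x", "payments": "pay-y"},
    "admin-portal":  {"cloud": "cloud-a", "db": "db-saas", "auth": "auth-saas",
                      "edr": "edr-x"},
    "batch-reports": {"cloud": "cloud-b", "db": "db-saas", "auth": "auth-saas",
                      "edr": "edr-x"},
    "status-page":   {"cloud": "cloud-b", "edr": "edr-z"},
}

# Constructed: what the vendors themselves run on. auth-saas is hosted on
# cloud-a, so a cloud-a outage also reaches batch-reports even though that
# service is nominally "on cloud-b".
VENDOR_DEPENDS_ON: Dict[str, Set[str]] = {
    "auth-saas": {"cloud-a"},
    "pay-y": {"cloud-a"},
    "db-saas": set(),
    "edr-x": set(),
    "edr-z": set(),
    "cloud-a": set(),
    "cloud-b": set(),
}


def upstream_closure(vendor: str, graph: Dict[str, Set[str]]) -> Set[str]:
    """Every vendor whose outage takes `vendor` down, itself included (cycle-safe DFS)."""
    seen: Set[str] = set()
    stack = [vendor]
    while stack:
        v = stack.pop()
        if v in seen:
            continue
        seen.add(v)
        stack.extend(graph.get(v, set()))
    return seen


def blast_radius(services=SERVICES, graph=VENDOR_DEPENDS_ON) -> Dict[str, Set[str]]:
    """vendor -> services that fail if that vendor fails, directly or transitively."""
    radius: Dict[str, Set[str]] = defaultdict(set)
    for service, deps in services.items():
        for direct in deps.values():
            for v in upstream_closure(direct, graph):
                radius[v].add(service)
    return dict(radius)


def alternatives_in_use(services=SERVICES) -> Dict[str, Set[str]]:
    """vendor -> other vendors already used in the same category somewhere in the estate."""
    by_category: Dict[str, Set[str]] = defaultdict(set)
    for deps in services.values():
        for category, vendor in deps.items():
            by_category[category].add(vendor)
    return {v: vendors - {v} for vendors in by_category.values() for v in vendors}


def choke_points(threshold: float = 0.5, services=SERVICES,
                 graph=VENDOR_DEPENDS_ON) -> List[Tuple[str, float, bool]]:
    """Vendors whose outage hits at least `threshold` of services, with a flag for
    whether an alternative is already in use (a substitution you could lean on)."""
    total = len(services)
    alts = alternatives_in_use(services)
    rows = []
    for vendor, hit in blast_radius(services, graph).items():
        share = len(hit) / total
        if share >= threshold:
            rows.append((vendor, share, bool(alts.get(vendor))))
    # Worst first; ties broken by name so the report is stable run to run.
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for vendor, share, has_alt in choke_points():
        flag = "" if has_alt else "  <- no alternative in use"
        print(f"{vendor:12s} {share:5.0%} of services{flag}")
```

On the constructed data the report ranks auth-saas, cloud-a, db-saas and edr-x as each taking down three of the four services; only auth-saas and db-saas lack any alternative already in use, which is where a substitution would buy the most. Feeding it real data means answering the uncomfortable question the post raises: for each SaaS dependency, do you actually know what it runs on?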