The set of resources, identities, data classes, and downstream systems that an adversary can affect from a successful compromise of a single asset, prior to detection and containment. Blast radius is a structural property of an architecture, not an incident-response variable. The federation expects blast-radius reduction to be a continuous design objective, achieved through segmentation, least-privilege scoping, time-bounded credentials, and network constraint. A documented blast-radius analysis is required for every Tier-1 service under UFMS-001:2.4.
Borrowed from physical-security and weapons-effects vocabulary; entered software security through the chaos-engineering and cloud-architecture communities in the mid-2010s.
Federation members must publish a blast-radius worksheet for each Tier-1 service, identifying the worst-case reachable scope from a single compromised asset. Worksheets older than twelve months are not admissible under MEV-Annex:3.2.
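
The "worst-case reachable scope from a single compromised asset" can be computed as reachability over an access graph. The sketch below is an added example, not federation material or a prescribed worksheet format; the asset names, edges, and the two controls applied are constructed for illustration.

```python
from collections import deque

# Constructed access graph: (src, dst, kind) means control of src yields
# access to dst through a network path, an assumed identity, or a permission.
EDGES = [
    ("web-frontend", "orders-api", "network"),
    ("web-frontend", "role:web", "identity"),
    ("role:web", "s3:static-assets", "permission"),
    ("role:web", "s3:customer-exports", "permission"),  # over-broad grant
    ("orders-api", "role:orders", "identity"),
    ("role:orders", "db:orders", "permission"),
    ("orders-api", "billing-api", "network"),           # flat network
    ("billing-api", "role:billing", "identity"),
    ("role:billing", "db:payments", "permission"),
]

def blast_radius(edges, start):
    """Every node transitively reachable from `start`, excluding `start`."""
    adj = {}
    for src, dst, _kind in edges:
        adj.setdefault(src, []).append(dst)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adj.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}

def without(edges, *removed):
    """Edge list after a control removes the given (src, dst) pairs."""
    return [e for e in edges if (e[0], e[1]) not in removed]

def data_stores(nodes):
    """Reachable data stores, the part of the radius that holds data classes."""
    return sorted(n for n in nodes if n.startswith(("db:", "s3:")))

BASELINE = blast_radius(EDGES, "web-frontend")
HARDENED = blast_radius(
    without(EDGES,
            ("role:web", "s3:customer-exports"),  # least-privilege scoping
            ("orders-api", "billing-api")),       # segmentation
    "web-frontend")

if __name__ == "__main__":
    print("baseline:", len(BASELINE), data_stores(BASELINE))
    print("hardened:", len(HARDENED), data_stores(HARDENED))
```

Because the result depends only on the edges, removing a grant or a network path shrinks the radius before any incident occurs, which is the sense in which the entry calls it a structural property.
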
@misc{ifo4_glossary_blast_radius,
title = {{Blast Radius}},
author = {{IFO4 Federation Editorial Board}},
howpublished = {{IFO4 Federation Glossary, slug \texttt{blast-radius}}},
year = {2026},
url = {https://ifo4.org/glossary/blast-radius},
note = {Category: SecOps; key: BlastRadius}
}
Federation members and accredited practitioners may challenge any entry under TGS-002:1.7. Filed challenges are routed to the editorial board, triaged into the revision register, and resolved in writing on the public docket. The slug remains stable through any revision.