Where do I start with chaos engineering if my system has never seen it?

Start with a tabletop GameDay — no fault injection, just a written scenario walked through verbally. Pick a high-blast-radius dependency (auth, primary DB, payments), ask the team what happens if it disappears for 10 minutes, and write down where the answers diverge. The first three GameDays usually surface more reliability gaps than the next thirty. Once the team has detection and runbooks for the obvious failures, then introduce automated fault injection in a dev cluster, then staging, then production-canary. The Principles of Chaos document at principlesofchaos.org and the Gremlin chaos engineering primer cover the progression.

Litmus, Chaos Mesh, Gremlin, AWS FIS — which one should I pick?

If your workload is Kubernetes-native and you want CNCF open source, pick Chaos Mesh or Litmus — both are CNCF Incubating, both define experiments as Kubernetes CRDs, both have active communities. Chaos Mesh has a slightly nicer dashboard and broader fault catalog out of the box; Litmus has a stronger workflow engine and ChaosHub catalog. If you need a polished UX, halt buttons, and an enterprise safety story, Gremlin is the SaaS leader. If you are AWS-native and want fault injection that reaches into the AWS control plane (terminating EC2 instances, throttling EBS, failing over RDS), AWS FIS is the right tool — it's the only option that can natively pause an RDS replica or an EKS managed node group.

What is a steady-state hypothesis and why does it matter?

A steady-state hypothesis is a measurable prediction about system behavior under a chosen condition. The form is: 'under condition X, our steady-state metric Y stays within band Z.' Example: 'under 200ms added latency to the payments service, checkout p99 stays under 1.2s and conversion rate stays within 1% of baseline.' It matters because without a hypothesis, an experiment is just destruction — you cannot learn anything because you did not predict anything. The hypothesis is what makes chaos engineering scientific rather than recreational. The Principles of Chaos document is explicit on this.

What's the difference between full jitter and decorrelated jitter?

Both randomize retry delays to break synchronized retry storms. Full jitter sleeps for a uniform random duration in [0, min(cap, base * 2^attempt)] — each retry's delay is independent of the previous one. Decorrelated jitter sleeps for a uniform random duration in [base, min(cap, prev_sleep * 3)] — the next delay is bounded by a multiple of the previous delay. The AWS Builders' Library article on backoff with jitter empirically tests both and recommends full jitter for most workloads — it produces lower total work and lower client-side completion time across a broader range of contention scenarios. Decorrelated jitter is competitive in narrow regimes but full jitter is the safer default.

Why does the AWS Builders' Library argue against fallback in distributed systems?

Three reasons. First, fallback paths are rarely tested — they only run during failures, which are rare, which means the fallback code path is the buggiest code path in the codebase by the time you need it. Second, fallback masks failure rather than surfacing it — the alert that should have paged you doesn't fire because the fallback returned a 200, and now a degraded mode runs silently for days. Third, fallback paths often have correlated failure modes with the primary — if the primary DB is down because of a network partition, the fallback DB is probably also unreachable through the same partition. The Marc Brooker article 'Avoiding fallback in distributed systems' is the canonical reference. The senior alternative is fail-fast with circuit breakers and explicit degraded responses.

How do I set load-test thresholds that match production SLOs?

Express k6 thresholds as the same numbers your SLO document uses. If the SLO is p99 < 1s and error budget is 0.1%, your k6 thresholds are http_req_duration: ['p(99)<1000'] and http_req_failed: ['rate<0.001']. The load test then fails CI on any build that regresses past the SLO under the steady-state RPS the test simulates. The trap to avoid is loosening the thresholds because the test is flaky — flaky thresholds usually mean the test environment doesn't match production capacity, which means the test isn't measuring what you think it is. Fix the environment, not the thresholds.

When does a circuit breaker hurt more than it helps?

When it's tuned wrong. A breaker with too low a failure threshold opens on transient blips and keeps a healthy dependency offline. A breaker with too long a cooldown extends an outage past the dependency's actual recovery. A breaker on a non-idempotent operation interacts badly with retries (the breaker sees the dependency as down, the caller's retry logic sees the breaker rejection as retryable, and you get a thundering retry storm against the breaker itself). The senior tuning: failure threshold around 50% over a window of 20+ calls, cooldown around 30s, half-open probe of 1-3 requests, and never combine a breaker with an unbounded retry loop — the retry budget must respect the breaker.

How is graceful degradation different from a fallback?

Graceful degradation is an explicit contract: the API returns a smaller response that the client knows is degraded — a product page without recommendations is still a valid product page, the client renders it differently, the user sees an explicit 'recommendations unavailable' placeholder. Fallback is implicit substitution — the recommendations service failed, so a hidden secondary code path silently returned cached recommendations from yesterday and the client has no idea. Degradation is in the API contract; fallback hides under it. The AWS Builders' Library makes this distinction directly. Senior services build degradation into the protocol (a recommendations field that may be empty) rather than fallback into the implementation (a parallel recommendation engine nobody tested).

DevOps / SRE Engineer Hub

Reliability Engineering and Chaos for SREs (2026)

Q: When does a circuit breaker hurt more than it helps?

When it's tuned wrong. A breaker with too low a failure threshold opens on transient blips and keeps a healthy dependency offline. A breaker with too long a cooldown extends an outage past the dependency's actual recovery. A breaker on a non-idempotent operation interacts badly with retries (the breaker sees the dependency as down, the caller's retry logic sees the breaker rejection as retryable, and you get a thundering retry storm against the breaker itself). The senior tuning: failure threshold around 50% over a window of 20+ calls, cooldown around 30s, half-open probe of 1-3 requests, and never combine a breaker with an unbounded retry loop — the retry budget must respect the breaker.

Q: How is graceful degradation different from a fallback?

Graceful degradation is an explicit contract: the API returns a smaller response that the client knows is degraded — a product page without recommendations is still a valid product page, the client renders it differently, the user sees an explicit 'recommendations unavailable' placeholder. Fallback is implicit substitution — the recommendations service failed, so a hidden secondary code path silently returned cached recommendations from yesterday and the client has no idea. Degradation is in the API contract; fallback hides under it. The AWS Builders' Library makes this distinction directly. Senior services build degradation into the protocol (a recommendations field that may be empty) rather than fallback into the implementation (a parallel recommendation engine nobody tested).

By Blake Crosley · Last verified 2026-04-30

In short

Reliability engineering in 2026 is the discipline of building systems that fail without taking the user down. Senior SREs reach for chaos engineering (Netflix's Simian Army lineage, now Litmus and Chaos Mesh and AWS FIS) to inject controlled faults, GameDays to rehearse failure with humans in the loop, k6 or Locust to find the knee of the latency curve before traffic does, and a small fixed library of resilience patterns — exponential backoff with full jitter, circuit breakers, graceful degradation — that every distributed-system call site must implement. The bar: you can author a Chaos Mesh experiment, run a GameDay against a steady-state hypothesis, write a k6 script that holds a target RPS, and explain why fallback paths in distributed systems are usually a liability rather than an asset.

Key takeaways

Chaos engineering started at Netflix in 2010 with Chaos Monkey, expanded into the Simian Army (Latency Monkey, Conformity Monkey, Janitor Monkey, Chaos Gorilla, Chaos Kong), and is now codified in the Principles of Chaos at principlesofchaos.org. The discipline is not random destruction — it is hypothesis-driven experiments against a defined steady state.
Modern fault-injection tooling has converged on Kubernetes-native CRD-driven experiments. Litmus (CNCF Incubating) and Chaos Mesh (CNCF Incubating) are the two open-source standards; Gremlin is the dominant SaaS; AWS Fault Injection Service (FIS) is the AWS-native control plane that talks directly to EC2, RDS, ECS, and EKS.
GameDays are the human-in-the-loop counterpart to automated chaos. A GameDay is a scheduled, scoped, written-down failure-injection exercise where on-call engineers respond to a real fault in a real (or near-real) environment. The output is not just a passed test — it is a list of detection gaps, runbook gaps, and architectural fragility found.
Capacity planning is the discipline of running production at a known headroom from saturation. The senior loop: load-test until p99 latency knees up, measure the saturation signal at the knee, set the production headroom alert at ~60% of the knee, and re-run on every release that changes traffic shape.
k6 (Grafana Labs) is the dominant open-source load-testing tool for HTTP and gRPC services in 2026 — JavaScript-authored scenarios, Go-powered VUs, native Prometheus output. Locust is the Python-native counterpart with a friendlier authoring model for engineers already in Python. Vegeta is the canonical CLI for constant-rate HTTP load.
Exponential backoff with full jitter is the default retry policy for any cross-service call. The AWS Builders' Library article on timeouts and backoff (aws.amazon.com/builders-library/timeouts-retries-and-backoff-with-jitter) is the canonical 2026 reference; full jitter beats decorrelated jitter in most workloads and dominates fixed exponential backoff (which causes synchronous retry storms).
Fallback in distributed systems is usually a liability, not an asset. The AWS Builders' Library article 'Avoiding fallback in distributed systems' argues that fallbacks add modes that aren't tested, mask real failures, and create cascading-failure paths. The senior pattern: fail fast with circuit breakers, return a degraded but explicit response, and avoid silent fallback to a parallel code path.

Chaos engineering: Simian Army to modern fault injection (Litmus, Chaos Mesh, Gremlin)

The discipline started at Netflix in 2010 when Chaos Monkey was unleashed on AWS production to randomly terminate EC2 instances during business hours. The 2011 Netflix Tech Blog post The Netflix Simian Army generalized the idea into a family of agents — Latency Monkey injected RPC delays, Conformity Monkey killed instances that drifted from configuration, Janitor Monkey reaped unused resources, Chaos Gorilla took down an entire AWS Availability Zone, and Chaos Kong took down an entire AWS Region. The thesis: a system that survives random component failure in production is a system that has been engineered for resilience, not a system that hopes nothing breaks.

The discipline was formalized in the Principles of Chaos Engineering. The five advanced principles are: build a hypothesis around steady-state behavior; vary real-world events; run experiments in production; automate experiments to run continuously; and minimize blast radius. The senior reading: chaos is not random destruction — it is a hypothesis-driven scientific method. The form of every experiment is "under condition X, our steady-state metric Y stays within band Z." If Y leaves the band, you have learned something about the system that you didn't know.

The 2026 toolchain has converged on Kubernetes-native CRD-driven controllers. Litmus (CNCF Incubating) and Chaos Mesh (CNCF Incubating) are the two dominant open-source projects; both define experiments as YAML CRDs and reconcile them through an in-cluster operator. Gremlin is the leading commercial SaaS, with a much friendlier UX and an enterprise-grade safety story (halt buttons, blast-radius caps, scheduled windows). AWS Fault Injection Service (FIS) is the AWS-native control plane and is the right tool when your workload is on EC2, RDS, ECS, or EKS and you want fault injection that reaches into the AWS control plane itself (terminating an instance, throttling an EBS volume, failing over an RDS replica).

A canonical Chaos Mesh experiment that injects 200ms of latency on the checkout pod's egress to the payments service for 5 minutes:

apiVersion: chaos-mesh.org/v1alpha1
kind: NetworkChaos
metadata:
  name: payments-latency-200ms
  namespace: chaos-testing
spec:
  action: delay
  mode: all
  selector:
    namespaces:
      - production
    labelSelectors:
      app: checkout-api
  delay:
    latency: "200ms"
    correlation: "50"
    jitter: "20ms"
  direction: to
  target:
    mode: all
    selector:
      namespaces:
        - production
      labelSelectors:
        app: payments-service
  duration: "5m"

What this experiment gets right: a tightly scoped selector (only the checkout-api pods are affected), a tightly scoped target (only their traffic to payments-service is delayed — other dependencies are untouched), a bounded duration (5 minutes — chaos must always have a stop time), and a realistic delay profile with jitter and correlation. The hypothesis being tested: "under 200ms of added payments latency, checkout p99 stays under 1.2s and conversion rate stays within 1% of baseline." The blast radius is the smallest possible set of pods that can falsify the hypothesis.

The senior taste call: never start in production. The progression is dev cluster → staging → production-canary (1% of pods) → production (full). Each step requires the previous one to have produced a clean steady state. The Principles of Chaos document is explicit on this — minimizing blast radius is one of the five advanced principles. The Gremlin Chaos Engineering history and principles primer is the canonical practitioner reference for the progression model.

GameDays: structured failure-injection exercises

A GameDay is the human-in-the-loop counterpart to automated chaos. The format originated at Amazon (Jesse Robbins coined the term while running the Master of Disaster program around 2004) and was refined at Google as part of DiRT (Disaster Recovery Testing). The output of a GameDay is not a passed test — it is a list of detection gaps, runbook gaps, communication gaps, and architectural fragility that the team did not know they had.

The senior format has six stages. Pre-flight writes the experiment plan: the steady-state hypothesis, the failure to inject, the blast radius, the abort conditions, the on-call who will respond, and the observers who will time them. Brief tells the on-call only that a GameDay is running in a window — not which experiment, not which service. Inject applies the fault (manually via kubectl, automatically via Chaos Mesh, or surgically via AWS FIS). Respond is the on-call working the page exactly as they would in a real incident — open the runbook, query the dashboards, escalate if needed. Resolve rolls back the fault and confirms the steady state has returned. Retro writes up what was found: time-to-detect, time-to-mitigate, runbook accuracy, dashboard usefulness, and any latent bug surfaced.

What gets exercised matters more than the exact tool. The senior catalog of GameDay scenarios for a 2026 web-scale service: kill a primary database (does the failover work end-to-end including DNS TTL?); throttle a dependency to 5% of capacity (does the circuit breaker open and stay open?); fill the disk on the primary cache nodes (does the eviction-LRU degrade gracefully or thrash?); inject 30% packet loss between two AZs (does the load balancer's health check route around it?); revoke an IAM credential mid-request (does the SDK refresh cleanly or stall?); take down the auth service (does the rest of the platform respond with explicit 401s, or does it cascade into 5xx on every endpoint?). Each scenario is a hypothesis with a measurable steady state, not a destructive experiment.

The blast-radius rule that experienced SREs internalize: a GameDay against a production system must have a one-keystroke abort. If the fault cannot be reverted in under 30 seconds — by deleting the chaos CR, by toggling the feature flag, by kubectl rollout undo, by paging in the experiment author — the experiment does not run in production. Period. AWS FIS supports a stop-condition CloudWatch alarm that auto-aborts the experiment if a chosen metric crosses a threshold; this is the canonical safety pattern. The AWS FIS stop conditions documentation is the reference.

The detection gap is the highest-value finding. If the on-call took 12 minutes to notice that payments latency had doubled, that is not a chaos failure — it is an alerting failure. Write the alert, re-run the GameDay, watch the time-to-detect drop. This is the loop that turns chaos engineering into reliability improvement rather than chaos for its own sake. Charity Majors's writing on production excellence is the canonical practitioner reference for this loop.

Capacity planning and load testing with k6 and Locust

Capacity planning is the discipline of running production at a known headroom from saturation. The senior loop: load-test in a representative environment until p99 latency knees up, measure the saturation signal at the knee, set the production headroom alert at ~60% of the knee, and re-run on every release that materially changes the traffic shape. The Google SRE Book chapter on Monitoring Distributed Systems defines the four golden signals (latency, traffic, errors, saturation) that drive the model.

k6 (Grafana Labs) is the dominant open-source load-testing tool in 2026. Test scenarios are authored in JavaScript and executed by a Go runtime, which is what gives k6 its strong VU efficiency — a single laptop can hold tens of thousands of concurrent virtual users. The native output integrates with Prometheus, InfluxDB, and Grafana Cloud k6. Locust is the Python-native counterpart with a friendlier authoring model for engineers already in the Python ecosystem (its master-worker model also scales horizontally with one config flag). Vegeta is the canonical CLI for constant-rate HTTP load and is the right pick for short, scripted spike tests inside CI.

A canonical k6 script that ramps to 200 virtual users, holds for 5 minutes, then ramps down — exercising the checkout endpoint and asserting that p95 latency stays under 800ms and the error ratio stays under 1%:

import http from 'k6/http';
import { check, sleep } from 'k6';

export const options = {
  stages: [
    { duration: '2m', target: 200 },   // ramp to 200 VUs
    { duration: '5m', target: 200 },   // hold steady
    { duration: '1m', target: 0 },     // ramp down
  ],
  thresholds: {
    http_req_failed:   ['rate<0.01'],            // error rate < 1%
    http_req_duration: ['p(95)<800', 'p(99)<2000'],
  },
};

export default function () {
  const payload = JSON.stringify({ cart_id: __VU, items: 3 });
  const params = { headers: { 'Content-Type': 'application/json' } };
  const res = http.post('https://staging.example.com/checkout', payload, params);
  check(res, {
    'status is 200':      (r) => r.status === 200,
    'has order_id':       (r) => r.json('order_id') !== undefined,
  });
  sleep(1);
}

What this script gets right: a ramp-up stage (sudden spike to 200 VUs is unrealistic and produces a misleading curve); a steady-state hold (5 minutes is long enough for caches and connection pools to warm); thresholds expressed as SLO-shaped pass/fail (p95 < 800ms, error rate < 1%) so the test fails CI when the build regresses; a check on response shape (status 200 + a parsed order_id) so a service that 200s with a malformed body still fails the test. The senior taste call: thresholds should match the production SLO, not be looser. A load test that passes at p95 < 2000ms when production SLO is 800ms is theater, not a guard.

Capacity planning at the next level requires identifying the saturation signal that leads latency. Useful proxies in 2026 stacks: CPU run-queue length (proc.runqueue_size on Linux), connection-pool wait time (most ORM and HTTP-client libraries expose this), work-queue depth (Sidekiq, Celery, RabbitMQ), and JVM/CLR GC pause time. Saturation leads latency — the queue grows before the request times out. The practical pattern: watch the saturation signal during the load test, find the knee, and set a production alert at the saturation level corresponding to ~60% of the knee. That gives roughly 40% headroom for an unplanned traffic spike before you start to see latency degrade, which is the buffer most teams need to absorb a failover or a deploy gone slow.

Resilience patterns: retry+jitter, circuit breakers, graceful degradation

The library of resilience patterns that every distributed-system call site must implement is small and well-understood. The 2026 canonical references are the AWS Builders' Library articles Timeouts, retries, and backoff with jitter and Avoiding fallback in distributed systems. Both are mandatory reading and resolve a surprising number of production debates.

Exponential backoff with full jitter is the default retry policy for any cross-service call. The naive pattern (retry at 100ms, 200ms, 400ms, 800ms) is wrong because every client retries in lockstep — the dependency that just recovered from a momentary blip is hit by a synchronized retry storm and re-fails. Full jitter randomizes each retry's delay across the entire backoff window. The pseudocode:

import random
import time

BASE_MS    = 100      # initial delay
CAP_MS     = 20_000   # max delay (20s)
MAX_TRIES  = 5

def call_with_backoff(invoke):
    for attempt in range(MAX_TRIES):
        try:
            return invoke()
        except RetryableError:
            if attempt == MAX_TRIES - 1:
                raise
            # full jitter: sleep is uniform in [0, min(cap, base * 2^attempt)]
            ceiling = min(CAP_MS, BASE_MS * (2 ** attempt))
            sleep_ms = random.uniform(0, ceiling)
            time.sleep(sleep_ms / 1000.0)

What this gets right: a hard cap on the backoff window (without it, the 7th retry sleeps for 12.8 seconds and the request has long since timed out upstream); a hard cap on retry attempts (unbounded retries against a deeply broken dependency become a self-inflicted DDoS); full jitter — uniform random across [0, ceiling] — which is the variant the AWS article empirically recommends over decorrelated jitter for most workloads. The senior taste call: only retry on idempotent operations (or operations you can make idempotent with an Idempotency-Key header). Retrying a non-idempotent POST that may have succeeded server-side is how you get duplicate charges.

Circuit breakers sit one layer up. The pattern: track the failure rate over a rolling window; once failures exceed a threshold (e.g., 50% of the last 20 calls), open the breaker and fail subsequent calls fast without invoking the dependency at all. After a cooldown, transition to half-open and allow a small probe. If probes succeed, close. If they fail, re-open. The reference design is Michael Nygard's Release It! (2007); the most-cited modern implementation is Netflix Hystrix (now in maintenance) and its successor resilience4j on the JVM and Polly on .NET. The Python ecosystem in 2026 ships circuit breakers in tenacity, pybreaker, and the AWS SDK's built-in client-side rate-limiter.

Graceful degradation is the discipline of turning a failed dependency into a smaller (but still useful) response, not into a 500. The pattern: the recommendations service is down → still render the product page, just without recommendations. The reviews service is timing out → still render the page, with a "reviews unavailable" placeholder. The senior reading is that graceful degradation must be explicit — the user (or downstream service) must be able to tell that the response is degraded — and it must be tested, ideally under chaos.

The contrarian point that experienced SREs internalize: fallback paths in distributed systems are usually a liability, not an asset. Marc Brooker's AWS Builders' Library article makes the case directly. Fallbacks add a code path that almost never runs — which means it almost never gets tested, almost never gets reviewed, and almost certainly contains bugs nobody knows about. When the primary path fails, the fallback path inherits a failure mode it was never designed for and often makes the outage worse. The senior alternative: fail fast with a circuit breaker, return an explicit degraded response, and shed load. No silent fallback to a parallel implementation. The discipline is to make the degraded response a first-class concept in the API contract, not a hidden secondary code path.

Frequently asked questions

Where do I start with chaos engineering if my system has never seen it?: Start with a tabletop GameDay — no fault injection, just a written scenario walked through verbally. Pick a high-blast-radius dependency (auth, primary DB, payments), ask the team what happens if it disappears for 10 minutes, and write down where the answers diverge. The first three GameDays usually surface more reliability gaps than the next thirty. Once the team has detection and runbooks for the obvious failures, then introduce automated fault injection in a dev cluster, then staging, then production-canary. The Principles of Chaos document at principlesofchaos.org and the Gremlin chaos engineering primer cover the progression.
Litmus, Chaos Mesh, Gremlin, AWS FIS — which one should I pick?: If your workload is Kubernetes-native and you want CNCF open source, pick Chaos Mesh or Litmus — both are CNCF Incubating, both define experiments as Kubernetes CRDs, both have active communities. Chaos Mesh has a slightly nicer dashboard and broader fault catalog out of the box; Litmus has a stronger workflow engine and ChaosHub catalog. If you need a polished UX, halt buttons, and an enterprise safety story, Gremlin is the SaaS leader. If you are AWS-native and want fault injection that reaches into the AWS control plane (terminating EC2 instances, throttling EBS, failing over RDS), AWS FIS is the right tool — it's the only option that can natively pause an RDS replica or an EKS managed node group.
What is a steady-state hypothesis and why does it matter?: A steady-state hypothesis is a measurable prediction about system behavior under a chosen condition. The form is: 'under condition X, our steady-state metric Y stays within band Z.' Example: 'under 200ms added latency to the payments service, checkout p99 stays under 1.2s and conversion rate stays within 1% of baseline.' It matters because without a hypothesis, an experiment is just destruction — you cannot learn anything because you did not predict anything. The hypothesis is what makes chaos engineering scientific rather than recreational. The Principles of Chaos document is explicit on this.
What's the difference between full jitter and decorrelated jitter?: Both randomize retry delays to break synchronized retry storms. Full jitter sleeps for a uniform random duration in [0, min(cap, base * 2^attempt)] — each retry's delay is independent of the previous one. Decorrelated jitter sleeps for a uniform random duration in [base, min(cap, prev_sleep * 3)] — the next delay is bounded by a multiple of the previous delay. The AWS Builders' Library article on backoff with jitter empirically tests both and recommends full jitter for most workloads — it produces lower total work and lower client-side completion time across a broader range of contention scenarios. Decorrelated jitter is competitive in narrow regimes but full jitter is the safer default.
Why does the AWS Builders' Library argue against fallback in distributed systems?: Three reasons. First, fallback paths are rarely tested — they only run during failures, which are rare, which means the fallback code path is the buggiest code path in the codebase by the time you need it. Second, fallback masks failure rather than surfacing it — the alert that should have paged you doesn't fire because the fallback returned a 200, and now a degraded mode runs silently for days. Third, fallback paths often have correlated failure modes with the primary — if the primary DB is down because of a network partition, the fallback DB is probably also unreachable through the same partition. The Marc Brooker article 'Avoiding fallback in distributed systems' is the canonical reference. The senior alternative is fail-fast with circuit breakers and explicit degraded responses.
How do I set load-test thresholds that match production SLOs?: Express k6 thresholds as the same numbers your SLO document uses. If the SLO is p99 < 1s and error budget is 0.1%, your k6 thresholds are http_req_duration: ['p(99)<1000'] and http_req_failed: ['rate<0.001']. The load test then fails CI on any build that regresses past the SLO under the steady-state RPS the test simulates. The trap to avoid is loosening the thresholds because the test is flaky — flaky thresholds usually mean the test environment doesn't match production capacity, which means the test isn't measuring what you think it is. Fix the environment, not the thresholds.
When does a circuit breaker hurt more than it helps?: When it's tuned wrong. A breaker with too low a failure threshold opens on transient blips and keeps a healthy dependency offline. A breaker with too long a cooldown extends an outage past the dependency's actual recovery. A breaker on a non-idempotent operation interacts badly with retries (the breaker sees the dependency as down, the caller's retry logic sees the breaker rejection as retryable, and you get a thundering retry storm against the breaker itself). The senior tuning: failure threshold around 50% over a window of 20+ calls, cooldown around 30s, half-open probe of 1-3 requests, and never combine a breaker with an unbounded retry loop — the retry budget must respect the breaker.
How is graceful degradation different from a fallback?: Graceful degradation is an explicit contract: the API returns a smaller response that the client knows is degraded — a product page without recommendations is still a valid product page, the client renders it differently, the user sees an explicit 'recommendations unavailable' placeholder. Fallback is implicit substitution — the recommendations service failed, so a hidden secondary code path silently returned cached recommendations from yesterday and the client has no idea. Degradation is in the API contract; fallback hides under it. The AWS Builders' Library makes this distinction directly. Senior services build degradation into the protocol (a recommendations field that may be empty) rather than fallback into the implementation (a parallel recommendation engine nobody tested).

Sources

About the author. Blake Crosley founded ResumeGeni and writes about site reliability engineering, hiring technology, and ATS optimization. More writing at blakecrosley.com.