Chaos engineering is the practice of deliberately breaking parts of a system to learn whether the system as a whole can survive the failure. The Principles of Chaos Engineering, the field’s foundational statement, defines it as “the discipline of experimenting on a system in order to build confidence in the system’s capability to withstand turbulent conditions in production.” The emphasis on confidence and on production is deliberate: the goal is not to prove a component works in isolation but to discover, before a real outage does, how the whole system behaves when something fails.
The approach grew out of the move to large distributed systems, where failure of individual machines is not an exception but a constant background condition. In such systems it is impossible to reason your way to confidence that every failure mode is handled, because the interactions are too complex to enumerate. Chaos engineering responds by running controlled experiments: form a hypothesis about steady-state behavior, inject a realistic failure such as a lost server or a network delay, and observe whether the system continues to serve users as expected. A surprising result is a found weakness, ideally found on the engineers’ schedule rather than during a midnight incident.
The practice is most associated with Netflix and its Chaos Monkey tool. As the project’s own repository describes it, “Chaos Monkey randomly terminates virtual machine instances and containers that run inside of your production environment.” By making instance failure a routine, expected event rather than a rare crisis, Chaos Monkey forces engineers to build services that tolerate the loss of any single machine, so that the same failure occurring unexpectedly causes no user-visible harm. Netflix later expanded this into a family of tools, sometimes called the Simian Army, that inject larger and more varied failures.
Running such experiments in production is the controversial and essential part. The argument is that only production exercises the real configuration, real traffic, and real dependencies; a failure that a test environment shrugs off may still take down the live system. Mature chaos engineering therefore pairs production experiments with careful blast-radius control, the ability to abort quickly, and good observability, so that the cost of a discovered weakness is a contained experiment rather than a full outage.
Conceptually, chaos engineering is a direct application of fault injection raised to the level of whole systems, and it is the practical counterpart to ideas like normal accident theory: if complex, tightly coupled systems are prone to surprising failures, then the responsible move is to surface those failures deliberately and learn from them. Each experiment, like each blameless postmortem, turns a potential future incident into present knowledge about how the system really behaves.