ControlMonkey now supports LaunchDarkly Disaster Recovery, enabling teams to automatically back up and restore critical LaunchDarkly configurations, including feature flags, segments, and views.

LaunchDarkly controls feature rollout and targeting rules in real time, yet its configuration layer is rarely protected by a resilience solution.

Why do you need a resilience solution for LaunchDarkly? 

Feature flag platforms like LaunchDarkly are deeply embedded in your production environment meaning misconfigurations or compromises can have immediate, widespread impact.

 Here are some of the key risks teams face:

• Ransomware or account takeover –  What happens if your LaunchDarkly account is compromised? An attacker could modify or disable critical flags, impacting availability and user experience. 
• Cyber attacks / malicious actors – Unauthorized changes to feature flags can be used to expose functionality, bypass controls, or disrupt your application. 
• Human error –  Even experienced engineers can make mistakes – accidentally toggling the wrong flag or applying changes to the wrong environment. 
• Over-permissive AI agents – With the rise of AI-assisted workflows (e.g., LaunchDarkly MCP server), agents operating with admin-level permissions can unintentionally introduce risky or large-scale changes.

ControlMonkey helps teams safeguard LaunchDarkly by protecting the operational logic that defines how features are released, who sees them, and how changes are rolled out.

Examples of protected LaunchDarkly configurations include:

• Feature flags controlling runtime application behavior
• Targeting rules defining rollout logic and user exposure
• Segments used for user targeting and progressive delivery
• Views organizing feature management workflows

With this capability, teams can:

• Automatically back up LaunchDarkly configurations
• Track changes to feature flags and targeting over time
• Recover quickly from accidental changes or deletions
• Reduce risk across production release processes
• Restore feature flags and targeting logic without manual reconstruction

How LaunchDarkly Disaster Recovery Works

From discovery to recovery, ControlMonkey ensures LaunchDarkly configurations are always backed up, versioned, and ready to restore in minutes. Here is the full process:

Snapshot and Backup

• ControlMonkey continuously captures the state of LaunchDarkly configurations and creates versioned snapshots.
• This provides a reliable historical record of feature flags, segments, and targeting logic across environments.

Recover – Feature Flags, Segments, and Views

• If configurations are deleted or misconfigured, teams can restore them from a known-good snapshot in minutes.
• This eliminates manual rebuilding of feature flags and targeting rules—reducing recovery time and avoiding errors.

Review & Govern

• The ControlMonkey Cloud Resilience Dashboard provides visibility into disaster recovery readiness across infrastructure and SaaS platforms like LaunchDarkly.
• Teams can monitor protection coverage and identify resilience gaps before incidents occur.

Stay Ahead with Darkly Disaster Recovery

Feature management platforms like LaunchDarkly are critical to modern software delivery. Yet while organizations focus on application code and infrastructure, the configuration layer that controls feature rollout and targeting often remains unprotected.

ControlMonkey ensures LaunchDarkly configurations are protected alongside infrastructure and SaaS platforms. By continuously backing up configuration states and enabling rapid restoration, teams can recover quickly from outages, misconfigurations, and unintended changes—and maintain control over production behavior.

Ready to take control? Explore LaunchDarkly Disaster Recovery today.

ControlMonkey now supports Snowflake Disaster Recovery, enabling teams to automatically back up and restore critical Snowflake configurations including roles, warehouses, schemas, and access policies when mistakes or incidents occur.

Snowflake powers some of the most critical data workloads in the cloud, yet its configuration layer is rarely protected by a cyber resilience solution.

Introducing Snowflake Configuration Disaster Recovery

ControlMonkey helps teams safeguard Snowflake environments by protecting the operational configuration that keeps data platforms running.

Examples of protected Snowflake configurations include:

• Roles and grants controlling data access
• Warehouses powering compute workloads
• Databases and schemas organizing data environments
• Resource monitors and policies managing usage and governance
• Platform configuration settings critical to operational stability

With this capability, teams can:

• Automatically back up Snowflake configuration
• Track configuration changes over time
• Recover quickly from accidental changes or deletions
• Reduce operational risk across data infrastructure
• Restore Snowflake environments without manual reconstruction

How Snowflake Disaster Recovery Works

ControlMonkey connects to Snowflake using secure APIs and automatically discovers configuration assets across the Snowflake environment. This discovery process maps the operational structure of the data platform, including access controls, compute resources, and governance settings.

These configurations define how Snowflake environments operate and are essential for governance, access control, and workload management.

Snapshot and Backup

ControlMonkey continuously captures the configuration state of Snowflake resources and creates versioned snapshots of those configurations.

This provides a reliable historical, good-know state record of Snowflake configurations.

Recover – Roles, Warehouses, Schemas, and Policies

If roles, warehouses, schemas, or policies are deleted or misconfigured, teams can quickly restore them from a known-good snapshot, recovering Snowflake configuration in minutes.

This eliminates the need for manual reconstruction of complex platform settings.

Review & Govern

The ControlMonkey Cloud Resilience Dashboard provides visibility into disaster recovery readiness across cloud infrastructure, observability platforms, and SaaS tools like Snowflake.

Teams can monitor protection coverage and identify resilience gaps before incidents occur.

Stay Ahead with Snowflake Disaster Recovery

Data platforms like Snowflake are critical to modern cloud operations. Yet while organizations protect data, the configuration layer often remains vulnerable.

ControlMonkey ensures Snowflake configurations are protected alongside infrastructure and SaaS platforms. By continuously backing up configuration states and enabling rapid restoration, teams can recover quickly from ransomware, cyber attacks, AI agents and configuration mistakes and maintain operational continuity.

Ready to be Cyber Resilient?

Explore Snowflake Disaster Recovery with ControlMonkey today.

Observability Disaster Recovery is the new addtioan to Controlmonkey DR Soultion. Modern cloud operations rely heavily on observability. During incidents, dashboards, alerts, and monitoring rules are often the first place engineers turn to understand what’s happening.

Yet the configurations behind these systems – dashboards, alert policies, monitors, and escalation rules – are rarely protected by disaster recovery.

Introducing Observability Configuration Disaster Recovery

ControlMonkey now extends Cloud Configuration Disaster Recovery to observability platforms, protecting monitoring environments across Datadog, New Relic, Dynatrace, Grafana Cloud, and Splunk.

ControlMonkey automatically captures daily snapshots of observability configurations so teams can restore monitoring environments and maintain operational visibility during incidents.

Observability DR Key capabilities:

• Protect operational knowledge
  Backup dashboards, monitors, alert rules, and escalation policies created over years of operational tuning.
  
• Restore monitoring environments quickly
  Recover observability configurations from versioned snapshots instead of rebuilding manually.
  
• Detect configuration drift in monitoring systems
  Track changes across observability platforms and identify unexpected modifications.
  
• Ensure monitoring visibility during incidents
  Maintain access to critical dashboards and alerts when diagnosing outages.
  
• Extend disaster recovery beyond infrastructure
  Protect the broader cloud control plane including infrastructure, network, and observability configuration.

How does Observability Configuration Disaster Recovery Works?

ControlMonkey Cloud DR solution continuously captures configuration snapshots from supported observability platforms.

Each snapshot records the structure and settings of monitoring environments, including:

• Dashboards and visualizations
• Alert rules and alert routing policies
• Monitors across metrics, logs, and traces
• Notification channels and escalation policies
• Service monitoring and APM configurations
• Click on the image to enlarge

These configurations are versioned and stored securely, allowing teams to compare changes over time and restore previous configurations when needed.

If dashboards are deleted, alerts are misconfigured, or monitoring rules break during an incident, engineers can restore observability configurations directly from a previous snapshot – without manually rebuilding monitoring environments.

Why Disaster Recovery for the Observability Layer?

Traditional disaster recovery focuses on restoring data, storage, and infrastructure.

But modern cloud environments rely on far more than compute resources. The cloud control plane – including monitoring configuration – contains the operational knowledge engineers depend on to diagnose and resolve incidents.

With ControlMonkey, teams can:

• Maintain versioned backups of observability environments
• Detect configuration changes and drift
• Restore monitoring systems quickly during incidents
• Ensure DR visibility by having clear Resilience Score
  

By extending configuration disaster recovery to observability, ControlMonkey helps teams maintain operational continuity across the entire cloud environment.

During incidents, engineers rely on monitoring systems to understand what’s happening – yet observability configurations themselves are rarely protected by disaster recovery. As a CTO, I know firsthand how valuable it would have been to restore dashboards and monitoring environments instantly instead of rebuilding them under pressure.

Ori Yemini

CTO

Real-World Impact: Datadog dashboards, monitors, and alerting policies

Our Datadog dashboards, monitors, and alerting policies represent years of operational knowledge and tuning. Losing that configuration during an incident would significantly impact our ability to diagnose issues quickly. With ControlMonkey, we know our observability configurations are versioned and recoverable, ensuring we maintain visibility when it matters most<br />

Doron Gutman

Director of DevOps and DevSecOps

Ready to be Cyber Resilient?

Explore Cloud Configuration Disaster Recovery for Observability or schedule a demo today.

Reference Table: Key APM Configurations Used in Observability Platforms

Modern cloud operations rely on observability platforms like Dynatrace to detect incidents and maintain service reliability. But while infrastructure and data may be protected, monitoring configurations themselves are often not recoverable.

With ControlMonkey, teams can now extend Cloud Disaster Recovery to Dynatrace configuration backup – ensuring dashboards, alerts, monitors, and metrics can be restored instantly in case of incidents, misconfigurations, or ransomware.

Introducing Dynatrace Configuration Backup & Recovery

ControlMonkey now protects critical Dynatrace configurations as part of its Cloud Disaster Recovery platform.

Key capabilities include:

• Automated backup of Dynatrace dashboards, metrics, monitors, and alerts
• Versioned snapshots of monitoring configurations
• Rapid recovery of observability environments after incidents
• Resilience Score across monitoring platforms
• Unified disaster recovery method across cloud infrastructure and SaaS tools

How Dynatrace Disaster Recovery Works

ControlMonkey continuously protects Dynatrace configuration so teams can restore their monitoring environment to a known-good state when incidents occur.

Discover Dynatrace configurations

ControlMonkey connects to Dynatrace using secure APIs and automatically discovers configuration assets including dashboards, monitors, alerts, and metrics.

Snapshot and Backup

On a continuous basis, ControlMonkey captures the exact configuration state of Dynatrace resources and creates versioned snapshots of those configurations.

Recover 

If dashboards, monitors, or alerts are deleted or misconfigured, teams can quickly restore them from a good known snapshot – recovering observability environments in minutes.

Review & Govern

The ControlMonkey Cloud Resilience Dashboard provides visibility into DR readiness across cloud infrastructure and SaaS tools, helping teams identify gaps before incidents occur.

Stay Ahead with Dynatrace Disaster Recovery

As a CTO, I’m proud to introduce this capability. In my previous roles, having the ability to quickly recover from mistakes and investigate configuration changes would have saved days of troubleshooting and manual work

Ori Yemini

CTO

Observability platforms are critical for detecting and resolving incidents. If monitoring configurations are lost during an outage or attack, recovery becomes significantly harder.

ControlMonkey ensures Dynatrace configurations are protected alongside infrastructure and SaaS platforms. By continuously backing up configuration states and enabling rapid restoration, teams can maintain operational visibility even during critical incidents.

This extends disaster recovery beyond data and infrastructure – ensuring the monitoring systems themselves are resilient.

Ready to be Cyber Resilient?

Explore Dynatrace Disaster Recovery with ControlMonkey today.

Cloud Resilience Dashboard gives organizations a measurable view of their configuration disaster recovery posture across cloud accounts and 3rd party services.

It introduces a single, actionable metric – Resilience Score – representing the percentage of discovered resources that are backed up and recoverable from a known-good snapshot.

For the 1st time Cloud executives can understand their resilience score in a single view.

Introducing the Cloud Resilience Dashboard

The dashboard is designed to answer critical operational and executive questions instantly:

• What percentage of our cloud infrastructure is actually DR-ready?
• Where are our configuration blind spots?
• Did our DR coverage regress this week? Why?
• Are unmanaged (non-IaC) resources included in DR coverage?
• Are our 3rd party vendors (e.g Datadog, Cloudflare, Okta) configurations ready for DR?

The Resilience Score reflects continuous discovery and snapshot coverage across:

• Cloud infrastructure (AWS, Azure, GCP) –  Infrastructure environments with DR enabled
• 3rd Party Accounts — SaaS and external platforms with DR enabled
  • Network configurations
  • Identity providers
  • Monitoring platforms
  • More

If a resource does not have a recoverable snapshot, it lowers the score. Gaps are immediately visible.

From Snapshot to Measurable Resilience

ControlMonkey daily snapshots guarantee resilience across cloud and 3rd parties. But as a CIO/CISO, you need a metric you can report back to your risk committee/board of directors. What matters is coverage, consistency, and visibility.The Cloud Resilience Dashboard connects snapshot activity to a measurable outcome – your Resilience Score.

Benefits of the dashboard for CIO and CISO:

• Quantify the percentage of infrastructure that is truly recoverable
• Detect newly added resources that are not yet protected
• Identify partial DR configurations at the account level
• Monitor coverage trends over time
• Validate that unmanaged (non-IaC) resources are included

You can also search and filters (Vendor, DR Status, Labels) allow teams to quickly locate exposed accounts and prioritize action.

Configuration recovery becomes measurable and governed – you have a clear idea of your RTO and RPO of your cloud.

Built for Governance and Executive Reporting

The Cloud Resilience Dashboard transforms configuration disaster recovery into a tracked governance metric.

Ready to measure your configuration DR readiness? Explore the Cloud Resilience Dashboard today.

ControlMonkey now extends Cloud Configuration Disaster Recovery to leading network vendors, including Cloudflare, Fastly, Akamai, and F5 – bringing visibility and automated recovery to routing, DNS, and edge configurations.

As cloud environments scale, disaster recovery can’t stop at data. While organizations invest heavily in data backup and ransomware protection, network configuration often remains outside formal disaster recovery strategies.

In November 2025, an internal configuration change led to a global withdrawal of routing prefixes, disrupting Cloudflare’s 1.1.1.1 DNS resolver worldwide. Applications became unreachable — even though data and workloads remained intact. The failure wasn’t infrastructure. It was network configuration.

Introducing Network Configuration Disaster Recovery

With ControlMonkey, teams can restore networking policies and routing configurations directly from versioned configuration snapshots  significantly reducing manual rebuild efforts and accelerating recovery time.

Additional capabilities include:

• Automated configuration recovery: Restore routing tables, security groups, DNS records, firewall rules, and edge policies from versioned snapshots.
• Time machine for Networking configuration: easily track changes over time, restore previous configuration with a click of a button.
• Real-time drift detection:Continuously monitor cloud and network configuration changes to prevent risky modifications from escalating into outages.
• Recovery readiness visibility:Centralized insight into configuration coverage and restore capability across cloud and edge environments.
• Improved RTO/RPO confidence: Reduce downtime caused by manual network rebuilds and accelerate restoration of reachable production environments.

How It Works – Network Configuration Backup

To protect backup configurations, ControlMonkey uses a structured Cloud disaster recovery process: Discover existing configurations, Snapshot them as versioned recovery points, Recover when incidents occur, and continuously Review readiness.

1) Discover

Using read-only API access, ControlMonkey continuously discovers routing rules, DNS records, firewall policies, CDN configurations, and edge definitions across supported vendors.

2) Snapshot

Exact configuration states are captured daily and converted into versioned, deployable definitions. Each snapshot represents a deterministic recovery point.

3) Recover

When incidents occur, teams can restore specific routing tables, DNS zones, firewall rules, or full network environments – manually or automatically.

4) Review & Govern

Executives and DevOps leaders gain a single view of DR readiness across cloud, SaaS, identity, and network control planes.

With ControlMonkey, network resilience becomes measurable.

Why This Matters? Network Configuration Disaster Recovery

Most cloud disaster recovery strategies stop at data backup. But when routing policies change or DNS records are deleted:

• Teams don’t know exactly what existed
• Recovery depends on tribal knowledge
• Manual rebuilds extend RTO and RPO
• Applications remain unreachable despite healthy infrastructure

Customer Perspective

As a SaaS platform, our availability depends heavily on Cloudflare and our network configuration. Traditional backup solutions didn’t address how we would recover routing policies or edge configurations in the event of an incident. ControlMonkey gives us confidence that our Cloudflare configurations are backed up and recoverable.

Doron Gutman

Director of DevOps and DevSecOps

Stay Ahead with Control-Plane Disaster Recovery

If you or your team back up your data, don’t leave your network configuration exposed. Your Disaster recovery plan is not complete until you can answer:
What is our RTO and RPO for network  configuration?

With ControlMonkey Network Disaster Recovery you can:

• Gain measurable visibility into cloud, SaaS, identity, and network DR readiness
• Eliminate configuration blind spots across routing, DNS, and edge layers
• Reduce outage risk caused by misconfiguration and manual rebuilds
• Improve RTO and RPO confidence with deterministic, versioned recovery points
• Ensure reachability – not just data recovery  during incidents

Ready to close the network recovery gap

Get a free cloud DR Assessment to review your network configuration in case of incident

Microsoft Entra ID configurations are too critical to leave not backup or unversioned. With ControlMonkey’s new Entra ID support, your identity layer now receives structured backup, visibility, and recovery coverage – just like your data and cloud infrastructure.

Why Backup and Govern Your Entra ID?

Entra ID defines who can access production systems, cloud resources, and business applications. Yet many identity changes still happen manually – without versioning, drift visibility, or rollback capabilities.

Backing up and governing Entra ID ensures:

• Configuration Cyber Resilience – Recover users, roles, groups, and policies after mistakes or incidents.
• Change Visibility – Track and review identity configuration changes over time.
• Drift Detection – Identify manual changes that bypass Infrastructure as Code.
• Audit Readiness and guardrails  – Have a clear RTO/RPO number for your Idindy layer.  Apply the same compliance guardrails across identity and infrastructure.

Introducing Support for Cyber Resilience

ControlMonkey now supports Microsoft Entra ID backup and recovery.
With this release, teams gain:

• Entra ID Visibility Inventory – Full visibility into users configuration, groups, roles polices, enterprise applications, and policies.
• IaC Blind Spot Detection – See which Entra ID resources are IaC-managed and which are not.
• Daily Entra ID Backup Snapshots – Automated configuration backups.
• Disaster Recovery Time Machine – Restore Entra ID to a previous known-good state 
• Import to IaC – Bring unmanaged identity resources under IaC control.
  

Daily configuration versioning allows teams to investigate access history, recover from misconfigurations, and ensure compliance without manual reconstruction.

Identity Resilience Meets Cloud Governance

See how ControlMonkey reduces risk and brings cyber resilience  daily backup to Entra ID. Turn your identity configuration into code – and your code into control.

Book Intro Call

Azure teams often rely on Bicep alongside Terraform for managing their infrastructure with code, and without unified visibility, recovery gaps go unnoticed until it’s too late.

ControlMonkey now supports Azure Bicep as part of its IaC coverage model, extending visibility and disaster recovery awareness to Azure-native infrastructure.

This capability is available to all ControlMonkey customers starting today.

Key benefits Azure Bicep Backup & Visibility:

• Full visibility into Azure resources managed by Bicep
• Clear separation between codified and non-codified infrastructure
• Improved disaster recovery readiness for Azure-native stacks
• Reduced blind spots during ransomware or cyber incidents
• IaC visibility and recovery coverage across Terraform, CloudFormation, and Bicep

Cloud Infrastructure with Full IaC Visibility

Codified infrastructure can be restored after configuration loss or compromise. Unmanaged resources lack a reliable recovery path.

By including Azure Bicep in its IaC coverage, ControlMonkey helps teams:

• Understand recovery readiness across Azure environments
• Identify hidden DR risks caused by non-codified resources
• Strengthen cloud governance without forcing tool migrations
• Plan incident response with confidence during cyber or ransomware event.

This helps teams understand recovery readiness in environments that use multiple IaC frameworks.

Ready to see what’s recoverable and what isn’t?

Explore Azure Bicep visibility in ControlMonkey today.

In most cloud environments, no system actually stores your cloud architecture relationships.

Security groups, routing rules, IAM permissions, load balancers, and SaaS configurations exist – but the relationships between them are not saved anywhere. When a security incident or outage occurs, teams discover too late that there is no historical record of how resources were connected, what depended on what, or how access paths were structured at the time things worked.

Introducing Architecture Time Machine

Architecture Time Machine is a capability within the ControlMonkey IaC Automation Platform that preserves your cloud architecture and security posture on a timeline.

Architecture Time Machine extends ControlMonkey’s Cloud Resilience platform by preserving your cloud architecture and resource dependencies over time, not just the resources themselves.

With daily environment snapshots, you can move backward on a timeline and explore how your infrastructure was connected at any point in time.

Key benefits:

• Rewind cloud architecture in time – View how resources and dependencies looked on any given day.
• Explore historical dependencies – Understand what was connected to what before a change or incident.
• Speed up incident investigation – Quickly answer “what changed?” without guesswork.
• Visualize complex environments – Interactive dependency graphs make large architectures easier to reason about.
• Reduce recovery blind spots – Restore with architectural confidence, not assumptions.

Who Benefits from Architecture Time Machine

Cloud & DevOps Managers – Get immediate answers during incidents. Understand what changed without relying on tribal knowledge or manual reconstruction.

Security & Compliance Teams – Validate historical configurations for audits (SOC, PCI, internal reviews) and investigate configuration drift over time.

Cloud Architects – Review how architecture evolved over time, Identify unintended complexity, sprawl, or anti-pattern, Use historical views to guide standardization and governance decision

CIO & CISO:

• Gain confidence that cloud recovery is predictable and provable
• Reduce operational and compliance risk tied to configuration loss
• Understand recovery readiness without diving into technical detail

Controlmonkey Cloud Disaster Recovery – for Configuration

When traffic drops, services break, or behavior changes unexpectedly, the root cause is often a dependency change – a security group update, a route table modification, or a detached resource.

Architecture Time Machine helps you:

• Improve visibility into historical cloud states
• Reduce risk during incident response and postmortems
• Strengthen alignment between IaC, reality, and recovery
• Scale cloud environments with confidence, knowing you can always look back

Get Started: Cloud DR Readiness Assessment

Before the next audit or incident, understand your real recovery risk.

The Cloud DR Readiness Assessment gives security and compliance leaders a clear, executive-level view of cloud configuration recovery — without disrupting production.

ControlMonkey is proud to announce that we’ve achieved the AWS Resilience Competency, a newly launched recognition for technology partners who demonstrate deep expertise and proven success in helping customers build, operate, and scale resilient cloud environments on AWS.

This achievement highlights our commitment to delivering enterprise-grade resilience, governance, and automation solutions, ensuring our customers are always prepared, protected, and able to recover quickly with zero disruption.

What is the AWS Resilience Competency?

The AWS Resilience Competency recognizes partners who excel at helping organizations improve resilience across their AWS environments.

Earning this competency validates that ControlMonkey meets AWS’s highest standards for:

• Technical proficiency in resilience engineering
• Proven customer outcomes across real-world production environments
• Innovation in disaster recovery automation and cyber resilience
• Strengthening multi-account, multi-region resiliency at scale
  

This competency also acknowledges our leadership in fully automated Disaster Recovery for Cloud infrastructure and 3rd party vendors (e.g., Datadog, Cloudflare, Okta, etc.), enabling organizations to achieve 100% cloud resilience with push-button failover, continuous validation, and compliance-by-design.

Validated by AWS – Trusted by Leading Enterprises.

With the AWS Resilience Competency, ControlMonkey reinforces its position as a trusted partner for Cloud resilience and DR,giving DevOps, platform, and SRE teams the confidence and tooling they need to keep their cloud running flawlessly.

Achieve 100% Cloud Resilience with ControlMonkey

100% cloud resilience starts with complete visibility into your asset inventory, daily snapshots of your entire footprint, and one-click recovery. ControlMonkey ensures your entire cloud environment is always recoverable, governed, and reproducible-across clouds and critical third-party services. By eliminating blind spots and manual risk, teams can recover instantly, operate confidently, and stay compliant even during failures or human error.

• 100% Disaster-ready Infra: Automatically back up your entire cloud footprint with daily Terraform-based snapshots. 
• One-click recovery-In the event of a malicious actor, ransomware or even an honest mistake, instantly restore an entire environment or specific set of resources.
• Full visibility to any blind spots – Identify infrastructure that’s currently not codified and poses a risk to your resilience posture. Get real-time notifications for any drift events and ClickOps activity in your environments to identify non-compliant activity.
• Standardize and Secure Your Infrastructure: Generate IaC in one click by automatically importing all existing resources.
• Gain full visibility, governance, and control across your infrastructure.

Watch our recent Video testimonial with Block describing how they achieve 100% cloud resilience with the ControlMonkey platform. 

Read Block Full Case Study

Want a clear view of your resilience posture?

Contact us for an Cloud DR Risk Assessment Report highlighting coverage gaps, unmanaged resources, and recovery risks.