The 34x price hike isn't the problem

Opening Claim

Hetzner increased dedicated server prices by 34x. That is the confirmed fact. Everything that follows is about what that single action reveals, not about the size of the number.

The cost increase is the visible event. The exposure is structural. A vendor moved a price by a factor of 34 and the customer absorbed it, because the customer held no position from which to refuse. The price is the symptom. The condition is dependency. When one provider can change your cost base by that margin and you have no enforcement against it, you do not control that boundary. The provider does.

Treat this as an operational risk, not a procurement complaint. Cost is how this surfaced. It is not the failure. The failure is that a single external party held unilateral control over a critical input, and that control was only made observable when it was used. The control existed before the price moved. The increase did not create the exposure. It demonstrated it.

This is the pattern that matters: consolidation onto a single provider concentrates control in that provider. Identity is the boundary, and in this relationship the boundary was never the customer’s to hold. The customer ran on infrastructure it did not control, under terms it could not enforce. A 34x move is what it looks like when the party holding the boundary decides to use it.

The Original Assumption

The assumption underneath single-vendor consolidation is that provider pricing power is bounded. Organizations consolidate onto one provider to reduce operational complexity, standardize tooling, and lower per-unit cost. The trade is explicit: fewer providers, less surface to manage, simpler operations. The assumption embedded in that trade is that the provider will not, or cannot, exercise control in a way the customer cannot absorb.

That assumption treats the vendor relationship as a partnership with shared incentives. It is not. It is a trust relationship in which one party sets the terms and the other accepts them. Consolidation does not reduce risk. It concentrates it. Each workload moved onto a single provider increases the blast radius of any action that provider takes. The convenience is real. The control transfer is also real, and it runs in one direction.

The second assumption is that cost stability is a property of the infrastructure. It is not. Cost stability is a property of the contract and the enforcement behind it. If the terms permit a unilateral change, then stability was never guaranteed. It was assumed. An assumption is not a control. A control that is not enforced is not a control, and a price expectation that the customer cannot enforce is not protection. It is exposure that has not yet been triggered.

The third assumption is that the customer holds the exit. In a consolidated single-provider design, migration cost, data gravity, and operational entanglement raise the cost of leaving to the point where exit stops being a real option. When exit is not viable, the customer cannot refuse a change in terms. The provider holds the boundary, sets the terms, and holds the exit. Whether any specific exit barrier applied here is not confirmed. The structural pattern is.

What Changed

What changed is confirmed and narrow: the price of dedicated servers increased by 34x. That is the externally observable behavior. A cost input that customers depended on moved by a factor of 34, and customers running on that infrastructure were subject to the new figure.

What that demonstrates is that the provider held unilateral pricing control and exercised it. The boundary that determined the customer’s cost base sat with the provider, not the customer. The increase is direct evidence of where the control lived. Before the change, the location of that control was a design assumption. After the change, it is a demonstrated fact. The same control existed the entire time. It was simply not visible until it was used.

Several conditions around this change are not confirmed and must be treated as such. Whether the increase applies to all dedicated server tiers or a subset is not confirmed. Whether it applies to existing contracts, new orders, or both is not confirmed. The notice period given is not confirmed. Whether the change is reversible or permanent is not confirmed. The timeline over which it took effect is not confirmed. Absence of these details is a condition, not a gap to be filled. State what is known and mark the rest unconfirmed.

What is known is sufficient to act on. A single provider changed a critical cost input by 34x, and customers on that provider had no enforcement against the change. That is the demonstrable fact. It does not require any inferred attacker, timeline, or scope to be operationally significant. The mechanism is the dependency itself. The provider held the boundary, and when the boundary was the provider’s to move, it moved.

Mechanism of Failure

The failure mechanism is dependency on an input governed entirely by an external party, with no enforcement on the customer side. The externally observable behavior is narrow and confirmed: the price of dedicated servers moved by 34x, and customers running on that infrastructure were subject to the new figure. That behavior is only possible if the control over the price sat with the provider. The customer’s cost base was an output of the provider’s decision. It was not a term the customer could hold.

The mechanism is not the size of the change. A 34x move and a 2x move run through the same mechanism. The boundary that determined the customer’s cost sat with the provider, and the customer had no enforcement point. Enforcement means the ability to refuse the change, or to bound it through a term that binds the other party. No such enforcement was observable. The price changed and the customer absorbed it. Absorption is the observable signal that no enforceable term existed on the customer’s side.

This is control concentration made visible, not control that moved. The control did not shift when the price shifted. It was already with the provider. The dependency placed it there, and a critical input governed by a party outside the customer’s control boundary is the failure, independent of when the figure changed. The price change did not create that position. It demonstrated it. A control that exists only on the provider’s side is not a shared control. It is the provider’s control, and the customer’s expectation that it would not be used was an assumption. An assumption is not a control.

The Parallel Pattern

Price is one term among many that this relationship governs. The mechanism is unilateral control over a dependency the customer cannot enforce against, and that mechanism is not specific to cost. Every term governed by the same relationship sits on the same boundary. If the provider held unilateral control over the cost input, the provider holds unilateral control over every term the customer cannot enforce. That is logically necessary from the mechanism, not a separate claim. The boundary that moved the price is the same boundary that governs availability, access, and continuation of service.

The same mechanism appears wherever a critical input is concentrated in a single external party with no enforceable term on the customer side. The input can change. The mechanism does not. The defining condition is concentration plus absence of enforcement. When both are present, the customer’s operation is an output of the provider’s decisions. The provider does not have to act against the customer for this to be exposure. Exposure is the structural position, not the intent behind any single action. The 34x change demonstrates the position. It does not define the limit of what the position permits.

Concentration of control is concentration of failure. A single provider holding all terms of a critical dependency is a single point of control, and a single point of control is a single point of failure. The blast radius of any provider action covers everything the customer runs on that provider. The boundaries that should be the customer’s to hold, identity, access, and continuity, sit with an external party in this design. If the system allows that party to set a term unilaterally, that term will be set on that party’s schedule, not the customer’s. The price increase is one expression of that. Whether the same control is exercised against any other term is not confirmed. That it can be is necessary from the mechanism.

Operator Position

The finding is flat. The customer does not control a boundary it depends on. A single provider held unilateral control over a critical input, and the customer had no enforcement against it. The 34x increase is confirmation of where the control lived. It is not the problem. The problem is the position. This is a control event, not a cost event, and reading it as a procurement matter mislabels the exposure.

What must now be true is enforceability. A boundary that cannot be enforced is not a boundary. Either the terms binding the provider are enforceable by the customer, or the customer holds a viable exit, or the dependency is exposure that has not yet been triggered. A price expectation the customer cannot enforce is not a control. A single-provider design with no enforceable term and no tested exit is a design in which the provider holds the customer’s operation. That is dependency with control running in one direction. It is not a partnership, and treating it as one is the error that the price change exposed.

Identity is the boundary, and in this relationship the boundary was never the customer’s. Controls that are not enforced are not controls, and an assumption of provider restraint is not a control. The work is to make the boundary enforceable: enforceable terms, redundant providers, or a migration path priced and tested before it is needed. Whether any of those existed here is not confirmed. What is confirmed is that on this provider, the customer held none of them when the price moved. Treat single-provider concentration as a control failure until an enforceable boundary is in place. The provider changed the price because it could. The capability remains with the provider. Whether it is exercised again is not confirmed. That it can be is. Until the customer holds an enforceable boundary, the terms are the provider’s to set.