
Layer of First Failure

The layer of first failure is a metric: the diagnostic result that a thorough DDoS test is built to locate. It identifies which tier in the stack breaks first as attack load rises: the network link, the kernel connection-tracking table, the load balancer, the TLS terminator, the application worker pool, or the database. A stack does not fail uniformly; one component reaches its knee point before the others, and that component determines the whole system's ceiling.

Why it matters in DDoS testing

Knowing where a stack breaks first turns a vague "we went down" into an actionable target. Adding origin capacity is wasted effort if the conntrack table saturates before CPU does, or if a single rate-limit threshold trips before bandwidth is touched. A test escalates load while instrumenting each tier, so the binding constraint is observed rather than guessed, and the next hardening dollar lands where it removes the actual bottleneck.
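An added example, not taken from the original page, of reading the binding constraint out of per-tier measurements collected during a load ramp. The tier names, the sample utilisation figures and the 0.95 saturation threshold are constructed assumptions; the code interpolates between ramp steps so that tiers saturating within the same step can still be ordered.

```python
# Added example: locate the layer of first failure from load-ramp telemetry.
# RAMP, the tier names and the 0.95 threshold are constructed assumptions.

# Each row: offered load (requests/s) and per-tier utilisation (used / capacity).
RAMP = [
    (1000, {"link": 0.10, "conntrack": 0.22, "lb": 0.15, "tls": 0.18, "workers": 0.20, "db": 0.12}),
    (2000, {"link": 0.20, "conntrack": 0.45, "lb": 0.30, "tls": 0.37, "workers": 0.41, "db": 0.25}),
    (4000, {"link": 0.40, "conntrack": 0.91, "lb": 0.58, "tls": 0.76, "workers": 0.83, "db": 0.49}),
    (5000, {"link": 0.50, "conntrack": 1.00, "lb": 0.71, "tls": 0.97, "workers": 0.99, "db": 0.60}),
]

def crossing_load(ramp, tier, threshold):
    """Load at which `tier` first reaches `threshold` (> 0), linearly
    interpolated between the two ramp steps that bracket the crossing.
    Returns None if the tier never reaches the threshold."""
    # Assumption: utilisation is zero at zero load, used only when the
    # very first step is already past the threshold.
    prev_load, prev_util = 0.0, 0.0
    for load, utils in ramp:
        util = utils[tier]
        if util >= threshold:
            frac = (threshold - prev_util) / (util - prev_util)
            return prev_load + frac * (load - prev_load)
        prev_load, prev_util = load, util
    return None

def layer_of_first_failure(ramp, threshold=0.95):
    """Return (tier, load) for the tier that saturates at the lowest load,
    or None when the ramp never pushed any tier to the threshold."""
    crossings = {}
    for tier in ramp[0][1]:
        load = crossing_load(ramp, tier, threshold)
        if load is not None:
            crossings[tier] = load
    if not crossings:
        return None  # the test stopped below the stack's ceiling
    tier = min(crossings, key=crossings.get)
    return tier, round(crossings[tier], 1)

if __name__ == "__main__":
    print(layer_of_first_failure(RAMP))
```

In this constructed ramp three tiers cross the threshold between the same two steps; interpolation places conntrack ahead of the worker pool and the TLS terminator, which is the ordering that decides where hardening effort goes first.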

How attack classes stress different tiers is detailed in Understanding DDoS Attack Vectors.