Overview
It’s 2 AM. Your phone screams. The monitoring dashboard is a sea of red — core transaction P99 latency just hit 8 seconds, upstream services are timing out and circuit-breaking, and customer support chat is flooding with screenshots. You’re VPN-ing in while your brain runs at full speed: have we seen this scenario in a drill? Is it covered in the runbook? Do I remember the failover steps?
If you’re still searching the wiki for documentation at this moment, it means one thing: your runbook was written but never practiced.
An incident runbook is not a document you write and forget. It’s a set of emergency muscle memories that need to be rehearsed, refined, and repeated. Just like a fire department doesn’t just draw escape routes on paper — they light real fires, sound real alarms, and make people run through smoke. SRE drills work the same way: unless you force the team to make decisions in near-realistic failure scenarios, you’ll never know who will freeze when it actually matters.
This article covers how to turn incident runbooks from “documents written for others to read” into “operational playbooks the team can actually execute,” and how to design a drill system that keeps the team sharp.
The Essence of Incident Runbooks: Not Documents, But Decision Trees
What Problem Do Runbooks Solve?
Many people understand incident runbooks as operation manuals — “if A goes down, execute steps 1-2-3.” That’s not wrong, but it’s too shallow. A genuinely useful runbook is a decision tree that helps on-call engineers quickly do three things under high pressure:
- Determine severity — Does this warrant waking people up at night? At what level?
- Choose a mitigation path — Divert traffic first, roll back first, or scale out first?
- Establish communication rhythm — Who speaks externally, how often to sync, when to escalate
I’ve seen too many runbooks written like product specs — 50 detailed steps that no on-call engineer can possibly read through during a live incident. Good runbooks should be short, sharp, and precise: locate the corresponding response plan within 30 seconds, begin mitigation within 3 minutes.
Three-Tier Runbook Structure
| Tier | Content | Target Audience | Update Frequency |
|---|---|---|---|
| L1 Response Cards | Quick mitigation steps for single-service failures (≤10 steps) | On-Call engineers | After each drill |
| L2 DR Playbooks | Cross-service failover and rollback procedures | SRE team | Quarterly |
| L3 BCP Plans | Full datacenter-level takeover plans | SRE + Business stakeholders | Semi-annually |
L1 response cards are the most frequently used. They’re not long wiki articles but printable cards that can be pinned to a desk. The format is straightforward:
# [Service Name] Response Card
## Failure Characteristics
- Core metrics: P99 latency > 500ms or error rate > 1%
- Typical alerts: service_latency_p99_critical / service_error_rate_high
## Quick Mitigation (by priority)
1. Check if a deployment is in progress → if yes, roll back immediately
2. Check downstream dependency status → [dependency dashboard link]
3. Switch traffic to standby cluster → [switch script link]
4. Notify business team to degrade non-core features → [degradation toggle list]
## Escalation Criteria
- Not mitigated within 5 minutes → escalate to SRE Lead
- Affects transaction chain → immediately escalate to P0 incident
## Contacts
- Service owner: @xxx
- DBA: @yyy
- Business team: @zzz
The core design principle of this card: every step is an executable atomic operation that requires no thinking. The on-call engineer takes the card and works through it top to bottom.
Runbook Lifecycle Management
A runbook isn’t done when written. It has its own lifecycle:
Write → Review → Drill-validate → Correct → Archive → Periodic review → Update → Re-drill
The most critical step is drill validation. An untested runbook is equivalent to no runbook. I’ve encountered this multiple times in practice — the runbook looks beautiful on paper, but during the drill, the failover script doesn’t run, the backup data is three months old, and the DR cluster’s certificates have expired. These issues are invisible without drilling.
Drill System Design: Three Modes, Three Levels
Drill Mode Comparison
| Mode | Cost | Realism | Risk | Use Case |
|---|---|---|---|---|
| Tabletop Exercise | Low | Low | Zero risk | Runbook review, new member training |
| Red-Blue Drill | Medium | Medium | Controlled | Process validation, team collaboration |
| Chaos Injection | High | High | Elevated | System resilience validation, automated fallback |
These three modes are not alternatives but a progressive sequence. New runbooks go through tabletop exercises for logic validation, then red-blue drills for process validation, and finally chaos injection for real system resilience testing.
Tabletop Exercise: Low-Cost Logic Validation
A tabletop exercise is simply a group of people sitting together. The facilitator presents a scenario, and participants describe what they would do according to the runbook. It sounds basic, but it’s the most cost-effective drill method.
Suitable for:
- Newly written runbooks — checking for logic gaps
- New team members — quickly understanding incident response flow
- Post-reorg — confirming role assignments still hold
How to run:
The facilitator prepares 3-5 failure scenarios, each with trigger conditions, impact scope, and constraints. Participants don’t touch real systems — they describe their actions on a whiteboard or shared document.
Scenario example:
- Trigger: Friday 17:30, order service P99 latency jumps from 80ms to 2s
- Impact: Order API timeout rate 30%, payment callback delay
- Constraint: Cannot fully divert traffic (standby cluster capacity only 50%)
- Interference: On-call engineer is already handling another P2 alert
The core value of tabletop exercises isn’t the operations themselves but exposing runbook blind spots. For example:
- Two services fail simultaneously — which do you save first?
- Rollback requires DBA approval, but DBA is off-duty — what now?
- Who assesses the business impact of degradation toggles?
These issues are hard to spot on paper but surface immediately when walking through the flow together.
Red-Blue Drill: Mid-Range Practice
Red-blue drills are closer to reality than tabletop exercises. The red team injects faults (in a test environment), and the blue team responds according to the runbook. Everything is timed, and the blue team’s response speed and decision quality are observed.
Suitable for:
- DR failover process validation
- Multi-team incident response collaboration
- On-call engineer skill assessment
Key Design Points:
Environment Isolation: Must be conducted in an isolated test environment. Never touch production. If resources are limited, at least use an isolated namespace to simulate.
Controllable Fault Injection: Red team faults must be quickly recoverable. Killing processes, adding network latency, filling disk — these can all be rolled back in seconds. Don’t do irreversible operations like dropping databases.
Full Recording: Every action, communication, and decision by the blue team must be timestamped. After the drill, use this data to calculate MTTR breakdown by phase.
#!/usr/bin/env python3
"""
Red-Blue Drill Recorder
Records blue team actions with timestamps for post-drill MTTR phase analysis
"""
import json
import time
from datetime import datetime
from pathlib import Path
class DrillRecorder:
def __init__(self, scenario_name: str):
self.scenario = scenario_name
self.start_time = time.time()
self.events = []
self.phases = {
"detect": None, # Time to detect
"acknowledge": None, # On-call response time
"diagnose": None, # Root cause identification time
"mitigate": None, # Mitigation execution time
"resolve": None, # Full recovery time
}
def log(self, phase: str, action: str, operator: str, detail: str = ""):
"""Record a drill event"""
elapsed = round(time.time() - self.start_time, 1)
event = {
"timestamp": datetime.now().isoformat(),
"elapsed_sec": elapsed,
"phase": phase,
"action": action,
"operator": operator,
"detail": detail,
}
self.events.append(event)
if phase in self.phases and self.phases[phase] is None:
self.phases[phase] = elapsed
print(f"[{elapsed:>7.1f}s] [{phase}] {operator}: {action}")
if detail:
print(f" └─ {detail}")
def summary(self) -> dict:
"""Generate post-drill report"""
report = {
"scenario": self.scenario,
"total_mttr": round(time.time() - self.start_time, 1),
"phases": {},
"events_count": len(self.events),
}
prev = 0
for phase, t in self.phases.items():
if t is not None:
report["phases"][f"{phase}_elapsed"] = t
report["phases"][f"{phase}_delta"] = round(t - prev, 1)
prev = t
return report
def save(self, path: str = None):
"""Save drill records to file"""
if path is None:
path = f"drill-{self.scenario}-{int(self.start_time)}.json"
Path(path).write_text(
json.dumps({"summary": self.summary(), "events": self.events},
ensure_ascii=False, indent=2)
)
print(f"\nDrill records saved: {path}")
# Usage example
if __name__ == "__main__":
drill = DrillRecorder("order-service-latency-spike")
drill.log("detect", "Alert triggered", "Prometheus", "P99 latency 2.1s exceeds threshold 500ms")
drill.log("acknowledge", "On-call response", "oncall-zhang", "Alert acknowledged, investigation started")
drill.log("diagnose", "Root cause identified", "oncall-zhang", "Redis connection pool exhausted, cache hit rate dropped")
drill.log("mitigate", "Mitigation executed", "oncall-zhang", "Restarted Redis replica, switched read traffic")
drill.log("resolve", "Fully recovered", "oncall-zhang", "P99 restored to 85ms")
drill.save()
The core value of this recorder is breaking MTTR into five phases — detect, acknowledge, diagnose, mitigate, verify — each timed individually. During post-drill review, you can immediately see where the team got stuck.
Chaos Injection: The Ultimate Production Test
Chaos injection is the most hardcore drill method — injecting faults directly into production to see if the system and team can handle it. It sounds crazy, but Google, Netflix, and others have been doing this for years. Netflix’s Chaos Monkey randomly kills production instances every day and has been running for over a decade.
Why production?:
Test environments have vastly different traffic patterns, data volumes, and network topologies from production. A hundred drills in test won’t expose as many issues as one run in production. Of course, the prerequisite is that your system already has sufficient high-availability mechanisms — automatic failover, elastic scaling, circuit breaking, and graceful degradation.
Mainstream Chaos Engineering Tools:
| Tool | Maintainer | Fault Types | K8s Integration | Learning Curve |
|---|---|---|---|---|
| Chaos Mesh | CNCF | Network/Pod/IO/Time/Kernel | Native CRD | Medium |
| ChaosBlade | Alibaba | CPU/Network/Disk/Process/JVM | Operator | Medium |
| Litmus | CNCF | Network/Pod/IO | Native CRD | High |
| Pumba | Open Source | Network/Pod | Docker-level | Low |
I personally recommend Chaos Mesh. The reasons are straightforward: CNCF graduated, active community, native CRD integration, and a visual Dashboard. Creating a Chaos resource in K8s is as natural as creating a Deployment.
Chaos Mesh Fault Injection Examples:
# Network delay injection: inject 200ms network delay to order service Pods
apiVersion: chaos-mesh.org/v1alpha1
kind: NetworkChaos
metadata:
name: order-service-network-delay
namespace: chaos-testing
spec:
action: delay # Fault type: delay
mode: all # Affects all matching Pods
selector:
namespaces:
- production
labelSelectors:
"app.kubernetes.io/name": "order-service"
delay:
latency: "200ms" # 200ms delay
correlation: "0" # No correlation
jitter: "50ms" # 50ms jitter to simulate real network
direction: to # Outbound traffic
target:
selector:
namespaces:
- production
labelSelectors:
"app.kubernetes.io/name": "payment-service"
mode: all
duration: "5m" # Duration: 5 minutes
scheduler:
cron: "@once"
# Pod failure injection: randomly kill 30% of order service Pods
apiVersion: chaos-mesh.org/v1alpha1
kind: PodChaos
metadata:
name: order-service-pod-kill
namespace: chaos-testing
spec:
action: pod-kill # Fault type: kill Pod
mode: fixed-percent # By percentage
value: "30" # 30% of Pods
selector:
namespaces:
- production
labelSelectors:
"app.kubernetes.io/name": "order-service"
duration: "0" # Execute immediately
scheduler:
cron: "@once"
Safety Boundaries for Chaos Drills:
Running chaos engineering in production, the biggest fear is losing control. Set clear safety boundaries:
Blast Radius Control: Start small. Kill 1 Pod first, confirm auto-recovery works, then gradually scale to 5%, 10%, 30%.
Automatic Circuit Breaking: Set hard thresholds — if error rate exceeds 2% or latency exceeds 800ms, automatically stop the drill and recover.
Time Windows: Choose off-peak hours. Don’t run chaos drills the night before Black Friday — that’s not bravery, it’s recklessness.
One-Click Rollback: All injected faults must be clearable with one click. Chaos Mesh’s
durationfield is the safety net — it auto-recovers when the timer expires. But you also need a manual fallback.
#!/bin/bash
# Chaos drill one-click abort script
# Usage: ./chaos-abort.sh
set -euo pipefail
NAMESPACE="chaos-testing"
DRY_RUN="${1:-false}"
echo "=== Chaos Drill Emergency Abort ==="
echo "Time: $(date '+%Y-%m-%d %H:%M:%S')"
echo ""
# List all running chaos experiments
EXPERIMENTS=$(kubectl get networkchaos,podchaos,iochaos,stresschaos \
-n "$NAMESPACE" \
-o custom-columns=NAME:.metadata.name,KIND:.kind \
--no-headers 2>/dev/null || true)
if [ -z "$EXPERIMENTS" ]; then
echo "No chaos experiments currently running."
exit 0
fi
echo "Running chaos experiments:"
echo "$EXPERIMENTS"
echo ""
if [ "$DRY_RUN" = "true" ]; then
echo "[DRY-RUN] Would delete all chaos experiment resources above."
exit 0
fi
# Delete all chaos experiment resources
kubectl delete networkchaos,podchaos,iochaos,stresschaos \
-n "$NAMESPACE" --all
echo ""
echo "All chaos experiments cleared. Waiting 30 seconds for auto-recovery..."
sleep 30
echo "=== System Status Check ==="
kubectl get pods -n production --field-selector=status.phase!=Running
echo ""
echo "If there are abnormal Pods above, please investigate manually."
MTTR Breakdown: Using Data to Drive Drill Improvement
The Five Phases of MTTR
MTTR (Mean Time To Recovery) is not a single number — it’s a combination of five phases. Only by breaking it down can you identify the bottleneck:
| Phase | Meaning | Typical Bottleneck | Improvement |
|---|---|---|---|
| MTTD | Mean Time To Detect | Alert delay, false negatives | Optimize alert rules, expand coverage |
| MTTA | Mean Time To Acknowledge | Slow on-call response | Optimize notification channels, shift scheduling |
| MTTD-i | Mean Time To Diagnose | No direction in investigation | Observability investment, diagnostic tools |
| MTTF | Mean Time To Fix | Complex mitigation operations | Automated switch scripts, degradation toggles |
| MTTR-v | Mean Time To Verify | Afraid to confirm recovery | Automated health checks, full-chain probing |
Incident ─→ Detect ─→ Acknowledge ─→ Diagnose ─→ Mitigate ─→ Verify ─→ Recover
MTTD MTTA MTTD-i MTTF MTTR-v
|___________________________ MTTR ________________________________________|
Using Drill Data to Identify Bottlenecks
After each drill, analyze the data from the recorder. For example:
Drill scenario: Order service latency spike
───────────────────────────────────
Detect: 12.3s ✓ Alert timely
Acknowledge: 38.7s ⚠ On-call response slow (handling another alert)
Diagnose: 156.2s ✗ Took 2+ minutes to identify Redis as the issue
Mitigate: 203.1s ⚠ Manual switch took too long
Verify: 45.0s ✓ Automated health check effective
───────────────────────────────────
Total MTTR: 455.3s (7.6 minutes)
This data immediately reveals — the diagnose phase is the biggest bottleneck, taking nearly 3 minutes to find the root cause. The next improvement direction is to strengthen Redis monitoring coverage and alert correlation, so the on-call engineer can see “Redis connection pool exhausted” within 30 seconds.
MTTR Optimization Strategy Matrix
| Bottleneck Phase | Optimization Direction | Specific Measures | Expected Result |
|---|---|---|---|
| MTTD | Alert coverage | Add business SLI alerts, user experience monitoring | Detection time < 30s |
| MTTA | Notification mechanism | Multi-channel (phone+IM+SMS), backup on-call | Response time < 60s |
| MTTD-i | Diagnostic tools | Automated root cause analysis, alert correlation, dependency topology | Diagnosis time < 120s |
| MTTF | Automated mitigation | One-click switch scripts, auto-rollback, degradation toggles | Mitigation time < 60s |
| MTTR-v | Automated verification | Full-chain health probes, business metric regression | Verification time < 30s |
The theoretical MTTR goal is to compress every phase to the minute level. But realistically, different failure types have different ceilings — database master-slave failover mitigation time can’t be as fast as restarting a Pod. The key is setting reasonable MTTR targets for each failure type and continuously approaching them.
Drill Culture: From “Afraid of Incidents” to “Confident in Drills”
The Biggest Barrier Is Psychological, Not Technical
When promoting incident drills, the most common resistance isn’t technical — it’s psychological:
- Development team: “Chaos drills in production? Who takes responsibility if something breaks?”
- Business team: “What if drills affect online users?”
- Management: “Is this necessary? We’re not Google.”
These concerns are all valid. The response isn’t to lecture but to use data — start with small-scale drills in test environments, show MTTR improvement data, and build confidence gradually.
Progressive Implementation Roadmap
| Phase | Timeline | Goal | Approach |
|---|---|---|---|
| Phase 1 | Months 1-2 | Establish baseline | Tabletop exercises + test environment red-blue drills |
| Phase 2 | Months 3-4 | Process validation | Production read-replica validation, automated mitigation drills |
| Phase 3 | Months 5-6 | Normalize | Regular chaos injection, Game Day |
| Phase 4 | Months 7-12 | Automate | Chaos engineering platform, unmanned drills |
Don’t touch production in Phase 1. Build a solid foundation with tabletop exercises and test environment drills first — fix runbook gaps and refine team collaboration. In Phase 2, you can start “gentle” production drills — like validating read replicas’ ability to handle traffic and HPA responsiveness. Phase 3 is real chaos injection, but blast radius must be carefully controlled.
Game Day: Making Drills a Team Habit
Game Day is a concept pioneered by Netflix — organizing a concentrated failure drill day with full team participation, simulating multi-failure concurrent scenarios.
Game Day Design Points:
Design ruthless scenarios: Don’t just do single-point failures. Design multi-failure concurrent scenarios — “database master down + network partition + on-call engineer in a meeting.” These compound scenarios truly test the team.
Observer mechanism: Assign dedicated observers who don’t participate in mitigation — they only record team behavior: who first noticed the issue, who made key decisions, whether communication chains broke.
Blameless post-mortem: The core of drill review is not “who made a mistake” but “where the system design made it easy to make mistakes.” This must be established culturally.
Improvement item tracking: Every drill must produce actionable improvement items with owners and deadlines. Before the next drill, check the completion status of previous items.
# Game Day Post-Mortem Template
## Basic Info
- Date: 2026-07-16
- Scenario: Order service + Payment service dual failure
- Participants: 8 (Blue team 5 + Red team 2 + Observer 1)
- Total duration: 47 minutes
## MTTR Breakdown
| Phase | Duration | Rating | Notes |
|-------|----------|--------|-------|
| Detect | 15s | ✓ | Alert timely |
| Acknowledge | 52s | ✓ | On-call online within 30s |
| Diagnose | 8min | ⚠ | Investigating two services simultaneously, lacked prioritization |
| Mitigate | 12min | ✗ | Manual switch script failed, fell back to backup plan |
| Verify | 3min | ✓ | Automated health probe effective |
| **Total MTTR** | **24min** | **Needs improvement** | Target < 15min |
## Issues Found
1. [P0] Switch script `switch-traffic-v2.sh` untested in new environment, missing dependencies
- Owner: @devops-li / Deadline: 2026-07-23
2. [P1] No clear prioritization criteria for dual-failure scenarios
- Owner: @sre-lead / Deadline: 2026-07-20
3. [P2] Communication chain too long: on-call → SRE Lead → business team → management, 4-level relay took 5 minutes
- Owner: @sre-lead / Deadline: 2026-07-30
## What Went Well
- On-call response was fast, acknowledged alert within 30 seconds
- Automated health probe was effective, confirmed recovery within 3 minutes
- Observer records were detailed, providing solid data for review
Engineering Management of Runbooks and Drills
Runbook as Code
Runbooks shouldn’t be scattered across wikis, Confluence, or personal notes. They should be structured, versioned, and executable.
Managing runbooks in a Git repository with the following structure is recommended:
incident-playbook/
├── README.md
├── L1-cards/ # Response cards
│ ├── order-service.md
│ ├── payment-service.md
│ └── redis-cluster.md
├── L2-dr/ # DR playbooks
│ ├── multi-region-failover.md
│ └── database-disaster-recovery.md
├── L3-bcp/ # Business continuity plans
│ ├── datacenter-loss.md
│ └── ransomware-response.md
├── drill-records/ # Drill records
│ ├── 2026-07-16-gameday.md
│ └── 2026-07-01-desktop-drill.md
└── scripts/ # Automation scripts
├── traffic-switch.sh
├── chaos-abort.sh
└── health-check.sh
After each drill, submit a PR to update the runbook — just like maintaining code. This gives you a complete change history: who changed what, when, and why.
Automated Drill Scheduling
When team size and system complexity reach a certain level, the cost of manually organizing drills becomes high. Consider using CI/CD pipelines to automatically trigger drills:
# GitLab CI example: weekly automated low-risk chaos experiment
chaos-drill-weekly:
stage: test
image: bitnami/kubectl:latest
schedule:
- cron: "0 2 * * 1" # Every Monday 2 AM
script:
- # 1. Verify system health baseline
- kubectl get pods -n production --field-selector=status.phase!=Running | tee /tmp/unhealthy-pods.txt
- if [ -s /tmp/unhealthy-pods.txt ]; then echo "System has unhealthy Pods, canceling drill"; exit 1; fi
- # 2. Inject low-risk fault (kill 1 non-critical Pod)
- kubectl apply -f chaos-experiments/low-risk/pod-kill-non-critical.yaml
- # 3. Wait 5 minutes
- sleep 300
- # 4. Check auto-recovery
- kubectl get pods -n production --field-selector=status.phase!=Running | tee /tmp/post-drill.txt
- if [ -s /tmp/post-drill.txt ]; then echo "Abnormal Pods after drill, manual intervention needed"; exit 1; fi
- # 5. Clean up chaos experiment
- kubectl delete -f chaos-experiments/low-risk/pod-kill-non-critical.yaml
- # 6. Send drill report
- |
cat << EOF | mail -s "[Chaos Drill] Weekly Report" sre-team@company.com
Drill time: $(date)
Content: Random kill 1 non-critical Pod
Result: Passed (auto-recovery successful)
Next round: Friday Game Day full-scenario drill
EOF
only:
- schedules
This type of automated drill is suitable for low-risk validation scenarios — like confirming Pod auto-scheduling works and HPA scales in time. High-risk chaos experiments still require manual organization.
Common Pitfalls and How to Avoid Them
Pitfall 1: Drills Are Just About Breaking Things
Many people understand chaos drills as “breaking things in production.” This is a misunderstanding. The core philosophy of chaos engineering is not destruction but verifying whether the system recovers as you expect.
If you inject a fault and the system doesn’t auto-recover — this reveals a gap in your high-availability design, which is a valuable finding. If you inject a fault and the system auto-recovers — this validates that your design works, which is equally valuable. Both outcomes are wins.
What’s scary is doing nothing and being clueless when a real incident hits.
Pitfall 2: More Detailed Runbooks Are Better
I’ve seen teams write 30-page Word documents for a single service’s incident runbook. From background to architecture diagrams to every SQL statement — comprehensive and thorough.
This kind of runbook is useless in a live incident. On-call engineers under high pressure have extremely short attention windows. Give them 30 pages and they won’t read a single line.
Good runbooks should follow the “10-step rule” — no more than 10 core operational steps, each no longer than 2 lines. If it exceeds that, the runbook is too complex and needs to be split or automated.
Pitfall 3: Drilling Without Improving
The value of drills isn’t in the drill itself but in the improvements that follow. Each drill must produce clear improvement items with owners, deadlines, and acceptance criteria.
I’ve seen teams run monthly drills but find the same issues every time — switch scripts still don’t work, alerts still aren’t correlated, on-call engineers still don’t know who to contact. This means drills have become a formality.
Improvement tracking can be done simply:
## Improvement Board
### Pending
| ID | Priority | Description | Owner | Deadline | Status |
|----|----------|-------------|-------|----------|--------|
| 001 | P0 | Switch script v2 untested in new environment | @devops-li | 07-23 | In progress |
| 002 | P1 | Dual-failure prioritization criteria missing | @sre-lead | 07-20 | Not started |
### Completed
| ID | Priority | Description | Owner | Completed | Verification |
|----|----------|-------------|-------|-----------|-------------|
| 000 | P0 | Redis connection pool monitoring missing | @sre-wang | 07-10 | Verified in 07-15 drill |
Pitfall 4: Focusing on Tech, Ignoring Communication
The most easily overlooked aspect of incident drills is communication. Technical issues are easy to identify; communication issues are the real hidden cost — “the on-call engineer spent 5 minutes finding the business team’s contact info,” “the escalation process was unclear, and the SRE Lead wasn’t sure whether to notify management.”
These communication issues should be exposed and resolved during tabletop exercises. Runbooks must include a clear communication matrix:
P0 Incident Communication Matrix:
├── 0-1min: On-Call confirms incident → notify SRE Lead
├── 1-3min: SRE Lead assesses impact → notify business team owner
├── 3-5min: Business team assesses user impact → decide whether to notify management
├── 5-15min: Sync progress every 5 minutes → post to incident channel
└── Post-recovery: Submit incident post-mortem within 24h
Summary
Incident preparedness and drill systems are one of the SRE team’s core competencies. Remember these key points:
At the runbook level, the three-tier structure (response cards / DR playbooks / BCP plans) covers everything from single-service to datacenter-level failures. Each response card stays within 10 steps, allowing on-call engineers to execute without thinking. Runbooks are managed in Git — versioned and traceable.
At the drill level, three modes (tabletop / red-blue / chaos injection) are used progressively. Tabletop validates logic, red-blue validates process, chaos validates system resilience. Each drill uses the recorder to break down MTTR into five phases, driving improvement with data.
At the culture level, implement progressively — test environment first, then production; small scale first, then large. Game Days are organized regularly, post-mortems are blameless, and improvement items have owners and deadlines.
At the automation level, low-risk drills are scheduled via CI/CD, high-risk drills are manually organized but process-standardized. Runbook as code, scripts as tools, everything versioned and traceable.
One final thought: an untested runbook is no runbook. Don’t wait until 2 AM to discover your runbook is useless.
References & Acknowledgments
The following resources were referenced during the writing of this article. Thanks to the original authors for their contributions:
- Enterprise Full-Chain SRE Stability Engineering System Construction — Tencent Cloud Developer Community, provided the panoramic view of SRE resilience engineering and the full lifecycle management framework for incidents
- Technical Decisions Have No Right Answers, Only Affordable Costs: Using 27 SRE Incident Retrospectives — CSDN, provided Meitu’s incident lifecycle management practices and MTTR breakdown metrics
- Chaos Engineering Implementation and Fault Tolerance Verification in Core Business Systems — Book118, provided practical experience with ChaosBlade and chaos engineering culture promotion methods
- K3s - Lightweight Kubernetes — Rancher official documentation, referenced for chaos engineering tool selection comparison