Overview
Incidents are inevitable, but the quality of your incident response determines the impact scope and duration. A mature incident response framework can bring order to chaos — ensuring the right people do the right things, information flows where it needs to go, and recovery happens as fast as possible.
The reality many teams face during incidents: alert bombardment, chat channel flooding, unclear ownership, duplicate investigations, inconsistent external messaging, and inability to explain what happened after recovery. The root cause of these problems isn’t technical incompetence — it’s the lack of a structured response framework.
This article systematically covers how to build an executable incident response framework, covering severity grading, response role division, escalation path design, communication templates, timeline recording, and recovery strategies.
For a systematic methodology on incident response, see Google SRE Book - Managing Incidents and the Atlassian Incident Management Handbook.
1. Incident Severity Grading Standards
Why Grading Is Needed
Incident management without grading is no management at all. If every incident is treated as the highest priority, nothing is truly the highest priority. The essence of severity grading is resource scheduling priority — ensuring that with limited personnel, the most severe incidents get resources first.
SEV Grading Standards
Using the industry-standard SEV1-SEV4 four-level classification:
| Level | Definition | Impact Scope | Response SLA | Escalation Condition | Example |
|---|---|---|---|---|---|
| SEV1 | Production service completely unavailable or core functionality failed | All or large number of users affected, direct revenue loss | Immediate, <5min | Auto-escalate if no progress in 15min | Payment service down, database unavailable, all core APIs returning 5xx |
| SEV2 | Core functionality severely degraded | Some users affected, business functionality impaired | <15min | Auto-escalate if no progress in 30min | Payment success rate down 20%, P99 latency degraded 5x |
| SEV3 | Non-core functionality degraded or potential risk | Small number of users affected or no direct impact | <30min (business hours) | No auto-escalation | Non-critical service anomaly, disk usage at 80% |
| SEV4 | Optimization suggestion or known issue | No user impact | Next business day | No escalation | Alert threshold optimization, documentation updates |
Grading Determination Factors
Incident grading needs to consider multiple dimensions — it’s not determined by a single metric:
# Incident severity determination matrix
severity_matrix:
dimensions:
- user_impact: # User impact
none: 0
minimal: 1 # <1% of users affected
moderate: 2 # 1-10% of users affected
significant: 3 # 10-50% of users affected
severe: 4 # >50% of users affected
- business_impact: # Business impact
none: 0
low: 1 # Non-core functionality, no revenue impact
medium: 2 # Core functionality degraded, minor revenue impact
high: 3 # Core functionality failed, clear revenue loss
critical: 4 # Site-wide unavailability, severe revenue loss
- duration: # Duration (elapsed or estimated)
unknown: 3 # Unknown duration treated as high risk
brief: 1 # <5 minutes
short: 2 # 5-30 minutes
medium: 3 # 30 minutes - 2 hours
long: 4 # >2 hours
# The highest dimension determines SEV level
rule: "max(user_impact, business_impact) + duration_bonus"
# duration_bonus: if duration exceeds expectations, SEV is upgraded one level
Automated Grading
Ideally, incident severity should be automatically determined through alert rules:
# Prometheus alert auto-grading
groups:
- name: incident-severity
rules:
# SEV1: Critical service completely unavailable
- alert: SEV1CriticalServiceDown
expr: |
up{job="payment-service",env="production"} == 0
for: 1m
labels:
severity: SEV1
page: true
escalation: true
auto_bridge: true # Auto-create conference bridge
annotations:
summary: "Payment service completely unavailable"
impact: "All users unable to pay, direct revenue loss"
runbook: "https://wiki/runbooks/payment-service-down"
ic_rotation: "primary-oncall"
# SEV2: Error rate exceeds threshold
- alert: SEV2HighErrorRate
expr: |
sum(rate(http_requests_total{job="payment-service",status=~"5.."}[5m]))
/
sum(rate(http_requests_total{job="payment-service"}[5m])) > 0.05
for: 2m
labels:
severity: SEV2
page: true
escalation: false
annotations:
summary: "Payment service error rate exceeds 5%"
impact: "Some users experiencing payment failures"
runbook: "https://wiki/runbooks/high-error-rate"
# SEV3: Resource water level alert
- alert: SEV3DiskUsageHigh
expr: |
(1 - node_filesystem_avail_bytes / node_filesystem_size_bytes) * 100 > 80
for: 5m
labels:
severity: SEV3
page: false
notify: "#alerts-warn"
annotations:
summary: "Disk usage exceeds 80%"
runbook: "https://wiki/runbooks/disk-cleanup"
Grade Adjustment
Incident severity isn’t set in stone. As the situation develops, it needs to be dynamically adjusted:
Scenario: SEV3 disk alert
→ Investigation reveals disk is about to fill → Service may crash
→ Upgrade to SEV2
→ Disk fills up, service starts erroring
→ Upgrade to SEV1
Adjustment rules:
- Anyone involved in the response can suggest a grade adjustment
- The final decision rests with the Incident Commander (IC)
- Grade adjustments must be broadcast to all responders
- Upgrading is safer than downgrading — it’s better to over-respond than under-respond
2. Response Role Division
Core Roles
The following roles need to be clearly defined in incident response, each with clear responsibility boundaries:
| Role | Abbreviation | Responsibility | Required Profile |
|---|---|---|---|
| Incident Commander | IC | Unified command, decision-making, resource coordination | Experienced senior SRE/tech lead |
| Operations Lead | Ops | Execute technical operations, investigate and fix | On-Call engineer |
| Communications Lead | Comms | Internal and external communication, publish status updates | Technical communicator/PM with technical background |
| Scribe | Note taker | Record timeline, decisions, operations | Anyone who can type fast |
| Subject Matter Expert | SME | Provide domain-specific technical judgment | Owner of the relevant service |
Role Relationships
┌──────────────┐
│ IC │ ← Unified command, no hands-on operations
│ Commander │
└──────┬───────┘
│
┌───────────┼───────────┐
│ │ │
┌──────▼──────┐ ┌──▼───┐ ┌─────▼──────┐
│ Ops │ │Scribe│ │ Comms │
│ Operations │ │Notes │ │ Comms │
└──────┬──────┘ └──────┘ └────────────┘
│
┌──────▼──────┐
│ SME │ ← Join as needed, provide expert judgment
│ Expert │
└─────────────┘
Key principle: IC does not perform hands-on operations. The IC’s attention should be on the big picture — decisions, coordination, risk assessment. If the IC is typing commands to investigate, no one is watching the overall picture.
Detailed Role Responsibilities
Incident Commander (IC)
The IC is the soul of incident response. Not necessarily the most technical person, but the most capable of making decisions and coordinating.
IC’s core responsibilities:
- Confirm and grade the incident: After receiving an alert, quickly assess impact and determine SEV level
- Form the response team: Convene needed roles — Ops, Comms, SME
- Establish recovery strategy: Decide what to do first and what next, weigh risks
- Coordinate resources: Call in other teams, request additional resources
- Control the pace: Prevent chaos, ensure every operation has clear instructions and confirmation
- Decide on escalation: Determine if the incident needs to be upgraded or if more support is needed
- Declare recovery: Confirm the incident is resolved, end the response
IC behavioral guidelines:
ic_principles:
do:
- "Maintain a global perspective; don't get lost in details"
- "Give clear instructions: who does what by when"
- "Sync progress regularly: update status every 15 minutes"
- "Encourage information sharing: 'If you find something, tell me'"
- "Make decisions and own the consequences: 'Let's rollback first, then investigate'"
dont:
- "Don't perform hands-on technical operations"
- "Don't let multiple people operate the same system simultaneously"
- "Don't execute irreversible operations without confirmation"
- "Don't ignore anyone's information — even if it seems unimportant"
Operations Lead (Ops)
Ops is the executor, responsible for specific technical operations.
Ops’s core responsibilities:
- Execute investigation: Follow IC’s instructions or Runbook to investigate
- Execute fixes: Perform rollback, restart, scaling, rate limiting, etc.
- Report results: Immediately report results to IC after each operation
- Recommend solutions: Based on technical judgment, suggest recovery approaches to IC
Ops’s working style:
IC: "First check recent change records"
Ops: "At 10:00 a developer submitted a config change, modifying the database connection timeout"
IC: "Rollback that change"
Ops: "Rolling back... rollback complete, error rate is dropping"
Ops: "Error rate back to normal, P99 latency recovering to 180ms"
IC: "Good, observe for 10 minutes to confirm stability"
Communications Lead (Comms)
Comms is responsible for all internal and external communication. During large-scale incidents, communication itself is a full-time job.
Comms’s core responsibilities:
- Internal sync: Periodically sync incident status within the company
- External announcements: Publish notifications via status page and social media
- Management reporting: Report incident progress to technical management
- Filter information: Translate technical details into business language
Internal communication template:
## [SEV1] Payment Service Unavailable - Status Update #3
**Time**: 2026-07-10 15:00
**Level**: SEV1
**Status**: Investigating
### Current Situation
The payment service started returning large numbers of 5xx errors at 14:30, currently affecting approximately 15% of payment requests.
The SRE team is investigating and has初步 identified a correlation with a database configuration change at 14:00.
### In Progress
- Rolling back the database configuration change
- Estimated recovery within 15 minutes
### Impact Assessment
- Affected users: ~15% of payment requests failing
- Estimated revenue impact: ~¥XXK/hour
- Data impact: No data loss
### Next Update
15:15
External status page announcement:
## Service Disruption - Payment Functionality
We've detected that some users are experiencing issues with the payment functionality. Our technical team is urgently working on a fix.
**Impact scope**: Some users' payment requests may fail
**Start time**: 2026-07-10 14:30 UTC+8
**Current status**: Investigating
We will provide updates every 15 minutes. Thank you for your patience.
---
2026-07-10 14:35 - Issue confirmed, team is working on it
2026-07-10 14:50 - Root cause identified, fix being applied
2026-07-10 15:05 - Fix applied, verifying recovery
2026-07-10 15:15 - Service has been restored to normal
Scribe (Note Taker)
The Scribe’s responsibility is to record all key information during the incident, providing raw material for post-incident review.
What the Scribe needs to record:
# Incident Timeline Record
## Basic Information
- Incident ID: INC-2026-0710-001
- Level: SEV1
- Start time: 14:30
- Recovery time: 15:15
- Duration: 45 minutes
- IC: Zhang San
- Ops: Li Si
- Comms: Wang Wu
## Timeline
| Time | Event | Operator | Source |
|------|------|--------|------|
| 14:30 | Prometheus alert: Payment service error rate >5% | Auto alert | AlertManager |
| 14:32 | Zhang San responded to alert, confirmed as SEV1 | Zhang San | IM group |
| 14:33 | Zhang San formed response team: IC=Zhang San, Ops=Li Si, Comms=Wang Wu | Zhang San | Conference bridge |
| 14:35 | Li Si began investigation, checking Grafana monitoring | Li Si | Operation log |
| 14:37 | Li Si noticed abnormal database connection count | Li Si | Grafana |
| 14:40 | Li Si checked change records, found 14:00 database config change | Li Si | Git log |
| 14:42 | IC decided to rollback config change | Zhang San | Conference bridge |
| 14:45 | Li Si executed rollback | Li Si | kubectl |
| 14:48 | Error rate started dropping | Li Si | Grafana |
| 14:52 | Error rate back to normal, P99 latency still elevated | Li Si | Grafana |
| 15:00 | Latency returned to normal | Li Si | Grafana |
| 15:05 | Observed for 5 minutes, confirmed stable | Zhang San | - |
| 15:15 | IC declared incident resolved | Zhang San | IM group |
Role Rotation
Long incidents (>2 hours) require rotation of responders to prevent fatigue-induced judgment errors:
Incident lasts >2 hours:
→ IC hands off to backup IC
→ Ops hands off to backup Ops
→ 5-minute briefing during handoff: current status, what's being done, next steps
→ Outgoing responder rests at least 4 hours before returning
Incident lasts >6 hours:
→ Full team rotation
→ Consider requesting cross-team support
3. Escalation Path Design
Escalation Trigger Conditions
Escalation is not “asking for help when you can’t handle it” — it’s a resource调度 automatically triggered under clear conditions:
| Trigger Condition | Escalation Target | Delay |
|---|---|---|
| SEV1 alert | Primary On-Call | Immediate |
| Primary doesn’t respond in 5 min | Secondary On-Call | +5min |
| Secondary doesn’t respond in 5 min | SRE Team Lead | +10min |
| SEV1 no progress in 15 min | Service Owner + Engineering Director | +15min |
| SEV1 not resolved in 30 min | CTO | +30min |
| Impact exceeds 50% of users | All management | Immediate |
Escalation Matrix
# Escalation matrix
escalation_matrix:
SEV1:
step_1:
delay: 0min
targets:
- role: "Primary On-Call"
contact: "phone + pagerduty"
timeout: 5min
step_2:
delay: 5min # Primary didn't respond
targets:
- role: "Secondary On-Call"
contact: "phone + pagerduty"
timeout: 5min
step_3:
delay: 10min # Secondary didn't respond
targets:
- role: "SRE Team Lead"
contact: "phone"
timeout: 5min
step_4:
delay: 15min # Still no progress
targets:
- role: "Service Owner"
contact: "phone"
- role: "Engineering Director"
contact: "phone + im"
step_5:
delay: 30min # Still not resolved
targets:
- role: "CTO"
contact: "phone"
step_6:
delay: 60min # Long unresolved
targets:
- role: "All Hands"
contact: "mass notification"
SEV2:
step_1:
delay: 0min
targets:
- role: "Primary On-Call"
contact: "pagerduty + im"
timeout: 15min
step_2:
delay: 15min
targets:
- role: "Secondary On-Call"
contact: "pagerduty + phone"
step_3:
delay: 30min # No progress
targets:
- role: "SRE Team Lead"
contact: "im"
SEV3:
step_1:
delay: 0min
targets:
- role: "On-Call"
contact: "im only"
# Handle during business hours, no phone calls
Escalation Execution Principles
- Automation first: Use PagerDuty/Opsgenie or similar tools for automatic escalation, don’t rely on human judgment
- Better early than late: When in doubt about whether to escalate, escalate. The cost of delayed escalation is usually far greater than over-escalation
- Complete information: Every escalation must carry complete context — incident summary, current status, approaches already tried
- Don’t interrupt response: Escalation adds resources, doesn’t swap people — the escalated person joins the response; the original responder continues working
Escalation Notification Template
# Escalation Notification Template
## SEV1 Escalation: Payment Service Unavailable
**Incident summary**: Payment service has been returning large numbers of 5xx errors since 14:30, ~15% of users affected
**Current status**: Been investigating for 15 minutes, identified database config change, rollback in progress
**Approaches tried**:
1. Checked service logs - found database connection timeouts
2. Checked change records - 14:00 database config change
3. Rolling back configuration
**Help needed**: Need DBA team to confirm if rollback plan is safe
**IC**: Zhang San
**Conference bridge**: https://meet.example.com/incident-001
**Timeline document**: https://wiki/incidents/INC-2026-0710-001
4. Communication Templates and Standards
Communication Channel Design
Communication during incidents needs to be segmented by channel and audience:
| Channel | Audience | Content | Frequency |
|---|---|---|---|
| Conference bridge / War Room | Response team | Technical discussion, decisions, operational instructions | Continuous |
| IM group (#incident-xxx) | Response team + stakeholders | Technical details, operation logs | Real-time |
| IM group (#company-status) | Entire company | Non-technical status updates | Every 15-30 min |
| Status page (status.example.com) | External users | User-friendly incident notifications | Every 15-30 min |
| Social media | External users | Brief incident notifications | During major incidents |
| Management + key customers | Detailed impact assessment | During major incidents |
War Room Standards
The War Room is the command center for incident response — it can be a physical conference room or a virtual conference bridge.
War Room rules:
1. Only response roles enter the War Room (IC, Ops, Comms, Scribe, SME)
2. Others get information through the IM group, don't enter the War Room
3. Only discuss the current incident in the War Room, no other topics
4. All operational instructions come from the IC, no self-directed operations
5. All key decisions and operations are recorded by the Scribe
Status Update Template
# Incident Status Update Template
## [SEV Level] Incident Title - Update #N
**Time**: YYYY-MM-DD HH:MM
**Level**: SEVX
**Status**: [Investigating / In Progress / Recovering / Resolved]
**Duration**: XX minutes
### Current Situation
[One paragraph describing current status]
### Impact Scope
- Affected users: [percentage/count]
- Affected features: [list]
- Business impact: [quantified]
### In Progress
1. [Current action 1]
2. [Current action 2]
### Next Steps
1. [Planned action 1]
2. [Planned action 2]
### Estimated Recovery Time
[Estimated time or "Unable to estimate"]
### Next Update
[Time]
Communication Discipline
communication_discipline:
war_room:
- "Only talk about things related to the incident"
- "Speak up — even if you think it's not important"
- "If in doubt, ask the IC directly"
- "Announce before operating, confirm after operating"
im_channel:
- "Only the Comms role posts status updates"
- "Use thread replies for technical discussions"
- "Don't spam the channel — important information gets buried"
- "Screenshots must include timestamps"
examples:
good:
- "Ops: I executed a rollback on server-01, error rate dropped from 15% to 2%"
- "IC: Acknowledged. Li Si, continue observing for 5 minutes. Wang Wu, send a status update."
bad:
- "Ops: I think it might be a database issue" # ← Unfounded speculation
- "Someone: Oh no it's down again!!!" # ← Emotional outburst
- "Someone: This happened last time too" # ← Doesn't help current recovery
5. Timeline Recording
Why the Timeline Matters
Timeline recording is often neglected during incident response — because everyone is busy solving the problem, no one wants to stop and write notes. But the timeline is the cornerstone of post-incident review. Without an accurate timeline, the review becomes “everyone’s version of events.”
Three purposes of the timeline:
- Real-time reference: Helps IC and responders understand “what we’ve done and what the results were”
- Post-incident review: Core material for the Postmortem
- Compliance audit: Some industries require incident records to be retained for audit purposes
Timeline Recording Tools
# Timeline recording tool selection
timeline_tools:
real_time:
- tool: "Dedicated incident management tool (e.g., FireHydrant, Rootly)"
pros: "Structured, auto-correlates alerts and changes"
cons: "Requires pre-deployment and integration"
- tool: "Google Doc / collaborative document"
pros: "Zero deployment cost, everyone can edit simultaneously"
cons: "Unstructured, requires manual organization"
- tool: "IM group messages + Bot"
pros: "Responders already use IM, no extra effort"
cons: "Information scattered, requires later organization"
recommended: "IM group + Bot auto-recording, with collaborative document for structured organization"
Automated Timeline Collection
# Auto-collect timeline events from multiple data sources
class TimelineCollector:
def __init__(self, incident_id):
self.incident_id = incident_id
self.events = []
def collect_from_alertmanager(self, start_time, end_time):
"""Collect alert events from AlertManager"""
alerts = query_alertmanager(start_time, end_time)
for alert in alerts:
self.events.append({
"time": alert["starts_at"],
"type": "alert",
"description": alert["annotations"]["summary"],
"source": "AlertManager"
})
def collect_from_git(self, start_time, end_time):
"""Collect change events from Git"""
commits = query_git_log(start_time, end_time)
for commit in commits:
self.events.append({
"time": commit["timestamp"],
"type": "change",
"description": f"Code change: {commit['message']} ({commit['author']})",
"source": "Git"
})
def collect_from_ci_cd(self, start_time, end_time):
"""Collect deployment events from CI/CD"""
deploys = query_deployments(start_time, end_time)
for deploy in deploys:
self.events.append({
"time": deploy["timestamp"],
"type": "deploy",
"description": f"Deployment: {deploy['service']} {deploy['version']}",
"source": "CI/CD"
})
def collect_from_chat(self, incident_channel, start_time):
"""Collect manual records from IM group"""
messages = query_chat_history(incident_channel, start_time)
for msg in messages:
if msg.get("type") in ["action", "decision", "finding"]:
self.events.append({
"time": msg["timestamp"],
"type": msg["type"],
"description": msg["text"],
"source": msg["user"]
})
def generate_timeline(self):
"""Generate a sorted timeline"""
return sorted(self.events, key=lambda x: x["time"])
Timeline Recording Standards
Good timeline recording:
14:35 Checked Grafana monitoring, found DB connections spiked from 50 to 500 [Li Si]
14:37 Confirmed connection spike aligns with 14:00 config change [Li Si]
14:42 IC decided to rollback config change [Zhang San]
14:45 Executed kubectl rollout undo deployment/payment-svc [Li Si]
14:48 Error rate dropped from 15% to 2% [Li Si]
Bad timeline recording:
14:35 Looked at monitoring ← Looked at what? Found what?
14:42 Decided to rollback ← Who decided? Why?
14:45 Operated ← Operated what? On which system?
6. Recovery Strategies
Recovery Priority: Restore First, Fix Later
The first principle of incident response is restore service as quickly as possible, not find the root cause before fixing.
Wrong approach:
Incident occurs → Find root cause → 30 minutes searching → Found it → Fix → Recover
Total time: 45 minutes
Right approach:
Incident occurs → Quick assessment → Rollback recent changes → Recover → Then find root cause
Total time: 10 minutes
Recovery Strategy Decision Tree
Incident occurs
│
├─ Changes in the last 30 minutes?
│ ├─ Yes → Rollback changes → Observe if recovered
│ │ ├─ Recovered → Incident ends, analyze root cause afterward
│ │ └─ Not recovered → Continue investigation
│ │
│ └─ No → Check monitoring metrics
│ │
│ ├─ Resource exhaustion (CPU/memory/disk/connections)?
│ │ → Scale up/cleanup/restart → Observe if recovered
│ │
│ ├─ Dependency service anomaly?
│ │ → Switch to backup/degrade features → Observe if recovered
│ │
│ ├─ Traffic anomaly (spike/attack)?
│ │ → Rate limit/WAF block → Observe if recovered
│ │
│ └─ No obvious clues
│ → Restart service (last resort) → Observe if recovered
│ → If still not recovered, escalate per escalation matrix
Common Recovery Strategies
| Strategy | Suitable Scenario | Operation | Risk |
|---|---|---|---|
| Rollback | Change-induced incident | kubectl rollout undo | Low (if it was working before the change) |
| Scale up | Insufficient capacity | HPA scaling or manual node addition | Low |
| Degrade | Partial functionality failure | Disable non-core features, protect core | Medium (reduced user experience) |
| Rate limit | Traffic too high | Lower rate limit threshold | Medium (some users rejected) |
| Restart | Service stuck | kubectl delete pod | Medium (brief interruption) |
| Traffic switch | Single-region failure | Switch to backup region | High (requires multi-active architecture) |
| Data rollback | Data corruption | Restore database backup | High (may lose data) |
Recovery Verification
“Looks recovered” doesn’t mean “actually recovered.” Systematic verification is needed:
# Recovery verification checklist
recovery_verification:
technical_checks:
- "Error rate has returned to normal levels (<0.1%)"
- "Latency back within SLO (P99 < 200ms)"
- "All Pods in Running state"
- "Database connection count back to normal"
- "Queue backlog has been consumed"
business_checks:
- "User complaint volume dropped to normal levels"
- "Core business metrics recovered (e.g., checkout success rate >99.9%)"
- "Customer service team confirms user feedback is normal"
monitoring_checks:
- "Alerts have auto-cleared"
- "All metrics on monitoring dashboards are normal"
- "Black-box monitoring probes pass"
observation_period:
duration: "10-15 minutes"
purpose: "Confirm it's not an intermittent recovery"
action: "After IC declares recovery, continue observing for 30 minutes"
Post-Incident Wrap-Up
Post-recovery wrap-up steps:
1. IC declares incident resolved (IM group + conference bridge)
2. Comms publishes recovery announcement (status page + IM group)
3. Scribe finalizes the timeline
4. IC confirms all responders can rest
5. Create Postmortem ticket, set review date (within 3-5 business days)
6. If SEV1/SEV2, submit preliminary Postmortem within 24 hours
7. If there are temporary fixes (e.g., degraded features), record for later permanent fix
7. Incident Response Drills
Why Drills Are Necessary
An incident response framework can’t be used for the first time during a real incident. Regular drills reveal process issues and help the team stay calm during actual incidents.
Drill Types
| Type | Method | Frequency | Purpose |
|---|---|---|---|
| Tabletop exercise | Discussion-based, simulate incident scenarios, walk through process verbally | Quarterly | Validate process and role division |
| Functional drill | Simulate a single component (e.g., escalation notification) | Monthly | Validate toolchain and notification paths |
| Red-blue confrontation | Red team injects faults, blue team responds | Semi-annually | Validate end-to-end response capability |
| Chaos engineering | Auto-inject faults, validate self-healing | Continuous | Validate system resilience and monitoring coverage |
Tabletop Exercise Example
# Incident Response Tabletop Exercise
## Scenario
Friday afternoon at 17:00, the payment service suddenly starts returning large numbers of 5xx errors. Simultaneously, customer service reports a surge of user complaints about payment failures.
## Exercise Flow
### T+0 minutes: Alert triggered
- Facilitator: "17:00, AlertManager triggers SEV2 alert, payment service error rate 8%. Who is Primary On-Call?"
- Participant (playing On-Call): "I'm Primary, I received the alert."
### T+2 minutes: Response initiated
- Facilitator: "What do you do?"
- Participant: "Check Grafana to confirm alert accuracy, then..."
- Facilitator probes: "How many minutes until you respond? What if you don't respond in 5 minutes?"
### T+5 minutes: Grading and team formation
- Facilitator: "You confirm error rate is indeed 8%, affecting 8% of users. How do you grade it?"
- Participant: "SEV2. I need to form a response team..."
### T+15 minutes: Investigation
- Facilitator: "You checked monitoring and found database connections are normal, but Redis latency is spiking. What do you do?"
- Participant: "Check Redis status..."
### T+30 minutes: Escalation
- Facilitator: "It's been 30 minutes, problem still not solved. What should happen now?"
- Participant: "Per the escalation matrix, 30 minutes with no progress requires escalation to the SRE lead."
### Exercise Debrief
- Which steps went smoothly?
- Which steps got stuck? Why?
- What needs improvement in process/tools/communication?
Summary
The core value of an incident response framework is: bringing order to chaos. A good framework enables the team to collaborate efficiently under pressure, rather than each person fighting their own battle.
Key points:
- Grading is the foundation: Clear SEV grading provides a basis for resource调度; automated grading reduces human delay
- Role division is the core: IC commands without operating, Ops executes, Comms communicates, Scribe records — each sticks to their role
- Escalation must be automated: Don’t rely on human judgment; use tools for automatic escalation — better to over-escalate than to delay
- Communication needs channels: War Room for technical discussion, IM for status sync, status page for users — clear information flow
- Restore first, fix later: Rollback > degrade > restart > find root cause. Restoring service is always the first priority
- Timeline is the cornerstone: Record all key events in real-time, providing factual basis for post-incident review
- Drills are the safeguard: The framework can’t only be used during real incidents; regular drills ensure smooth operation when it matters
Remember: The quality of incident response is not determined by the person with the strongest technical skills, but by the person with the clearest process. When everyone knows what they should do, who they should communicate with, and when to escalate, incident recovery becomes a predictable engineering process rather than a chaotic firefight.
References & Acknowledgments
This article referenced the following materials during writing. We thank the original authors for their contributions:
- Google SRE Book - Managing Incidents — Google SRE Team, referenced for Google SRE Book - Managing Incidents
- Atlassian Incident Management Handbook — Atlassian, referenced for Atlassian Incident Management Handbook