Incident Response

1---2name: incident-response3description: Run an incident response workflow — triage, communicate, and write postmortem. Trigger with "we have an incident", "production is down", an alert that needs severity assessment, a status update mid-incident, or when writing a blameless postmortem after resolution.4argument-hint: "<incident description or alert>"5---6 7# /incident-response8 9> If you see unfamiliar placeholders or need to check which tools are connected, see [CONNECTORS.md](../../CONNECTORS.md).10 11Manage an incident from detection through postmortem.12 13## Usage14 15```16/incident-response $ARGUMENTS17```18 19## Modes20 21```22/incident-response new [description]     # Start a new incident23/incident-response update [status]       # Post a status update24/incident-response postmortem            # Generate postmortem from incident data25```26 27If no mode is specified, ask what phase the incident is in.28 29## How It Works30 31```32┌─────────────────────────────────────────────────────────────────┐33│                    INCIDENT RESPONSE                               │34├─────────────────────────────────────────────────────────────────┤35│  Phase 1: TRIAGE                                                  │36│  ✓ Assess severity (SEV1-4)                                     │37│  ✓ Identify affected systems and users                          │38│  ✓ Assign roles (IC, comms, responders)                         │39│                                                                    │40│  Phase 2: COMMUNICATE                                              │41│  ✓ Draft internal status update                                  │42│  ✓ Draft customer communication (if needed)                     │43│  ✓ Set up war room and cadence                                   │44│                                                                    │45│  Phase 3: MITIGATE                                                 │46│  ✓ Document mitigation steps taken                               │47│  ✓ Track timeline of events                                      │48│  ✓ Confirm resolution                                            │49│                                                                    │50│  Phase 4: POSTMORTEM                                               │51│  ✓ Blameless postmortem document                                 │52│  ✓ Timeline reconstruction                                       │53│  ✓ Root cause analysis (5 whys)                                  │54│  ✓ Action items with owners                                      │55└─────────────────────────────────────────────────────────────────┘56```57 58## Severity Classification59 60| Level | Criteria | Response Time |61|-------|----------|---------------|62| SEV1 | Service down, all users affected | Immediate, all-hands |63| SEV2 | Major feature degraded, many users affected | Within 15 min |64| SEV3 | Minor feature issue, some users affected | Within 1 hour |65| SEV4 | Cosmetic or low-impact issue | Next business day |66 67## Communication Guidance68 69Provide clear, factual updates at regular cadence. Include: what's happening, who's affected, what we're doing, when the next update is.70 71## Output — Status Update72 73```markdown74## Incident Update: [Title]75**Severity:** SEV[1-4] | **Status:** Investigating | Identified | Monitoring | Resolved76**Impact:** [Who/what is affected]77**Last Updated:** [Timestamp]78 79### Current Status80[What we know now]81 82### Actions Taken83- [Action 1]84- [Action 2]85 86### Next Steps87- [What's happening next and ETA]88 89### Timeline90| Time | Event |91|------|-------|92| [HH:MM] | [Event] |93```94 95## Output — Postmortem96 97```markdown98## Postmortem: [Incident Title]99**Date:** [Date] | **Duration:** [X hours] | **Severity:** SEV[X]100**Authors:** [Names] | **Status:** Draft101 102### Summary103[2-3 sentence plain-language summary]104 105### Impact106- [Users affected]107- [Duration of impact]108- [Business impact if quantifiable]109 110### Timeline111| Time (UTC) | Event |112|------------|-------|113| [HH:MM] | [Event] |114 115### Root Cause116[Detailed explanation of what caused the incident]117 118### 5 Whys1191. Why did [symptom]? → [Because...]1202. Why did [cause 1]? → [Because...]1213. Why did [cause 2]? → [Because...]1224. Why did [cause 3]? → [Because...]1235. Why did [cause 4]? → [Root cause]124 125### What Went Well126- [Things that worked]127 128### What Went Poorly129- [Things that didn't work]130 131### Action Items132| Action | Owner | Priority | Due Date |133|--------|-------|----------|----------|134| [Action] | [Person] | P0/P1/P2 | [Date] |135 136### Lessons Learned137[Key takeaways for the team]138```139 140## If Connectors Available141 142If **~~monitoring** is connected:143- Pull alert details and metrics144- Show graphs of affected metrics145 146If **~~incident management** is connected:147- Create or update incident in PagerDuty/Opsgenie148- Page on-call responders149 150If **~~chat** is connected:151- Post status updates to incident channel152- Create war room channel153 154## Tips155 1561. **Start writing immediately** — Don't wait for complete information. Update as you learn more.1572. **Keep updates factual** — What we know, what we've done, what's next. No speculation.1583. **Postmortems are blameless** — Focus on systems and processes, not individuals.