![[DevOps Architecture] Incident Response](/uploads/2026/04/arch-intro-cat-devops.png)
About this article
As the twelfth installment of the âDevOps Architectureâ category in the series âArchitecture Crash Course for the Generative-AI Era,â this article explains incident response.
Incidents always happen. Designs that pray they donât crumble after they do. This article handles the sequence of detection, alerting, notification, response, recovery, and review, on-call regime, Severity definitions, and postmortem culture (the GitLab 2017 textbook case) - the systematization of noticing fast and recovering quickly.
What is incident response, anyway?
Imagine a fire departmentâs deployment system. You never know when a fire will break out, but the station has 24/7 duty rotations, deployment procedures, area maps, and past fire records ready to go. Itâs not individual bravery that makes a fire department effective â itâs the system that reliably extinguishes fires.
Incident response is the fire department of system operations. When failures or abnormal events occur, itâs the activity of systematizing the entire process from detection, notification, initial response, recovery, to review. It maintains processes, tools, and training that let whoever is on duty operate at consistent quality, running a learning cycle that prevents the same incident from happening twice.
Without an incident response system, every failure becomes a matter of a veteran pulling an all-nighter to heroically fix things. If that person is on vacation, recovery is delayed by hours, and the same failures repeat over and over.
Why incident response is needed
Response delay expands damage
In SaaS where 1 minute of downtime affects tens of thousands, 1 minute of response links directly to millions in losses. Fast detection and response defends company value.
Person-locking loses reproducibility
âVeteran fixed it overnightâ-type response collapses without the same person next time. Mechanisms letting anyone respond at the same quality are needed.
Recurrence prevention is the biggest value
The true purpose of incident response is recurrence prevention. Whether you can reflect lessons from one incident into system improvement is the dividing line.
Incident-response phases
Design incident response in 6 phases. With clear responsibles and procedures per phase, person-locking decreases.
| Phase | Content |
|---|---|
| Detection | Notice via monitoring / alerts |
| Triage | Judge severity / impact range |
| Response | Mitigation / recovery response |
| Communication | Stakeholder situation transmission |
| Resolution | Remove root cause |
| Post-mortem | Review and recurrence prevention |
Severity levels
Stage incident severity and vary response regime. Responding to all incidents at the same intensity exhausts personnel, so per-severity escalation is required.
| Level | Content | Response |
|---|---|---|
| SEV 1 | Total stop / major data loss | All hands, 24-hour response |
| SEV 2 | Major-feature failure | On-call + SRE immediate response |
| SEV 3 | Partial-feature failure | Respond within business hours |
| SEV 4 | Minor defect | Normal backlog |
Without pre-documenting severity-judgment criteria, judgment varies per site and chaos ensues.
On-call regime
On-call uses the same thinking as a fire-station rotation. Decide an on-call schedule covering 24/7, distribute load via rotation, and avoid concentration on a single person. Standard operational form for SRE organizations, treated as a central chapter in Googleâs SRE book.
| Design item | Content |
|---|---|
| Rotation | Weekly / bi-weekly is standard |
| Primary / Secondary | 2-stage backup |
| SLA | Within how many minutes for first response |
| Allowance | Compensation for nights / holidays |
| Handoff | Handover at shift change |
On-call is heavy load, so SREâs continuous effort is lowering on-call frequency via alert reduction and auto-recovery. Late-night calls 2+ times monthly is a sign of overload.
Promotion from alert to incident
Not all alerts are incidents. Many auto-recover or finish with response within business hours. Design discerning what should truly be an incident is needed.
| Situation | Response |
|---|---|
| Auto-recovery | Just record the alert |
| In-business-hours response possible | Create ticket |
| Immediate response needed | Declare incident |
| Severe damage | Major incident, all hands |
Incident declaration is an explicit act, flipping the switch of âstop normal operations and concentrate when declared.â
Command center (war regime)
For major incidents (SEV 1-2), launch an Incident Command Center (ICC) where all gather. Split roles for parallel work, clarifying âwhat to doâ for everyone.
| Role | Responsibility |
|---|---|
| Incident Commander (IC) | Overall command / decision |
| Operations Lead | Technical response |
| Communications Lead | Customer / internal communication |
| Scribe | Timeline recording |
Itâs important that IC doesnât make technical decisions, dedicating to overall situation grasp and decision-making. The division of labor leaving technical investigation to Operations Lead is efficient.
Notification and communication
Information transmission during incidents is as important as response itself. Without pre-deciding who, what, and when to communicate, info gets disparate among customers, management, and the field.
| Recipient | Content | Channel |
|---|---|---|
| Response team | Tech details / progress | Slack channel |
| Management | Impact range / ETA (Estimated Time of Arrival, recovery target time) | Email / Slack |
| Customers | Situation / recovery target | Status page |
| Support | FAQ / response template | Internal wiki |
Statuspage.io and Atlassian Statuspage are SaaS for customer-facing situation announcement, important tools maintaining trust during incidents.
Postmortems
Once an incident is resolved, always conduct review - the iron rule of Google SRE. Document âwhat happened,â âwhy it happened,â âhow to improveâ - turning into organizational asset.
| Item | Content |
|---|---|
| Overview | What, when, how much impact |
| Timeline | Time-of-day events |
| Root cause | Why it happened |
| Mitigation | Contents of first aid |
| Recurrence prevention | Permanent countermeasure |
| Improvement actions | Who by when |
The major principle is donât blame people (Blameless Post-mortem). Treat as system / process flaws, not individual fault.
Root cause analysis (RCA)
The technique of finding the true cause beyond surface causes is RCA (Root Cause Analysis). The â5 Whysâ of repeating âwhyâ 5 times is famous, but the reality in complex systems is combinations of multiple factors rather than single causes.
Symptom: DB went down
|- why? Connections overflowed
|- why? Connection leak in new feature
|- why? Not noticed in code review
|- why? Review viewpoints have no "connection management"
|- why? Review guide stayed oldThe true cause becomes the conclusion of flaw in review culture, not âcode bugâ - that becomes the improvement target.
Runbooks
Documented typical incident-response procedures are Runbooks. Write âif this alert fires, respond this way,â letting anyone respond at the same quality.
| Runbook contents | |
|---|---|
| Firing condition | Which alert |
| Initial check | What to verify |
| Diagnosis steps | Triage flow |
| Recovery steps | Commands to execute |
| Escalation criteria | When to whom |
Standard operation is placing in Notion / Confluence / Git repos, linked directly from alerts.
Decision criterion 1: org scale
Incident-response heaviness varies with scale. Small needs simplicity, large needs division-of-labor regime.
| Scale | Recommended |
|---|---|
| Startup | Slack + PagerDuty + Google Docs |
| Mid-size enterprise | PagerDuty + Statuspage + Notion |
| Large enterprise | ServiceNow / Jira Service Management |
| Global | Follow-the-Sun (relay daytime hours across regions) on-call regime |
Decision criterion 2: SLA strictness
Stricter customer SLA means stricter incident-response SLA.
| Customer SLA | Response regime |
|---|---|
| 99% | Business-hours response is enough |
| 99.9% | Night on-call needed |
| 99.95%+ | 24/7 dedicated SRE team |
| 99.99%+ | Per-region on-call + multi-layer SRE |
How to choose by case
Personal dev / small in-house tools
UptimeRobot + email/Slack notifications is enough. On-call regime unneeded, business-hours response OK. Place a simple Runbook in Notion to document personal knowledge and just prevent person-locking.
Startup / growth-stage SaaS
PagerDuty + Statuspage.io + Slack channel. 2-3 on-call weekly rotation, operate Blameless postmortems on Google Docs. Narrow SEV criteria to 3 stages (SEV 1/2/3) for simplicity.
Mid-size enterprise / microservices ops
PagerDuty / Opsgenie + Runbook as Code + game-day drills. Per-service on-call separation, Runbooks Git-managed with PR review, quarterly incident drills. SRE-dedicated team of 2-5 coordinates overall.
Finance / medical / global enterprise
ServiceNow / Jira Service Management + Follow-the-Sun + AIOps (AI for IT Operations). SEV 1 auto-notifies up to management, region-based on-call (Tokyo, Europe, North America) handoffs, regulator-reporting process also built in. Automate routine response with Resolve AI etc.
Incident-response numerical gates / SLA
Note: Industry baseline values as of April 2026. Will become outdated as technology and the talent market shift, so requires periodic updates.
Incident response doesnât function without numerically defining âwhat to do in how many minutes.â Below are industry-standard SLAs.
| Metric | SEV 1 | SEV 2 | SEV 3 | SEV 4 |
|---|---|---|---|---|
| First response (MTTA) | Within 5 min | Within 15 min | Within 1 hour | Next business day |
| Recovery (MTTR) target | Within 1 hour | Within 4 hours | Within 1 day | Within 1 week |
| Notification channel | PagerDuty + phone | PagerDuty | Slack | Jira |
| Escalation | Immediate + management | IC + OpsLead | On-call | In business hours |
| Postmortem | Required (within 1 week) | Required (within 2 weeks) | Optional | Unneeded |
| Status page | Immediate update | Update | As needed | Unneeded |
| Recurrence prevention | Company-wide rollout | Team rollout | Within team | - |
For on-call health metrics, late-night calls 2+ times monthly is a sign of overload, alert-firing rate 50%+ false positives means alert review, recurrence rate over 10% means revisiting postmortem quality. With AWSâs 4 golden signals (Latency / Traffic / Errors / Saturation) as basis, pre-define which SEV fires.
First response within 5 minutes is reliabilityâs lifeline. Systematize via Runbooks and on-call regime.
Incident-response pitfalls and forbidden moves
Typical accident patterns in incident response. All result in raising recurrence rate or exhausting the org.
| Forbidden move | Why itâs bad |
|---|---|
| Hunt for blame in postmortems | Hotbed of info-hiding, next incidents become invisible. Blameless is the rule |
| Leave everything to one veteran | Collapse on resignation, the 2019 US-major-bank insider-fraud pattern |
| Operate without on-call SLA | First response becomes hours, customer churn |
| Manage Runbooks in Word/PDF | Person-locked, irreproducible, AI canât run them |
| Leave SEV criteria to field judgment | Severity varies, response regime confused |
| Vague incident-declaration criteria | Either all-hands on every alert or missing major incidents - both extremes |
| Donât update status page | Customer-inquiry flood, trust collapse |
| No game-day drills | Canât move when SEV1 occurs, learning at first response |
| Postmortem written and done | Action items unimplemented, same incident recurs 3 months later |
| IC also does technical investigation | Canât grasp overall, response delayed |
| âVeteran fixing is fasterâ and person-lock | Collapse on resignation/vacation, org-wide response capability doesnât grow |
| âDo all recurrence-prevention measuresâ | Resources scatter, everything half-done; narrow to the 1-2 highest-impact measures |
The January 31, 2017 GitLab DB-deletion incident (engineer mistook prod and dev for rm -rf, 5 backup types all failed) is a case where the stance of livestreaming recovery work + publishing detailed postmortem - learning without hiding - was praised. In contrast, Uber 2016 data leak (initial concealment, paying attackers $100k for silence â subsequent litigation $148M settlement) showed the cost of concealment.
Incidents are on the premise of happening. Preparation to receive via mechanism and culture is everything.
AI decision axes
| AI-favored | AI-disfavored |
|---|---|
| AI-driven initial-diagnosis automation | Manual log analysis only |
| Code-ized Runbooks with auto-execution | Word / PDF Runbooks |
| AI-drafted postmortems | Manual timeline construction |
| Anomaly prediction and sign-detection | Post-hoc response only |
- Switch response regime by severity - pre-document SEV 1-4, donât respond to all incidents at same intensity
- Lower on-call load via alert reduction - 2+ late-night calls monthly is overload, prevent via auto-recovery
- Learn via Blameless postmortems - no blame-hunting, treat as system / process flaws
- Code-ize Runbooks and entrust to AI - routine response to AI, concentrate humans on judgment / recurrence prevention
AI automation of incident initial response
The initial response during incidents (identifying impact scope, collecting related logs, listing recent deploy changes) is an area AI can automate. Configurations where PagerDuty or OpsGenie alerts trigger AI to auto-execute the following are becoming widespread:
- Aggregate error logs from the last hour and generate a summary
- Retrieve recent deploy history and summarize changes
- Identify affected SLIs and notify via Slack
- Suggest Runbook execution if a matching one exists
AI covering the minutes it takes for the human on-call engineer to wake up and grasp the situation shortens MTTR.
AI generates postmortem drafts
Creating postmortems after incident response is time-consuming work involving timeline construction, impact-scope organization, and root-cause documentation. Passing Slack logs during incident response, alert history, and deploy logs to AI and auto-generating a postmortem draft (timeline, impact scope, direct cause, root cause, action-item proposals) significantly reduces documentation burden.
Humans review the AI-generated draft and focus on accuracy verification and action-item prioritization.
What to decide - what is your projectâs answer?
For each of the following, try to articulate your projectâs answer in 1-2 sentences. Starting work with these vague always invites later questions like âwhy did we decide this again?â
- Severity criteria (SEV 1-4 definitions)
- On-call regime (rotation, SLA)
- Notification tools (PagerDuty / Opsgenie)
- Command-center rules (declaration criteria, roles)
- Status page (customer info dissemination)
- Postmortem rules (Blameless, scope of disclosure)
- Runbook management (location, update rules)
Related Articles
https://en.senkohome.com/arch-intro-devops-devenv/ https://en.senkohome.com/arch-intro-devops-review/ https://en.senkohome.com/arch-intro-devops-slo/
Summary
This article covered incident response, including phases, SEV levels, on-call, command center, Blameless postmortems, Runbooks, and AIOps.
Switch regime by severity, lower on-call load via alert reduction, learn via Blameless postmortems, code-ize Runbooks and entrust to AI. That is the practical answer for incident response in 2026.
Next time weâll cover SRE practice (toil reduction, chaos engineering).
I hope youâll read the next article as well.
đ Series: Architecture Crash Course for the Generative-AI Era (65/89)