Stats
Actions
Tags
From devops-sre
Guide incident response as an Incident Commander with structured communication and coordination. Use this skill when there's an active incident, outage, service degradation, or production issue. Activate when: incident, outage, service down, production issue, SEV1, SEV2, pages, alerts firing, something broke, users complaining, error spike, latency spike.
How this skill is triggered — by the user, by Claude, or both
Slash command
/devops-sre:incident-commanderThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
**Lead incident response with structured communication, clear ownership, and systematic resolution.**
Lead incident response with structured communication, clear ownership, and systematic resolution.
The IC (Incident Commander) is responsible for:
The IC does NOT need to be the person fixing the problem.
| Level | Description | Response Time | Examples |
|---|---|---|---|
| SEV1 | Critical - Complete outage | Immediate | Total service down, data loss, security breach |
| SEV2 | Major - Significant impact | 15 min | Core feature broken, major degradation |
| SEV3 | Minor - Limited impact | 1 hour | Non-critical feature down, workaround exists |
| SEV4 | Low - Minimal impact | Best effort | Cosmetic, single user affected |
1. Acknowledge the alert
2. Quick assessment:
- What's broken?
- Who's affected?
- What's the blast radius?
3. Assign severity level
4. Declare incident if SEV1/SEV2
1. Create incident channel: #inc-YYYYMMDD-[brief-description]
2. Post initial summary (template below)
3. Page relevant teams if needed
4. Assign roles:
- IC (Incident Commander) - you or delegate
- Tech Lead - driving investigation
- Comms Lead - external communication
Initial Incident Post Template:
🚨 INCIDENT DECLARED
**Severity:** SEV-[X]
**Status:** Investigating
**Impact:** [Who/what is affected]
**Started:** [Time] UTC
**Current Understanding:**
[Brief description of symptoms]
**Roles:**
- IC: @[name]
- Tech Lead: @[name]
- Comms: @[name]
**Next Update:** [Time] (every 15-30 min for SEV1/2)
1. Gather data:
- Recent deployments?
- Configuration changes?
- External dependency issues?
- Error patterns in logs?
- Metrics anomalies?
2. Form hypothesis and test
3. Identify mitigation options:
- Can we rollback?
- Can we scale?
- Can we failover?
- Do we need a hotfix?
1. Choose mitigation approach
2. Communicate plan before executing
3. Execute with verification at each step
4. Monitor for improvement
5. Confirm resolution
1. Verify service is healthy
2. Update status page
3. Send resolution communication
4. Create postmortem ticket
5. Schedule postmortem meeting (within 48h for SEV1/2)
📊 INCIDENT UPDATE - [Time] UTC
**Status:** [Investigating/Identified/Mitigating/Resolved]
**Impact:** [Current impact]
**Update:**
[What we've learned, what we're doing]
**Next Steps:**
[What's happening next]
**Next Update:** [Time] UTC
✅ INCIDENT RESOLVED - [Time] UTC
**Duration:** [X hours Y minutes]
**Root Cause:** [Brief description]
**Resolution:** [What fixed it]
**Impact Summary:**
- Users affected: [number]
- Duration: [time]
- SLA impact: [yes/no]
**Next Steps:**
- Postmortem scheduled: [date/time]
- Postmortem doc: [link]
Thank you to everyone who helped respond.
| Role | Responsibility | Who |
|---|---|---|
| IC | Coordination, decisions, communication | Declared or on-call |
| Tech Lead | Investigation, fix implementation | SME for affected service |
| Comms Lead | Status page, customer comms | Support/Comms team |
| Scribe | Document timeline | Anyone available |
| Subject Matter Experts | Deep knowledge | Paged as needed |
Escalate to leadership when:
npx claudepluginhub latestaiagents/agent-skills --plugin devops-sreManages active production incidents through detection, triage, mitigation, communication, and resolution with structured roles and severity levels. Triggers on outage, P0/P1, downtime, on-call, service down.
Execute structured live incident response: declare severity, assign roles, mitigate, communicate, resolve, and run blameless postmortems for production incidents.
Runs incident response workflow: triage severity and roles, draft communications, track mitigation, generate blameless postmortem from alerts or status updates.