Confirm the incident is real, capture initial diagnostic data, and assess immediate user impact. The first responder provides ground truth — what's actually happening, not what dashboards suggest might be happening.

Incident Commander

Take ownership of the incident, classify severity, assess blast radius, and coordinate the response. The incident commander is the single point of authority — decisions flow through them to avoid confusion during high-pressure situations.

InvestigateAuto review

Root cause analysis, log analysis, and timeline reconstruction

Hats

Investigator

Reconstruct the incident timeline, form and test root cause hypotheses, and distinguish the root cause from contributing factors. Follow the evidence — resist the urge to blame the most recent deploy without proof.

Log Analyst

Deep-dive into logs, metrics, and traces to find concrete evidence supporting or refuting root cause hypotheses. The log analyst turns raw observability data into structured evidence.

Requires: incident-brief from Triage

MitigateAsk review

Apply immediate fixes to stop the bleeding — rollbacks, feature flags, scaling

Hats

Mitigator

Apply the fastest safe action to stop user-facing impact — rollback, feature flag, scaling, or hotfix. Speed matters, but so does not making things worse. Every action must be reversible.

Verifier

Confirm the mitigation actually stopped the user-facing impact. Use the same signals that detected the incident — if error rates triggered the alert, error rates should confirm the fix. Trust metrics, not assumptions.

Requires: root-cause from Investigate

ResolveAsk review

Implement permanent fix with proper testing and review

Hats

Engineer

Implement the permanent fix that addresses the root cause, not just the symptom. Write regression tests that would catch this failure mode. The mitigation bought time — now use it to do the job properly.

Reviewer

Review the permanent fix for correctness, completeness, and safety. Verify it addresses the root cause, not just the trigger. Ensure regression tests are meaningful and the deployment plan is sound.

Requires: mitigation-log from Mitigate

PostmortemExternal review

Document timeline, root cause, action items, and prevention measures

Hats

Action Item Tracker

Extract concrete, actionable follow-up items from the postmortem and ensure each one has an owner, priority, and tracking mechanism. Action items without owners are wishes, not commitments.

Postmortem Author

Write a blameless postmortem that tells the full story — what happened, why, how it was caught, how it was fixed, and what will prevent recurrence. The postmortem is for organizational learning, not individual accountability.

Requires: resolution-summary from Resolve

Incident Response Studio

Incident response lifecycle for managing production incidents from initial triage through root cause investigation, mitigation, full resolution, and postmortem documentation. Optimized for fast response with structured follow-through. Uses git persistence because incidents often result in code fixes.