Incident Response Plan: A Step-by-Step Guide for Web Teams
Why You Need an Incident Response Plan
Incidents happen. Servers crash, deployments break production, databases corrupt, certificates expire, DNS propagation fails, and DDoS attacks hit at 3 AM. The difference between teams that handle incidents well and teams that spiral into chaos is not technical skill — it is preparation.
An incident response plan (IRP) is a documented process that defines what happens when something goes wrong. It covers who is responsible, how communication flows, what actions to take at each stage, and how to learn from the incident afterward. Without one, every outage becomes an ad-hoc scramble where critical steps are forgotten, communication breaks down, and recovery takes far longer than necessary.
Incident Severity Levels
Not all incidents are equal. Define severity levels so the team knows how urgently to respond:
| Level | Name | Definition | Response Time | Example |
|---|---|---|---|---|
| SEV-1 | Critical | Complete service outage, data loss, security breach | Immediate (minutes) | Site down, database compromised |
| SEV-2 | Major | Significant degradation, major feature broken | Within 30 minutes | Payment processing failing, 50% error rate |
| SEV-3 | Minor | Partial degradation, workaround available | Within 2 hours | Slow page loads, one API документацию endpoint failing |
| SEV-4 | Low | Cosmetic issues, minor bugs | Next business day | UI glitch, non-critical feature broken |
Incident Response Roles
Clear roles prevent confusion during high-stress situations:
- Incident Commander (IC) — owns the incident from detection to resolution. Makes decisions, delegates tasks, and maintains the timeline. Does NOT do the technical debugging — their job is coordination
- Technical Lead — leads the investigation and fix. Communicates findings to the IC. May delegate specific tasks to other engineers
- Communications Lead — manages external communication: status page updates, customer notifications, social media responses. Keeps stakeholders informed without interrupting the technical team
- Scribe — documents everything in real time: timeline of events, actions taken, decisions made. This becomes the foundation of the post-incident review
For small teams, one person may cover multiple roles, but the IC and Technical Lead should always be separate people. The person debugging cannot simultaneously coordinate the response.
Phase 1: Detection
The faster you detect an incident, the less damage it causes. Detection sources:
- Automated monitoring — uptime checks, error rate alerts, latency thresholds. Tools like Enterno.io can detect downtime within minutes and notify your team via email, Slack, Telegram, or webhook
- Synthetic monitoring — scheduled checks that simulate user actions
- Real user monitoring (RUM) — client-side performance and error data
- Customer reports — support tickets, social media complaints
- Internal team reports — someone notices something is wrong during routine work
Goal: detect incidents within 5 minutes of onset. Customer reports mean your monitoring failed.
Phase 2: Triage and Assessment
Once detected, quickly assess the incident:
- What is the impact? (users affected, revenue impact, data at risk)
- What is the severity level?
- What is the likely scope? (single service, entire platform, specific region)
- Is it getting worse or stable?
Decision: assign severity, activate the IRP, designate the IC, and notify the on-call team.
// Example: Slack alert template for incident declaration
🚨 INCIDENT DECLARED
Severity: SEV-2
Summary: Payment API returning 500 errors for ~30% of requests
Impact: Users cannot complete purchases
IC: @jane
Tech Lead: @bob
Channel: #incident-20250315
Status Page: Updated to "Degraded Performance"Phase 3: Containment
Stop the bleeding before finding the root cause:
- Rollback — if the incident correlates with a recent deployment, roll back immediately. This is the fastest fix for deployment-related incidents
- Isolate — if one service is causing cascading failures, isolate it (circuit breaker, feature flag, DNS change)
- Scale — if traffic is the problem, scale up capacity (autoscaling, additional servers, CDN rules)
- Block — if under attack, block malicious traffic (WAF rules, IP blocking, rate limiting)
- Redirect — switch traffic to a backup system, failover region, or static maintenance page
The goal of containment is not to fix the problem permanently — it is to reduce impact immediately. A perfect fix that takes 2 hours is worse than a quick workaround that restores service in 10 minutes.
Phase 4: Resolution
With the immediate impact contained, work on the actual fix:
- Identify the root cause through logs, metrics, and traces
- Implement and test the fix in a staging environment if possible
- Deploy the fix with enhanced monitoring
- Verify the fix resolves the issue (check error rates, latency, user reports)
- Remove any temporary containment measures that are no longer needed
Phase 5: Communication
Communication happens throughout the incident, but escalates in this phase:
- Status page — update at every phase change (investigating, identified, monitoring, resolved)
- Internal updates — every 30 minutes during active incidents, or immediately at phase changes
- Customer communication — for SEV-1/SEV-2, proactive email to affected customers explaining impact and ETA
- Executive summary — brief update for leadership on business impact and timeline
// Status page update template
Title: Payment Processing Degraded
Status: Identified
Update: We have identified the root cause as a database
connection pool exhaustion following a traffic spike.
A fix has been deployed and we are monitoring recovery.
Estimated full resolution: 30 minutes.
Posted: 2025-03-15 14:30 UTCPhase 6: Post-Incident Review
The most important phase — and the most often skipped. Within 48 hours of resolution, hold a blameless post-incident review (also called a retrospective or post-mortem):
- Timeline — reconstruct exactly what happened, when, and what actions were taken
- Root cause analysis — use the "5 Whys" technique to dig beyond the immediate trigger
- What went well — what parts of the response worked? Which monitoring caught it early? Which runbooks were helpful?
- What went wrong — where did the response break down? What information was missing? What took too long?
- Action items — concrete, assigned, time-bound improvements to prevent recurrence
Key principle: blameless. The review examines systems and processes, not individuals. "Why did the system allow this?" not "Who caused this?"
Building Your IRP Checklist
Essential components of a complete incident response plan:
- Severity level definitions with response time SLAs
- On-call rotation schedule and escalation paths
- Role definitions (IC, Tech Lead, Comms Lead, Scribe)
- Communication templates for status page, email, and Slack
- Runbooks for common incident types (deployment failure, database outage, DDoS, certificate expiry)
- Access requirements — ensure on-call engineers have production access BEFORE an incident
- War room procedures — dedicated Slack channel, video call link, shared dashboard
- Post-incident review template and scheduling process
Conclusion
An incident response plan transforms chaotic firefighting into a structured, repeatable process. Define your severity levels, assign clear roles, document your runbooks, and practice regularly. Invest in monitoring (with tools like Enterno.io) so detection is fast. And never skip the post-incident review — it is how teams get better at handling the incidents that will inevitably come.
Check your website right now
Check now →