Skip to content

Incident Response: from alert to postmortem

Key idea:

Six steps: (1) Declare the incident and set severity (SEV-1/2/3). (2) Assign an Incident Commander — they coordinate, they don't fix. (3) Open a dedicated channel (Slack/Zoom). (4) Stream updates to the status page every 30 min. (5) Fix → verify → resolve. (6) Postmortem within 48 hours: timeline, root cause, action items. A blameless culture is non-negotiable.

Below: details, example, related terms, FAQ.

Check your site →

Details

  • Severity matrix: SEV-1 (outage → all hands), SEV-2 (degradation), SEV-3 (minor)
  • Incident Commander coordinates, does not code — otherwise the team loses focus
  • Single source of truth: one channel (#inc-2026-04-18-db) + one doc
  • Internal vs external comms: status page + Twitter, no details until RCA
  • Postmortem: what happened, why, impact, action items (owner + due date)

Example

# Incident template (Slack)
:rotating_light: SEV-2 incident declared
**Impact**: 20% of API requests returning 500
**Started**: 14:23 UTC
**IC**: @alex
**Channel**: #inc-2026-04-18-db
**Status page**: https://status.example.com/i/abc123

# Updates every 30 min
14:23 Declared, investigating
14:38 DB connection pool exhausted
14:52 Rolled back deploy 07f2
15:02 Recovery confirmed, monitoring
15:30 Resolved, postmortem 2026-04-20

Related

TL;DR: How to Run an Incident Response

To run an effective incident response, follow a structured approach: identify the incident, contain it, eradicate the cause, recover systems, and conduct a post-incident review. Utilize frameworks like NIST SP 800-61 for guidance and tools like SIEM for monitoring. A typical incident response time should aim for less than 30 minutes for containment and under 24 hours for recovery.

Incident Identification and Containment

Identifying an incident is the first critical step in your incident response plan. Utilize monitoring tools such as Splunk or ELK Stack to detect anomalies in your systems. Key indicators of compromise (IoCs) include unusual logins, unexpected outbound traffic, or changes in file integrity. Once an incident is identified, immediate containment is crucial. This can involve isolating affected systems from the network.

For example, if a suspicious process is detected, use the following command to isolate a Linux server:

sudo iptables -A INPUT -s  -j DROP

This command blocks incoming traffic from a specific IP address, helping to prevent further damage. Additionally, ensure that you log all containment actions for later analysis.

Eradication, Recovery, and Post-Incident Analysis

After containment, the next step is eradication. This involves removing the root cause of the incident, which may include deleting malware, patching vulnerabilities, or changing compromised credentials. For instance, if a vulnerability in a web application is exploited, apply the relevant patches immediately. Use a command like:

sudo apt-get update && sudo apt-get upgrade

to update your system packages in a Debian-based environment.

Once eradication is complete, recovery can begin. This typically involves restoring systems from clean backups and monitoring them closely for any signs of residual issues. It’s important to validate that all systems are functioning normally before reconnecting them to the network.

Finally, conduct a post-incident analysis to review the incident response process. Document the timeline of events, the effectiveness of the response, and identify areas for improvement. Utilize frameworks such as the NIST Cybersecurity Framework to guide your analysis. Conducting this review not only improves your future incident response efforts but also helps in compliance with regulations such as GDPR or CCPA.

Score 0–100Unified site health score
SSL + SecuritySecurity and certificate status
PerformanceResponse speed and caching
SEO Signalsrobots.txt, sitemap, canonicals

Why teams trust us

100
point scale
SSL
SSL + HTTP headers
10+
scoring criteria
Free
no signup

How it works

1

Enter site URL

2

Analyse 10+ factors

3

Get overall score

What is Health Score?

Health Score is a comprehensive assessment of site technical health across 20+ parameters: SSL, security headers, response speed, SEO technical factors, and availability.

Comprehensive Score

20+ parameters in one number: SSL, headers, speed, SEO technical factors.

Detailed Breakdown

Each parameter with explanation — what is checked, what was found, how to fix.

Score Trends

Compare Health Score at different dates — see progress or regression.

Health Monitoring

Set up automated Health Score checks and get notified when the score drops.

Who uses this

Developers

quick pre-release audit

SEO

technical baseline score

Marketers

client site check

Security

header security audit

Common Mistakes

Ignoring red parametersA red parameter is a critical issue. Start fixing those, not the yellow ones.
Only checking homepageIssues may exist on subpages. Check key sections and landing pages.
Not re-checking after fixAfter each fix, rerun the check and verify the score improved.
Treating 80+ as good enoughAim for 95+. Every red item is a risk to SEO or security.

Best Practices

Fix by priorityRed > yellow > blue. Critical issues first.
Check regularlyWeekly Health Score check helps catch degradation before it affects SEO.
Use monitoringConnect an automated HTTP monitor — it will be the first to notice downtime.
Compare with competitorsCheck the Health Score of your nearest competitor — a great benchmark for prioritization.

Get more with a free account

Health Score check history and real-time site health monitoring.

Sign up free

Learn more

Frequently Asked Questions

Blameless postmortem?

Culture + a written standard. Focus on the system, not the person. "What let this bug happen?" instead of "who screwed up?"

How fast do I write the postmortem?

SEV-1: 48 hours. SEV-2: one week. SEV-3: optional. Timeboxing beats depth.

IR automation?

PagerDuty / Opsgenie — on-call routing. Jeli, incident.io — full incident platforms. Slack Workflow Builder for small teams.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.