Six steps: (1) Declare the incident and set severity (SEV-1/2/3). (2) Assign an Incident Commander — they coordinate, they don't fix. (3) Open a dedicated channel (Slack/Zoom). (4) Stream updates to the status page every 30 min. (5) Fix → verify → resolve. (6) Postmortem within 48 hours: timeline, root cause, action items. A blameless culture is non-negotiable.
Below: details, example, related terms, FAQ.
Free online tool — health checker: instant results, no signup.
# Incident template (Slack)
:rotating_light: SEV-2 incident declared
**Impact**: 20% of API requests returning 500
**Started**: 14:23 UTC
**IC**: @alex
**Channel**: #inc-2026-04-18-db
**Status page**: https://status.example.com/i/abc123
# Updates every 30 min
14:23 Declared, investigating
14:38 DB connection pool exhausted
14:52 Rolled back deploy 07f2
15:02 Recovery confirmed, monitoring
15:30 Resolved, postmortem 2026-04-20To run an effective incident response, follow a structured approach: identify the incident, contain it, eradicate the cause, recover systems, and conduct a post-incident review. Utilize frameworks like NIST SP 800-61 for guidance and tools like SIEM for monitoring. A typical incident response time should aim for less than 30 minutes for containment and under 24 hours for recovery.
Identifying an incident is the first critical step in your incident response plan. Utilize monitoring tools such as Splunk or ELK Stack to detect anomalies in your systems. Key indicators of compromise (IoCs) include unusual logins, unexpected outbound traffic, or changes in file integrity. Once an incident is identified, immediate containment is crucial. This can involve isolating affected systems from the network.
For example, if a suspicious process is detected, use the following command to isolate a Linux server:
sudo iptables -A INPUT -s -j DROPThis command blocks incoming traffic from a specific IP address, helping to prevent further damage. Additionally, ensure that you log all containment actions for later analysis.
After containment, the next step is eradication. This involves removing the root cause of the incident, which may include deleting malware, patching vulnerabilities, or changing compromised credentials. For instance, if a vulnerability in a web application is exploited, apply the relevant patches immediately. Use a command like:
sudo apt-get update && sudo apt-get upgradeto update your system packages in a Debian-based environment.
Once eradication is complete, recovery can begin. This typically involves restoring systems from clean backups and monitoring them closely for any signs of residual issues. It’s important to validate that all systems are functioning normally before reconnecting them to the network.
Finally, conduct a post-incident analysis to review the incident response process. Document the timeline of events, the effectiveness of the response, and identify areas for improvement. Utilize frameworks such as the NIST Cybersecurity Framework to guide your analysis. Conducting this review not only improves your future incident response efforts but also helps in compliance with regulations such as GDPR or CCPA.
Health Score is a comprehensive assessment of site technical health across 20+ parameters: SSL, security headers, response speed, SEO technical factors, and availability.
20+ parameters in one number: SSL, headers, speed, SEO technical factors.
Each parameter with explanation — what is checked, what was found, how to fix.
Compare Health Score at different dates — see progress or regression.
Set up automated Health Score checks and get notified when the score drops.
quick pre-release audit
technical baseline score
client site check
header security audit
Health Score check history and real-time site health monitoring.
Sign up freeCulture + a written standard. Focus on the system, not the person. "What let this bug happen?" instead of "who screwed up?"
SEV-1: 48 hours. SEV-2: one week. SEV-3: optional. Timeboxing beats depth.
PagerDuty / Opsgenie — on-call routing. Jeli, incident.io — full incident platforms. Slack Workflow Builder for small teams.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.