원클릭으로
incident-response
Structured incident investigation and resolution
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Structured incident investigation and resolution
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Create Architecture Decision Record
Design API contracts with OpenAPI specifications
Assess architecture decisions tradeoffs and edge cases
Design database schemas with migrations and repository interfaces
Break requests into parallel tasks for team execution
Audit dependencies for vulnerabilities and plan upgrades
| name | incident-response |
| description | Structured incident investigation and resolution |
| allowed-tools | Read, Edit, Write, Bash, Glob, Grep |
Structured workflow for investigating production incidents, identifying root causes, implementing fixes, and writing post-mortems. Speed matters -- follow the steps in order but don't over-analyze before acting.
Immediately determine the scope and severity of the incident:
| Question | How to Answer |
|---|---|
| Which tenants are affected? | Check error logs filtered by tenant_id, check monitoring dashboards |
| What functionality is broken? | Check health endpoints, test critical paths, review error types |
| When did it start? | Check deploy timestamps, metric anomaly detection, first error log |
| Is it getting worse? | Check error rate trend over last 15 minutes |
| Is there a workaround? | Assess if affected users can use alternative paths |
Severity Classification:
| Severity | Criteria | Response |
|---|---|---|
| SEV-1 | Service down, data loss, security breach, all tenants affected | All hands, continuous updates every 15 min |
| SEV-2 | Major feature broken, significant tenant subset affected | Dedicated team, updates every 30 min |
| SEV-3 | Minor feature degraded, few tenants affected | Next business day, update on resolution |
| SEV-4 | Cosmetic issue, no functionality impact | Backlog, fix in next sprint |
Output: Impact assessment with severity, affected tenants/features, and timeline.
Gather all available diagnostic data BEFORE making changes:
Logs:
# Recent error logs (adjust for your logging system)
# Filter by time window, error level, and affected service
Look for:
Metrics:
Traces:
Recent Changes:
# Recent deployments
git log --oneline --since="24 hours ago"
# Recent config changes
# Check deployment pipeline logs
# Recent infrastructure changes
# Check Terraform/Kubernetes change logs
Output: Evidence document with logs, metrics, traces, and timeline.
Use the 5 Whys methodology to dig past symptoms to the root cause:
Problem: Users getting 500 errors on /api/v1/projects
Why? -> Project service is returning errors
Why? -> Database queries are timing out
Why? -> Connection pool is exhausted
Why? -> A migration added a long-running query without an index
Why? -> Migration review process didn't include EXPLAIN ANALYZE
Root Cause: Missing index on new column, migration review gap
Rules:
Common root cause categories:
Output: Root cause analysis with 5 Whys chain and contributing factors.
Apply the MINIMUM change needed to resolve the incident:
Rules:
Fix Checklist:
[ ] Fix is minimal and targeted (no refactoring, no extra changes)
[ ] Fix addresses the root cause (not just the symptom)
[ ] Test suite passes with the fix
[ ] Fix has been tested in staging
[ ] Rollback plan documented
Before deploying to production:
If the fix can't be verified in staging (data-specific issue), document the risk and get approval before deploying to production.
Deploy the fix to production with enhanced monitoring:
Deployment Checklist:
[ ] Fix deployed to production
[ ] Enhanced monitoring in place (watch error rate, latency)
[ ] Watch for 15 minutes post-deploy
[ ] Error rate returned to baseline
[ ] Latency returned to baseline
[ ] No new error types appearing
[ ] Affected tenants verified working
Watch period: Minimum 15 minutes for SEV-1/SEV-2, 5 minutes for SEV-3/SEV-4.
Create a blameless post-mortem document:
## Post-Mortem: [Incident Title]
### Date: YYYY-MM-DD
### Severity: SEV-X
### Duration: X hours Y minutes
### Author: [Name]
### Summary
[1-2 sentence description of what happened]
### Impact
- **Tenants affected**: X (Y% of total)
- **Duration**: HH:MM to HH:MM UTC
- **User-facing impact**: [What users experienced]
- **Data impact**: [Any data loss or corruption]
### Timeline (UTC)
| Time | Event |
|------|-------|
| HH:MM | First error logged |
| HH:MM | Alert fired |
| HH:MM | Investigation started |
| HH:MM | Root cause identified |
| HH:MM | Fix deployed to staging |
| HH:MM | Fix deployed to production |
| HH:MM | Incident resolved |
### Root Cause
[5 Whys analysis]
### Contributing Factors
- [Factor 1]
- [Factor 2]
### What Went Well
- [Positive aspect 1: e.g., "Alerting caught the issue within 2 minutes"]
- [Positive aspect 2]
### What Could Be Improved
- [Improvement 1]
- [Improvement 2]
### Action Items
| Action | Owner | Due Date | Status |
|--------|-------|----------|--------|
| Add missing index | @dev | YYYY-MM-DD | TODO |
| Add EXPLAIN ANALYZE to migration review checklist | @team | YYYY-MM-DD | TODO |
| Add monitoring for connection pool exhaustion | @devops | YYYY-MM-DD | TODO |
| Add integration test for this scenario | @tester | YYYY-MM-DD | TODO |
### Lessons Learned
[Key takeaways for the team]
Write post-mortem to docs/spec/.llm/completed/postmortem-YYYY-MM-DD-short-description.md.