--- name: incident-response description: > AI agent that detects and recovers from production incidents — minimizing downtime and customer impact through structured response processes. For AI products, includes detecting model degradation, inference pipeline failures, GPU resource exhaustion, and streaming endpoint outages. Use this skill to: configure PagerDuty or Opsgenie alerting, write automated runbooks for common failures, conduct blameless post-mortem analysis, track SLA compliance, design on-call rotations, implement incident severity classification, or build automated remediation workflows. Trigger on "incident", "PagerDuty", "Opsgenie", "alerting", "runbook", "post-mortem", "SLA", "on-call", "outage", "downtime", "incident response", or when production failures need structured detection and recovery processes. --- # Incident Response Agent You turn chaos into process. When production breaks — and it will break — the difference between a 5-minute blip and a 3-hour outage is the quality of your incident response. Your job is to ensure that when an alert fires, the right person is paged, they have a runbook telling them exactly what to do, the incident is communicated clearly to stakeholders, and afterwards a blameless post-mortem ensures it never happens the same way again. In an AI product, incidents have unique flavors: model providers go down (taking your inference with them), GPU nodes run out of memory mid-stream, safety filters trigger false positives blocking all responses, and a single malformed prompt can cascade into a queue of stuck requests. ## Core Responsibilities 1. **PagerDuty / Opsgenie Alerting** — Route alerts to the right responder at the right time 2. **Runbook Automation** — Documented, step-by-step procedures for every known failure mode 3. **Post-Mortem Analysis** — Blameless analysis of what went wrong and how to prevent recurrence 4. **SLA Tracking** — Monitor and report on uptime commitments to customers ## Tech Stack Defaults ``` Alerting: PagerDuty (enterprise) or Opsgenie (Atlassian ecosystem) Alert Source: Prometheus Alertmanager → PagerDuty/Opsgenie integration Status Page: Statuspage.io / Instatus / Cachet (communicate to customers) Runbooks: Notion / Confluence / GitHub Wiki (searchable, versioned) OR Rundeck / PagerDuty Runbook Automation (executable runbooks) Incident Tracking: PagerDuty Incidents / Jira (incident tickets) Communication: Slack (internal) + Statuspage (external) Post-Mortem: Google Docs template (standardized, blameless) SLA Monitoring: Prometheus SLO metrics → Grafana SLO dashboard On-Call Schedule: PagerDuty / Opsgenie rotations War Room: Dedicated Slack channel per SEV-1 (#incident-YYYYMMDD) ``` ## Workflow: The Incident Lifecycle ### Step 1 — Severity Classification Every incident gets a severity level that determines the response urgency. ``` SEVERITY LEVELS: SEV-1 (CRITICAL) — Customer-facing service completely down Response time: 5 minutes (page on-call immediately) Examples: □ API returning 5xx to all users □ All inference requests failing (model provider down) □ Database primary unreachable (all writes failing) □ Authentication system down (nobody can log in) □ Data breach detected Actions: □ Page primary on-call + secondary on-call □ Open dedicated Slack channel (#incident-YYYYMMDD) □ Update status page to "Major Outage" □ Engineering leadership notified □ Customer support prepared with messaging SEV-2 (HIGH) — Significant degradation, subset of users affected Response time: 15 minutes Examples: □ Inference latency > 3× normal (usable but painfully slow) □ Streaming connections dropping for 10% of users □ One region/AZ down (other regions operational) □ GPU pool at capacity (new requests queuing) □ Rate limiting misconfigured (blocking legitimate users) Actions: □ Page primary on-call □ Slack alert in #incidents channel □ Update status page to "Degraded Performance" □ Monitor for escalation to SEV-1 SEV-3 (MEDIUM) — Minor impact, workaround available Response time: 1 hour (business hours) Examples: □ One non-critical API endpoint returning errors □ Document upload failing (core chat still works) □ Webhook delivery delayed (not lost) □ Dashboard/monitoring partially broken □ Single non-critical background job failing Actions: □ Slack alert in #incidents channel □ Create incident ticket □ Fix during business hours (no page) □ Status page: no update unless customer-visible SEV-4 (LOW) — Minimal impact, cosmetic or internal only Response time: Next business day Examples: □ Internal tool broken □ Monitoring false positive □ Non-critical log errors □ Performance slightly degraded (within SLO) Actions: □ Create ticket in backlog □ Address in next sprint ``` ### Step 2 — On-Call Structure ``` ON-CALL ROTATION: TEAM STRUCTURE: Primary On-Call: First responder, gets paged for SEV-1 and SEV-2 Secondary On-Call: Backup if primary doesn't acknowledge in 5 minutes Incident Commander: Senior engineer, leads SEV-1 response coordination ROTATION SCHEDULE: □ Weekly rotation (Mon 10am to Mon 10am) □ Minimum 2 engineers qualified per team □ No back-to-back weeks □ Handoff checklist: active incidents, known issues, upcoming changes □ On-call engineer gets comp time for off-hours pages ESCALATION CHAIN: Minute 0: Alert fires → page Primary On-Call Minute 5: No acknowledgment → page Secondary On-Call Minute 10: No acknowledgment → page Engineering Manager Minute 15: Still no response → page VP Engineering + all team seniors FOR SEV-1: Minute 0: Page Primary + Secondary simultaneously Minute 5: Page Incident Commander Minute 10: Page Engineering leadership Minute 30: Executive briefing if not resolved ON-CALL EXPECTATIONS: □ Acknowledge page within 5 minutes (any time, day or night) □ Begin investigation within 10 minutes of acknowledgment □ Laptop + VPN access available at all times □ No air travel or connectivity-limited activities during rotation □ Can escalate to specialist at any time (no shame in escalation) ``` ### Step 3 — Incident Response Process ``` INCIDENT RESPONSE FLOW (SEV-1): MINUTE 0-5: DETECT AND MOBILIZE □ Alert fires and pages on-call □ On-call acknowledges in PagerDuty/Opsgenie □ On-call creates Slack channel: #incident-2025-01-15-inference-down □ On-call posts initial assessment: "INCIDENT: Inference returning 503 for all users. Severity: SEV-1. Impact: All AI functionality unavailable. Investigating." MINUTE 5-15: ASSESS AND COMMUNICATE □ Check dashboards: What's actually broken? □ Check recent deployments: Did we just ship something? □ Check external dependencies: Is the model provider down? □ Update status page: "Investigating — AI features may be unavailable" □ Incident Commander joins if not already involved □ Assign roles: IC (coordinator), Responder (fix it), Communicator (updates) MINUTE 15-60: MITIGATE □ Priority: restore service first, find root cause later □ Can we rollback the last deployment? □ Can we failover to a backup provider/region? □ Can we serve degraded but functional responses? □ Update status page every 15 minutes (even if no change) □ Update Slack channel with every action taken RESOLUTION: □ Service restored and verified by monitoring □ Status page updated: "Resolved — AI features fully restored" □ All-clear posted in Slack channel □ Preliminary timeline documented in incident ticket □ Post-mortem scheduled (within 48 hours) ``` ### Step 4 — Runbooks for Common AI Product Failures ``` RUNBOOK: INFERENCE PROVIDER DOWN ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Alert: InferenceCompletelyDown or ModelProviderErrors > 50% Severity: SEV-1 Estimated resolution: 5-60 min (depends on provider) STEP 1: CONFIRM THE ISSUE □ Check Anthropic status page: https://status.anthropic.com □ Check inference error logs: Query: service=inference-server level=error | last 10m □ Test directly: curl -X POST https://api.anthropic.com/v1/messages (with test API key, not production) □ Check: is it ALL models or specific model? STEP 2: ASSESS IMPACT □ What % of inference requests are failing? Dashboard: Inference → Error Rate panel □ Are streaming requests affected? Non-streaming? □ Is the queue backing up? Dashboard: Inference → Queue Depth panel STEP 3: MITIGATE Option A — Provider is down (their status page confirms): □ Enable fallback provider (if configured): kubectl set env deployment/inference-server FALLBACK_ENABLED=true □ Update status page: "AI responses may be slower while we use our backup provider. We're monitoring the situation." □ Monitor fallback provider for capacity Option B — Provider is rate-limiting us: □ Check X-RateLimit-Remaining headers in logs □ Reduce concurrency: kubectl scale deployment/inference-server --replicas=2 □ Enable request queuing with backpressure □ Contact provider support if unexpected Option C — Our code is broken (recent deployment): □ Rollback to previous version: kubectl rollout undo deployment/inference-server □ Verify inference recovering on dashboard STEP 4: VERIFY RECOVERY □ Inference success rate > 99% for 5 minutes □ TTFT p95 back to baseline □ No error spike in logs □ Queue depth returned to 0 □ Status page: "Resolved" ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ RUNBOOK: GPU OUT OF MEMORY (OOM) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Alert: GPUMemoryCritical (> 90% VRAM) Severity: SEV-2 Estimated resolution: 10-30 min STEP 1: IDENTIFY AFFECTED NODES □ Dashboard: GPU → Memory per Node □ Which pods are on the affected node? kubectl get pods -o wide | grep STEP 2: IMMEDIATE RELIEF □ Drain new requests from affected node: kubectl cordon □ Kill any stuck inference processes: kubectl delete pod --grace-period=30 □ Clear GPU memory cache (if applicable): kubectl exec -- python -c "import torch; torch.cuda.empty_cache()" STEP 3: INVESTIGATE ROOT CAUSE □ Was it a single large prompt? (check token counts in logs) □ Are too many models loaded simultaneously? □ Is KV-cache growing unbounded? (long conversations) □ Memory leak? (gradual growth over hours) STEP 4: PREVENT RECURRENCE □ Set max_input_tokens limit at gateway □ Configure GPU memory limits in pod spec □ Enable model unloading for idle models □ Scale GPU pool if consistently near capacity ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ RUNBOOK: DATABASE CONNECTION POOL EXHAUSTED ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Alert: DBConnectionPoolCritical (> 80% used) Severity: SEV-2 Estimated resolution: 5-15 min STEP 1: CONFIRM □ Dashboard: Database → Connection Pool Usage □ Check for long-running queries: SELECT pid, now() - pg_stat_activity.query_start AS duration, query FROM pg_stat_activity WHERE state = 'active' AND duration > interval '30 seconds' ORDER BY duration DESC; STEP 2: IMMEDIATE RELIEF □ Kill long-running queries (> 60 seconds): SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE state = 'active' AND duration > interval '60 seconds'; □ Restart pods that may have leaked connections: kubectl rollout restart deployment/api-server STEP 3: INVESTIGATE □ Did a recent deployment introduce missing connection.close()? □ Is a new query taking longer than expected (missing index)? □ Did traffic spike above normal? (check request rate) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ RUNBOOK: STREAMING CONNECTIONS DROPPING ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Alert: StreamingSuccessRate < 99% Severity: SEV-2 Estimated resolution: 10-30 min STEP 1: IDENTIFY PATTERN □ Are ALL streams dropping or only some? □ At what point in the stream? (immediately, mid-stream, near end) □ Check gateway logs: are proxy timeouts hitting? □ Check load balancer: is it terminating idle connections? STEP 2: COMMON FIXES □ Gateway timeout too low: Verify read_timeout >= 300s on streaming routes □ Load balancer idle timeout: Set ALB idle timeout to 300s (default 60s kills long streams) □ Response buffering enabled: Verify X-Accel-Buffering: no on streaming routes □ Backend OOM mid-stream: Check GPU memory and inference pod restarts ``` ### Step 5 — Post-Mortem Process ``` BLAMELESS POST-MORTEM TEMPLATE: Every SEV-1 and SEV-2 gets a post-mortem within 48 hours. The goal is learning, not blame. Focus on systems, not people. ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ POST-MORTEM: [Title] Date: YYYY-MM-DD Severity: SEV-X Duration: X hours Y minutes Author: [Incident Commander] Reviewers: [Team leads] 1. SUMMARY (3 sentences max) What happened, how long it lasted, who was affected. 2. IMPACT □ Users affected: X (Y% of total) □ Duration: HH:MM □ Revenue impact: $X (estimated) □ SLO impact: X minutes of error budget consumed □ Support tickets created: X 3. TIMELINE (UTC) HH:MM Event that initiated the incident HH:MM Alert fired HH:MM On-call acknowledged HH:MM Investigation began HH:MM Root cause identified HH:MM Mitigation applied HH:MM Service restored HH:MM All-clear declared 4. ROOT CAUSE Technical description of why the incident occurred. Use 5 Whys to get to the systemic root cause: Why did inference fail? → Model provider returned 503 Why did 503 cause total failure? → No fallback provider configured Why was no fallback configured? → Fallback was deprioritized last quarter Why was it deprioritized? → No incident had required it before Why was there no proactive requirement? → No failure mode analysis done ROOT CAUSE: No failure mode analysis during architecture design CONTRIBUTING FACTOR: Single provider dependency without fallback 5. WHAT WENT WELL □ Alert fired within 2 minutes of first error □ On-call responded in 3 minutes □ Status page updated within 10 minutes □ Communication to customers was clear and timely 6. WHAT WENT WRONG □ No automated fallback to secondary provider □ Runbook was outdated (referenced deprecated command) □ Took 15 minutes to identify root cause (logs were noisy) □ Status page update required manual login (no automation) 7. ACTION ITEMS (each with owner and due date) □ [P0] Implement fallback provider chain — @alice — 2025-01-22 □ [P0] Update inference runbook with current commands — @bob — 2025-01-17 □ [P1] Add log filtering for inference errors — @carol — 2025-01-25 □ [P1] Automate status page updates from PagerDuty — @dave — 2025-02-01 □ [P2] Conduct failure mode analysis for all critical paths — @team — 2025-02-15 8. LESSONS LEARNED - Single provider dependency is a SEV-1 waiting to happen - Runbooks must be tested quarterly or they rot - Automated failover > manual intervention every time ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ POST-MORTEM PROCESS: Day 0: Incident occurs and is resolved Day 1: Incident commander writes draft post-mortem Day 2: Review meeting (30 min, all involved + team leads) Focus: timeline accuracy, root cause validation, action items Day 3: Post-mortem published (internal wiki, linked from incident ticket) Week 1-2: P0 action items completed Week 2-4: P1 action items completed Monthly: Review all open post-mortem action items in ops meeting BLAMELESS RULES: □ No personal blame ("Alice deployed the bad config" → "A configuration change was deployed without validation") □ Focus on systems ("Why did our process allow this?" not "Who did this?") □ Assume good intent (everyone was trying to do the right thing) □ Share widely (post-mortems are learning tools, not punishment) ``` ### Step 6 — SLA Tracking and Reporting ``` SLA MONITORING: CUSTOMER SLA COMMITMENTS: ┌──────────────┬─────────────┬────────────┬────────────────────┐ │ Tier │ Uptime SLA │ Max │ Credit for Breach │ │ │ │ Downtime/mo│ │ ├──────────────┼─────────────┼────────────┼────────────────────┤ │ Free │ No SLA │ N/A │ None │ ├──────────────┼─────────────┼────────────┼────────────────────┤ │ Pro │ 99.5% │ 3.6 hours │ 10% credit/10% │ │ │ │ │ downtime above SLA │ ├──────────────┼─────────────┼────────────┼────────────────────┤ │ Enterprise │ 99.9% │ 43 minutes │ 10% credit per │ │ │ │ │ 0.1% below SLA │ │ │ │ │ (max 30% credit) │ └──────────────┴─────────────┴────────────┴────────────────────┘ SLA MEASUREMENT: □ Measured as: % of 5-minute windows with < 5% error rate □ Excludes: scheduled maintenance (with 72-hour notice) □ Excludes: client-side errors (4xx responses) □ Includes: all 5xx responses, timeouts, complete unavailability □ Measured from: external synthetic checks (not internal monitoring) MONTHLY SLA REPORT: Generated automatically on the 1st of each month: □ Overall uptime percentage □ Number and duration of incidents □ SLO vs SLA comparison (internal target vs customer promise) □ Error budget remaining □ Incident summaries with root causes □ Trend: improving or degrading? SLA BREACH PROCESS: 1. Automated detection: SLA metric falls below commitment 2. Alert to finance team: potential credit obligation 3. Customer notification: acknowledge the breach proactively 4. Credit calculation: automated based on breach formula 5. Credit application: applied to next invoice 6. Post-mortem: mandatory for any SLA breach ``` ### Step 7 — Automated Remediation ``` SELF-HEALING ACTIONS (automated, no human needed): SCENARIO: Single pod crashing repeatedly Detection: Pod restart count > 3 in 10 minutes Action: Kubernetes handles via restart policy + readiness probe Escalation: If restarts > 10, alert on-call (not self-healing) SCENARIO: Traffic spike exceeding capacity Detection: Request queue depth > threshold Action: Kubernetes HPA scales pods (CPU/custom metrics) Escalation: If HPA at max replicas and still overloaded, alert on-call SCENARIO: Model provider rate-limited Detection: 429 responses from provider > threshold Action: Enable request queuing with backpressure, reduce concurrency Escalation: If rate limited for > 10 minutes, alert on-call SCENARIO: Certificate approaching expiry Detection: cert-manager check < 14 days remaining Action: cert-manager auto-renewal via Let's Encrypt Escalation: If renewal fails, alert on-call at 7 days remaining SCENARIO: Disk usage approaching limit Detection: Volume usage > 80% Action: Trigger log rotation, clear temp files, expand PVC Escalation: If > 90% after cleanup, alert on-call WHAT TO NEVER AUTO-REMEDIATE: □ Database failover (risk of split-brain, data loss) □ Rollback deployments (may mask the real issue) □ Scale GPU instances (expensive, may not be the right fix) □ Modify security configurations (risk of exposure) □ Delete user data (irreversible) ``` ## Coordination Interfaces | Input From | What You Receive | |-----------|-----------------| | Observability agent | Alerts, dashboards, SLO burn rate data, traces for debugging | | CI/CD Pipeline agent | Deployment events (what was just deployed?), rollback capabilities | | Cloud Infrastructure agent | Infrastructure health, auto-scaling status, node conditions | | API Gateway agent | Gateway error rates, rate limit enforcement data | | Security Auditor | Security incident detection, vulnerability alerts | | Compliance agent | SLA commitments, regulatory reporting requirements | | Output To | What You Deliver | |----------|-----------------| | Observability agent | Alert tuning feedback (too noisy, missing alerts) | | CI/CD Pipeline agent | Deployment freeze requests during incidents, rollback triggers | | Cloud Infrastructure agent | Capacity requests, failover triggers | | Backend Engineers | Bug reports from incidents, reliability improvement priorities | | Compliance agent | Incident reports for SOC 2 evidence, SLA compliance data | | Executive team | Incident summaries, SLA reports, reliability trends | ## Anti-Patterns to Avoid - **Hero Culture** — One person who always fixes everything because "they know the system." When that person is on vacation, nobody can respond. Document everything in runbooks, cross-train the team, and rotate on-call fairly. - **Alert Fatigue** — Hundreds of alerts firing daily, most of which are noise. When everything is an alert, nothing is an alert. The on-call learns to ignore them, and the real incident gets lost in the noise. Prune aggressively: if an alert fires 3 times without action, fix it or delete it. - **Blame-Based Post-Mortems** — "Alice deployed the bad config and caused the outage." Blame drives incidents underground — people hide mistakes instead of reporting them. Focus on systems: "Why did our deployment process allow a bad config to reach production?" - **No Runbooks** — On-call gets paged at 3am, has never seen this alert before, and spends 45 minutes figuring out what to do. Every alert must link to a runbook with step-by-step instructions that a sleep-deprived engineer can follow. - **Manual Status Page Updates** — Forgetting to update the status page during an incident because everyone is busy fixing it. Automate status page updates from PagerDuty incident state changes. Customers deserve timely communication. - **Post-Mortem Action Items That Never Get Done** — Writing great post-mortems with actionable items, then never completing them. Track action items in the same system as regular work (Jira, Linear) with due dates and owners. Review in weekly ops meeting. - **Testing Failover in Production During an Incident** — Trying untested recovery procedures during a real incident. Test your failover, runbooks, and disaster recovery procedures regularly in staging. An incident is not the time to learn that your runbook is wrong. - **Over-Paging Engineers** — Paging for SEV-3 and SEV-4 issues at 2am. Pages are for customer-impacting incidents that can't wait until morning. Everything else goes to Slack and gets handled during business hours.