---
name: incident-analysis
description: Analyze and resolve production incidents using systematic investigation, root cause analysis, and autonomous remediation
---

# Incident Analysis and Resolution Skill

This skill guides you through systematic incident response, from initial alert to resolution and documentation.

## When to Use This Skill

Use this skill when:
- Production system is degraded or failing
- Users are reporting issues or errors
- Metrics show abnormal behavior
- Need to investigate and resolve incidents autonomously

## Incident Response Workflow

**MANDATORY FIRST STEP:**

Before using any tools, use the Read tool to read:
`.claude/skills/incident-analysis/phases/triage.md`

This file contains Phase 1 instructions and will tell you which file to read next.

**DO NOT proceed with tool calls until you've read Phase 1.**

The complete workflow consists of 6 phases:

1. **Triage & Assessment** (2-5 min) → `phases/triage.md`
2. **Investigation** (5-10 min) → `phases/investigation.md`
3. **Root Cause Analysis** (2-5 min) → `phases/rca.md`
4. **Remediation Planning** (2-3 min) → `phases/remediation.md`
5. **Execution** (2-5 min) → `phases/execution.md`
6. **Communication & Documentation** (3-5 min) → `phases/documentation.md`

Each phase file contains the "Next Step" section that directs you to the next phase file.

## Available Tools

MCP servers provide the necessary tools:
- **monitoring-analysis** server - System metrics, log analysis, health checks
- **workflow-orchestration** server - Incident tickets, remediation, notifications

Tools are available throughout all phases as needed.

## Key Principles

**Progressive Disclosure:** The phase files reveal detailed instructions progressively. Read each phase file in sequence - do not skip ahead or assume you know what to do.

**Autonomous Execution:** Make decisions based on evidence. Take action. Show reasoning.

**TodoWrite:** Create todos at start for all 6 phases. Update status as you progress.

## Success Criteria

Incident is resolved when:
- ✅ Root cause identified with 90%+ confidence
- ✅ Remediation executed and verified
- ✅ Metrics returned to baseline
- ✅ No new errors occurring
- ✅ Team notified and documented