Guide to incidents in production without the hype

When the pager rings at 3:17, nobody needs a speech. It needs a production incident guide that works under pressure, with clear roles, reliable signals and real ability to reduce impact while the system is still bleeding. The most expensive mistake is not the bug. It's the improvisation of a team that until then operated on the "we turn around" way.

Production incident is not only total unavailability. In SaaS, the damage usually starts earlier: p99 goes up, queues accumulate, database goes into containment, cache loses efficiency, external integrations degrade and support starts to receive signals of the problem before observability. If the answer depends on heroes, the system is already too expensive to operate.

What a production incident guide needs to resolve

A good guide is not a pretty document for auditing. It's an operational tool. It exists to reduce detection time, decision time and recovery time. If it doesn't help these three points, it's red tape.

In practice, this guide needs to answer simple questions. Who takes over coordination? Who investigates? Who's communicating? What time is rollback better than partial mitigation? When is it worth degrading functionality to preserve the core of the product? Without it, every incident becomes an assembly.

It also needs to reflect the actual architecture, not the architecture of the diagram. If the recurring bottleneck is in a specific reading in the database, in a consumer who saturates CPU or in a third-party dependency without correct timeout, the guide should incorporate this context. Generic Playbook does not save specific environment.

Before the incident: the answer starts in the operational drawing

Mature times treat incidents as part of the operation, not as an unlikely exception. This changes the way you prepare stack, monitoring and routine. The first step is to define what really matters. Not every alert deserves a pager. If everything alerts, nothing alerts.

The minimum cut-off usually includes critical journey SLOs, user symptom-based alerts and not only infrastructure, dependency service dashboards, and basic deploy audit trail. Latence without context deceives. High CPU without correlation with queue, throughput and error as well. The goal is not to collect metrics. It's seeing causality under pressure.

Another neglected point is access. On a lot of teams, the incident scale and no one is allowed to act. It waits for each other to approve access to the cluster, database, cloud provider or observability tool. In production, this type of bottleneck is process failure, not security. Control is necessary. Operational lockdown, no.

Runbooks help, but only when they're short and tested. A useful runbook tells you where to look first, what hypotheses to prioritize, what commands to execute, what risks there are in each action and in which condition to scale. If you need 20 minutes to understand the text, it failed.

Rating: severity cannot be opinion

Much of the confusion during incidents comes from bad classification. When severity is defined in the scream, the team loses energy discussing label as impact grows. The criterion needs to be objective and connected to the business.

If a critical payday has fallen for all users, the severity is high. If there is localized degradation with acceptable workaround, the response may be different. If the problem affects an enterprise client with a specific SLA, this goes into the calculation. The point is not to create a huge matrix. It's removing ambiguity.

A simple classification usually works better: user impact, coverage, estimated duration and risk of climbing. With this, the team defines itself as active war room, who enters the call and what cadence of communication to follow. Less debate, more execution.

Driving the incident: fewer people opining, more people operating

During the incident, role clarity is worth more than diffuse seniority. The incident commander coordinates. You're not necessarily the most senior person on the team or anyone who knows the broken component. It's who can keep focus, record decisions, organize investigation and avoid parallel chaos.

At the same time, someone needs to be the technical driver of mitigation. This person tests hypotheses, validates metrics, performs rollback, adjusts feature flag, drains traffic, workload scale, or active fallback. Mixing command with execution usually goes bad, because those who operate lose vision of the whole and those who coordinate go into too much detail.

Communication also needs owner. When no one takes over, three versions of the same incident appear on different channels. For customer, support and leadership, it destroys trust. The good message is short: impact, scope, action in progress, next update. No speculating causes root before there's evidence.

The technical flow that usually works

Every serious incident calls for a disciplined sequence. First, confirm symptom and extension. Is the error in frontend, API, queue, database, external provider or recent deploy? Then stabilize. Not always fixing fast is the best first move. Often, rollback, traffic limitation, feature deactivation or reduction of competition resolve the immediate impact.

Then comes the hypothesis-oriented investigation. Has anything changed in the last few minutes? Was there deploy, secret rotation, configuration change, abrupt load increase, cardinality growth in metrics, database lock, connection pool saturation, integration error? No explicit hypothesis, the team only sails dashboard.

Finally, record the timeline. Looks like detail, but it's not. During the incident, memory fails. Without minimal timeline, postmortem becomes inaccurate reconstruction and makes room for opinion transvestite indeed.

Where SaaS teams make the most mistakes

The classic error is to rely too much on infrastructure alert and less on actual user experience. Service may be "standing" and yet unusable, with p95 acceptable and p99 destroyed on critical routes. Another frequent mistake is to ignore non-obvious dependencies, such as asynchronous job that congests database and degrades online traffic.

It's also common to see teams treating rollback as shame. It's not. If the deploy made the scene worse, coming back is discipline. The problem is when the pipeline does not allow safe rollback, migrations are irreversible or the configuration is out of control. Then the incident reveals old operational debt.

There is still the case of the excess of people on the call. Ten people discussing hypothesis in parallel rarely accelerate recovery. Normally, they create noise, duplicate action and make someone execute command without alignment. Incident requires clear channel, clear command and clear log.

Postincident: learning without witch hunting

If the postmortem ends in "lack of attention," it's useless. Useful root cause is specific and actionable. It can be poorly configured timeout between services, absence of circuit breaker, Query without index, bad threshold alarm, deploy without canary, queue without backpressure or observability unable to separate symptom of cause.

The good postincident works in layers. The immediate trigger matters, but systemic factors matter more. Why did the problem go through a review? Why didn't you show up on staging? Why was the alert late? Why did mitigation depend on a person? That's the kind of question that elevates operational maturity.

Not all corrective action should become a project of months. Some have immediate feedback: improving critical journey dashboard, creating rollback runbook, reviewing pool limits, introducing feature flag, defining communication owner, testing failover. Others require greater investment, such as sharing databases, reviewing queue architecture or redesigning workload isolation. The point is to prioritize for real risk, not technical fascination.

How to evolve this guide without turning heavy process

A production incident guide needs to be light enough to be used and strong enough to sustain a stress operation. This requires continuous review based on actual incidents. Each relevant event should update some part of the team's operating system: alert, runbook, ranking, access, automation or communication flow.

Mature appears when the team stops depending on individual memory. When the new on-call can follow protocol without locking. When rollback is safe. When the dashboard answers the right question. When the CTO doesn't need to go into every crisis to unlock execution. It is at this point that reliability ceases to be heroic effort and becomes repeatable capacity.

For growing SaaS companies, this work usually competes with roadmap. Only that recurring incident also consumes roadmap, only in the most expensive way possible: interrupts sprint, corrupts confidence, push churn and wears good team. The choice is not between delivering product or structuring operation. Without mature operation, the product itself loses speed.

If your environment still depends on individual talent to cross at dawn, the problem is not only in the incident. It's in the system that allows it to repeat itself. A good guide does not eliminate crisis. It prevents every crisis from becoming improvised.

← All posts