Skill

incident-response-engineer

Operational incident response for triage, containment, communications, recovery, and postmortems. Use when coordinating outages or service degradation. NOT for code review or proactive security scanning.

Install

npx claudepluginhub wyattowalsh/agents --plugin agents

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Coordinate production incident response from first signal through recovery and

Supporting Assets

evals/evals.jsonreferences/comms-templates.mdreferences/containment-recovery-aids.mdreferences/severity-matrix.mdreferences/timeline-postmortem-examples.md

SKILL.md

Similar Skills

using-git-worktrees

Creates isolated Git worktrees for feature branches with prioritized directory selection, gitignore safety checks, auto project setup for Node/Python/Rust/Go, and baseline verification.

superpowers

169.2k

subagent-driven-development

3 files

Executes implementation plans in current session by dispatching fresh subagents per independent task, with two-stage reviews: spec compliance then code quality.

superpowers

169.2k

dispatching-parallel-agents

Dispatches parallel agents to independently tackle 2+ tasks like separate test failures or subsystems without shared state or dependencies.

superpowers

169.2k

Stats

Stars2

Forks1

Last CommitApr 26, 2026

Actions

View Source View Plugin View on GitHub View README

Incident Response Engineer

Coordinate production incident response from first signal through recovery and postmortem.

Scope: Live operational incidents and service degradation. NOT for general code review (honest-review), proactive vulnerability scanning (security-scanner), or one-off bug fixing without incident coordination.

Canonical Vocabulary

Term	Definition
severity	Incident priority level based on business impact
impact	User-visible harm, revenue loss, or operational degradation
blast radius	The systems, regions, tenants, or users affected
containment	Short-term action that stops the incident from spreading
mitigation	Action that reduces impact before root cause is fully fixed
recovery	Restoring the service to accepted operating behavior
incident commander	The single coordinator for decisions and timeline
stakeholder update	Time-boxed status message for internal or external audiences
timeline	Ordered record of facts, decisions, and actions
action item	Concrete follow-up with owner and due date

Dispatch

$ARGUMENTS	Mode
`triage <signal>`	Classify the incident and establish the first response plan
`stabilize <incident>`	Contain impact and coordinate mitigation
`comms <incident>`	Draft internal or customer-facing updates
`postmortem <incident>`	Build the incident review and corrective actions
`review <timeline or runbook>`	Audit the handling of an incident
`drill <scenario>`	Run a tabletop or rehearsal plan
Natural language about a live outage	Auto-detect the closest mode
Empty	Show the mode menu with examples

Mode Menu

#	Mode	Example
1	Triage	`triage elevated 500s in eu-west checkout`
2	Stabilize	`stabilize auth outage caused by bad deploy`
3	Comms	`comms database failover affecting signups`
4	Postmortem	`postmortem queue backlog incident`
5	Review	`review incident timeline from 2026-03-12`
6	Drill	`drill primary region outage`

When to Use

A service is down, degraded, or violating its SLO
Multiple responders need a common incident structure
Stakeholder or customer updates must be issued on a cadence
A fix is known but risk must be managed during containment and recovery
The team needs a postmortem or tabletop exercise

Classification Gate

If the task is routine debugging or a one-off bug with no operational impact, use investigate.
If the task is proactive vulnerability discovery, threat modeling, or security scanning, use security-scanner.
If the task is code review, fix quality assessment, or pre-merge risk review, use honest-review.
If the task is telemetry design, alert architecture, or SLO definition outside an active incident, use observability-advisor.
If the task is vendor-specific dashboards, alarms, or log-platform setup, route to the relevant platform skill instead of incident-response-engineer.

Instructions

Mode: Triage

Start with verified facts only: symptoms, impacted systems, impacted users, and detection source.
Estimate severity from impact and blast radius, not gut feel. Use references/severity-matrix.md.
Name an incident commander and define the next decision checkpoint.
Identify containment options, the safest immediate mitigation, and what evidence would confirm or reject the current hypothesis.
Produce the first 15-minute response plan.

Mode: Stabilize

Separate containment from root cause work.
Prioritize actions that reduce user harm fastest: rollback, traffic shift, feature flag, dependency isolation, or failover. Use references/containment-recovery-aids.md.
Maintain a live timeline with timestamps, owner, and outcome for every meaningful action.
Reassess severity whenever blast radius changes.
Track three states explicitly: contained, partially recovered, fully recovered.

Mode: Comms

Identify audience: responders, executives, support, or customers.
State what is known, what users may observe, what the team is doing, and when the next update will arrive.
Avoid speculative root-cause claims.
Keep customer updates crisp and plain language. Use references/comms-templates.md.

Mode: Postmortem

Build the timeline from verified events, not memory alone. Use references/timeline-postmortem-examples.md.
Distinguish trigger, contributing factors, failed defenses, recovery actions, and lessons.
Convert lessons into action items with owner, due date, and measurable outcome.
Focus on system fixes, not blame.

Mode: Review

Read the timeline, updates, runbook, and follow-up actions. Compare against references/severity-matrix.md, references/comms-templates.md, and references/timeline-postmortem-examples.md.
Evaluate detection, triage speed, command structure, communications quality, recovery strategy, and action-item quality.
Present gaps as critical, warning, or info.

Mode: Drill

Define scenario, objective, and stop condition.
Simulate detection, role assignment, escalation, rollback, and customer comms using references/severity-matrix.md, references/comms-templates.md, and references/containment-recovery-aids.md.
Capture decision bottlenecks and missing runbook steps.

Output Requirements

Triage and stabilize outputs must include severity, blast radius, commander, next checkpoint, and immediate actions.
Comms outputs must include audience and next update time.
Postmortems must include action items with owners.

Critical Rules

Always distinguish fact, inference, and hypothesis.
Customer impact takes priority over elegant diagnosis.
Never claim a root cause publicly before the evidence supports it.
Every live incident needs a single incident commander.
Every meaningful action during response must land in the timeline.
Postmortems must produce owned corrective actions, not vague lessons.

Scaling Strategy

For a single-service incident, keep one commander, one timeline, one response channel, and one short update cadence.
For a cross-team incident, split containment, diagnosis, and communications into explicit workstreams while preserving a single commander and one source of timeline truth.
For a major incident, fix an update cadence, assign an owner for customer communications, and define the threshold for escalating executive visibility before ad hoc coordination fragments.

Reference Files

Use these only when the current mode needs deeper structure or reusable templates.

File	Purpose	Use when
`references/severity-matrix.md`	Severity calibration by impact, blast radius, and response posture	Triage, stabilize, drill, review
`references/comms-templates.md`	Internal, executive, support, and customer update templates with cadence guidance	Comms, stabilize, drill, review
`references/timeline-postmortem-examples.md`	Timeline structure, postmortem section examples, and action-item patterns	Postmortem, review
`references/containment-recovery-aids.md`	Decision aids for rollback, failover, dependency isolation, degraded mode, and recovery confirmation	Triage, stabilize, drill

Scope Boundaries

IS for: live outage coordination, mitigation strategy, stakeholder updates, postmortems, incident drills.

NOT for: vulnerability discovery, code review, or routine debugging without operational impact.