The first 15 minutes of an incident: facts, impact, and safe actions

incidentincident responserollbackstatus updateAI prompts

A practical first-incident-minutes script for facts, impact, safe checks, status updates, rollback, and escalation

Facts before theories

At the start, do not rush to find the one guilty cause. First capture:

  • when it started;
  • which symptom is visible;
  • who is affected;
  • what changed before the incident;
  • which signals are already checked;
  • who owns the decision right now.

That reduces noise and keeps the team from jumping between random theories.

Checks should be safe

In the first minutes, prefer actions that do not change system state: read logs, healthchecks, graphs, recent deploys, and dependent service status. Restart, data fix, manual migration rollback, or queue deletion are riskier actions.

AI is useful as a filter: what can be checked safely, and what should wait for confirmation.

Communication is part of the incident

Even when the cause is unknown, the team needs a short status:

  • what we see;
  • who is affected;
  • what we are checking;
  • when the next update will come.

That is better than silence or a long explanation without facts.

In short

In the first 15 minutes of an incident, the goal is not to guess heroically. The goal is to reduce chaos and avoid increasing damage.

AI can help if you ask it to organize facts, safe checks, status, and rollback or escalation conditions.

Quick checklist

  • Capture start time and symptoms.
  • Estimate who is affected.
  • Check safe signals first: healthcheck, logs, metrics.
  • Avoid destructive actions without confirmation.
  • Write a short status update.
  • Prepare rollback or escalation triggers.

Organize the first 15 minutes of an incident

Help me organize the first 15 minutes of a technical incident without panic or unsafe guesses. Context: - What we noticed: [symptom, alert, user report, graph] - When it started: [time or approximate window] - What is affected: [service, page, API, job, integration] - Impact scale: [all users / some users / one customer / unknown] - Recent changes: [deploy, config, dependency, infra, data migration] - What is already checked: [logs, metrics, healthcheck, rollback status] - What must not be done without confirmation: [delete, restart, migration rollback, data edits] Build the plan: 1. Which facts to capture now. 2. Which non-destructive checks to run first. 3. How to estimate user impact. 4. What to write in a short status update. 5. When to prepare rollback or escalation. 6. Which actions to avoid until the cause is clearer. Output format: - Current facts - Impact estimate - Safe checks - Status update draft - Rollback/escalation trigger - Do not do yet