write-incident-runbook

Create structured incident runbooks with diagnostic steps, resolution procedures, escalation paths, and communication templates for effective incident response. Use when documenting response procedures for recurring alerts, standardizing incident response across an on-call rotation, reducing MTTR with clear diagnostic steps, creating training materials for new team members, or linking alert annotations directly to resolution procedures.

9 stars

Best use case

write-incident-runbook is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Create structured incident runbooks with diagnostic steps, resolution procedures, escalation paths, and communication templates for effective incident response. Use when documenting response procedures for recurring alerts, standardizing incident response across an on-call rotation, reducing MTTR with clear diagnostic steps, creating training materials for new team members, or linking alert annotations directly to resolution procedures.

Teams using write-incident-runbook should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/write-incident-runbook/SKILL.md --create-dirs "https://raw.githubusercontent.com/pjt222/agent-almanac/main/i18n/caveman-lite/skills/write-incident-runbook/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/write-incident-runbook/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How write-incident-runbook Compares

Feature / Agentwrite-incident-runbookStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Create structured incident runbooks with diagnostic steps, resolution procedures, escalation paths, and communication templates for effective incident response. Use when documenting response procedures for recurring alerts, standardizing incident response across an on-call rotation, reducing MTTR with clear diagnostic steps, creating training materials for new team members, or linking alert annotations directly to resolution procedures.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Write Incident Runbook

Create actionable runbooks that guide responders through incident diagnosis and resolution.

## When to Use

- Documenting response procedures for recurring alerts or incidents
- Standardizing incident response across on-call rotation members
- Reducing mean time to resolution (MTTR) with clear diagnostic steps
- Creating training materials for new team members on incident handling
- Establishing escalation paths and communication protocols
- Migrating tribal knowledge to written documentation
- Linking alerts to resolution procedures (alert annotations)

## Inputs

- **Required**: Incident or alert name/description
- **Required**: Historical incident data and resolution patterns
- **Optional**: Diagnostic queries (Prometheus, logs, traces)
- **Optional**: Escalation contacts and communication channels
- **Optional**: Previous incident post-mortems

## Procedure

### Step 1: Choose Runbook Template Structure

> See [Extended Examples](references/EXAMPLES.md#step-1-runbook-template-examples) for complete template files.

Select an appropriate template based on incident type and complexity.

**Basic runbook template structure**:
```markdown
# [Alert/Incident Name] Runbook
## Overview | Severity | Symptoms
## Diagnostic Steps | Resolution Steps
## Escalation | Communication | Prevention | Related
```

**Advanced SRE runbook template** (excerpt):
```markdown
# [Service Name] - [Incident Type] Runbook

## Metadata
- Service, Owner, Severity, On-Call, Last Updated

## Diagnostic Phase
### Quick Health Check (< 5 min): Dashboard, error rate, deployments
### Detailed Investigation (5-20 min): Metrics, logs, traces, failure patterns
# ... (see EXAMPLES.md for complete template)
```

Key template components:
- **Metadata**: Service ownership, severity, on-call rotation
- **Diagnostic Phase**: Quick checks → detailed investigation → failure patterns
- **Resolution Phase**: Immediate mitigation → root cause fix → verification
- **Escalation**: Criteria and contact paths
- **Communication**: Internal/external templates
- **Prevention**: Short/long-term actions

**Got:** Template selected matches incident complexity, sections appropriate for service type.

**If fail:**
- Start with basic template, iterate based on incident patterns
- Review industry examples (Google SRE books, vendor runbooks)
- Adapt template based on team feedback after first use

### Step 2: Document Diagnostic Procedures

> See [Extended Examples](references/EXAMPLES.md#step-2-complete-diagnostic-procedures) for complete diagnostic queries and decision trees.

Create step-by-step investigation procedures with specific queries.

**Six-step diagnostic checklist**:

1. **Verify Service Health**: Health endpoint checks and uptime metrics
   ```bash
   curl -I https://api.example.com/health  # Expected: HTTP 200 OK
   ```
   ```promql
   up{job="api-service"}  # Expected: 1 for all instances
   ```

2. **Check Error Rate**: Current error percentage and breakdown by endpoint
   ```promql
   sum(rate(http_requests_total{status=~"5.."}[5m]))
   / sum(rate(http_requests_total[5m])) * 100  # Expected: < 1%
   ```

3. **Analyze Logs**: Recent errors and top error messages from Loki
   ```logql
   {job="api-service"} |= "error" | json | level="error"
   ```

4. **Check Resource Utilization**: CPU, memory, and connection pool status
   ```promql
   avg(rate(container_cpu_usage_seconds_total{pod=~"api-service.*"}[5m])) * 100
   # Expected: < 70%
   ```

5. **Review Recent Changes**: Deployments, git commits, infrastructure changes

6. **Examine Dependencies**: Downstream service health, database/API latency

**Failure pattern decision tree** (excerpt):
- Service down? → Check all pods/instances
- Error rate elevated? → Check specific error types (5xx, gateway, database, timeouts)
- When did it start? → After deployment (rollback), gradual (resource leak), sudden (traffic/dependency)

**Got:** Diagnostic procedures are specific, include expected vs actual values, guide responder through investigation.

**If fail:**
- Test queries in actual monitoring system before documenting
- Include screenshots of dashboards for visual reference
- Add "Common mistakes" section for frequently missed steps
- Iterate based on feedback from incident responders

### Step 3: Define Resolution Procedures

> See [Extended Examples](references/EXAMPLES.md#step-3-complete-resolution-procedures) for all 5 resolution options with full commands and rollback procedures.

Document step-by-step remediation with rollback options.

**Five resolution options** (brief summary):

1. **Rollback Deployment** (fastest): For post-deployment errors
   ```bash
   kubectl rollout undo deployment/api-service
   ```
   Verify → Monitor → Confirm resolution (error rate < 1%, latency normal, no alerts)

2. **Scale Up Resources**: For high CPU/memory, connection pool exhaustion
   ```bash
   kubectl scale deployment/api-service --replicas=$((current * 3/2))
   ```

3. **Restart Service**: For memory leaks, stuck connections, cache corruption
   ```bash
   kubectl rollout restart deployment/api-service
   ```

4. **Feature Flag / Circuit Breaker**: For specific feature errors or external dependency failures
   ```bash
   kubectl set env deployment/api-service FEATURE_NAME=false
   ```

5. **Database Remediation**: For database connections, slow queries, pool exhaustion
   ```sql
   -- Kill long-running queries, restart connection pool, increase pool size
   ```

**Universal verification checklist**:
- [ ] Error rate < 1%
- [ ] Latency P99 < threshold
- [ ] Throughput at baseline
- [ ] Resource usage healthy (CPU < 70%, Memory < 80%)
- [ ] Dependencies healthy
- [ ] User-facing tests pass
- [ ] No active alerts

**Rollback procedure**: If resolution worsens situation → pause/cancel → revert → reassess

**Got:** Resolution steps are clear, include verification checks, provide rollback options for each action.

**If fail:**
- Add more granular steps for complex procedures
- Include screenshots or diagrams for multi-step processes
- Document command outputs (expected vs actual)
- Create separate runbook for complex resolution procedures

### Step 4: Establish Escalation Paths

> See [Extended Examples](references/EXAMPLES.md#step-4-complete-escalation-guidelines) for full escalation levels and contact directory template.

Define when and how to escalate incidents.

**When to escalate immediately**:
- Customer-facing outage > 15 minutes
- SLO error budget > 10% depleted
- Data loss/corruption or security breach suspected
- Unable to identify root cause within 20 minutes
- Mitigation attempts fail or worsen situation

**Five escalation levels**:
1. **Primary On-Call** (5 min response): Deploy fixes, rollback, scale (up to 30 min solo)
2. **Secondary On-Call** (auto after 15 min): Additional investigation support
3. **Team Lead** (architectural decisions): Database changes, vendor escalation, incidents > 1 hour
4. **Incident Commander** (cross-team coord): Multiple teams, customer comms, incidents > 2 hours
5. **Executive** (C-level): Major impact (>50% users), SLA breach, media/PR, outages > 4 hours

**Escalation process**:
1. Notify target with: current status, impact, actions taken, help needed, dashboard link
2. Handoff if needed: share timeline, actions, access, remain available
3. Don't go silent: update every 15 min, ask questions, provide feedback

**Contact directory**: Maintain table with role, Slack, phone, PagerDuty for:
- Platform/Database/Security/Network teams
- Incident Commander
- External vendors (AWS, database vendor, CDN provider)

**Got:** Clear criteria for escalation, contact information readily accessible, escalation paths aligned with organizational structure.

**If fail:**
- Validate contact information is current (test quarterly)
- Add decision tree for when to escalate
- Include examples of escalation messages
- Document response time expectations for each level

### Step 5: Create Communication Templates

> See [Extended Examples](references/EXAMPLES.md#step-5-complete-communication-templates) for all internal and external templates with full formatting.

Provide pre-written messages for incident updates.

**Internal templates** (Slack #incident-response):

1. **Initial Declaration**:
   ```
   🚨 INCIDENT: [Title] | Severity: [Critical/High/Medium]
   Impact: [users/services] | Owner: @username | Dashboard: [link]
   Quick Summary: [1-2 sentences] | Next update: 15 min
   ```

2. **Progress Update** (every 15-30 min):
   ```
   📊 UPDATE #N | Status: [Investigating/Mitigating/Monitoring]
   Actions: [what we tried and outcomes]
   Theory: [what we think is happening]
   Next: [planned actions]
   ```

3. **Mitigation Complete**:
   ```
   ✅ MITIGATION | Metrics: Error [before→after], Latency [before→after]
   Root Cause: [brief or "investigating"] | Monitoring 30min before resolved
   ```

4. **Resolution**:
   ```
   🎉 RESOLVED | Duration: [time] | Root Cause + Impact + Follow-up actions
   ```

5. **False Alarm**: No impact, no follow-up needed

**External templates** (status page):
- **Initial**: Investigating, started time, next update in 15 min
- **Progress**: Identified cause (customer-friendly), implementing fix, estimated resolution
- **Resolution**: Resolved time, root cause (simple), duration, prevention measures

**Customer email template**: Timeline, impact description, resolution, prevention, compensation (if applicable)

**Got:** Templates save time during incidents, ensure consistent communication, reduce cognitive load on responders.

**If fail:**
- Customize templates to match company communication style
- Pre-fill templates with common incident types
- Create Slack workflow/bot to populate templates automatically
- Review templates during incident retrospectives

### Step 6: Link Runbook to Monitoring

> See [Extended Examples](references/EXAMPLES.md#step-6-alert-integration-examples) for complete Prometheus alert configuration and Grafana dashboard JSON.

Integrate runbook with alerts and dashboards.

**Add runbook links to Prometheus alerts**:
```yaml
- alert: HighErrorRate
  annotations:
    runbook_url: "https://wiki.example.com/runbooks/high-error-rate"
    dashboard_url: "https://grafana.example.com/d/service-overview"
    incident_channel: "#incident-platform"
```

**Embed quick diagnostic links in runbook**:
- Service Overview Dashboard
- Error Rate Last 1h (Prometheus direct link)
- Recent Error Logs (Loki/Grafana Explore)
- Recent Deployments (GitHub/CI)
- PagerDuty Incidents

**Create Grafana dashboard panel** with runbook links (markdown panel listing all incident runbooks with on-call and escalation info)

**Got:** Responders can access runbooks directly from alerts or dashboards, diagnostic queries pre-filled, one-click access to relevant tools.

**If fail:**
- Verify runbook URLs are accessible without VPN/login
- Use URL shorteners for complex Grafana/Prometheus links
- Test links quarterly to ensure they don't break
- Create browser bookmarks for frequently used runbooks

## Validation

- [ ] Runbook follows consistent template structure
- [ ] Diagnostic procedures include specific queries and expected values
- [ ] Resolution steps are actionable with clear commands
- [ ] Escalation criteria and contacts are current
- [ ] Communication templates provided for internal and external audiences
- [ ] Runbook linked from monitoring alerts and dashboards
- [ ] Runbook tested during incident simulation or actual incident
- [ ] Feedback from responders incorporated into runbook
- [ ] Revision history tracked with dates and authors
- [ ] Runbook accessible without authentication (or cached offline)

## Pitfalls

- **Too generic**: Runbooks with vague steps like "check the logs" without specific queries are not actionable. Be specific.
- **Outdated information**: Runbooks referencing old systems or commands become useless. Review quarterly.
- **No verification steps**: Resolution without verification leads to false positives. Always include "how to confirm it's fixed."
- **Missing rollback procedures**: Every action should have a rollback plan. Don't trap responders in worse state.
- **Assuming knowledge**: Runbooks for experts only exclude junior engineers. Write for the least experienced person on rotation.
- **No ownership**: Runbooks without owners become stale. Assign team/person responsible for updates.
- **Hidden behind auth**: Runbooks inaccessible during VPN/SSO issues are useless during crisis. Cache copies or use public wiki.

## Related Skills

- `configure-alerting-rules` - Link runbooks to alert annotations for immediate access during incidents
- `build-grafana-dashboards` - Embed runbook links in dashboards and diagnostic panels
- `setup-prometheus-monitoring` - Include diagnostic queries from Prometheus in runbook procedures
- `define-slo-sli-sla` - Reference SLO impact in incident severity classification

Related Skills

write-vignette

9
from pjt222/agent-almanac

Create R package vignettes using R Markdown or Quarto. Covers vignette setup, YAML configuration, code chunk options, building and testing, and CRAN requirements for vignettes. Use when adding a Getting Started tutorial, documenting complex workflows spanning multiple functions, creating domain-specific guides, or when CRAN submission requires user-facing documentation beyond function help pages.

write-validation-documentation

9
from pjt222/agent-almanac

Write IQ/OQ/PQ validation documentation for computerized systems in regulated environments. Covers protocols, reports, test scripts, deviation handling, and approval workflows. Use when validating R or other software for regulated use, preparing for a regulatory audit, documenting qualification of computing environments, or creating and updating validation protocols and reports for new or re-qualified systems.

write-testthat-tests

9
from pjt222/agent-almanac

Write comprehensive testthat (edition 3) tests for R package functions. Covers test organization, expectations, fixtures, mocking, snapshot tests, parameterized tests, and achieving high coverage. Use when adding tests for new package functions, increasing test coverage for existing code, writing regression tests for bug fixes, or setting up test infrastructure for a package that lacks it.

write-standard-operating-procedure

9
from pjt222/agent-almanac

Write a GxP-compliant Standard Operating Procedure (SOP). Covers regulatory SOP template structure (purpose, scope, definitions, responsibilities, procedure, references, revision history), approval workflow design, periodic review scheduling, and operational procedures for system use. Use when a new validated system requires operational procedures, when existing informal procedures need formalisation, when an audit finding cites missing procedures, when a change control triggers SOP updates, or when periodic review identifies outdated procedural content.

write-roxygen-docs

9
from pjt222/agent-almanac

Write roxygen2 documentation for R package functions, datasets, and classes. Covers all standard tags, cross-references, examples, and generating NAMESPACE entries. Follows tidyverse documentation style. Use when adding documentation to new exported functions, documenting internal helpers or datasets, documenting S3/S4/R6 classes and methods, or fixing documentation-related R CMD check notes.

write-helm-chart

9
from pjt222/agent-almanac

Create production-ready Helm charts for Kubernetes application deployment with templating, values management, chart dependencies, hooks, and testing. Covers chart structure, Go template syntax, values.yaml design, chart repositories, versioning, and best practices for maintainable and reusable charts. Use when packaging a Kubernetes application for repeatable deployments, parameterizing manifests for multiple environments, managing complex multi-component applications with dependencies, or standardizing deployment practices with versioned rollback capability across teams.

write-continue-here

9
from pjt222/agent-almanac

Write a CONTINUE_HERE.md file capturing current session state so a fresh Claude Code session can pick up where this one left off. Covers assessing recent work, structuring the continuation file with objective, completed, in-progress, next-steps, and context sections, and verifying the file is actionable. Use when ending a session with unfinished work, handing off context between sessions, or preserving task state that git alone cannot capture.

write-claude-md

9
from pjt222/agent-almanac

Create an effective CLAUDE.md file that provides project-specific instructions to AI coding assistants. Covers structure, common sections, do/don't patterns, and integration with MCP servers and agent definitions. Use when starting a new project where AI assistants will be used, improving AI behavior on an existing project, documenting project conventions and constraints, or integrating MCP servers or agent definitions into a project workflow.

skill-name-here

9
from pjt222/agent-almanac

One to three sentences describing what this skill accomplishes, followed by key activation triggers. This field is the primary mechanism agents use to decide whether to activate the skill — it is read during discovery before the full body is loaded. Start with a verb. Include the most important "when to use" conditions inline. Max 1024 characters.

vishnu-bhaga

9
from pjt222/agent-almanac

Preservation and sustenance — maintaining working state under perturbation, memory anchoring, consistency enforcement, and protective stabilization. Maps Vishnu's sustaining presence to AI reasoning: holding what works steady, anchoring verified knowledge against drift, and ensuring continuity through change. Use when a working approach is at risk from scope creep, when context drift threatens verified knowledge, after shiva-bhaga dissolution to protect what survived, when a long session risks losing earlier decisions through context compression, or before making changes to a currently functioning system.

version-ml-data

9
from pjt222/agent-almanac

Version machine learning datasets using DVC (Data Version Control) with remote storage backends, build reproducible data pipelines with dependency tracking, integrate with Git workflows, and ensure data lineage for model reproducibility. Use when versioning large datasets that do not fit in Git, tracking data changes alongside code changes, ensuring ML experiment reproducibility, sharing datasets across team members, or auditing data lineage for compliance requirements.

verify-agent-output

9
from pjt222/agent-almanac

Validate deliverables and build evidence trails when work passes between agents. Covers expected outcome specification before execution, structured evidence generation during execution, deliverable validation against external anchors after execution, fidelity checks for compressed or summarized outputs, trust boundary classification, and structured disagreement reporting on verification failure. Use when coordinating multi-agent workflows, reviewing cross-agent handoffs, producing external-facing outputs, or auditing whether an agent's summary faithfully represents its source material.