Incident Response: A Startup Playbook for 2026
May 26, 2026
Your startup is asleep except for the one engineer staring at a failing dashboard and a Slack thread that keeps growing by the minute. Payments are erroring. Login retries are spiking. Support just pasted a customer message that reads, “Is your system down?” Nobody cares whether the root cause is a bad deploy, a revoked token, a cloud outage, or a compromised account. They care whether you can stop the bleeding and keep the business functioning.
That's why incident response matters in a startup. It isn't a policy document for a compliance folder. It's the operating system for ugly mornings, missed handoffs, and the moment when one small technical failure turns into a customer problem, a revenue problem, and then a trust problem.
The cost of waiting is not abstract. SentinelOne reports that the global average cost of a data breach is $4.88 million in 2026, and that security teams take an average of 277 days to identify and contain a data breach according to its cyber security statistics overview. If stolen or lost credentials are involved, the same source says the average stretches even longer. Those figures matter even if your company is much smaller than the firms in those averages. The lesson is simple. Slow response is expensive, and not only in legal or security terms. It burns roadmap time, drags support into chaos, and forces founders to make high-stakes decisions with incomplete information.
A lot of founders hear “incident response” and picture enterprise theater. Massive binders. rigid approval chains. expensive tooling. That's not what a growth-stage company needs this quarter.
A good startup incident response plan is lighter than commonly assumed. You need clear roles, a short triage path, a few communication templates, and a realistic way to keep revenue, support, and engineering moving while part of the system is under stress. You don't need perfection. You need a plan that works at 3 AM when your best engineer is tired and your most important customer is awake.
Practical rule: If your response plan can't fit on a few pages and be used under pressure, it's too big for a startup.
The strongest startup teams treat incident response as a product problem and an operations problem, not just a security problem. They define ownership before the incident. They make alerts actionable. They know when to isolate a service, when to roll back, and when to keep monitoring. They write down what happened afterward and turn the findings into engineering work.
That's the 80/20 version. Lean, specific, and realistic.
When It All Breaks An Introduction for Founders
At a startup, incidents rarely arrive in a clean category. A database outage can look like a product defect. A credential issue can look like flaky infrastructure. A bad deploy can trigger support volume that feels like a marketing crisis because social posts start circulating before engineering even knows the full blast radius.
That ambiguity is what hurts small teams. The first mistake isn't usually technical. It's organizational. Five people start investigating different theories, nobody owns the timeline, the founder starts fielding customer messages directly, and the team loses the first half hour to noise.
The founder problem
Founders usually ask a sensible question: do we really need incident response yet?
Yes. Not because you're likely to have an enterprise-scale breach tomorrow, but because the same mechanics apply to startup-scale failures. Your auth provider starts rejecting sessions. Your background job queue stalls. Your primary database locks under unexpected load. Your payment gateway goes half-down, where retries succeed for some customers and fail for others. Those situations all need the same response muscle: decide who's in charge, confirm what's broken, contain the blast radius, communicate clearly, and recover without making the damage worse.
A founder doesn't need to become a security operator. A founder needs a company that doesn't freeze when something breaks.
Good enough beats theoretical
The useful version of incident response is boring by design. It tells the on-call engineer where to open the incident channel. It tells the incident commander who can approve a rollback. It tells support what they can say before root cause is known. It tells the CEO when to step in and when to stop interrupting the people fixing the issue.
Use practical examples, not abstract maturity models. If your team depends on Stripe, Auth0, AWS, Vercel, Cloudflare, GitHub Actions, and a production Postgres cluster, your incident response plan should mention those dependencies by name. If you use feature flags in LaunchDarkly or your own kill switch system, document which features can be disabled safely. If a migration can lock a critical table, say so explicitly.
What works in startups is clarity under pressure. What doesn't work is pretending you'll improvise well during a crisis.
The minimum standard
A good enough plan this quarter has a few traits:
- Named owners: One person runs the incident. One person handles communications. One person or team investigates the likely fault domain.
- Simple severity levels: Enough to distinguish a customer-visible outage from a contained internal problem.
- Prewritten actions: Roll back, disable, isolate, fail over, or monitor. Those should be decisions, not debates.
- Business continuity steps: Support, sales, and product need instructions too.
If you build only that, you're already ahead of many organizations that “know they should probably write a plan someday.”
Laying the Foundation Roles and Readiness
At 2:13 AM, checkout starts failing after a deploy. Revenue stops. Support sees tickets before engineering sees alerts. The engineer who merged the change is asleep, your founder is asking for updates in three Slack channels, and nobody knows who can roll back without waking the CTO. That is a roles problem before it becomes a debugging problem.
Startups do not need an enterprise incident program with ten handoffs and a formal command structure. They need a small set of decisions made ahead of time, by named people, with enough authority to protect revenue and keep customers informed. The 80/20 version is simple. Pick the few roles that reduce confusion, write down what each person can decide, and rehearse just enough that the first real incident does not become a meeting.
Pick three roles first
Three roles cover a surprising amount of ground for a small team.
Incident Commander
The Incident Commander runs the response. They set priority, keep the team focused, and decide what happens next. This person does not need to be the strongest debugger in the company. They do need the judgment to cut off side quests and the authority to pause deploys, approve rollback, or pull in extra help.
At a startup, this is usually the engineering lead, head of engineering, senior backend engineer, or CTO. During the incident, they should keep answering four questions:
- What is the customer and business impact right now?
- What changed recently?
- What action reduces risk in the next ten minutes?
- Who needs an update, and when?
If the Incident Commander disappears into logs for half an hour, the response usually fragments. Someone has to keep steering.
Communications Lead
Outages create a second incident inside the company. Sales wants to know what to tell prospects. Support wants a safe answer for angry customers. The founder wants to know whether to post on the status page. If nobody owns communication, engineers get interrupted by twenty people asking the same question.
For an early-stage team, the Communications Lead might be the founder, product lead, operations lead, or head of customer success. The title matters less than discipline. This person works from confirmed facts, timestamps updates, and resists the urge to promise an ETA before the team understands the failure.
They should own internal summaries, customer-facing updates, and support talking points. If your incident affects signups, billing, or API reliability, this role protects trust while engineering works.
Subject Matter Expert
The Subject Matter Expert goes deep on the likely fault domain. If a migration locked a critical Postgres table, the SME is the backend or database owner. If all login attempts start failing after an Auth0 config change, pull in the person who knows your auth flow and dashboard settings. If requests are timing out at the edge, the SME might be the engineer who manages Cloudflare, Vercel, or your load balancer.
Their job is diagnosis and execution. Their risk is tunnel vision. Keeping the SME separate from the Incident Commander helps because someone else can ask, "What is the fastest safe containment step?" instead of spending forty minutes proving a theory.
A startup RACI you can actually use
This is enough structure for many growth-stage teams handling customer-visible outages.
| Task | Incident Commander (IC) | Comms Lead | Subject Matter Expert (SME) | CEO/Founder |
|---|---|---|---|---|
| Declare incident severity | R | C | C | I |
| Open incident channel and war room | R | I | C | I |
| Investigate likely cause | C | I | R | I |
| Approve rollback or feature disable | A | I | R | C |
| Publish internal status update | C | R | I | I |
| Publish customer-facing update | C | R | I | A |
| Coordinate support talking points | I | R | I | C |
| Decide when incident is resolved | A | C | R | I |
| Schedule postmortem | R | I | C | I |
In a team of eight engineers, one person may hold two roles. That is fine. The rule is one clear owner per decision at incident time.
Write down authority, not just titles
Role charts fail when they stop at names. The missing piece is authority.
Add one line under each role in your runbook:
- Incident Commander: Can pause deployments, declare severity, assign responders, approve rollback, and call the incident resolved.
- Comms Lead: Can publish internal updates, update the status page, and send approved customer messaging.
- SME: Can execute preapproved containment steps such as reverting a release, disabling a feature flag, draining traffic, or isolating a dependency.
That saves real time. If your payment flow depends on Stripe and a recent release breaks webhook handling, the team should not need a fresh debate about whether to disable the new billing feature flag. If a bad GitHub Actions deployment pushed a broken config to production, rollback authority should already be clear. If an AWS security group change cuts off database access, the responder with the right context and access should be able to fix it immediately, not wait for someone to wake up.
Readiness means pre-deciding the obvious
A good startup runbook fits on one page. It should include:
- where the incident channel gets created
- who can page whom, and by what method
- who owns the status page
- who has AWS, GCP, Vercel, Cloudflare, Auth0, Stripe, and database console access
- which features can be disabled safely through LaunchDarkly or your own kill switch
- which systems are business-critical, and what "degraded but acceptable" looks like for each
Be specific. "Database issues" is too vague to help at 3 AM. "A migration can lock the subscriptions table and block renewals" is useful. "Cloudflare misconfiguration can serve stale assets but API traffic still works" is useful. "Auth0 outage means existing sessions may survive while new logins fail" is useful.
One more point matters for founders. Single points of failure are common in small teams, and they are rarely tools. They are people. If only one engineer knows how your production Postgres failover works, or only one person can change DNS, that is the readiness gap to fix this quarter.
This work also overlaps with basic operational discipline. Teams improving enterprise software security practices for growing engineering organizations usually get incident readiness as a side effect, because access is cleaner, ownership is clearer, and risky changes are easier to trace.
A startup does not need perfect coverage here. It needs enough structure that when something breaks, the team can protect the business while it fixes the system.
Setting Up Your Senses Detection and Alerting
Most startups don't have a detection problem. They have a signal problem.
They already collect logs in Datadog, CloudWatch, GCP Monitoring, Grafana, Sentry, New Relic, or Elastic. The issue is that the alerts fire on everything, nobody trusts them, and important warnings drown in low-value noise. That's how teams miss real incidents while chasing harmless spikes.
Microsoft notes that security teams may receive thousands of alerts in a day, many of them false positives, in the Exabeam explainer on the incident response process. The practical lesson for a startup is not “buy more tooling.” It's “decide what deserves a human at 3 AM.”
Start with the free and built-in paths
A lean setup often begins with tools you already pay for indirectly:
- CloudWatch or GCP Monitoring: Infrastructure health, instance failures, database pressure, queue lag, and network anomalies.
- Sentry: Exception spikes, release regressions, and endpoint-specific failures.
- Application metrics in Grafana or Datadog: Error rate, latency, saturation, and dependency health.
- Status checks from your cloud platform or CDN: External reachability and edge behavior.
- Audit logs from your identity provider: Suspicious access patterns, privilege changes, or unexpected token behavior.
If you're a small SaaS company, monitor customer pain, not just machine pain. That means login success, checkout completion, API error rate on key endpoints, webhook backlog, and job processing delay.
Make alerts actionable
A useful alert answers three questions immediately:
- What broke?
- Who should care first?
- What's the first investigation step?
“CPU high” is weak. “Primary database connection errors increased after release 2026.04.3” is useful. “Checkout API returning increased server errors in the last few minutes” is useful. “Authentication failures rising across all regions” is useful.
Don't route every alert to the same on-call path. Split them by function. App errors go to the product or backend on-call. Infrastructure failures go to platform. Suspicious auth behavior goes to whoever owns identity and access.
Triage rules matter more than dashboard beauty
Startups often overinvest in observability dashboards and underinvest in triage. The hard part isn't collecting telemetry. It's deciding which events become incidents.
Use a simple scoring model:
| Signal | Ask | Example decision |
|---|---|---|
| Customer impact | Can users complete a critical action? | Failed logins outrank a minor admin panel error |
| Business sensitivity | Does it affect payments, auth, or core data? | Payment retry failures escalate faster |
| Scope | One tenant, one region, or broad impact? | Single-tenant issue may stay under monitoring |
| Recoverability | Can you roll back or disable safely? | Feature flag off is faster than deep debugging |
Lightweight SLO thinking proves helpful. You don't need a formal reliability program to say, “If login errors rise above normal and customers can't authenticate, page someone.” Founders don't need to master reliability engineering jargon. They need to ask whether the team is monitoring the handful of user journeys that make the business work.
Teams trying to mature this part of operations often benefit from stronger performance monitoring practices, especially when they need to connect infrastructure events to customer-visible degradation.
If an alert doesn't imply a next action, it's probably a dashboard metric, not a pager event.
The First 60 Minutes Triage and Containment
The first hour decides whether the incident stays bounded or spreads into a company-wide mess. The wrong instinct is to search for root cause immediately. The right instinct is to establish control, understand impact, and reduce damage.
A startup doesn't need a military-style war room. It needs one communication channel, one decision-maker, and one running log of what's known.
Minute 0 to 10 Stabilize the response
When the incident is declared, the Incident Commander should do three things fast.
- Open a dedicated channel: Use a named Slack incident room and a video call if needed.
- Assign roles: Confirm who is IC, who is handling comms, and who is the initial SME.
- Freeze risky changes: Pause deploys, migrations, and nonessential infrastructure changes until the picture is clearer.
That freeze matters. Teams often make things worse by continuing unrelated changes while trying to investigate a failure.
A simple opening message works:
Severity under investigation. Customer impact appears to affect login and dashboard access. No additional deploys until cleared. SME is checking auth provider, recent release, and database health. Next update in 15 minutes.
Minute 10 to 25 Establish the blast radius
At this point, stop guessing and answer specific questions.
What is affected
Check your critical paths first. Can customers log in? Can they pay? Can they use the primary product workflow? Are internal operators blocked from helping them?
When did it start
Line up the timeline against likely triggers: recent deploy, infrastructure change, certificate renewal, third-party outage, credential rotation, feature flag rollout.
Who is affected
Look for pattern boundaries. Is this all users, one region, one customer segment, one browser path, one environment, or one integration?
That blast-radius work is often more valuable than early root-cause certainty. If you know only trial accounts are affected, or only webhook processing is delayed, you can make better business decisions immediately.
Minute 25 to 45 Contain before you fully understand
Containment is where startup teams often hesitate because they want proof. Don't wait for perfect certainty if the containment action is reversible and low-risk.
Common startup containment moves include:
- Rollback a deployment: Best when symptoms closely follow a release and rollback is safe.
- Disable a feature via flag: Useful when one subsystem is causing broad instability.
- Isolate a service: Remove a failing worker, background job, or microservice from the hot path.
- Revoke access or tokens: Appropriate when there's a strong signal of compromised credentials or broken auth behavior.
- Shift to degraded mode: Serve read-only access, queue noncritical work, or temporarily disable exports and syncs.
Here's a practical example.
Mini runbook for a database outage
| Step | Action | Why it helps |
|---|---|---|
| 1 | Confirm whether the database is down, saturated, or network-isolated | “Database is down” is often a symptom, not a diagnosis |
| 2 | Check recent deploys, migrations, and connection pool changes | Startup incidents often follow recent changes |
| 3 | Reduce write pressure if possible | Disable noncritical jobs and batch processors |
| 4 | Roll back the latest app change if timing lines up | Fastest path if the issue was introduced by release |
| 5 | Restore service in degraded mode if needed | Read-only product access may be better than full outage |
| 6 | Preserve logs and timeline notes | You'll need them for recovery and postmortem |
Minute 45 to 60 Decide what kind of incident this is
By the end of the first hour, the Incident Commander should be able to say one of three things:
- We identified the likely cause and containment is working.
- We haven't confirmed cause, but the blast radius is stable and the next actions are clear.
- The incident is escalating across systems, and we need broader business coordination now.
That third case is where founders often need to engage. Not to troubleshoot. To help prioritize business trade-offs, customer communication, legal review if needed, and executive decisions on things like pausing launches, delaying demos, or halting onboarding.
What works here is disciplined narrowing. What fails is everybody free-ranging across theories while customers wait.
Managing the Message Internal and Customer Communication
Customers will forgive some downtime. They won't forgive confusion, silence, or messages that sound evasive.
Communication during an incident is operational work, not PR garnish. It reduces duplicate questions, protects the engineering team's attention, and gives customers a reason to trust you even while something is broken.
What bad communication looks like
A weak startup update usually has one of two problems.
The first is false confidence: “We've identified the issue and it should be fixed shortly.” That line causes damage if you haven't confirmed the cause.
The second is vague defensiveness: “Some users may be experiencing issues.” If your core flow is failing, say so plainly.
Here's the difference.
Bad: “We are aware of a minor issue and investigating.”
Better: “We're investigating a service disruption affecting login and dashboard access. Engineers are actively working on containment. We'll share another update in 15 minutes.”
The better version tells customers what's broken, what you're doing, and when they'll hear from you again.
Internal updates should reduce interruptions
Your wider team does not need a stream of half-formed theories. They need a reliable summary they can use in sales calls, support tickets, and leadership decisions.
Use a fixed internal format:
- Current status: Investigating, contained, recovering, or resolved
- Customer impact: Which workflows are affected
- What changed since last update: New containment action, narrowed scope, or recovery progress
- What teams should do: Support macro, sales hold, pause on launch comms
- Next update time: Even if there's no major change
A sample internal update:
Incident status: contained.
Customer impact: login failures are reduced, but some sessions still require retry.
Current action: auth token refresh path has been disabled while the team validates recovery.
Team guidance: support should route affected customers to the prepared macro and avoid promising a full resolution time yet.
Next update: 10:30 AM.
Customer templates you can reuse
Status page update
“We're investigating an issue affecting login and parts of the application. Some users may see failed authentication attempts or delayed page loads. The team is actively working on mitigation. Next update in 15 minutes.”
Follow-up once contained
“We identified the failing component and have applied a containment step. Service is recovering, though some users may still see intermittent issues while systems stabilize. We're continuing to monitor closely.”
Support email for impacted customers
“Hi [Name], we're sorry for the disruption. We're currently handling an incident that has affected [specific workflow]. The team has applied an initial fix and is monitoring recovery. If you experienced failed actions during the incident window, our support team can help verify the current state and advise on any retry steps.”
A short explainer can also help teams align on tone and consistency:
Protect trust with disciplined honesty
Say what's known. Avoid root-cause claims until confirmed. Don't promise full resolution times unless engineering is confident. If there is data sensitivity, regulatory review, or customer-specific exposure involved, route messaging through the right decision-makers before publishing specifics.
A surprising number of incident communication failures happen because support, product, and founders all answer in different voices. One owner should write the source version, and everyone else should pull from it.
Learning from the Fire Postmortems and Metrics
Friday evening, the site is back up, alerts are quiet, and everyone wants to close the laptops and call it done. That is usually the moment a startup sets itself up to relive the same incident two weeks later.
The useful work starts after recovery. A postmortem gives a small team a way to turn a painful outage into fewer repeats, faster response, and less customer disruption next time. For a startup, that matters more than writing a polished document nobody reads. The goal is simple: capture what happened, decide what to fix this quarter, and assign owners.
Run the postmortem while the details still exist
Do it within a few days. Wait two weeks and the timeline gets fuzzy, Slack threads disappear into the scrollback, and people start telling a cleaner story than the one they experienced.
Keep the room small enough to make decisions. Include the incident lead, the engineer closest to the failure, and anyone who owns follow-up work. Pull in support, product, or a founder if the incident affected customers, revenue, or a launch. For an early-stage company, that cross-functional view matters because significant damage often comes from delayed invoices, missed demos, or support backlog, not just CPU graphs.
A simple agenda is enough:
| Section | What to capture |
|---|---|
| Timeline | What happened, in order |
| Impact | Customer and business effects |
| Detection | How the team first learned about it |
| Response | What actions were taken and why |
| What helped | Good decisions, tools, or safeguards |
| What failed | Gaps in process, tooling, or ownership |
| Follow-ups | Specific changes with owners |
Ask better questions than “who broke it?” Ask what made the failure possible, why detection took as long as it did, and what slowed recovery once the team understood the problem.
Write action items that can survive contact with a sprint plan
Weak postmortems die in Jira. The issue is rarely lack of insight. It is vague follow-up work with no owner, no deadline, and no business case.
“Improve monitoring” will sit untouched. “Add an alert for failed token refreshes on the login path, route it to the backend on-call, and test it in staging by Friday” has a chance.
Good startup follow-ups are usually small, targeted, and tied to a real pain point:
- Runbook gap: Document the rollback steps for schema-adjacent deploys.
- Access gap: Give a backup responder production access to logs, cloud consoles, and feature flags.
- Detection gap: Add an alert based on failed checkout attempts, not only infrastructure health.
- Comms gap: Create a support macro for degraded mode and refund requests.
- Architecture gap: Remove a single dependency from the authentication path.
If the incident involved a package update, CI/CD compromise risk, or a third-party integration behaving badly, review your broader software supply chain practices before the next release train picks up speed.
One sentence I keep coming back to is this: a postmortem without tracked tickets is only documentation.
Track a few metrics you will actually review
Small teams do not need a dashboard zoo. They need a short list that shows whether response is getting faster and whether the same class of problem is showing up again.
Start with:
- MTTD: How long it took to recognize there was an incident
- MTTR: How long it took to get service back to an acceptable state
- Escalation quality: Whether the right people were involved early enough
- Repeat patterns: Whether the same failure mode keeps returning
As noted earlier in the article, MTTD and MTTR are standard ways to measure incident response. They are useful because they force uncomfortable but practical conversations. Did the team miss obvious signals? Did alerts fire but route to the wrong place? Did recovery drag because only one engineer knew the rollback steps?
Use the metrics to improve the system, not grade people. A lower MTTD with a worse MTTR usually means detection improved but recovery is still too dependent on tribal knowledge. A decent MTTR with repeated customer confusion points to an operating problem, not a purely technical one. The fix might be a runbook, a support macro, or a cleaner ownership line, not another monitoring tool.
For startups, that is the 80/20 version of incident learning. Keep the review honest, keep the follow-ups small enough to ship, and make sure each incident leaves the company a little harder to break.
Beyond Technical Recovery Business Continuity Choreography
Most incident response guidance gets thin right when founders need it most. The servers may be recovering, but the business is still in motion. Customers are opening tickets. Sales has demos scheduled. The product team is about to ship. Finance may be waiting on billing exports. Support needs permissioned language. Engineering wants a quiet room. The company has to function anyway.
Many startup plans often break here. They treat incident response as a technical event with a communications appendix. In practice, it's a business continuity exercise with technical work at the center.
A major gap in mainstream incident response guidance is the lack of focus on business disruption and recovery choreography, especially the question of how to keep revenue, customer support, and product development moving while systems are impaired, as highlighted in the Wiz overview of incident response frameworks. That gap hits startups hard because a paused deployment pipeline or disabled auth system can create damage beyond the original event.
Think in business functions, not only systems
Ask a founder-style question during the incident: what must continue today even if part of the product is impaired?
For most growth-stage SaaS teams, the list looks like this:
- Support must answer customers consistently
- Sales must know what to say on live calls
- Engineering must protect focus and stop risky changes
- Product must defer launches that would confuse recovery
- Leadership must decide what business commitments get paused
That's not bureaucracy. It's damage control.
A practical coordination checklist
Support
Give support a single source of truth, a safe script, and clear escalation rules. They should know which tickets to hold, which users to reassure, and when to escalate signs of data inconsistency rather than ordinary outage symptoms.
Sales and customer success
Sales should stop improvising. If prospects are in trial, give the team a short approved line explaining current impact and expected update timing. Customer success should identify high-risk accounts that need direct outreach instead of waiting for inbound frustration.
Product and engineering
Product should suspend launches, experiments, and copy changes that could muddy diagnosis. Engineering managers should protect responders from drive-by requests and reassign routine work so the incident team can stay focused.
Leadership
The founder or CEO should make business trade-offs explicit. Keep the trial campaign running or pause it? Push the launch or delay it? Offer manual workarounds to enterprise customers or wait for full service restoration? Those are executive calls, not things engineers should guess at during a live incident.
Example of business continuity in practice
Take a startup whose auth provider is failing intermittently. Engineers may be able to restore partial access by forcing re-auth behavior or disabling some session features. But the business choreography matters just as much:
| Team | Immediate move | Risk if ignored |
|---|---|---|
| Support | Publish macro for login retries and session reset guidance | Customers receive conflicting instructions |
| Sales | Pause live demos requiring full product access | Reps promise workflows that won't load |
| Product | Freeze releases and feature announcements | New variables confuse recovery |
| Engineering | Shift to degraded mode and monitor session stability | Full outage may recur during investigation |
| Leadership | Decide whether to delay onboarding commitments | Revenue expectations drift from reality |
The company doesn't need everyone in the incident. It needs everyone operating with the same facts.
The 80/20 continuity plan
You can build a useful continuity layer this quarter with a short checklist attached to your incident response plan:
- Critical business functions: support, billing, login, core user workflow
- Fallback modes: read-only access, queued processing, manual support process
- Department instructions: one-page guidance for support, sales, and product
- Decision triggers: when to pause launches, outreach campaigns, or onboarding
- Owner list: who approves customer-impacting trade-offs
That's enough to move from “engineering is fixing it” to “the company is operating through it.”
If your team needs help turning a rough engineering process into a reliable operating model, Adamant Code works with startups and growth-stage companies to build resilient software systems, strengthen observability, and improve the delivery discipline that makes incident response calmer and faster.