latestaiagents/incident-commander
plugins/devops-sre/skills/incident-response/incident-commander/SKILL.md
Guide incident response as an Incident Commander with structured communication and coordination. Use this skill when there's an active incident, outage, service degradation, or production issue. Activate when: incident, outage, service down, production issue, SEV1, SEV2, pages, alerts firing, something broke, users complaining, error spike, latency spike.
$ install --global
skillsauthnpx skillsauth add latestaiagents/agent-skills incident-commanderInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 24, 2026, 2:54 AM16.5s1 file scanned
SKILL.md
- name:
- incident-commander
- description:
- |
- Activate when:
- incident, outage, service down, production issue, SEV1, SEV2, pages, alerts firing,
Incident Commander Guide
Lead incident response with structured communication, clear ownership, and systematic resolution.
Incident Commander Role
The IC (Incident Commander) is responsible for:
- Coordination: Ensuring right people are engaged
- Communication: Keeping stakeholders informed
- Decision-making: Making calls when consensus isn't possible
- Documentation: Ensuring timeline is captured
The IC does NOT need to be the person fixing the problem.
Incident Severity Levels
| Level | Description | Response Time | Examples | |-------|-------------|---------------|----------| | SEV1 | Critical - Complete outage | Immediate | Total service down, data loss, security breach | | SEV2 | Major - Significant impact | 15 min | Core feature broken, major degradation | | SEV3 | Minor - Limited impact | 1 hour | Non-critical feature down, workaround exists | | SEV4 | Low - Minimal impact | Best effort | Cosmetic, single user affected |
Incident Response Workflow
Phase 1: Detection & Triage (0-5 minutes)
1. Acknowledge the alert
2. Quick assessment:
- What's broken?
- Who's affected?
- What's the blast radius?
3. Assign severity level
4. Declare incident if SEV1/SEV2
Phase 2: Mobilization (5-15 minutes)
1. Create incident channel: #inc-YYYYMMDD-[brief-description]
2. Post initial summary (template below)
3. Page relevant teams if needed
4. Assign roles:
- IC (Incident Commander) - you or delegate
- Tech Lead - driving investigation
- Comms Lead - external communication
Initial Incident Post Template:
🚨 INCIDENT DECLARED
**Severity:** SEV-[X]
**Status:** Investigating
**Impact:** [Who/what is affected]
**Started:** [Time] UTC
**Current Understanding:**
[Brief description of symptoms]
**Roles:**
- IC: @[name]
- Tech Lead: @[name]
- Comms: @[name]
**Next Update:** [Time] (every 15-30 min for SEV1/2)
Phase 3: Investigation (Ongoing)
1. Gather data:
- Recent deployments?
- Configuration changes?
- External dependency issues?
- Error patterns in logs?
- Metrics anomalies?
2. Form hypothesis and test
3. Identify mitigation options:
- Can we rollback?
- Can we scale?
- Can we failover?
- Do we need a hotfix?
Phase 4: Mitigation
1. Choose mitigation approach
2. Communicate plan before executing
3. Execute with verification at each step
4. Monitor for improvement
5. Confirm resolution
Phase 5: Resolution
1. Verify service is healthy
2. Update status page
3. Send resolution communication
4. Create postmortem ticket
5. Schedule postmortem meeting (within 48h for SEV1/2)
Communication Templates
Status Update (Every 15-30 min)
📊 INCIDENT UPDATE - [Time] UTC
**Status:** [Investigating/Identified/Mitigating/Resolved]
**Impact:** [Current impact]
**Update:**
[What we've learned, what we're doing]
**Next Steps:**
[What's happening next]
**Next Update:** [Time] UTC
Resolution Communication
✅ INCIDENT RESOLVED - [Time] UTC
**Duration:** [X hours Y minutes]
**Root Cause:** [Brief description]
**Resolution:** [What fixed it]
**Impact Summary:**
- Users affected: [number]
- Duration: [time]
- SLA impact: [yes/no]
**Next Steps:**
- Postmortem scheduled: [date/time]
- Postmortem doc: [link]
Thank you to everyone who helped respond.
Best Practices
DO
- Keep incident channel focused on resolution
- Use threads for side discussions
- Update status page early and often
- Make decisions when stuck (bias for action)
- Rotate IC if incident is long (>4 hours)
- Take breaks - fatigue causes mistakes
DON'T
- Blame individuals
- Make changes without communicating
- Forget to update stakeholders
- Skip the postmortem
- Let scope creep into fixing unrelated issues
Role Cheat Sheet
| Role | Responsibility | Who | |------|----------------|-----| | IC | Coordination, decisions, communication | Declared or on-call | | Tech Lead | Investigation, fix implementation | SME for affected service | | Comms Lead | Status page, customer comms | Support/Comms team | | Scribe | Document timeline | Anyone available | | Subject Matter Experts | Deep knowledge | Paged as needed |
Escalation Triggers
Escalate to leadership when:
- SEV1 lasting >30 minutes
- Data breach suspected
- Customer SLA breach imminent
- Media attention expected
- Regulatory notification required
Related Skills
latestaiagents/skill-testing
development
VerifiedTrustedCommunity
Test skills for correct activation, content quality, and regression — both automated checks (frontmatter validity, lint) and manual verification (query-suite activation testing). Covers CI integration and how to catch skill regressions before users do. Use this skill when adding skills to a repo, setting up CI for a skill library, or debugging "the skill exists but doesn't work". Activate when: test skills, validate skills, skill CI, skill linting, skill activation test, skill regression.
2SKILL.mdUpdated Apr 23, 2026
latestaiagents/skill-frontmatter
documentation
VerifiedTrustedCommunity
Write the YAML frontmatter for a SKILL.md file so it activates reliably — name, description, and activation keywords that the model matches against. Covers length, tone, and the most common frontmatter mistakes. Use this skill when authoring a new skill, fixing a skill that isn't auto-activating, or reviewing skills for publication. Activate when: SKILL.md frontmatter, skill description, skill activation, skill YAML, write a skill, author a skill.
2SKILL.mdUpdated Apr 23, 2026
latestaiagents/skill-activation-patterns
development
VerifiedTrustedCommunity
Design skills that fire at the right moment — neither over-eager (noise) nor under-eager (silent). Covers activation specificity, trigger phrases, disambiguation between overlapping skills, and debugging activation. Use this skill when multiple skills could fire on the same query, a skill never fires, or a skill fires too often. Activate when: skill won't activate, skill over-activates, overlapping skills, skill triggers, skill selection, skill disambiguation.
2SKILL.mdUpdated Apr 23, 2026
latestaiagents/progressive-disclosure
development
VerifiedTrustedCommunity
Structure SKILL.md content so the model reads just enough — concise summary up front, progressively deeper detail, examples on demand. Covers section ordering, length budgets, when to split into multiple skills. Use this skill when writing or refactoring a skill body, one skill has grown too long, or a skill is wordy but not useful. Activate when: SKILL.md structure, skill content, skill too long, split skill, progressive disclosure, skill body.
2SKILL.mdUpdated Apr 23, 2026