Skip to content

Incident Response

Prime #
912
Origin domain
Operations Safety
Subdomain
acute phase management → Operations Safety

Core Idea

Incident response is the pattern by which a system facing acute, time-critical disruption engages a temporary command regime that prioritizes stabilization over diagnosis, accepts reversible degradation, defers root-cause analysis until the acute phase ends, and compresses decision authority into one commander — inverting normal-operations priorities for the duration only.

How would you explain it like I'm…

Put The Fire Out First

When a fire alarm rings, you don't stop to figure out *why* it started — you just get everyone out safely first. One grown-up takes charge and gives the orders so nobody runs in different directions. You can find out what caused the fire *later*, once everyone is safe. Right now, the only job is to make things safe fast.

Safe First, Why Later

Incident response is what a team does when something suddenly goes very wrong and fast — a fire, a big outage, an emergency in a hospital. The surprising rule is that during the emergency you do *not* try to make things perfect, and you do *not* stop to find the root cause; you just get to a safe-but-limping state as quickly as you can. One person becomes the commander and makes the calls, instead of everybody deciding together like normal. You also protect the evidence and save the deep investigation for *after* the crisis is over, because trying to diagnose while everything is on fire only makes the response worse.

Stabilize Before Diagnose

Incident response is the pattern by which a system hit with an acute, time-critical disruption switches into a temporary command regime that prioritizes *stabilization over diagnosis*. The defining move is an inversion of normal priorities: during the acute phase the goal is not peak performance, not finding the cause, and not following the usual careful process — it's to reach a safe-but-degraded state fast and preserve the ability to recover later. Six commitments shape it: a trigger event displaces normal operation; detection registers it after a delay that itself matters; a containment step limits the spread before any fix; a stabilization step reaches a safe (often degraded) state; root-cause analysis is *deferred* until the acute phase ends, because diagnosing under time pressure is unreliable and competes for the same attention; and decision authority is *compressed* into one commander for the duration. Its whole point is licensing the counterintuitive moves — act on partial information, accept rework, override normal authority, truncate diagnosis, and save forensic evidence rather than acting on it now — because running the normal playbook during an incident actively makes things worse.

 

Incident response is the structural pattern by which a system facing an acute, time-critical disruption engages a temporary command regime that prioritizes stabilization over diagnosis, accepts reversible degradation to limit the disruption's blast radius, defers root-cause investigation until the acute phase ends, and compresses decision authority into a designated commander operating under explicit time pressure and partial information. The defining commitment is the inversion of normal-operations priorities: during the acute phase the objective is *not* to optimize performance, *not* to identify causes, and *not* to follow standard deliberative process — it is to reach a safe-but-degraded state quickly and preserve the ability to recover later. The pattern names the acute phase as its own regime with its own optimization target, distinct from the post-mortem that follows. Six commitments give it shape: a trigger event (breach, outage, mass casualty, hull breach, market dislocation) displaces normal operation; a detection step registers the trigger after a non-trivial, operationally significant delay; a containment step limits spread before any fix; a stabilization step reaches a safe, often degraded, state; a deferred root-cause analysis waits until the acute phase closes, because diagnosis under time pressure is unreliable and competes with stabilization for attention; and a compressed command structure (incident commander, attending physician, on-call SRE) absorbs authority normally distributed across the organization, for the acute phase only. Its distinctive content is that without it practitioners run normal-operations playbooks during incidents — full information-gathering, distributed decision-making, deliberative consultation, optimization for outcome quality — and those playbooks actively degrade acute-phase outcomes. The prime licenses the otherwise-counterintuitive moves: act on partial information, accept rework, override authority chains, truncate diagnosis, and preserve forensic state for later. Its heavily institutional vocabulary — commander, containment, post-mortem — travels as a recognizable organizational form.

Broad Use

  • Cybersecurity: the NIST IR cycle and SANS PICERL — a compromised host is isolated (contained) before the attacker is removed.
  • Emergency medicine: the ABC primary survey stabilizes before the secondary survey diagnoses.
  • Disaster management: FEMA/ICS separates the command-driven Response phase from the distributed-authority Recovery phase.
  • Site reliability engineering: mitigate before resolve; root-cause lives in the post-mortem after the page closes.
  • Military operations: react-to-contact drills compress authority into the small-unit leader for the duration of contact.
  • Aviation: aviate-navigate-communicate ordering and engine-fire memory items act now on partial information.

Clarity

Makes the phase boundary an explicit object: at any moment "are we still in the acute phase?" has a definite answer that determines which playbook applies.

Manages Complexity

Compresses a large family of substrate-local frameworks into one six-element skeleton, and supplies a shared intervention catalogue — pre-staged playbooks, named command roles, reversibility-preserving moves, forensic discipline.

Abstract Reasoning

Licenses the counterintuitive moves — act reversibly on partial information, preserve forensic state for later, and judge an incident's handling by what was pre-staged in the calm phase, not by acute-phase heroics.

Knowledge Transfer

  • Emergency management: the Incident Command System migrated from fire service into hospital incident command and business continuity.
  • Surgical teams: Crew Resource Management moved from aviation into trauma resuscitation.
  • Software operations: the SRE incident-command model is explicitly modeled on NIMS/ICS.

Example

In trauma resuscitation under ATLS, the ABC ordering secures a collapsing airway before any imaging completes — the medical analogue of "isolate, don't eradicate" — and diagnosis is deferred to the secondary survey.

Relationships to Other Primes

One-hop neighborhood: parents above, mutual partners to the right, children below.Incident Responsesubsumption: Event Lifecycle PhasesEvent LifecyclePhases

Parents (1) — more general patterns this builds on

  • Incident Response is a kind of Event Lifecycle Phases — The file states it outright: incident_response IS "that middle phase specifically, examined from within" — the acute phase of the pre/event/post trichotomy that event_lifecycle_phases (valid candidate, CAND-R25-015-02, already a Phase-C link) spans. event_lifecycle_phases allocates effort ACROSS the three regimes; incident_response is the acute regime's internal structure. Clean part-of/child-of (a phase within the lifecycle), explicitly the "broader frame incident response sits inside." High conviction. Distinct from controlled_reentry (the adjacent return phase, not a parent) which Phase-C correctly kept separate.

Path to root: Incident ResponseEvent Lifecycle PhasesState and State Transition

Not to Be Confused With

  • Incident Response is not Controlled Reentry because controlled reentry is the governed return of a system to normal operation across a boundary, whereas incident response is the acute-phase regime that precedes any return — it governs while the system bleeds.
  • Incident Response is not Event Lifecycle Phases because that frame spans the whole pre/event/post trichotomy and allocates effort across all three, whereas incident response is the acute phase specifically, with its own inverted optimization target.
  • Incident Response is not Local Autonomy / Tiered Escalation because tiered escalation is a standing governance structure, whereas incident response compresses distributed authority into one commander temporarily, then relinquishes it.