Incident Report

How to Write Incident Reports That Actually Prevent Recurrence

The point of an incident report isn't blame — it's learning. The best post-mortems turn a bad night into permanent improvements. But most incident reports either get written weeks late (losing critical detail) or focus on the timeline without extracting the lessons. Here's how to write one that actually changes things.

Write It Within 24 Hours

An incident report written two weeks after the incident is fiction. Details are fuzzy, emotions have cooled, and the urgency to fix things has faded. Write the report within 24 hours while the Slack thread, dashboards, and frustration are all fresh. Struq makes this fast: paste the Slack thread and you have a structured report in seconds.

The Timeline Is the Foundation

A good incident timeline is specific to the minute. Not "around 3 AM, Derek noticed the issue" but "2:52 AM — Derek checks dashboards, sees database CPU at 98%." Precise timelines reveal response gaps, show where diagnosis went wrong, and help calibrate alert thresholds. Pull timestamps from Slack messages, PagerDuty, and monitoring tools.

Root Cause vs. Contributing Factors

The root cause is the thing that broke. Contributing factors are the things that let it happen. A missing index is the root cause. Lack of query review, no resource limits, and no runbook are contributing factors. This distinction matters because fixing the root cause prevents this exact incident, but fixing the contributing factors prevents an entire category of incidents.

Impact Should Be Concrete

"The site was slow" doesn't create urgency. "12,000 users affected, API degraded for 35 minutes, payment webhooks delayed" creates urgency. Quantify impact in terms leadership cares about: users affected, revenue at risk, data integrity, SLA breach status. This is what determines whether your action items get prioritized or ignored.

Action Items Need Owners and Deadlines

"Improve monitoring" is not an action item. "Add query execution time monitoring and alerting (Observability team, next sprint)" is an action item. Every action item from a post-mortem should have an owner, a deadline, and a tracking ticket. If it doesn't have these, it won't get done.

Blameless Doesn't Mean Unaccountable

Blameless post-mortems aren't about avoiding responsibility — they're about creating an environment where people share what actually happened instead of covering their tracks. The analytics team should feel safe saying "we bypassed query review." The on-call should feel safe saying "I misdiagnosed the issue for 15 minutes." That honesty is what prevents the next incident.

From Slack Chaos to Clean Post-Mortem

Paste the Slack thread from the incident channel, PagerDuty alerts, or your raw notes. Struq extracts the structured incident report — title, severity, timeline, root cause, impact, contributing factors, action items, and lessons learned. Get the post-mortem done while the details are still fresh.