An incident note is useful only if it makes the next related deployment easier to reason about. It should not be a blame document, and it should not be a vague apology. It should preserve evidence while the dashboard, logs, and chat context are still fresh.
A good note separates facts, impact, cause, detection gaps, and follow-up work. Mixing those together creates a story that feels complete but is hard to act on later.
Use a fixed note shape
A small template prevents the team from skipping the uncomfortable parts:
Title:
Date:
Owner:
Status:
Summary:
Customer impact:
Timeline:
Detection:
Trigger:
Contributing factors:
Mitigation:
What was not affected:
Follow-up work:
Open questions:This is enough structure for most internal incidents. The template is not the point; the separation is.
Keep the timeline factual
The timeline should be boring and timestamped:
09:42 deploy 1842 started
09:47 invoice export queue depth began rising
09:55 first customer support ticket mentioned missing PDF exports
10:03 on-call acknowledged queue alert
10:11 deploy rolled back
10:24 exports resumed for new requests
10:51 delayed export jobs drainedDo not put interpretation in this section. “Bad migration caused outage” belongs in cause analysis, not the timeline.
Describe impact in product language
“The worker failed” is not impact. Support and product teams need to know what users experienced.
Affected: Team and Business accounts exporting invoices between 09:47 and 10:24
User-visible effect: PDF export requests stayed in pending state
Data impact: no invoice data lost; 318 export jobs delayed
Recovery: delayed jobs completed by 10:51 after rollback
Not affected: invoice creation, payment collection, admin invoice viewThis boundary prevents future responders from overgeneralizing the incident.
Connect trigger to missing protection
A deploy can trigger an incident without being the only cause. The deeper cause may be an unsafe migration, missing overlap test, weak alert, unclear ownership, or retry behavior nobody exercised.
Write it plainly:
Trigger: deploy 1842 changed invoice_export_jobs payload shape.
Contributing factor: workers from deploy 1841 were still processing old jobs.
Missing protection: no compatibility test covered old job payloads after the schema change.This makes follow-up work specific instead of moral.
Record the detection gap
If a customer reported the issue before monitoring did, that is part of the incident. If an alert fired but nobody owned it, that is also part of the incident.
Detection gap:
Queue depth alert fired at 10:00, 13 minutes after impact began.
Support ticket arrived at 09:55.
Follow-up: lower warning threshold for invoice export queue and add dashboard panel to release checklist.The goal is not to sound defensive. The goal is to improve the next detection path.
Make follow-up work assignable
Avoid follow-ups like “improve monitoring” or “make migrations safer.” Write work that can be assigned and verified:
- Add worker payload compatibility test for invoice exports
- Document rollback order for web and worker deploys
- Add queue-depth panel to billing release dashboard
- Remove manual export retry step from runbook after automation landsAn incident note earns its keep when someone opening it during the next deployment can see exactly what changed because of the last failure.