# Reusable Incident Templates

All templates use canonical incident fields in `{braces}`. Renderers must apply audience redaction policies before output.

## Engineering Reports

### Full Technical Incident Report

```markdown
# Technical Incident Report: {incident.title}

Incident ID: {incident.id}
Severity: {incident.severity.internal}
Category: {incident.category.name}
Environment: {incident.environment.name}
Status: {incident.status}
Incident Commander: {incident.ownership.incidentCommander.name}
Engineering Lead: {incident.ownership.engineeringLead.name}
Started: {incident.startedAt}
Detected: {incident.detectedAt}
Resolved: {incident.resolvedAt}

## Summary
{incident.summary}

## Impact
{impact.engineeringNarrative}

## Affected Systems
{affectedScope.services}
{affectedScope.assets}
{environment.clusters}

## Timeline
{timeline.internal}

## Detection
{detection.summary}

## Root Cause
{rca.summary}

## Contributing Factors
{rca.contributingFactors}

## Mitigation And Recovery
{recovery.steps}

## Data Integrity / Security Review
{security.exposureAssessment}
{impact.integrity}
{impact.confidentiality}

## Evidence
{evidence.summary}

## Decisions
{decisions}

## Action Items
{actions.accepted}
```

### Engineering Postmortem

```markdown
# Blameless Engineering Postmortem: {incident.title}

## What Happened
{incident.summary}

## User/Customer Impact
{impact.customerExperience}

## Detection
{detection.summary}

## Response
{response.summary}

## What Went Well
{postmortem.wentWell}

## What Went Poorly
{postmortem.wentPoorly}

## Where We Got Lucky
{postmortem.luck}

## Root Cause And Contributing Factors
{rca.summary}
{rca.contributingFactors}

## Corrective And Preventive Actions
{actions.accepted}
```

### Root Cause Analysis

```markdown
# Root Cause Analysis: {incident.title}

## RCA Methods Used
{rca.methodsUsed}

## Five Whys
{rca.fiveWhys}

## Fault Tree
{rca.faultTree}

## Fishbone Categories
- Technical: {rca.technicalFactors}
- Process: {rca.processFactors}
- Human factors: {rca.humanFactors}
- Organizational: {rca.organizationalFactors}
- Monitoring: {rca.monitoringGaps}
- Documentation: {rca.documentationGaps}

## Findings
{rca.findingsWithEvidence}

## Prevention Plan
{actions.riskReduction}
```

### Deployment / Rollback Report

```markdown
# Deployment/Rollback Report: {incident.title}

Deployment: {reliability.deployment}
Rollback: {reliability.rollback}
Change Owner: {change.owner}
Related PRs: {change.pullRequests}
Related Commits: {change.commits}

## Change Summary
{change.summary}

## Validation Performed
{change.validation}

## Failure Mode
{incident.summary}

## Rollback Or Forward Fix
{recovery.steps}

## Guardrails To Add
{actions.deploymentSafety}
```

## Security Reports

### Security Incident Report

```markdown
# Security Incident Report: {incident.title}

Security Severity: {incident.severity.security}
Incident Category: {incident.category.name}
Security Lead: {incident.ownership.securityLead.name}

## Executive Security Summary
{security.executiveSummary}

## Classification
Attack vector: {security.attackVector}
Threat actor: {security.threatActor}
Confirmed compromise: {security.confirmedCompromise}
Data exfiltration: {security.exfiltrationAssessment}

## Timeline
{timeline.security}

## Affected Assets And Accounts
{security.affectedAssets}
{security.compromisedAccounts}

## IOCs / IOAs
{security.iocs}
{security.ioas}

## MITRE ATT&CK Mapping
{security.mitreAttack}

## MITRE D3FEND Mapping
{security.mitreD3fend}

## Containment / Eradication / Recovery
{security.containment}
{security.eradication}
{security.recovery}

## Evidence And Chain Of Custody
{evidence.securityRegister}

## Notifications
{security.notifications}

## Action Items
{actions.security}
```

### SOC Investigation Report

```markdown
# SOC Investigation Report: {incident.title}

## Alert Sources
{security.alertSources}

## Hypotheses
{investigation.hypotheses}

## Queries Run
{investigation.queries}

## Findings
{rca.findingsWithEvidence}

## False Positive / True Positive Determination
{security.determination}

## Detection Rules
YARA:
{security.yaraRules}

Sigma:
{security.sigmaRules}

SIEM:
{security.siemRules}
```

### Regulatory Notification Draft

```markdown
# Regulatory Notification Draft: {incident.title}

Framework/Jurisdiction: {regulatory.framework}
Deadline: {regulatory.deadlineAt}
Legal Review Status: {regulatory.legalReviewStatus}

## Nature Of Incident
{incident.summary}

## Data / Subjects Affected
{regulatory.dataSubjects}
{affectedScope.dataClasses}

## Likely Consequences
{regulatory.likelyConsequences}

## Measures Taken
{recovery.steps}
{actions.accepted}

## Contact
{regulatory.contact}
```

## Executive Reports

### One-To-Two Page Executive Summary

```markdown
# Executive Incident Summary: {incident.title}

## Current Status
{incident.status} as of {generatedAt}

## Business Impact
{impact.business}

## Customer Impact
{impact.customerExperience}

## Risk
{risk.summary}

## Timeline Highlights
{timeline.executiveHighlights}

## Decisions Needed
{decisions.pendingExecutive}

## Actions And Owners
{actions.executive}
```

## Customer Communications

### Initial Incident Notice

```markdown
Subject: We are investigating an issue affecting {customer.serviceName}

Hi {customer.name},

We are currently investigating an issue affecting {customer.visibleImpact}. We identified the issue at approximately {incident.detectedAtLocalized}.

Our team is actively working on it and we will provide another update by {nextUpdateAtLocalized}.

At this time, {customer.actionRequiredSentence}

Thank you for your patience,
{company.supportSignature}
```

### Investigating Update

```markdown
Subject: Update: We are still investigating {customer.serviceName}

We are continuing to investigate {customer.visibleImpact}. Current evidence suggests {customer.nonTechnicalCauseHypothesis}.

Next update: {nextUpdateAtLocalized}
```

### Identified Update

```markdown
Subject: Update: Cause identified for {customer.serviceName} issue

We have identified the cause of the issue affecting {customer.visibleImpact}. The issue is related to {customer.safeCauseSummary}.

We are applying a mitigation now and will provide another update by {nextUpdateAtLocalized}.
```

### Monitoring Update

```markdown
Subject: Update: Fix applied and monitoring

We have applied a fix for the issue affecting {customer.visibleImpact}. We are monitoring the system to confirm the issue remains resolved.

No action is required from you at this time unless you still see {customer.residualSymptom}.
```

### Resolution Notice

```markdown
Subject: Resolved: {customer.serviceName} incident on {incident.date}

The incident affecting {customer.visibleImpact} has been resolved.

Impact window: {incident.startedAtLocalized} to {incident.resolvedAtLocalized}

What happened:
{customer.whatHappened}

What we did:
{customer.whatWeDid}

Security/privacy:
{customer.securityPrivacyStatement}

Customer action:
{customer.actionRequired}

We apologize for the disruption. We will follow up if our continuing review changes this assessment.
```

### Customer FAQ

```markdown
# FAQ: {incident.title}

## What happened?
{customer.whatHappened}

## Was my data accessed by an unauthorized party?
{customer.securityPrivacyStatement}

## Was any data deleted?
{customer.dataLossStatement}

## What should I do?
{customer.actionRequired}

## Who do I contact?
{company.supportContact}
```

## Status Page Updates

### Investigating

```text
We are investigating an issue affecting {statusPage.components}. Users may experience {statusPage.symptoms}. We will provide another update by {nextUpdateAtLocalized}.
```

### Identified

```text
We have identified the cause of the issue affecting {statusPage.components}. We are working on a mitigation and will provide another update by {nextUpdateAtLocalized}.
```

### Monitoring

```text
We have applied a fix and are monitoring recovery. Users should begin seeing normal behavior. We will provide a final update once monitoring is complete.
```

### Resolved

```text
This incident is resolved. Impact window: {incident.startedAtLocalized} to {incident.resolvedAtLocalized}. We will publish a post-incident summary if appropriate.
```

### Scheduled Maintenance

```text
Scheduled maintenance: {maintenance.summary}. Window: {maintenance.startLocalized} to {maintenance.endLocalized}. Expected customer impact: {maintenance.expectedImpact}.
```

## Internal Communications

### Slack / Teams Update

```markdown
**{incident.title} - {incident.status}**

- Severity: `{incident.severity.internal}`
- Commander: {incident.ownership.incidentCommander.name}
- Impact: {impact.current}
- Cause: {rca.currentHypothesis}
- Mitigation: {recovery.currentStep}
- Next update: {nextUpdateAtLocalized}
- Needs: {blockers}
```

### Shift Handover

```markdown
# Incident Handover: {incident.title}

Current state: {incident.status}
Commander: {incident.ownership.incidentCommander.name}

## What We Know
{handover.knownFacts}

## What Is Still Unknown
{handover.unknowns}

## Active Work
{actions.inProgress}

## Watch Items
{handover.watchItems}

## Next Update Due
{nextUpdateAtLocalized}
```

### Executive Notification

```markdown
Subject: {incident.severity.internal} incident update - {incident.title}

Current status: {incident.status}
Business impact: {impact.business}
Customer impact: {impact.customerExperience}
Risk: {risk.summary}
Decision needed: {decisions.pendingExecutive}
Next update: {nextUpdateAtLocalized}
```

## Audit And Compliance Templates

### Evidence Register

```markdown
# Evidence Register: {incident.id}

| ID | Category | Source | Collector | Collected At | SHA-256 | Classification | Integrity | Retention |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
{evidence.tableRows}
```

### Chain Of Custody

```markdown
# Chain Of Custody: {incident.id}

| Evidence ID | Timestamp | Actor | Action | Notes |
| --- | --- | --- | --- | --- |
{evidence.custodyRows}
```

### Decision Log

```markdown
# Decision Log: {incident.id}

| Time | Decision Maker | Decision | Rationale | Evidence |
| --- | --- | --- | --- | --- |
{decisions.tableRows}
```

### Internal Audit Report

```markdown
# Internal Audit Incident Report: {incident.title}

## Scope
{audit.scope}

## Timeline And Controls
{timeline.audit}

## Evidence Reviewed
{evidence.summary}

## Control Gaps
{audit.controlGaps}

## Corrective Actions
{actions.accepted}

## Closure Criteria
{audit.closureCriteria}
```

## Output Format Rules

- Markdown: render full sections with links to evidence IDs.
- HTML: render with audience redactions and accessible headings.
- PDF: generate from approved HTML snapshot with document hash.
- JSON: export canonical model or redacted view model.
- CSV: export timeline, evidence register, action items, and communications log.
- Plain text: use status page/customer-safe redaction profile.

