incident response and management

Processes and tooling for detecting, triaging, mitigating and learning from production incidents, using runbooks, severity classification, on-call rotations and postmortems; performing incident response involves alerting (PagerDuty), incident coordination, root-cause analysis, rollback or mitigation actions, and documenting follow-up remediation and SLA updates.

incidentresponseandmanagement

12-Month Skill Trend

Momentum and market value over time
Trending
Score
+20 in 12 mo
96
12 mo agoNow
Career
Value
+$12K in 12 mo
$42K/year
12 mo agoNow

Recommended Survey Paper

Quick overview of the field
View more

Must-Read Papers

Most classic and influential ideas
View more

DrP: Meta's Efficient Investigations Platform at Scale

Dec 03, 2025
SS
Shubham Somani
🏛️ Meta

In large-scale systems, on-call engineers rely on manual procedures or ad-hoc scripts for incident investigation, resulting in high mean time to resolution (MTTR), elevated operational overhead, and diminished productivity. This paper introduces DrP—the first end-to-end automated investigation framework designed for heterogeneous domains including services, AI/ML, and mobile systems. DrP’s key contributions are: (1) a declarative SDK enabling low-code development of reusable, domain-agnostic analysis logic; (2) a distributed execution engine with a plugin-based architecture supporting high-concurrency diagnostics and deep integration with alerting, event management, and remediation systems; and (3) a unified abstraction layer that transparently insulates users from infrastructure heterogeneity. Deployed at scale within Meta, DrP executes ~50,000 analyses daily across 300+ engineering teams, reducing average MTTR by 20% overall and up to 80% in specific scenarios—significantly enhancing SRE responsiveness and system observability.

Automates manual investigation processes to reduce incident resolution timeProvides an end-to-end framework for scalable, automated incident analysis and mitigationReduces on-call toil and improves productivity in large-scale systems

Agentic Troubleshooting Guide Automation for Incident Management

Oct 11, 2025
JM
JIAYI MAO
🏛️ Tsinghua University | Microsoft | Microsoft Research

Manual execution of Troubleshooting Guides (TSGs) in large-scale IT systems is inefficient and error-prone, while existing LLM-based approaches struggle with poor TSG quality, complex control flow, data-intensive queries, and parallel execution requirements. Method: We propose an end-to-end automation framework comprising: (i) TSG Mentor to enhance guide quality; (ii) an offline phase leveraging LLMs to construct a structured execution DAG and generate domain-specific Query Preparation Plugins (QPPs); and (iii) an online phase employing a DAG-guided, memory-augmented scheduler and executor that ensures correctness and enables task-level parallelism. Results: Evaluated on real-world TSGs and incidents, our framework achieves a 94% success rate with GPT-4.1—significantly outperforming baselines—and reduces execution time for parallelizable TSGs by 32.9%–70.4%, while also improving token efficiency and latency.

Addressing LLM limitations in handling complex control flow and data queriesAutomating troubleshooting guides to reduce manual execution errors and delaysImproving parallel execution efficiency for IT incident management workflows

Incident Analysis for AI Agents

Aug 19, 2025
CE
Carson Ezell
🏛️ Harvard University | Centre for the Governance of AI

Current AI agent incident reporting mechanisms suffer from critical limitations: they rely solely on publicly available data, omitting sensitive yet essential internal execution traces—such as reasoning chains and tool invocation logs—thereby hindering identification of root causes. This work pioneers the application of systems safety principles to AI agent incident analysis, proposing a novel “Systemic–Contextual–Cognitive” tri-dimensional causal framework. We design an integrated attribution methodology combining activity log analysis, system documentation review, and tool behavior tracing. Furthermore, we specify mandatory fields for incident reports and define a minimal sensitive dataset that developers and deployers must retain—including reasoning trajectories, API call sequences, and environmental context. Our contributions establish both a theoretical foundation and practical guidelines for building explainable, reproducible, and intervenable AI agent incident response mechanisms. (149 words)

Addressing insufficient incident reporting processes for AI agent failuresAnalyzing AI agent incidents to understand causes and prevent harmProposing a framework to identify system, contextual, and cognitive factors

This work addresses the challenges of root cause diagnosis in large-scale microservice systems, where existing approaches are hindered by massive log volumes, limited LLM context windows, and insufficient semantic reasoning and interpretability. The authors propose a neuro-symbolic hybrid method that emulates Site Reliability Engineers’ manual troubleshooting process through a six-stage pipeline for log sampling, template clustering, and anomaly ranking, producing a concise evidence package for LLM-based root cause inference. This approach compresses raw logs by 1,000–7,000× while preserving critical failure signals and provides auditable log templates and statistical evidence, substantially enhancing interpretability and practicality. Evaluated on 11 real-world incidents, the method achieves an MRR of 0.790 and ranks the correct root cause within the top three candidates in over 90% of cases within one minute, earning strong endorsement from operations teams.

incident diagnosislarge-scale systemslog analysis

TrioXpert: An automated incident management framework for microservice system

Jun 11, 2025
YS
Yongqian Sun
🏛️ Nankai University | Haihe Laboratory of Information Technology Application Innovation | BizSeer | National University of Defense Technology | Chinese Academy of Sciences | Lenovo

Existing event management approaches for large-scale microservice systems rely on unimodal data, struggle to jointly perform anomaly detection, failure classification, and root-cause localization, and lack interpretability. To address these limitations, this paper proposes the first end-to-end multi-task joint optimization framework for automated fault management. Our method introduces a novel three-channel heterogeneous data processing pipeline that fuses multimodal telemetry—metrics, logs, and distributed traces—and incorporates an LLM-augmented collaborative reasoning mechanism to enable modality-specific feature extraction and unified training. Evaluated on two mainstream microservice benchmarks, our framework achieves improvements of 4.7%–57.7% in anomaly detection, 2.1%–40.6% in failure attribution, and 1.6%–163.1% in root-cause localization. Moreover, it generates verifiable, step-by-step reasoning evidence, substantially enhancing model interpretability and operational utility.

Automated incident management in microservice systemsHandling multiple tasks with multimodal dataImproving interpretability with reasoning evidence

Latest Papers

What's happening recently
View more

This work addresses the limited interpretability and accountability of large language models (LLMs) in root cause analysis, which hinder their applicability in high-stakes operational settings requiring rigorous evidence chains, hypothesis comparison, and uncertainty handling. The authors propose JustDiag, a diagnostic argumentation engine that introduces, for the first time, an explicit modeling of the diagnostic reasoning process into root cause analysis. JustDiag structures and maintains states such as evidence, findings, competing hypotheses, conflicts, and follow-up checks to enable traceable and auditable inference, complemented by a calibration mechanism that explicitly accounts for uncertainty. Integrating LLMs with a structured reasoning framework, the approach employs a two-tier evaluation protocol to assess both outcome and reasoning quality. Experiments on 66 real-world incidents demonstrate that JustDiag significantly outperforms non-argumentative baselines in both outcome and process scores, exhibiting superior uncertainty retention despite a slightly lower completion rate.

accountabilitydiagnostic justificationincident response

This work addresses a critical gap in microservice fault diagnosis: while existing methods can accurately identify root causes, they often fail to generate effective and executable recovery actions, preventing true system restoration. To bridge this gap, the authors propose R2Act, a novel framework that formally defines a recovery-oriented action space, introduces metrics for action effectiveness, and establishes an offline evaluation protocol. They also construct a benchmark dataset comprising 302 real-world Kubernetes faults, annotated with root causes and synchronized multimodal observations. Leveraging techniques such as action modeling and retrieval-augmented generation (RAG) enhanced large language models (LLMs), the study systematically evaluates the entire pipeline from diagnosis to recovery. Experimental results reveal that despite root cause localization accuracy ranging from 91.4% to 99.7%, the effectiveness of generated recovery actions remains limited at only 36.8%–60.3%, highlighting a key bottleneck in current LLM-based recovery decision-making.

diagnosis-to-action reasoningincident responselarge language models

This work addresses the vulnerability of existing LLM-driven microservice root cause analysis (RCA) agents to early reasoning errors that lead to diagnostic failure and their inability to localize or correct such mistakes. The study introduces a novel formulation of RCA errors as stage-localizable reasoning flaws and proposes a structured four-stage framework—comprising evidence bundles, hypothesis sets, analytical structures, and decision reports. To enhance robustness, it integrates stage-level auditing, budget-aware fast-slow path routing, counterfactual candidate evaluation, and stage-specific patch replay mechanisms. Implemented via LangGraph, the system demonstrates significant improvements in root cause localization and fault classification accuracy on both public benchmarks and real-world production data, precisely identifying erroneous stages and successfully repairing most execution trajectories within one to two iterations, thereby substantially improving agent debuggability and self-repair capability.

AIOpsLLM-based AgentsMicroservices

This work addresses a critical gap in the safety mechanisms of large language model (LLM) agents, which predominantly focus on preventive measures and lack capabilities for responding to and recovering from incidents after they occur. To bridge this gap, the authors propose AIR—the first incident response framework tailored for LLM agents—that integrates semantic anomaly detection, tool-driven containment, and recovery mechanisms within the agent’s execution loop. AIR also leverages a domain-specific language to automatically generate protective rules, enabling autonomous management across the full incident lifecycle. Experimental evaluation demonstrates that AIR achieves over 90% success rates in detection, remediation, and eradication across three representative agent types, with automatically generated rules performing comparably to handcrafted ones, all while maintaining acceptable runtime overhead.

autonomous systemsfailure recoveryincident response

This work addresses the significant challenge of real-time identification of actionable technical risks from high-noise, high-throughput, and semantically complex customer event streams in enterprise systems. The authors propose an end-to-end risk discovery system that innovatively integrates large language models (LLMs) with an efficient indexing mechanism. Through a multi-stage event linking strategy, cascaded routing, and a multidimensional denoising pipeline—combining domain knowledge, statistical patterns, and behavioral filtering—the system achieves precise, low-latency risk extraction and accurate business attribution. Evaluated in a real-world production environment processing an average of 300,000 events per day with peaks of 2,000 events per minute, the system demonstrates a P90 alert latency of only 3.5 minutes and a 95% detection rate for high-priority events, substantially outperforming existing baseline approaches.

cloud-native servicesenterprise-scale anomaly discoveryincident signal extraction

Hot Scholars

MR

Milena Radenkovic

University of Nottingham UK, Microsoft Research Ltd, Cambridge, UK
Complex networksComplex GraphsAI and ML and AnalyticsSecurity and Privacy
TA

Tawfiq Ammari

Assistant Professor, Rutgers University School of Communication and Information
Data ScienceHuman-Computer InteractionCSCWSTS
CR

Casey Randazzo

University of California Santa Barbara
Collective ActionComputational Social ScienceComputer-Mediated Communication
KY

Kai Yin

Expedia Group
TransportationAutonomous VehiclesStochastic ModelingApplied Statistics
ZC

Zirong Chen

Vanderbilt University
cyber physical systemsnatural language processingartificial intelligencemachine learning