Prompt Engineering
AI prompts for incident postmortems: timeline, root cause, and action items (without blame)
A practical prompt workflow for incident postmortems: build a timeline from evidence, separate hypotheses from facts, and produce specific action items a team can actually ship.
Editor’s summary
What this workflow helps you do
A good postmortem is a learning artifact, not a performance review. It should answer four questions: what happened, what the impact was, why it happened (as a chain of factors), and what will change so it is less likely to happen again.
The prompts below are designed to turn an incident’s raw material—alerts, dashboards, tickets, chat logs, and notes—into a draft you can review with the team. The key is guardrails: the model must cite what it used, label uncertainty, and never fill gaps with plausible fiction.
Principles
Blameless does not mean consequence‑free
Blameless postmortems are about creating an environment where people can share what they saw and what they did without fear, so the organization can learn. The goal is not to pretend mistakes never happen. The goal is to understand which system conditions made the mistake possible and which controls failed to catch it earlier.
When you involve AI, the same principle applies: you want a draft that makes it easier to talk about decisions and system behavior, not a polished story that makes the incident look inevitable in hindsight.
Setup
Build an evidence packet before you run prompts
If you paste only a few sentences into a model and ask for a complete postmortem, you will get a confident narrative that is almost guaranteed to be wrong. Instead, create an evidence packet that the model can reference explicitly.
Use a single shared document with: incident start/end timestamps (if known), alert names, metric screenshots or links, key log excerpts, ticket IDs, deploy IDs, and a short list of participant roles. If anything is unknown, mark it unknown.
Time window: when impact likely began and ended (with timezone).
Detection: what alerted first and why it mattered.
Customer impact: what users experienced and which segments were affected.
Evidence links: dashboards, traces, logs, incident channel, tickets, PRs, deploys.
Key decisions: rollbacks, mitigations, feature flags, comms updates.
Prompt 1
Evidence normalization prompt: turn raw inputs into a clean fact table
Start by asking the model to normalize your inputs into a table of facts. This becomes your “do not hallucinate” anchor for the rest of the workflow.
You should get back: a list of sources, a list of hard facts extracted from those sources, and a list of unknowns that require follow-up.
Copy-ready prompt
You are an incident postmortem analyst. Using ONLY the evidence below, create a "Facts and Unknowns" table. Evidence packet (paste): [PASTE LINKS / LOG EXCERPTS / NOTES] Output: 1) Sources used (bullets; include ticket IDs, links, dashboards, timestamps) 2) Facts table (10–30 rows): timestamp (with timezone) | observation | source reference | confidence (High/Med/Low) 3) Unknowns list (bullets): what is missing, how to verify it, and who might know Rules: - Do not invent events or metrics. - If a timestamp is missing, write "Unknown" and explain what is needed. - If something is implied but not explicit, label it as a hypothesis, not a fact.
Prompt 2
Timeline prompt: build a reviewable incident narrative with gaps called out
A timeline is the backbone of the postmortem. It should include detection, escalation, mitigation, recovery, and comms updates, but it should also include gaps and ambiguity.
The goal is not a perfect story. The goal is a draft the team can correct quickly because every line points back to evidence.
Copy-ready prompt
Act as an SRE incident scribe. Input: - Facts table: [PASTE FACTS TABLE] Output: 1) Incident timeline (chronological): timestamp | event | evidence reference | confidence 2) Phase markers: Detection, Triage, Mitigation, Recovery, Follow-up (insert where appropriate) 3) Gaps and questions: list missing events or unclear transitions Rules: - Every timeline line MUST cite an evidence reference. - If you cannot cite evidence, do not include the line. - Prefer short, factual events. Avoid adjectives and hindsight language.
Prompt 3
Impact statement prompt: internal and external versions
Impact writing is where teams accidentally minimize or exaggerate. Ask for two drafts: one internal (detailed, operational) and one external (customer-safe, plain language).
Do not let the model speculate about customer counts or revenue unless you provide those numbers.
Copy-ready prompt
You are writing incident impact statements. Inputs: - Facts table: [PASTE FACTS TABLE] - Known impact details (if any): [PASTE CUSTOMER IMPACT INFO] Outputs: A) Internal impact statement (3–6 bullets): what broke, who was affected, severity, duration, and how we detected it B) External customer-safe summary (2–5 sentences): what customers experienced, timeframe, current status, and what we're doing next C) Uncertainty notes: what we still do not know (bullets) Rules: - Do not invent numbers, geography, or customer segments. - If scope is unknown, say it is unknown and propose how to measure it.
Prompt 4
Contributing factors prompt: separate causes, conditions, and triggers
Postmortems often fail at "why" because they collapse everything into one root cause. A better structure separates triggers (the immediate event), contributing factors (conditions that made it possible), and controls that failed (detection, safeguards, tests, reviews).
Ask the model for competing hypotheses and require it to list evidence for each one.
Copy-ready prompt
Act as a reliability investigator. Input: - Timeline: [PASTE TIMELINE] - Facts table: [PASTE FACTS TABLE] Output sections: 1) Trigger event (1–3 bullets) 2) Contributing factors (5–12 bullets), grouped by: People/Process, Software/Systems, Infrastructure, Data, External dependencies 3) Failed or missing controls (5–10 bullets): tests, alerts, dashboards, runbooks, reviews, feature flags, rate limits, etc. 4) Causal hypotheses (2–5): hypothesis | supporting evidence | counter-evidence | confidence (High/Med/Low) 5) What would have prevented or reduced impact (3–7 bullets) Rules: - Do not assign blame to individuals. - If evidence is weak, lower confidence and ask for what evidence would confirm it. - Keep hypotheses falsifiable (they should be testable).
Prompt 5
Action items prompt: ship‑able changes with owners, deadlines, and verification
A postmortem is only valuable if it changes the system. The fastest way to waste the incident is to produce vague action items with no ownership.
Use AI to propose actions, but require the structure teams use to actually deliver: scope, owner, due date, verification, and risk tradeoff.
Copy-ready prompt
You are an incident follow-up owner. Inputs: - Contributing factors + failed controls: [PASTE] - Constraints: [TEAM SIZE, ONCALL LOAD, CHANGE FREEZES, ETC.] Create a prioritized action plan. Output: 1) Action items (8–16), each with: - Title - Category (Prevent / Detect / Mitigate / Recover / Educate) - Owner role (not a person’s name) - Effort (S/M/L) - Deadline (relative is fine: 1w/2w/30d) - Verification (how we will prove it works) - Dependencies (if any) 2) Top 3 "must do" actions and why 3) Actions we should NOT do (nice-to-haves) and why Rules: - Avoid vague verbs like "improve" or "enhance". - Prefer actions that reduce blast radius or shorten detection/mitigation time. - If an action requires data not provided, ask a clarifying question.
Drafting
Final postmortem assembly prompt: produce a draft that the team can edit
Once you have facts, a timeline, impact writing, hypotheses, and action items, you can ask for a full postmortem draft. This is where AI saves the most time—but only after the earlier steps force accuracy.
Keep the output editable. The model should format a clear report with headings, but it should not try to sound like marketing.
Copy-ready prompt
Assemble a complete incident postmortem from the inputs below. Inputs: - Incident title: [WRITE A SHORT TITLE] - Timeline: [PASTE] - Impact statements: [PASTE] - Contributing factors + hypotheses: [PASTE] - Action items: [PASTE] Output (Markdown): 1) Summary (3–6 bullets) 2) Customer impact 3) Timeline 4) Root cause & contributing factors (clearly label hypotheses vs facts) 5) What went well / what didn’t 6) Where we got lucky (optional) 7) Action items (table) 8) Follow-up communication plan (internal + external) Rules: - Do not invent details. - Any claim without evidence should be labeled as "Hypothesis". - Keep tone factual and blameless.
Quality control
Hallucination checks: how to review AI-assisted postmortems fast
AI makes postmortems faster, but it also creates a new failure mode: plausible but false details that slip into a narrative because nobody has time to reread everything.
A simple review approach is to treat the timeline and impact as “high risk” sections. Require evidence links for every key event, and spot-check a handful of events against the original sources.
Pick 5 random timeline events and verify the timestamp and evidence reference.
Check that every action item maps to a contributing factor or failed control.
Ensure customer-impact statements match the known scope (or explicitly mark unknowns).
Watch for hindsight bias phrases ("should have known", "obviously"). Remove them.
If the model claims a metric changed, require the chart or query that proves it.
Internal links
Make the workflow repeatable
If you run incidents more than a few times per year, treat your postmortem process like a product. Standard prompts, templates, and review checks reduce cognitive load when the team is tired.
Store the prompts as a kit and iterate after each incident. Over time, your prompts become a reliable operating system for learning and follow-through.
Sources
Further reading
For deeper guidance on blameless culture and postmortem structure, these references are a good baseline. Your prompts should reflect the same principles: evidence, learning, and a focus on systems.
Related agent skill
Research Brief Agent Skill
A repeatable workflow for converting a complex topic into a clear research brief with assumptions, sources, argument map, risks, and next actions.
Free NEOA resource
Get the free prompt pack
Download a curated prompt pack and turn your incident workflow into a repeatable kit.
View resourceFree prompt pack
Get the prompt pack behind practical AI workflows.
Download 50 prompts for SEO, content, research, and business automation, then use them with this guide to make the workflow repeatable.
Free download
Get the prompt pack.
Choose your main interest and unlock the Markdown download.
Free during NEOA beta. You can download after submitting the form.
FAQ
Common questions
Can AI write a postmortem without logs and evidence?
Not safely. Without concrete inputs, the model will fill gaps with plausible guesses. Use AI to structure evidence you provide (logs, tickets, timelines, notes), then review and correct the draft with the team.
How do I prevent hallucinations in an AI-assisted postmortem?
Force traceability in your prompts: every timeline event needs an evidence reference, uncertainty must be labeled, and anything without proof is a hypothesis. Then spot-check the highest-risk sections (timeline and impact) against the original sources.
What makes an action item "good" after an incident?
Good action items are specific, owned, and verifiable. They usually reduce blast radius, improve detection, speed mitigation, or eliminate a known failure mode. Avoid vague items with no owner, deadline, or test plan.
Should we publish our postmortems publicly?
Sometimes. Public postmortems can build trust, but they require careful customer-safe wording and security review. Many teams write two versions: an internal learning report and an external summary focused on impact, resolution, and prevention.
Final recommendation
Make the workflow repeatable before you scale it.
Use AI to accelerate the boring parts—structuring notes, drafting sections, and checking for gaps—then keep humans responsible for accuracy, judgment, and follow-through.