Incident Communication Templates: What to Say During an Outage

1. Investigating — problem detected, cause unknown. First message.

2. Identified — cause found, fix in progress.

3. Monitoring — fix deployed, watching recovery.

4. Resolved — issue resolved, service restored.

Title: [Component] — Degraded Performance / Partial Outage

When: Within 5 minutes of detection

We are investigating reports of [increased error rates / slow response times /
unavailability] affecting [Component Name].

Some users may experience [specific impact: failed API calls / slow page loads /
inability to log in].

Our team is actively investigating. We will provide an update within 30 minutes.

Posted at: [timestamp]

Key elements: what's affected, impact on users, when the next update is coming. Don't name the cause if you're unsure.

We have identified the cause of [the issue / degraded performance] affecting
[Component Name].

[Brief, non-technical explanation: A database issue is causing delays in
processing requests / A configuration change caused some API requests to fail].

Our team is implementing a fix. We expect service to be restored within
[estimated time].

Affected: [list of affected capabilities]
Not affected: [list of unaffected capabilities — helps reassure users]

Posted at: [timestamp]

Key elements: cause (high-level), ETA, what's not affected (reduces panic).

A fix has been implemented for the [Component Name] issue. We are monitoring
the situation to confirm full recovery.

[Most / All] users should now be able to [access the service / process
requests] normally.

If you continue to experience issues, please [clear your cache / try again
in a few minutes / contact support].

We will post a final update once we confirm the issue is fully resolved.

Posted at: [timestamp]

The issue affecting [Component Name] has been resolved. All services are
operating normally.

Summary:
- Duration: [start time] to [end time] ([X] minutes)
- Impact: [brief description of what users experienced]
- Cause: [one-line root cause]
- Resolution: [one-line fix description]

We apologize for any inconvenience. A detailed post-incident review will
be published within [24/48] hours.

Posted at: [timestamp]

Subject: [Service Name] — [Component] experiencing issues

Hi,

We're currently experiencing [brief description] affecting [Component].

What's happening: [1-2 sentences about the impact]
What we're doing: Our team is investigating and working on a resolution.
Current status: [Investigating / Identified / Monitoring]

You can follow live updates on our status page: [status page URL]

We'll send another update when the situation changes.

— [Your Company] Team

Subject: [Resolved] [Service Name] — [Component] issue resolved

Hi,

The issue affecting [Component] has been resolved. Services are back
to normal.

Duration: [X] minutes ([start] to [end])
Impact: [what users experienced]
Resolution: [brief non-technical explanation]

We apologize for any disruption. If you have questions, please contact
our support team at [email/link].

A detailed post-incident report will be available at: [link]

— [Your Company] Team

🔴 INCIDENT — [P1/P2] — [Component] [down/degraded]

Impact: [what's broken, who's affected]
Detection: [how it was found — AtomPing alert / customer report / internal]
IC (Incident Commander): @[name]
Status page: [link]
War room: [Slack channel / Zoom link]

@on-call — please acknowledge

🟡 UPDATE — [Component] incident — [HH:MM]

Current status: [Identified / fix in progress]
Root cause: [technical explanation for the team]
Next steps: [what's being done now]
ETA: [estimated resolution time]
Blockers: [if any]

Next update in [15/30] minutes

POST-INCIDENT REVIEW — [Date] — [Component]

Duration: [start] to [end] ([X] minutes)
Severity: [P1/P2/P3]
Impact: [number of affected users/requests, revenue impact if applicable]
Detection: [how and when — AtomPing alert at HH:MM, customer report, etc.]
Time to detect: [X] minutes
Time to resolve: [X] minutes

TIMELINE:
[HH:MM] — AtomPing alert: [Component] HTTP check failed
[HH:MM] — On-call acknowledged, began investigation
[HH:MM] — Root cause identified: [description]
[HH:MM] — Fix deployed
[HH:MM] — Service confirmed restored
[HH:MM] — Status page updated to Resolved

ROOT CAUSE:
[2-3 paragraphs explaining what went wrong technically]

WHAT WENT WELL:
- [Detection was fast — 30s via AtomPing]
- [Runbook existed and was followed]
- [Status page kept customers informed]

WHAT COULD BE IMPROVED:
- [Detection: monitor X endpoint was missing]
- [Response: escalation was delayed by Y minutes]
- [Communication: first status page update was late]

ACTION ITEMS:
- [ ] [Specific fix to prevent recurrence] — Owner: @name — Due: [date]
- [ ] [Monitoring improvement] — Owner: @name — Due: [date]
- [ ] [Process improvement] — Owner: @name — Due: [date]

Speed over completeness: "investigating" in 5 minutes beats detailed message after 30 min silence.

Specificity over vagueness: "API returning 503 errors" beats "some users may experience issues".

Specify what's not affected: "Dashboard and API unaffected" reduces panic. Customers assume worst case until told otherwise.

ETA with caveat: "expect resolution in 30 min" beats "working on it". Add "we will update if this changes".

Don't blame: "configuration change caused..." not "engineer accidentally...". Blameless culture starts with public communication.

Auto-detection: monitoring finds outage → auto incident on status page. Zero delay between detection and first update.

Auto-resolution: monitoring confirms recovery → incident auto-resolved. Status page updates.

Manual details: automation sets "investigating". Engineer adds details: cause, ETA, actions. Best of both: speed + human context.

Incident Management Guide — full lifecycle from detection to post-mortem

Complete Status Pages Guide — components, design, infrastructure

On-Call Best Practices — escalation policies and alert routing

Public vs Internal Status Pages — what to show each audience