Purpose
Use this template after SEV-1 and SEV-2 incidents, and for any incident involving payments, wallet integrity, student data, RBAC, tenant isolation, or prolonged outage.
Incident Summary
| Field | Value |
|---|---|
| Incident ID | TBD |
| Title | TBD |
| Severity | TBD |
| Start time | TBD |
| End time | TBD |
| Duration | TBD |
| Incident commander | TBD |
| Services affected | TBD |
| User impact | TBD |
| Financial impact | TBD |
| Data exposure risk | TBD |
Timeline
| Time | Event | Owner |
|---|---|---|
| TBD | Incident detected | TBD |
| TBD | Triage started | TBD |
| TBD | Mitigation applied | TBD |
| TBD | Service recovered | TBD |
| TBD | Incident closed | TBD |
Root Cause
Document the confirmed root cause. Avoid blame. Focus on system behavior, process gaps, detection gaps, and prevention.
What Went Well
What Did Not Go Well
Corrective Actions
| Action | Owner | Due Date | Status |
|---|---|---|---|
| TBD | TBD | TBD | Open |
Evidence
| Evidence | Link / Location |
|---|---|
| Logs | TBD |
| Screenshots | TBD |
| Sentry issue | TBD |
| Deployment record | TBD |
| Support ticket | TBD |
Closure Rule
The postmortem is not complete until corrective actions have owners and due dates.