Framework · Method & Operational Resilience

Methodology & Incident Response Playbook

Two things in one place: how we build and normalize the incident corpus behind every figure on this site, and the practitioner framework we recommend for responding to cloud outages.

Part A

Research methodology

Every number this site publishes traces to a documented corpus with documented rules. This is the credibility backbone: what goes in, how it is normalized, and where the method is weakest.

What enters the corpus

The corpus covers major public incidents at AWS, Microsoft Azure, and Google Cloud, 2017–2025 — currently 47 events, last updated June 30, 2026. An incident qualifies as major when the provider’s own disclosure (status history or post-event summary) shows all three of: multi-service or multi-region customer impact, duration over 30 minutes, and provider acknowledgement at its highest or second-highest severity convention.

Primary sources, in order of precedence: official post-event summaries (e.g. AWS PES, Azure PIRs, Google incident reports), provider status-page histories, and — for cross-checking timestamps — the live incident feeds collected by our data infrastructure. Press coverage is never a primary source.

Normalization rules

  • Duration runs from first customer-visible impact to the provider’s declared resolution — not to the end of backlog draining, which is noted separately when disclosed. Where providers give ranges, we take the wider bound.
  • Root cause maps the provider’s narrative onto six classes (configuration/change, software defect, capacity/overload, network/hardware, external attack, other/undisclosed). The mapping is ours; the narrative is theirs.
  • Severity follows the severity matrix below, so “major” means the same thing across providers with different vocabularies.
  • SLA breach is computed per affected service against the provider’s published monthly uptime target for a standard configuration; the credit-gap claim rate is a labeled practitioner estimate, not a measurement — no provider discloses claim volumes.

Known limitations

  • Disclosure bias. Providers differ in what they publish. AWS’s higher incident count partly reflects more granular disclosure, not necessarily worse reliability. Cross-provider comparisons should be read with this caveat.
  • Public-only. Incidents resolved without public acknowledgement are invisible to the corpus, which therefore under-counts small and single-tenant events.
  • Small n. 47 events across nine years supports the medians and shares we publish; it does not support month-over-month trend claims, which is why we don’t make them.

Data infrastructure and independence

The live incident feeds used for timestamp cross-checking are collected by Next Signal, which supports this research. Editorial control, the normalization rules, and the published numbers are ours; the relationship is disclosed wherever it is relevant.

Citing this research

Cite as: CloudDowntime, “State of Cloud Reliability 2026,” clouddowntime.com/report/2026. Per-stat citations are printed next to each figure in the report and in the benchmark data. Corrections: when a provider revises a disclosure, we recompute and note the change with a dated correction.

Part B

The Incident Response Playbook

A practitioner’s framework for responding to cloud outages — the five-phase lifecycle, how to classify severity, who does what, and the comms that keep customers informed. Adapted from the NIST and Google SRE incident models.

The five-phase lifecycle

Every incident moves through the same arc. The goal of each phase is fixed; only the tactics change with the failure.

  1. 1Detect
    0–5 min

    Confirm the signal is real and customer-impacting.

    • Validate alert against independent telemetry
    • Declare an incident and assign a severity
    • Open the incident channel and bridge
  2. 2Triage
    5–15 min

    Size the blast radius and stand up the response team.

    • Page the Incident Commander and on-call SMEs
    • Scope affected regions, services and customers
    • Post the first public status update
  3. 3Mitigate
    15–60 min

    Stop the bleeding — restore service before root-causing.

    • Apply the fastest safe mitigation (failover, rollback, drain)
    • Throttle or shed load to protect healthy capacity
    • Re-confirm impact is trending down
  4. 4Resolve
    1–4 hrs

    Return to full service and verify recovery.

    • Roll forward the durable fix
    • Validate SLOs are back within target
    • Stand down the response, hand off to owners
  5. 5Learn
    24–72 hrs

    Turn the incident into durable resilience.

    • Publish a blameless post-incident review
    • File and prioritise corrective actions
    • Share an external RCA where customers were impacted

Severity matrix

Classify the incident the moment it’s declared — severity drives who gets paged and how often you communicate.

LevelImpactResponse
SEV-1CriticalMulti-region outage or data-loss risk; revenue-critical path down.All-hands, exec paged, 15-min status cadence.
SEV-2MajorSingle-region or single-service outage with broad customer impact.IC + on-call SMEs, 30-min status cadence.
SEV-3MinorDegraded performance or partial feature impact with a workaround.On-call owner, hourly updates, business hours.
SEV-4LowCosmetic or internal-only; no customer-visible degradation.Tracked as a normal ticket, no incident bridge.

Incident roles

Clear ownership prevents the two classic failure modes: everyone debugging, or no one deciding.

Incident Commander
Owns the response and all decisions. Coordinates — does not debug.
Operations Lead
Drives the technical investigation and applies mitigations.
Communications Lead
Owns status-page updates and internal/exec stakeholder comms.
Scribe
Keeps the timestamped timeline that feeds the post-incident review.

Communication templates

Pre-written, fill-in-the-blank updates so the Comms Lead never starts from a blank page mid-incident.

Initial — within 15 min

We are investigating reports of <impact> affecting <service> in <region>. Next update in 30 minutes.

Update — mitigation underway

We have identified a likely cause and are applying a mitigation. Some customers may still see <symptom>. Next update by <time>.

Resolved

The issue affecting <service> is resolved as of <time>. A full root-cause analysis will follow within 5 business days.

The one rule

Mitigate before you diagnose. Restoring service is always the first priority — root cause can wait until customers are back.