Methodology & Incident Response Playbook
Two things in one place: how we build and normalize the incident corpus behind every figure on this site, and the practitioner framework we recommend for responding to cloud outages.
Research methodology
Every number this site publishes traces to a documented corpus with documented rules. This is the credibility backbone: what goes in, how it is normalized, and where the method is weakest.
What enters the corpus
The corpus covers major public incidents at AWS, Microsoft Azure, and Google Cloud, 2017–2025 — currently 47 events, last updated June 30, 2026. An incident qualifies as major when the provider’s own disclosure (status history or post-event summary) shows all three of: multi-service or multi-region customer impact, duration over 30 minutes, and provider acknowledgement at its highest or second-highest severity convention.
Primary sources, in order of precedence: official post-event summaries (e.g. AWS PES, Azure PIRs, Google incident reports), provider status-page histories, and — for cross-checking timestamps — the live incident feeds collected by our data infrastructure. Press coverage is never a primary source.
Normalization rules
- Duration runs from first customer-visible impact to the provider’s declared resolution — not to the end of backlog draining, which is noted separately when disclosed. Where providers give ranges, we take the wider bound.
- Root cause maps the provider’s narrative onto six classes (configuration/change, software defect, capacity/overload, network/hardware, external attack, other/undisclosed). The mapping is ours; the narrative is theirs.
- Severity follows the severity matrix below, so “major” means the same thing across providers with different vocabularies.
- SLA breach is computed per affected service against the provider’s published monthly uptime target for a standard configuration; the credit-gap claim rate is a labeled practitioner estimate, not a measurement — no provider discloses claim volumes.
Known limitations
- Disclosure bias. Providers differ in what they publish. AWS’s higher incident count partly reflects more granular disclosure, not necessarily worse reliability. Cross-provider comparisons should be read with this caveat.
- Public-only. Incidents resolved without public acknowledgement are invisible to the corpus, which therefore under-counts small and single-tenant events.
- Small n. 47 events across nine years supports the medians and shares we publish; it does not support month-over-month trend claims, which is why we don’t make them.
Data infrastructure and independence
The live incident feeds used for timestamp cross-checking are collected by Next Signal, which supports this research. Editorial control, the normalization rules, and the published numbers are ours; the relationship is disclosed wherever it is relevant.
Citing this research
Cite as: CloudDowntime, “State of Cloud Reliability 2026,” clouddowntime.com/report/2026. Per-stat citations are printed next to each figure in the report and in the benchmark data. Corrections: when a provider revises a disclosure, we recompute and note the change with a dated correction.
The Incident Response Playbook
A practitioner’s framework for responding to cloud outages — the five-phase lifecycle, how to classify severity, who does what, and the comms that keep customers informed. Adapted from the NIST and Google SRE incident models.
The five-phase lifecycle
Every incident moves through the same arc. The goal of each phase is fixed; only the tactics change with the failure.
- 1Detect0–5 min
Confirm the signal is real and customer-impacting.
- Validate alert against independent telemetry
- Declare an incident and assign a severity
- Open the incident channel and bridge
- 2Triage5–15 min
Size the blast radius and stand up the response team.
- Page the Incident Commander and on-call SMEs
- Scope affected regions, services and customers
- Post the first public status update
- 3Mitigate15–60 min
Stop the bleeding — restore service before root-causing.
- Apply the fastest safe mitigation (failover, rollback, drain)
- Throttle or shed load to protect healthy capacity
- Re-confirm impact is trending down
- 4Resolve1–4 hrs
Return to full service and verify recovery.
- Roll forward the durable fix
- Validate SLOs are back within target
- Stand down the response, hand off to owners
- 5Learn24–72 hrs
Turn the incident into durable resilience.
- Publish a blameless post-incident review
- File and prioritise corrective actions
- Share an external RCA where customers were impacted
Severity matrix
Classify the incident the moment it’s declared — severity drives who gets paged and how often you communicate.
| Level | Impact | Response |
|---|---|---|
| SEV-1Critical | Multi-region outage or data-loss risk; revenue-critical path down. | All-hands, exec paged, 15-min status cadence. |
| SEV-2Major | Single-region or single-service outage with broad customer impact. | IC + on-call SMEs, 30-min status cadence. |
| SEV-3Minor | Degraded performance or partial feature impact with a workaround. | On-call owner, hourly updates, business hours. |
| SEV-4Low | Cosmetic or internal-only; no customer-visible degradation. | Tracked as a normal ticket, no incident bridge. |
Incident roles
Clear ownership prevents the two classic failure modes: everyone debugging, or no one deciding.
- Incident Commander
- Owns the response and all decisions. Coordinates — does not debug.
- Operations Lead
- Drives the technical investigation and applies mitigations.
- Communications Lead
- Owns status-page updates and internal/exec stakeholder comms.
- Scribe
- Keeps the timestamped timeline that feeds the post-incident review.
Communication templates
Pre-written, fill-in-the-blank updates so the Comms Lead never starts from a blank page mid-incident.
Initial — within 15 min
We are investigating reports of <impact> affecting <service> in <region>. Next update in 30 minutes.
Update — mitigation underway
We have identified a likely cause and are applying a mitigation. Some customers may still see <symptom>. Next update by <time>.
Resolved
The issue affecting <service> is resolved as of <time>. A full root-cause analysis will follow within 5 business days.
The one rule
Mitigate before you diagnose. Restoring service is always the first priority — root cause can wait until customers are back.