Every SaaS company has incidents. The ones that become reliable aren't the ones that avoid them — they're the ones that respond calmly and learn systematically. The difference is visible in the first ten minutes of an outage: an immature team has five engineers in a thread all guessing, no one sure who's in charge, the status page silent while customers tweet. A mature team has a declared incident, a named commander, a single channel, and a status update out before support gets the first ticket. That calm isn't temperament — it's process rehearsed until it's boring. Incident management is that process, and the postmortem that follows is where an outage stops being a loss and becomes the thing that prevents the next three.
Severity levels: shared language under pressure
Before you can respond well, everyone needs to agree on how bad 'bad' is — because the response to a full outage and a cosmetic glitch should look nothing alike. Define three or four severity levels and socialize them until they're reflexive. Roughly: SEV1 is critical — the product is down or data is at risk, all hands, wake people up. SEV2 is major — significant degradation or a key feature broken for many users, urgent but not middle-of-the-night for everyone. SEV3 is minor — limited impact, a workaround exists, handle in business hours. The point of the scale isn't bureaucracy; it's that 'we have a SEV1' instantly tells everyone how to drop what they're doing, without a debate about whether this 'counts.' Tie your paging and your RTO/RPO recovery targets to these levels so the urgency and the commitments line up.
Roles: someone is in charge
- Incident Commander (IC): owns the response, not the fix. The IC coordinates, decides, delegates, and keeps the timeline — they are deliberately not heads-down debugging, because someone has to hold the whole picture. In a small incident the IC and the fixer can be one person; in a big one, never.
- Communications lead: owns the status page and stakeholder updates so engineers can focus on resolution. Customers forgive downtime far more readily than silence.
- Subject-matter experts: the engineers actually diagnosing and fixing, pulled in by the IC as the investigation points at their systems.
- Scribe: keeps a running timeline of what was observed, tried, and changed — invaluable in the moment and essential for the postmortem later.
On-call without burning people out
You can't run incident response without someone reachable when it breaks at 3am — but on-call done carelessly is how you lose your best engineers. The humane version has a few non-negotiables. Compensate it, in pay or time off; unpaid, expected 24/7 availability is a resignation letter waiting to be written. Keep rotations small enough that the burden is shared but large enough that no one is on every other week. Only page for things a human must act on right now — every false alarm erodes trust in the pager, and 'alert fatigue' means the real one gets swiped away at 3am. That last point is where on-call meets observability: well-tuned, symptom-based alerts tied to user impact are what make on-call sustainable, and noisy dashboards are what make it miserable. Give every on-call engineer a runbook and the authority to act, not just the pager.
The blameless postmortem
After any significant incident, write it up — and write it blameless. The premise, borrowed from aviation and high-reliability engineering, is that people don't cause incidents out of carelessness; systems allow good engineers to make mistakes that reach production. So the question is never 'who broke it?' but 'what let this happen, and what would have caught it?' The moment a postmortem assigns blame, two things die: honesty (people stop volunteering what really happened) and learning (you fix a person instead of the system, and the next person hits the same trap). 'An engineer ran a bad migration' is blame and teaches nothing. 'A migration with no dry-run step and no guardrail could be applied directly to production' is a system flaw with three obvious fixes. Same event, completely different outcome — and it's the same instinct that keeps a production-ready system safe: assume the human will err and build the system so it survives.
Action items or it didn't happen
A postmortem that ends in insights and no changes is theater — the same incident will recur, and now with the added damage of a team that's learned writing them is pointless. Every postmortem must produce concrete, owned, tracked action items: a specific fix, a named owner, a due date, and a place in the backlog that gets prioritized like real work. Distinguish the immediate remediation (stop the bleeding) from the systemic fixes (add the guardrail, the alert, the test, the automation that makes this class of failure impossible). Track completion — a stack of postmortems with unfinished action items is a reliability program on paper only. The measure of a good process isn't how many postmortems you write; it's how rarely the same failure comes back.
Metrics that guide, not gamify
Track a few numbers to see whether you're improving: MTTR (mean time to recovery — how fast you restore service), MTTD (time to detect — often the biggest hidden lever, since you can't fix what you haven't noticed), incident frequency by severity, and how many postmortem action items actually get done. Watch them as trends, not targets to hit — the moment MTTR becomes a number people optimize, you get incidents quietly not-declared to keep the stats clean, which is worse than the original problem. The goal is honest signal about whether your reliability is trending the right way, informing where to invest: detection, response, or prevention.
How Infiniti Tech Partners builds reliability
We stand up incident management that holds up under pressure: clear severity levels, a real incident-commander model, on-call rotations engineered to be sustainable rather than punishing, and a blameless postmortem practice that turns outages into a shrinking list of ways your system can fail. Paired with the observability to detect fast and the recovery targets to respond against, it's the difference between a team that fights the same fire monthly and one whose reliability compounds. If your incidents feel chaotic and oddly repetitive, that's a process gap we can close.
Frequently asked questions
What is a blameless postmortem?
A blameless postmortem is an incident write-up that asks 'what let this happen, and what would have caught it?' rather than 'who broke it?' The premise is that people don't cause incidents out of carelessness — systems allow good engineers to make mistakes that reach production, so you fix the system, not the person. The moment a postmortem assigns blame, honesty dies (people stop volunteering what happened) and learning dies (you fix a person instead of the flaw), so the next person hits the same trap.
What does an incident commander do?
The incident commander (IC) owns the response, not the fix — they coordinate, decide, delegate, and keep the timeline, deliberately staying out of hands-on debugging because someone has to hold the whole picture. In a small incident the IC and the fixer can be the same person; in a large one, never. Alongside the IC, a communications lead owns status-page updates so engineers can focus on resolution, subject-matter experts do the actual diagnosis, and a scribe keeps a running timeline for the postmortem.
What incident metrics should a SaaS team track?
Track MTTR (mean time to recovery — how fast you restore service), MTTD (time to detect, often the biggest hidden lever since you can't fix what you haven't noticed), incident frequency by severity, and the completion rate of postmortem action items. Watch them as trends rather than targets — the moment MTTR becomes a number people optimize, you get incidents quietly not-declared to keep the stats clean. The goal is honest signal about whether reliability is improving and where to invest: detection, response, or prevention.
Related reading
Observability for Growth-Stage SaaS: Logs, Metrics, Traces, and On-Call
How to build observability for a growth-stage SaaS — the three pillars, what to instrument first, SLO-based alerting, and an on-call rotation that doesn't burn your team out.
EngineeringFeature Flags and Progressive Delivery: Ship Faster Without the Blast Radius
How feature flags and progressive delivery let you deploy continuously and release safely — canaries, percentage rollouts, kill switches, and the flag debt that quietly rots a codebase.
EngineeringScaling PostgreSQL: When to Tune, When to Replicate, When to Shard
A practical order of operations for scaling PostgreSQL under a growing SaaS — indexing and tuning, connection pooling, read replicas, partitioning, and when sharding is finally worth it.