Post-Mortem Template

Security SpecialistOperations & StrategyDevops

Complete this after significant incidents (P1-P3). Focus on learning, not blame.

How to Use

Copy this template to Post-Mortems folder
Scribe creates draft before the post-mortem meeting
Hold meeting within a week of resolution
All responders contribute
Every post-mortem produces action items with owners and deadlines
Share with team (and publicly if appropriate)

Post-Mortem:

INCIDENT TITLE

Metadata

Field	Value
Incident Date	YYYY-MM-DD
Severity	P1 / P2 / P3
Authors
Status	Draft / Final
Incident Log	Link to incident log

Summary

[2-4 paragraphs. What happened, when, how long, how it was resolved. Someone unfamiliar should understand the incident after reading this.]

Impact

Users

Users affected:
Duration:
Services unavailable:

Financial

Funds at risk:
Actual losses:

Reputation

Public visibility:
Media coverage:

Timeline

Time (UTC)	Event
	Incident began
	Detected
	Response started
	Root cause identified
	Mitigation applied
	Resolved

See linked Incident Log for detailed timeline.

Root Cause

Primary Cause

[What was the fundamental reason this happened?]

Contributing Factors

5 Whys

Question	Answer
Why did [incident] happen?
Why?
Why?
Why?
Why?

What Went Well

What Went Wrong

Where We Got Lucky

[What fortunate circumstances helped that we shouldn't rely on next time?]

Action Items

Every action item needs an owner and deadline.

Action	Owner	Deadline	Status

Lessons for Runbooks

Should we create or update a runbook based on this incident?

New runbook needed: [type]
Existing runbook to update: [which one]
No runbook changes needed

Detection

Aspect	Details
How detected	Monitoring / User report / Team member / Other
Time to detection
Could we detect faster?

Meeting Notes

Attendees:Discussion points:

Template based on Incident-Response-Policy