# Incident Response

> Run an investigation alongside your team during a live incident: ewake correlates signals across your stack while engineers debate the fix.

<Info>
  **What you'll get:** An investigation engine running in the background of your war room, delivering ranked hypotheses, supporting evidence, what's been ruled out, and recommended next steps in Slack as the incident unfolds. Your team debates fixes, not root causes.
</Info>

***

## What it does

When a real incident hits (a P0, a customer-facing outage, an SLA breach), the biggest time sink is rarely the fix. It's the investigation: stitching together signals from five different tools, forming a hypothesis, validating it, ruling it out, forming another.

Ewake acts as the **investigation engine running in the background of your war room**. It correlates signals across your entire stack automatically: the same work that takes a team of engineers 30 to 60 minutes, ewake does in seconds.

* **Ingests alerts** and maps them to the affected service in the production knowledge map
* **Cross-references** deployment activity, configuration changes, and upstream dependencies
* **Surfaces a structured investigation**: hypotheses, evidence, what's been ruled out, recommended next actions
* **Joins your existing Slack channel**: no new tool, no new dashboard

***

## When to use it

* A P0 or P1 incident is in progress and a war room is forming
* A customer-facing outage requires faster root-cause identification
* An SLA breach is imminent and time-to-resolution matters
* Multiple alerts are firing simultaneously and you need to find the common thread

This is distinct from the [On-Call Agent](/working-with-ewake/on-call-agent) (one alert, automated reply) and [Scheduled Tasks](/working-with-ewake/scheduled-tasks) (proactive analysis on a schedule). Incident Response is for the moment when an incident has already been declared and a team is actively debugging.

***

## What you'll get

In the incident channel, ewake delivers a continuously updating investigation that includes:

* **Ranked hypotheses**: most probable root causes first, with confidence scores
* **Evidence**: log excerpts, metric correlations, and recent commits supporting each hypothesis
* **What's been ruled out**: explicitly stated, so engineers don't re-investigate the same path
* **Recommended next actions**: concrete steps to validate or invalidate the leading hypothesis
* **Investigation timeline**: a built-in record that becomes the basis of the postmortem

***

## Prerequisites

<CardGroup cols={3}>
  <Card title="Slack" icon="slack" href="/get-started/connect-slack" />

  <Card title="Alert source" icon="chart-line" href="/integrations/overview">
    Datadog, Grafana, PagerDuty, or others
  </Card>

  <Card title="GitHub" icon="code-branch" href="/integrations/code/github" />
</CardGroup>

For the strongest investigation context, also connect:

<CardGroup cols={2}>
  <Card title="Incident.io" icon="siren" href="/integrations/alerting/incident-io">
    Lets ewake reference past incidents and postmortems during a live investigation.
  </Card>

  <Card title="Deployment Tracking" icon="rocket" href="/integrations/deployment/deployment-tracking">
    Surfaces deployment events at the moment of the incident.
  </Card>
</CardGroup>

***

## How to set it up

Incident Response runs automatically once ewake is in the channel where the incident is being discussed. There is no separate trigger to configure.

<Steps>
  <Step title="Add ewake to your incident channel">
    In Slack, invite `@ewake` to the channel where your team coordinates incidents (e.g. `#incidents-prod`, `#war-room`).

    See [Adding ewake to a channel →](/get-started/connect-slack#add-ewake-to-a-channel)
  </Step>

  <Step title="(Recommended) Auto-invite via Incident.io">
    If you use Incident.io, configure a workflow to automatically invite ewake to every new incident channel.

    See [Auto-invite via Incident.io →](/integrations/alerting/incident-io#auto-invite-ewake-to-incident-channels)
  </Step>

  <Step title="Trigger an investigation">
    Once ewake is in the channel, simply mention it with context:

    ```
    @ewake we have a P0 on payments-api, errors started at 14:32 UTC
    ```

    Or, if the [On-Call Agent](/working-with-ewake/on-call-agent) is also configured for this channel, ewake will start investigating the moment the alert lands, with no mention required.

    <Check>
      Ewake will reply in the thread with an evolving investigation as it correlates signals.
    </Check>
  </Step>
</Steps>

***

## Useful prompts during the incident

```
@ewake what changed in the last hour on the affected services?
```

```
@ewake rule out the deploy at 14:30, was anything in that diff related?
```

```
@ewake have we seen this failure pattern before? Link the past incident.
```

```
@ewake summarise the investigation so far for the postmortem.
```

***

Need help setting this up? Contact [support@ewake.ai](/support).
