Design alerting strategies and incident response practices that turn observability signals into actionable operations. Topics include alert design and classification, threshold versus anomaly detection, preventing alert fatigue, escalation and on call flow, runbook and playbook design, integrating alerts with incident management, post incident review and blameless postmortems, and how monitoring and observability feed incident detection and mean time to resolution improvements. Includes designing alerts for different domains and thinking through what runbooks and context to provide to responders.
EasyBehavioral
28 practiced
Tell me about a time you were the primary on-call for a production incident that escalated to SEV1. Use the STAR format: Situation, Task, Action, Result. Focus on how you prioritized actions, coordinated with other teams, communicated status, and what concrete process or alerting changes you implemented afterward to reduce recurrence.
Sample Answer
Situation: Last year I was primary on-call for a core API service; at 03:20 we started seeing a spike in 5xx errors and latency across all regions. Pager escalated to SEV1 when customer-facing endpoints failed and error budget burn rate exceeded threshold.Task: I needed to restore customer traffic quickly, contain blast radius, and coordinate cross-team response while keeping stakeholders informed.Action:- Triage & prioritize: I first verified alarm validity, checked recent deploys, and confirmed rollback could be performed safely. I prioritized actions by impact: (1) stop user-facing errors, (2) collect diagnostics, (3) long-term fix.- Containment: I rolled back the midnight deploy to remove the likely culprit, and rerouted traffic to healthy replicas using the load balancer.- Coordination: I opened an incident channel, invited the backend owners, networking, and SRE peers, and assigned roles (logs/metrics, rollback verification, customer comms).- Communication: I posted status updates every 10 minutes in the channel and to execs via the incident bridge with ETA for mitigation and next steps.- Post-incident: After stability, I led a 48-hour blameless postmortem, added a targeted alert for the specific error signature, tightened deployment gates (mandatory canary for that service), and implemented a circuit-breaker to prevent cascading failures.Result: Services returned to normal within 22 minutes; customer impact was minimal. The new alerts and canary process prevented recurrence—similar errors were caught during a subsequent deploy and rolled back before customer impact. The team’s error budget burn reduced and incident MTTR improved by 35% over the following quarter.
MediumSystem Design
27 practiced
Design an on-call escalation and rotation policy for a globally distributed engineering organization that supports 'follow-the-sun' coverage. Include rotation length, primary/secondary roles, escalation intervals, shadowing/onboarding for primaries, holiday coverage, integration with PagerDuty-like tools, and measures to detect and mitigate burnout.
Sample Answer
Requirements & constraints:- 24x7 coverage across timezones with minimal handoff friction- Preserve SLOs, limit weekly on-call hours per engineer, detect burnout- Integrate with PagerDuty-like tooling and existing incident runbooksHigh-level policy:- Follow-the-sun with regional pods (Americas, EMEA, APAC). Each pod provides primary + secondary (backup) for daylight hours; primaries hand off to next region at shift boundaries.Rotation length:- 7-day rotations for primaries (Mon–Sun) to keep weekend load contiguous; secondary rotates every 2 weeks to reduce churn. Maximum 2 rotations/month per engineer.Roles & responsibilities:- Primary: first responder for alerts during shift, owns incident lifecycle until handoff; required to acknowledge within 5 minutes for P1, 15 minutes for P2.- Secondary: backup for escalation and complex diagnostics; auto-notified if primary doesn't acknowledge/resolve.- On-call lead (weekly on call roster owner): handles cross-region escalations, major incident coordination.Escalation intervals:- Alert -> Primary (immediate): 0–5 min ack window for P1, 0–15 min for P2- If no ack or unresolved after 15 min (P1) escalate to Secondary- If unresolved after 30–60 min escalate to On-call lead / incident commander- PagerDuty policies enforce escalation chains and automatic remindersShadowing & onboarding:- New primaries must complete 2-week shadow with an experienced primary: observe, co-ack, then take low-severity shifts before full responsibility- Provide a standardized on-call playbook, runbooks, and 1-hour onboarding lab with simulated incidents- Require a post-first-rotation review with mentorHoliday & edge coverage:- Maintain a holiday roster; distribute holiday blocks equitably with voluntary swaps and higher compensation (e.g., extra day off, pay)- For global holidays causing thin coverage, appoint “roster reserve” engineers with shorter, capped consecutive holiday shiftsTooling & automation:- Use PagerDuty rules: time-based schedules, escalation policies, automatic re-routing on misses- Integrate with Slack/MS Teams for alert channels, add annotation integrations to auto-populate incident tickets, and runbook links in alerts- Automate low-noise filters, dynamic alert suppression for known maintenance windows, and auto-remediation playbooks for common incidentsBurnout detection & mitigation:- Metrics: weekly on-call hours, number of P1s handled, MTTA/MTTR, sleep-impacting alerts (e.g., alerts between 11pm–7am local)- Monthly on-call health review dashboard; flag engineers over thresholds (e.g., >16 hours on-call/week or >3 P1s/week)- Policies: mandatory recovery day within 72 hours after a high-severity incident; capped consecutive rotations (max 2 back-to-back rotations)- Offer mental health resources, mandatory debriefs after sev2+/P1 incidents, option to swap shifts without penalty, and quarterly on-call load audits to rebalance staffing.Trade-offs & rationale:- 7-day primary preserves continuity (important for incidents spanning weekends) but increases consecutive responsibility—mitigated via mandatory recovery days and capped rotations.- Shadowing reduces risk but requires ramp time; automated runbooks reduce cognitive load.- Integration with PagerDuty centralizes control and provides measurable SLAs for escalations.This policy balances fast incident response, equitable distribution, tooling automation, and explicit burnout controls—keeping SLOs intact while protecting engineers.
MediumSystem Design
23 practiced
Design a comprehensive alerting strategy for a payment processing service that handles 5,000 TPS, must meet a 99.99% availability SLO per week, and spans multiple regions. Describe proposed SLIs and SLOs, alert tiers (warning/critical/page), thresholds, synthetic transaction strategy, the business KPIs to monitor, and how error-budget policies should influence escalations and deployment decisions. Also mention compliance-related alerting needs.
Sample Answer
Requirements clarification:- Service handles 5,000 TPS, multi-region, target availability SLO 99.99% per week (~4.2 minutes allowable downtime/week). Alerts must be actionable and tie into business impact and compliance (PCI/DSS, AML).Proposed SLIs (user-facing, measured end-to-end):- Successful payment completion rate (transactions with final success code) per region and global (primary SLI).- Latency p50/p95/p99 for authorization and settlement steps.- Error rate: percentage of requests returning >=500 or payment-declined-system errors (not business declines).- Throughput observed vs capacity.- Synthetic success rate and latency (see below).SLOs:- Availability SLO: Successful payment completion rate ≥ 99.99% per week (global) with region-level SLOs at 99.95% to allow failover buffer.- Latency SLOs: p95 authorization latency < 200ms; p99 < 500ms.- Error rate SLO: system error rate < 0.01% per week.Alert tiers, scope, and thresholds:- Warning (informational, channel: Slack/ops dashboard): - Synthetic success rate drop >0.5% sustained 5m. - p95 latency breach by 20% for 10m. - Region throughput >70% of provisioned capacity for 10m. - Purpose: detect trends and allow mitigation before user impact.- Critical (on-call non-urgent page, channel: PagerDuty low severity): - Synthetic success rate drop >1% sustained 3m. - Error rate >0.05% sustained 3m or error spike (x5 baseline) for 3m. - p99 latency breach >2x SLO for 5m. - Purpose: needs engineering attention but may not be full outage.- Page (P1, immediate pager): - Global successful payment completion < 99.99% in 1m window OR region SLO breach below 99.95% sustained 1m and trending down. - Payment processing pipeline downstream failures (e.g., gateway down) causing >0.5% absolute drop in success. - Active PCI compliance incident (e.g., encryption key compromise) or suspected data leakage. - Purpose: immediate incident response and possible failover.Synthetic transaction strategy:- Deploy global synthetic agents in each region and multiple vantage points per region (e.g., 3-5 per region).- Run lightweight full-stack payment flows using test cards and sandboxed gateways at 1-2 TPS total (frequency 1 per minute per agent).- Validate end-to-end: tokenization, auth, settlement, merchant callbacks. Tag synthetics separately to avoid affecting metrics.- Use canary synthetics for new deployments (higher-frequency checks against canary instances).Business KPIs to monitor (mapped to alerts):- Net Successful Transactions per minute (revenue impact).- Failed-transaction dollar value and failure rate by merchant and region.- Payment authorization latency affecting conversion (correlate latency spikes to drop in conversions).- Chargeback rate and disputes (compliance/financial risk).- Gateway uptime and third-party SLA breaches.Error budget policy and operationalization:- Track weekly error budget consumption against SLOs; visualize burn rate.- Alerting escalation tied to burn rate: - If burn rate < 1x: normal ops (warnings only). - Burn rate 1–5x: require on-call review and freeze risky changes (no non-critical deploys). - Burn rate >5x or remaining budget < 20% of period: auto-escalate to SRE lead + product, freeze deployments, enable mitigations (scale up, route traffic away), and schedule a blameless postmortem if sustained.- Integrate deployment gating: CI/CD checks require current budget > X% (e.g., 30%) for production deploys; for emergency fixes, require approval from SRE lead.Operational practices:- Multi-region failover runbooks, automated traffic shifting, capacity auto-scaling thresholds, chaos-tested failover scenarios.- Alert deduplication and suppression during planned maintenance (with safeguards).Compliance-related alerting:- PCI-DSS: alert on failed encryption/decryption, unexpected access to PAN, key management events, misconfigured TLS, logging tampering, and scope changes. These alerts should be P1 pages to security on-call.- AML/KYC: alerts for abnormal transaction patterns, velocity thresholds, and suspected fraud; route to fraud ops + compliance team.- Audit trails: all compliance events logged to immutable storage; alerts when logging pipeline fails.- Data breach indicators (suspicious exfil patterns)—immediate security escalation and regulatory notification workflow.Summary:- Focus SLIs on user success and latency, set tight SLOs matching 99.99% weekly target, use three alert tiers with clear thresholds and regional/global scopes, run multi-vantage synthetic transactions including canaries, monitor business KPIs tied to revenue and risk, enforce error-budget driven deployment controls, and include explicit, high-severity compliance alerts with secure routing and auditability.
MediumTechnical
22 practiced
Describe specific metrics you would use to measure the quality and effectiveness of an alerting system. For each metric define it, explain why it matters, how you would collect it, and suggested targets where reasonable. Include metrics such as MTTD (mean time to detect), MTTR, false-positive rate, alert-to-action ratio, and alerts per on-call-hour.
Sample Answer
Below are concrete metrics I’d use to measure the quality and effectiveness of an alerting system. For each: definition, why it matters, collection method, and suggested targets (where reasonable).1) MTTD (Mean Time to Detect)- Definition: Average time from when a service begins degrading or an incident starts to when the alerting system triggers a valid alert.- Why it matters: Fast detection reduces blast time and enables quicker remediation before SLOs are violated.- How to collect: Instrument incident timelines in your incident management system (pager trigger timestamp vs. incident start inferred from monitoring data or SLO breach time). Aggregate over incidents.- Target: < 1/3 of allowable SLO window (e.g., for 1-hour SLO breach window, aim <20 minutes). Realistic: 1–15 minutes depending on system criticality.2) MTTR (Mean Time to Resolve)- Definition: Average time from alert trigger to incident resolution (service restored to defined healthy state).- Why it matters: Measures end-to-end effectiveness including detection, on-call response, and runbook quality.- How to collect: Use incident tickets: alert timestamp → resolution/close timestamp. Optionally split into time-to-ack, time-to-mitigation, time-to-restore for finer insights.- Target: Varies by severity: Severity-1 <30–60 minutes; lower severities proportionally longer. Track percentiles (p50/p90/p99) not just mean.3) False-positive rate- Definition: Fraction of alerts that do not require any operational action (noise).- Why it matters: High false positives cause alert fatigue, ignored pages, and slower real incidents detection.- How to collect: Tag alerts post-incident as “actionable” vs “no action” via on-call feedback/automated runbook results; compute false_positives / total_alerts.- Target: <5–10% actionable-first; for critical alerts aim <1–2% false positive. Monitor trends and per-alert-rule rates.4) Alert-to-action ratio (Actionable-alerts / total-alerts)- Definition: Proportion of alerts that led to a meaningful remediation action (ack, runbook executed, mitigation).- Why it matters: Complementary to false-positive rate; shows how many alerts drive real work.- How to collect: Correlate alert records with incident actions logged (ack, playbook run, CI job triggered).- Target: >80% actionable for high-severity channels; overall >50–70% depending on environment.5) Alerts per on-call-hour (alert volume normalized)- Definition: Number of alerts an on-call engineer receives per hour (or per shift), optionally per service.- Why it matters: Measures cognitive load and burn rate; helps size on-call rotations and identify noisy services.- How to collect: Count alerts routed to on-call schedules divided by total on-call-hours in period.- Target: Keep bursts manageable — e.g., average <0.5 alerts/hour per person with p95 spikes <4/hour. Critical services may accept higher but require automation.6) Time-to-acknowledge and Time-to-first-action- Definition: Time from alert to first human acknowledgement and to first mitigation attempt.- Why it matters: Distinguishes detection speed from human response latency.- How to collect: Alert timestamps vs. acknowledgement logs/automation triggers.- Target: Ack within 5–15 minutes for critical alerts; first action within 15–30 minutes.7) Mean time between noisy alerts (or alert storm frequency)- Definition: Frequency of high-volume alert storms per period.- Why it matters: Identifies systemic failures and cascading alerts.- How to collect: Detect periods where alert rate exceeds threshold; track occurrences.- Target: Zero frequent storms; investigate any storm > threshold.Best practices:- Track percentiles (p50/p90/p99) alongside means.- Measure per-service and per-alert-rule to prioritize tuning.- Automate feedback (ack tagging) to reduce manual labeling bias.- Tie metrics to SLO error budgets—allow more aggressive alerts when budget is healthy, tighten when depleted.These metrics together give detection speed, operational burden, and signal quality — enabling data-driven alerting improvements.
HardSystem Design
26 practiced
Design resilience for your observability pipeline so you can still detect incidents when parts of the metrics/logs/traces stack are degraded. Describe fallback detection methods (local agents, sampled telemetry, prioritized events), how to prioritize which telemetry to preserve, how to surface observability-degradation alerts, and strategies to keep incident detection operational under load or partial outages of your observability providers.
Sample Answer
Requirements & constraints:- Detect incidents even if central observability (metrics/logs/traces SaaS or self-hosted collector/ingest) is degraded or overloaded.- Maintain low false negatives on critical alerts, bounded cost/ops, and graceful degradation for non-critical telemetry.- Provide observable health of the observability pipeline itself.High-level architecture:- Local agents on hosts/pods (lightweight collectors) → local detection & short-term buffering → primary remote backends (metrics/logs/traces) → long-term storage & correlator.- Fallback control plane (small, highly available service) to orchestrate fallback modes (sampling rates, priority lists).Fallback detection methods:1. Local agents: run lightweight rules/thresholds and anomaly detectors at edge. If remote is unavailable, agents escalate directly (webhook, paging, or write to independent alerting channel).2. Sampled telemetry: maintain two streams—full stream (to backend) and survivable stream (small subset with high-value keys). When bandwidth/backpressure occurs, drop low-priority telemetry and keep survivable stream.3. Prioritized events: tag telemetry with priority (P0–P3). Preserve P0 (availability, SLO-exceeding metrics, on-call heartbeats, deployment markers), then P1 (error rates, high-latency traces), etc.4. Local traces/short traces: capture trace summaries (span counts, error flags) to send when full traces are blocked.How to prioritize telemetry:- Define policy driven by SLOs and RCA value: - P0: service up/down, critical SLO breaches, leader election loss, alert heartbeats. - P1: error rate spikes, latency over thresholds, 5xx hotspots. - P2: lower-impact business metrics, debug logs. - P3: verbose debug/traces.- Use sampling strategies per-service: preserve all P0/P1, sample P2 by rate or reservoir, P3 only on-demand.Surfacing observability-degradation alerts:- Instrument pipeline health (agent heartbeats, ack latencies, ingestion queue depth, dropped/skipped counts).- Create dedicated “Observability Reliability” alerts routed to SRE: ingestion lag > threshold, retention drop, sustained high error rates to backend, increase in local-agent fallback mode.- Visible dashboard with current fallback mode, per-service preserved telemetry rates, and estimated blind-spots.Keeping detection operational under load/partial outages:- Local decisioning: agents must be capable of evaluating compact set of rules and firing local alerts with documented fail-safe escalation (SMS/phone, alternative pager channel).- Backpressure controls: circuit-breaker to switch to survivable stream and enable higher sampling for critical telemetry only.- Multi-destination: dual-write important telemetry to independent providers or object storage (e.g., S3) for async harvest.- Cache-and-forward: durable local buffer with exponential backoff and bounded disk usage; on restart, replay highest-priority items first.- Graceful degradation: step down from full traces→trace-summaries→metrics→heartbeats; disable expensive features (histograms, debug logs) first.- Runbook & automation: automated workflow to triage when observability degrades (scripts to flip routing, raise incident, rotate keys).Trade-offs and considerations:- Edge detection can increase false positives—tune thresholds and sync policies centrally.- Local agents add complexity and CPU/disk usage limits; enforce resource caps.- Dual-write increases cost but reduces single-provider blast radius.- Test regularly: chaos experiments to simulate backend outage and verify alerts still trigger and on-call flows function.This design ensures incident detection remains possible by preserving high-value telemetry, surfacing pipeline health early, and enabling local, resilient alerting while minimizing noise and cost.
Unlock Full Question Bank
Get access to hundreds of Alerting Strategy and Incident Response interview questions and detailed answers.