
The SMB Incident Response Problem
If you’re a DevOps engineer at an SMB, you know the feeling: your phone buzzes at 2 AM. A service is down. You’re the only one who knows how to fix it. You stumble to your laptop, SSH into production, and start debugging while your brain is half asleep.
This is the classic SMB on-call trap. You have critical services that need 24/7 coverage, but you don’t have the team size to staff a proper follow-the-sun rotation. The result? Burnout, slow incident resolution, and a growing resentment toward the infrastructure you built.
The good news: you don’t need a team of ten SREs to run a world-class incident response program. You need the right processes, the right automation, and a realistic understanding of what “good” looks like for a lean team.
Why Traditional On-Call Doesn’t Scale Down
Enterprise incident response models assume you have:
- Multiple teams with dedicated on-call rotations
- A full-time incident commander role
- Postmortem reviews with cross-team representation
- Budget for PagerDuty, Opsgenie, and a dozen other tools
For an SMB with 2-5 engineers, this model is not just impractical — it’s counterproductive. The overhead of maintaining complex on-call schedules eats into the time you need to actually improve the system.
As we discussed in Level 1: Surviving Chaos, the first step is admitting that your current approach isn’t working. The second is building something that fits your context.
The Lean Incident Response Framework
We’ve developed this framework working with dozens of SMBs. It has three tiers, each automating or simplifying the level above it.
Tier 1: Automated Self-Healing (Your First Line of Defense)
Before you wake up a human, ask: can the system fix itself? Every alert that can be automated is one fewer page for your team.
# Automated incident response policies for SMBs
policies:
- name: "auto-restart-crashed-container"
match: container_status == "CrashLoopBackOff"
action: "kubectl rollout restart deployment/{{ .Deployment }}"
cooldown: 300 # seconds between auto-restarts
max_retries: 2
escalate_after: "all retries exhausted"
- name: "auto-clean-disk-space"
match: disk_usage > 85% AND disk_usage < 95%
action: "docker system prune -af && journalctl --vacuum-size=500M"
notify: "slack/#alerts"
escalate_after: "disk_usage > 95%"
- name: "auto-rollback-on-error-spike"
match: error_rate > 5% AND deploy_within_15m
action: "automated rollback to previous version"
notify: "slack/#deployments"
post_action: "run smoke tests"
Start by automating the three most common alerts in your system. For most SMBs, that’s: container crashes, disk space filling up, and error rate spikes after deployments. This alone can reduce on-call pages by 40-60%.
Tier 2: Scheduled Response (Not 24/7)
Here’s a controversial take for lean teams: you don’t need 24/7 on-call. Not at the beginning. What you need is:
- Business hours coverage — primary responder during working hours with a 15-minute response time
- After-hours escalation — a single engineer on a “best effort” basis for truly critical issues, with automated rollback as the default response
- Follow-the-sun light — if you have team members in 2 time zones, extend coverage to 14-16 hours with overlap
The key insight: if Tier 1 automation handles 50% of potential incidents, Tier 2 only needs to cover the remaining critical ones. And for those, a 30-minute response time is often acceptable for SMBs — especially when the automated fallback has already mitigated the impact.
Tier 3: Escalation with SLOs
When a human is needed, you need a clear escalation path. For SMBs, a two-level escalation is usually enough:
- Level 1 Responder — handles 80% of incidents, has runbook access and automated tooling
- Level 2 Specialist — the engineer who built the system, available for complex issues
Define response SLOs based on severity:
Severity | Response Time | Mitigation Time | Example
P1 (Critical) | 15 min | 60 min | Full outage, data loss
P2 (High) | 30 min | 4 hours | Degraded performance
P3 (Medium) | Next business day | 1 week | Bug with workaround
P4 (Low) | Next sprint | Next release | Cosmetic issue
Building Your On-Call Schedule
For teams of 3-5 engineers:
- Primary: 1 week rotation (Mon-Mon), business hours only
- Secondary: 1 week rotation, same schedule
- After-hours: Same primary, but with automated fallback as first response
- Swap weeks every cycle — no one is on-call more than 1 week out of 3
For teams of 2 engineers:
- Primary: 1 week on, 1 week off
- No secondary (it’s just two of you — be honest about it)
- After-hours: Automated rollback is the default; human intervention only for issues that automation can’t handle
- Shared responsibility for postmortems and improvements
Runbook-Driven Response
The most underrated tool in incident response is a good runbook. Every known incident pattern should have a documented runbook that answers three questions:
- How do I confirm this is happening? (dashboard links, commands to run)
- What do I do immediately? (the 5-minute mitigation, not the perfect fix)
- When do I escalate? (clear criteria for calling in backup)
Store runbooks in your Git repository alongside your infrastructure code. Keep them in a docs/runbooks/ directory and link to them from your alert notifications.
# docs/runbooks/high-error-rate.md
# High Error Rate Response Runbook
## 1. Confirm
- Check Grafana dashboard: [link]
- Run: `curl -s https://api.myapp.com/health | jq .error_rate`
## 2. Immediate Mitigation (5 min)
- If error_rate > 5% AND deploy within 15m:
Run: `kubectl rollout undo deployment/myapp`
- If error_rate > 5% AND no recent deploy:
Check database connection pool status
Run: `kubectl exec deploy/myapp -- nc -zv ${DB_HOST} 5432`
## 3. Escalation Criteria
- Escalate to L2 if: Mitigation doesn't reduce error_rate below 2% within 10 minutes
- Escalate to L2 if: Database connectivity issue confirmed
Measuring What Matters
For lean teams, track only three metrics:
- Mean Time to Acknowledge (MTTA) — how fast your team responds
- Mean Time to Resolve (MTTR) — how fast you fix things
- Page burden — number of pages per engineer per week (keep this under 5)
If page burden is above 5, invest in Tier 1 automation before adding more people. Every hour spent building automated responses pays back 10 hours of saved on-call time.
Start with What You Have
You don’t need PagerDuty or Opsgenie to start. A free Slack channel, a GitHub repo for runbooks, and a Google Sheet for tracking rotations is enough for month one. As you grow, add tools incrementally:
- Month 1: Slack alerts + shared runbook repo + rotation schedule
- Month 2: Automated incident response for top 3 alerts
- Month 3: Lightweight on-call tool (PagerDuty free tier, Grafana On-Call, or Zabbix)
- Month 4: Postmortem process — blameless, 30-minute reviews
The goal isn’t to copy Google’s SRE model. It’s to build an incident response system that works for your team size, your budget, and your risk tolerance.
If you need help designing your incident response framework, we’ve helped dozens of SMBs implement exactly this approach. Check out our DevOps consulting services or book a free consultation to discuss your specific situation.
Need help implementing this in your company?
We help SMBs adopt these practices without hiring a full-time internal team.
Book a free consultation and discover how we can transform your infrastructure.