Overview
Rootly models every incident using a sequence of lifecycle stages that reflect how teams actually discover, assess, respond to, and close out operational issues. Each stage corresponds to an incident status, and Rootly automatically records timestamps as incidents progress. These statuses power automation, analytics, retrospectives, and help teams maintain a clean, consistent operational process.Each lifecycle transition can be made from the web UI or via Slack commands such as
/rootly mitigate, /rootly resolve, and /rootly cancel. Rootly automatically records the appropriate timestamp with every status change.Triage
Incidents frequently begin with incomplete or ambiguous signals.The Triage status is designed for these early situations where something may be wrong, but responders are not yet certain. Entering Triage keeps notifications limited so teams can investigate without alarming broader stakeholders. How to enter Triage:
- When creating an incident, select the Mark as In Triage checkbox
- Or update the status from Slack or the web UI
in_triageTimestamp:
in_triage_at (only recorded if the incident actually enters Triage)
Started
Once responders confirm the issue is real, the incident progresses to the Started status. This is the point where coordinated response begins—roles are assigned, communication channels open, and early hypotheses are formed. How to enter Started:- Leave Mark as In Triage unchecked during incident creation
- Or move from Triage → Started in the UI or via Slack
startedTimestamp:
started_at
If you skip Triage during creation, Rootly sets the incident directly to Started.
Detected (Optional)
Some teams track the moment an issue was first noticed, separate from when response formally began. Data value:detectedTimestamp:
detected_at
Captured detection time supports metrics like MTTD (Mean Time To Detect).
Acknowledged (Optional)
Acknowledgement indicates a specific responder has taken ownership, which pauses escalations and clarifies responsibility even before major status transitions occur. Data value:acknowledgedTimestamp:
acknowledged_at
Mitigated
An incident becomes Mitigated when the immediate impact has been contained. Users may still be affected, but the issue is no longer actively worsening. This is common when temporary fixes, failovers, or emergency controls are applied. How to enter Mitigated:- Use the Mitigate button
- Or run
/rootly mitigatein Slack
mitigatedTimestamp:
mitigated_at
Resolved
An incident is Resolved when the underlying issue has been fixed and service impact is no longer present.This moment typically triggers stakeholder updates and begins the retrospective process. How to enter Resolved:
- Click Resolve
- Or run
/rootly resolvein Slack
resolvedTimestamp:
resolved_at
Many teams configure workflows that automatically generate a Retrospective when an incident reaches Resolved.
Closed
While Resolved means “the system is fixed,” Closed means “all follow-up work is complete.”This includes finishing retrospectives, verifying action items, and closing out communications. Data value:
closedTimestamp:
closed_at
Use Closed to separate technical completion from process completion.
Cancelled
A Cancelled incident represents a false positive or the identification of a duplicate.It prevents unnecessary responder work and keeps analytics clean. How to enter Cancelled:
- Use the Cancel Incident button
- Or run
/rootly cancel - Available only when the incident is in Triage
cancelledTimestamp:
cancelled_at
Planned Maintenance (Optional)
Rootly can model planned or controlled operational work.Scheduled incident lifecycle values include:
- planning — defining scope
- scheduled — approved window (
scheduled_for,scheduled_until) - in_progress — work underway
- completed — work finished
- verifying — final checks
Timeline
Every incident includes a Timeline, which organizes all key moments—status changes, role assignments, workflow actions, Slack updates, alerts, and manual entries—into a coherent narrative.Status Overview
| Status | Data Value | Timestamp Field |
|---|---|---|
| Triage | in_triage | in_triage_at |
| Started | started | started_at |
| Detected* | detected | detected_at |
| Acknowledged* | acknowledged | acknowledged_at |
| Mitigated | mitigated | mitigated_at |
| Resolved | resolved | resolved_at |
| Closed | closed | closed_at |
| Cancelled | cancelled | cancelled_at |
FAQ
What status should I use when I'm not sure an issue is an incident yet?
What status should I use when I'm not sure an issue is an incident yet?
Use Triage. It limits notifications and keeps early investigation to a small responder group.
Use Started only once you are confident the issue is real.
Use Started only once you are confident the issue is real.
Can I start an incident directly in the Started status?
Can I start an incident directly in the Started status?
Yes. If you leave Mark as In Triage unchecked during creation, Rootly will set the incident directly to Started.
Do I have to use Mitigated?
Do I have to use Mitigated?
No. Mitigated is optional, but recommended. If you skip it and go straight to Resolved, Rootly will automatically set
mitigated_at = resolved_at to preserve accurate analytics.What is the difference between Resolved and Closed?
What is the difference between Resolved and Closed?
- Resolved = the technical issue is fixed
- Closed = all follow-up work (retrospectives, action items, communication, cleanup) is complete
Can I add custom lifecycle statuses?
Can I add custom lifecycle statuses?
Yes—Rootly supports additional operational statuses such as Detected, Acknowledged, and Scheduled Maintenance states (
planning, scheduled, in_progress, etc.). These are optional and configurable based on your workflow.Where should I track follow-up actions?
Where should I track follow-up actions?
Use Action Items or attach tasks directly from the incident.
Once these are complete, set the incident to Closed.
Once these are complete, set the incident to Closed.