A DDoS incident is expensive. The only way to make it worthwhile is to ensure you learn from it. A structured postmortem — completed within 48 hours while memories are fresh — is the tool for turning an incident into systematic improvement.
Postmortem Structure
- Incident summary: what happened, when, for how long, what was affected.
- Timeline: minute-by-minute log of detection, escalation, actions taken, resolution.
- Impact assessment: revenue lost, users affected, SLA breach, regulatory implications.
- Root cause analysis: what made this attack succeed (or: what protected us)?
- What went well: detection speed, communication, tooling that worked.
- What went wrong: slow escalation, unclear ownership, missing runbook steps.
- Action items: specific, assigned, time-bound improvements.
Key Questions to Answer
- When did we detect the attack, and how? (Monitoring alert vs customer complaint?)
- How long did it take to begin mitigation after detection?
- Did our DDoS protection activate automatically, or require manual intervention?
- Was there any origin IP exposure that allowed the attacker to bypass our proxy?
- What information was missing that would have helped us respond faster?
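To turn the timeline and these questions into numbers, here is an added example (not from the original page) that computes time-to-detect, detection source, time-to-mitigate and whether mitigation was automatic from a structured timeline, and checks an origin access log for requests that reached the origin without passing through the proxy. The timeline rows, event kind names, log lines and the proxy range 203.0.113.0/24 are constructed assumptions.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed timeline for a hypothetical incident (sample data, not from the page):
# (ISO timestamp, event kind, note). Kind names are assumed, not a standard.
TIMELINE = [
    ("2024-03-01T10:00:00", "attack_start", "edge traffic spike begins"),
    ("2024-03-01T10:04:00", "customer_complaint", "support ticket: site unreachable"),
    ("2024-03-01T10:06:00", "monitoring_alert", "p95 latency alarm fired"),
    ("2024-03-01T10:15:00", "mitigation_manual", "on-call enables rate limiting"),
    ("2024-03-01T10:40:00", "resolved", "traffic back to baseline"),
]
# Constructed origin access-log lines: "<client_ip> <method> <path> <status>".
ORIGIN_LOG = [
    "203.0.113.10 GET / 200",
    "203.0.113.11 GET /api 200",
    "198.51.100.7 GET / 503",  # outside the proxy range: direct hit on origin
]
PROXY_RANGES = [ip_network("203.0.113.0/24")]  # assumed CDN/proxy egress range
DETECTION = ("monitoring_alert", "customer_complaint")
MITIGATION = ("mitigation_auto", "mitigation_manual")


def first(events, kinds):
    """Earliest event whose kind is in `kinds`, or None if it never happened."""
    return next((e for e in events if e[1] in kinds), None)


def minutes(a, b):
    """Whole minutes from event a to event b; None if either is missing."""
    return None if a is None or b is None else int((b[0] - a[0]).total_seconds() // 60)


def postmortem_metrics(rows):
    """Answer the timing questions from the timeline. Missing events yield None."""
    events = sorted((datetime.fromisoformat(ts), k, n) for ts, k, n in rows)
    start, end = first(events, ("attack_start",)), first(events, ("resolved",))
    detect, mitigate = first(events, DETECTION), first(events, MITIGATION)
    return {
        "detection_source": detect[1] if detect else None,
        "time_to_detect_min": minutes(start, detect),
        "time_to_mitigate_min": minutes(detect, mitigate),
        "mitigation_automatic": bool(mitigate) and mitigate[1] == "mitigation_auto",
        "duration_min": minutes(start, end),
    }


def origin_bypass_hits(log_lines, proxy_ranges):
    """Client IPs that reached the origin without coming through the proxy range."""
    ips = (ip_address(line.split()[0]) for line in log_lines)
    return [str(ip) for ip in ips if not any(ip in net for net in proxy_ranges)]
```

A non-empty result from origin_bypass_hits is the evidence the postmortem needs for the origin-exposure question; a None in the metrics flags a timeline gap to fill before the action items are written.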
Blameless Principle
Postmortems are most effective when no individual is blamed. Focus on systemic causes: what made the error possible, not who made it. Assume that people made correct decisions given the information available to them at the time.