Covers the design and operation of incident response programs and the creation and maintenance of actionable runbooks and playbooks for production systems. Candidates should be able to explain the incident lifecycle from detection and classification through investigation, escalation, remediation, and post incident analysis. Topics include severity definitions and assessment, escalation procedures, team roles and responsibilities, communication protocols during incidents, on call rotations, alert triage, and coordination across teams during outages. Also includes designing automated remediation steps where appropriate, integrating runbooks with monitoring and alerting systems, maintaining playbooks for common failure modes such as malware, data exfiltration, denial of service, and account compromise, and conducting blameless post incident reviews and continuous improvement. Candidates should be able to discuss metrics for measuring response effectiveness such as mean time to detect, mean time to repair, and response success rate, and describe approaches to improve those metrics over time.
EasyTechnical
0 practiced
Explain a clear alert triage process for a data platform: from alert arrival to final disposition (actioned/suppressed/route-to-SRE). Describe deduplication, enrichment (job id, dataset, run id), severity assignment, owner assignment, short-term suppression windows, and recording remediation outcome. Mention common automations that reduce noise.
MediumSystem Design
0 practiced
Explain how you would implement 'runbook as code' in an organization: recommended file format/structure, metadata requirements (owner, severity, service), CI checks (lint, metadata presence), linking runbooks to services, change-review process, and how you'd execute non-destructive test steps in an automated sandbox.
HardSystem Design
0 practiced
Describe how to secure runbooks that contain sensitive remediation steps (database admin commands, key rotation, decryption steps). Cover access control, secrets management (vaults), audit logging, just-in-time access, approval workflows, and how to balance responder speed during P1 incidents with security and compliance requirements.
EasyTechnical
0 practiced
Define severity levels (e.g., P0/P1/P2 or Sev1/Sev2) for data-platform incidents. For each severity, give example symptoms (ETL failure, schema incompatibility, data corruption, ML-serving degradation), describe expected business impact, target response time, escalation steps, and stakeholders to notify (analytics, product, SRE, legal).
MediumTechnical
0 practiced
You are asked to improve MTTD and MTTR by 30% over six months. Propose a prioritized action plan including instrumentation improvements, alerting rule changes, runbook quality and coverage, automation of common remediations, training/onboarding improvements, and incident simulation frequency. Include measurable targets for each action.
Unlock Full Question Bank
Get access to hundreds of Incident Response and Runbook Design interview questions and detailed answers.
