Incident Severity Classification Tool Guide: SEV Level Definitions That Don’t Collapse Under Pressure
Incident severity classification tool guide: SEV level definitions that don’t collapse under pressure
Incident severity classification tool guide: SEV level definitions that don’t collapse under pressure
In a 30 person engineering org, one mislabeled SEV1 can pull 10 percent of the team into a war room for hours. And one under-labeled SEV3 can turn into a churn event by morning.
Downtime cost benchmarks often land in the $300K to $5M per hour range for larger firms, and some research cites ~$2M per hour averages for high impact outages. That’s how fast exposure stacks up once core systems break (Dynamic Consultants Group). The point is simple: a consistent incident severity classification tool isn’t process theater. It’s how you control attention, cost, and trust when things go sideways.
What is an incident severity classification tool, and what the Incident Severity Classifier standardizes
An incident severity classification tool gives responders a shared way to label impact. It turns “this feels bad” into “this meets SEV2 criteria.” That shared language matters most when the team is tired, the Slack channel is loud, and customers are asking for ETAs.
The Art of CTO Incident Severity Classifier standardizes incident classification using impact based criteria across:
- User impact: how many users, and which users, lose core functionality.
- Data integrity: risk of loss, corruption, or exposure.
- Revenue effect: direct lost transactions, refunds, credits, and sales risk.
- Blast radius: how many services, regions, and customers are in scope.
This guide treats severity as a label for harm. It’s not a label for effort.
Here’s why this tool exists. Early startups run “all hands for everything.” That’s fine at 5 engineers. It breaks at 30. By 50 to 100 engineers, you need repeatable rules so on-call rotations, comms, and exec attention scale without drama.
The framing statement: severity is an impact contract, not a feelings check.
SEV level definitions: severity level guidelines that teams can apply in 60 seconds
Most teams land on 4 or 5 levels. Atlassian describes severity as a measure of business impact, with SEV1 as critical and SEV3 as minor, and they tie response expectations to those levels (Atlassian severity levels). PagerDuty makes the same point in plainer terms: definitions need to be specific and tied to business metrics, or you’ll waste time debating during the incident (PagerDuty severity classification).
Here’s a set of SEV level definitions that works well for Series A and early Series B.
A practical 4 level model (SEV1 to SEV4)
- SEV1, Critical: complete outage of a core user journey, or confirmed data loss, corruption, or breach. No acceptable workaround. Executive notification and customer comms start fast.
- SEV2, Major: major degradation or partial outage for a large cohort, or high risk of data integrity issues. Workaround exists but hurts. Dedicated response team.
- SEV3, Minor: partial impact for a subset of users, or degraded performance with a workaround. Handle in business hours unless it escalates.
- SEV4, Low: cosmetic issues, minor bugs, or internal tooling friction. Track and fix in normal workflow.
ManageEngine’s descriptions map well to this, including the idea that SEV2 is a major disruption that needs prompt resolution, and SEV4 is low priority with minimal disruption and a stable workaround (ManageEngine SEV levels).
Add a SEV5 only if you have a real use
Some orgs add SEV5, Informational for “no user impact” events. That can help trend analysis. It can also become a junk drawer.
Odown’s table shows a common SEV1 to SEV5 mapping across response time, escalation, and impact (Odown SEV levels). If the team already struggles to keep SEV1 to SEV4 consistent, a SEV5 usually adds noise.
The Art of CTO SEV definition rule
Here’s a definition teams can paste into runbooks:
Severity is the measured harm of an incident right now, based on user impact, data integrity risk, revenue exposure, and blast radius.
That keeps the label grounded in impact, not effort.
Incident classification framework: the Impact First SEV Framework
Most CTOs don’t need more levels. They need fewer arguments. The fastest path is a simple incident classification framework that people can run in their head.
The Impact First SEV Framework
Use these four questions in order. Stop as soon as one triggers SEV1.
- Data integrity trigger: Is there confirmed data loss, corruption, or exposure risk? If yes, classify SEV1 until proven otherwise.
- Core journey trigger: Is a core user journey down for most users? If yes, classify SEV1.
- Cohort trigger: Is a large cohort blocked or heavily degraded? If yes, classify SEV2.
- Subset trigger: Is a subset impacted with a workaround? If yes, classify SEV3.
Giva calls out scope as one of the fastest inputs, and recommends writing definitions in terms of percent of active users affected, not vague words like “many” (Giva severity best practices). PagerDuty also pushes teams to tie severity to tangible metrics like percent of users affected, revenue impact, and number of services impacted (PagerDuty severity classification).
A concrete scoring rubric for 10 to 100 engineer orgs
If your team likes a bit more structure, score each dimension 0 to 3, then map totals to SEV.
- User impact
- 0: no user impact
- 1: < 5 percent of active users, non core feature
- 2: 5 to 25 percent of active users, or core feature for a segment
- 3: > 25 percent of active users, or core journey for most users
- Data integrity
- 0: no risk
- 1: transient inconsistency, auto heals
- 2: possible corruption or exposure, not confirmed
- 3: confirmed loss, corruption, or exposure
- Revenue effect per hour
- 0: $0 to $1K
- 1: $1K to $10K
- 2: $10K to $50K
- 3: > $50K
- Blast radius
- 0: one internal tool
- 1: one service, one region
- 2: multiple services, one region
- 3: multi region, shared platform, or identity layer
Map the total:
- 9 to 12: SEV1
- 6 to 8: SEV2
- 3 to 5: SEV3
- 0 to 2: SEV4
The numbers aren’t magic. They just force a fast conversation with shared anchors.
What happens when the team disagrees on SEV2 vs SEV3?
Treat it like a product bug in the framework, not a people problem.
Giva recommends a quarterly review, plus an extra review after any incident where the classification was disputed during response (Giva severity best practices). That cadence works well for startups because the product and customer base change fast.
Severity vs priority: how to use an incident priority matrix without gaming SEV
Severity and priority are different knobs.
- Severity measures harm.
- Priority sets order of work.
Mix them and you’ll get severity inflation. People bump incidents to SEV1 just to get attention. Then SEV1 stops meaning “drop everything,” and the pager loses credibility.
PagerDuty recommends using an incident priority matrix to assess impact and urgency, drawing from ITIL style practices (PagerDuty severity classification). Xurrent defines the matrix as a way to combine impact and urgency into a priority level, with questions that force clarity on time sensitivity and escalation risk (Xurrent priority matrix guide).
A simple incident priority matrix for startups
Use this table to set priority after you set severity.
| Impact | Urgency | Priority | Example |
|---|---|---|---|
| High | High | P1 | Checkout down during peak hours |
| High | Medium | P2 | Checkout degraded, workaround exists |
| Medium | High | P2 | One enterprise customer blocked, contract SLA |
| Medium | Medium | P3 | Latency regression, no SLA breach yet |
| Low | Low | P4 | Cosmetic UI bug |
FireHydrant describes the same core idea: map impact and urgency, then assign priority levels that drive who responds and what resources are needed (FireHydrant priority matrix).
A rule that prevents SEV gaming
Put this policy in writing:
- SEV never changes based on customer tier.
- Priority can change based on customer tier.
Example: a SEV3 bug hits one customer. If that customer is 18 percent of ARR, set Priority P2 with a dedicated owner. Keep it SEV3 so the dataset stays clean.
This separation also improves metrics. ManageEngine notes that consistent severity data supports trend analysis and continual improvement over time (ManageEngine SEV levels).
Enterprise implications for Series A and early Series B CTOs
Severity systems sound like “big company process” until you hit the first quarter with three concurrent incidents.
-
On-call load and burnout
- A noisy SEV1 channel creates alert fatigue. Giva calls out severity inflation as the most common and most costly mistake, because responders learn that SEV1 does not mean “drop everything” (Giva severity best practices).
- A clean SEV system lets teams rotate on-call without fear that every page is a fire.
-
Customer trust and comms discipline
- A SEV1 declaration should trigger clear stakeholder updates. ManageEngine notes that defined severities streamline internal and external communication during disruptions (ManageEngine SEV levels).
- If the team declares SEV1 too often, customers stop believing status updates.
-
Revenue exposure and board level risk
- Downtime cost curves get steep fast once core platforms break. Benchmarks cite $300K+ per hour for many mid size and large firms, and ~$2M per hour averages for high impact outages in some research summaries (Dynamic Consultants Group).
- Startups rarely have those absolute numbers, but the shape of the curve is the same. A two hour checkout outage can erase a week of growth.
-
Better postmortems and better roadmaps
- InvGate recommends using historical incident data to adjust severity levels to match real conditions, not assumptions (InvGate severity matrix).
- Clean severity data makes it easier to justify platform work, reliability work, and migrations.
CTO recommendations: how to roll out severity level guidelines without slowing response
This is where most teams blow it. They write a doc, everyone nods, and then the next incident gets labeled based on vibes.
Immediate actions
-
Write the SEV rubric in the paging tool
- Put the SEV definitions in the incident creation flow, not in Confluence.
- Atlassian notes that SEV1 and SEV2 should page on-call immediately, while lower severities can wait for working hours in many orgs (Atlassian severity levels).
-
Add one required field: percent of active users affected
- Use ranges like < 5 percent, 5 to 25 percent, > 25 percent.
- Giva points out that percent based definitions speed classification and reduce debate (Giva severity best practices).
-
Timebox the SEV decision to 5 minutes
- If the team can’t decide, default up one level.
- Reclassify after 15 minutes when more facts exist.
-
Create a SEV change log
- Record when severity changes and why.
- Odown calls out that severity should be updated if the incident becomes more severe during mitigation (Odown SEV levels).
Policy framework
-
SEV ownership
- Incident commander owns severity during response.
- Postmortem owner validates severity after the fact.
-
SEV1 guardrails
- Data trigger: any credible data exposure risk starts at SEV1.
- Core journey trigger: login, checkout, payments, or API auth down starts at SEV1.
-
Comms triggers
- SEV1: customer status page update within 15 minutes.
- SEV2: customer comms within 60 minutes if user facing.
- These times are policies, not promises. They create muscle memory.
-
Quarterly calibration
- Review disputed classifications and adjust thresholds.
- Giva recommends quarterly reviews and extra reviews after disputed incidents (Giva severity best practices).
Architecture principles
-
Blast radius mapping
- Shared services like auth, billing, and feature flags get stricter SEV triggers.
- Use Command Center to track service criticality, incident history, and risk hotspots across the portfolio (/command-center).
-
Error budget alignment
- SEV1 and SEV2 should map to SLO breaches or near misses.
- Track response time and restore time in the Engineering Metrics Dashboard so severity labels match operational reality (/tools/engineering-metrics-dashboard).
-
Postmortem severity check
- Add a required section in your postmortem template: “Was the SEV correct at T0, T15, and T60?”
- Use our incident postmortem guide and template to keep reviews blameless and consistent (/tools/incident-postmortem).
-
Build vs buy for incident tooling
- If the team is stitching together paging, chat, and status updates, decide what to buy.
- Use the Build vs Buy Matrix to make that call with clear criteria (/tools/build-vs-buy-matrix).
Bigger picture: severity is a leadership system, not an ops detail
Once you’re past 25 engineers, incident response stops being “an ops thing.” It becomes a management problem. Who gets pulled in, who speaks externally, who can make calls fast, and how you keep the team from thrashing.
Severity also shapes culture. If every incident is SEV1, people learn to ignore the pager. If SEV1 is rare and real, people respond quickly and stay calm.
So ask yourself: do you want severity to be a shared language, or a negotiation tactic?
Use the tool: Incident Severity Classifier
Sources
- Atlassian, Understanding incident severity levels
- PagerDuty, Incident severity classification best practices
- Giva, Incident Severity Levels best practices and mistakes
- ManageEngine, SEV-1 to SEV-5 explained
- Dynamic Consultants Group, What a single hour of outage costs by industry
- InvGate, The 5 incident severity levels and a matrix
- Odown, Incident severity levels SEV1 to SEV5
- Xurrent, Incident priority matrix guide
- FireHydrant, Incident priority matrix