EU AI Act Article 50 — 20 days to seal | Get passport
DEFONEOS · Escalation Runbook · v1.0
12 Jul 2026 SEV-1..4 · 14-day recovery · Named owner

14-day SEV-1 to SEV-4 recovery — with named owner at every step.

Companion to defoneos-mod-customer-success-scorecard.html (where escalations are triggered) and defoneos-mod-churn-prevention.html (when SEV-1 triggers churn risk). This runbook is the named-owner playbook for any escalation that opens against a DEFONEOS buyer. Every step has a person, a deadline, and a SIGIL receipt.

4Severity tiers
14 dMax recovery window
9Steps per severity
SIGILReceipt at each step

1. SEV definitions — the four-tier taxonomy

SeverityDefinitionExamples
SEV-1Critical. Material breach, renewal intent at risk, or safety-of-life implication.Production outage > 4h, material security incident, data loss, regulatory finding requiring customer notification, champion resignation.
SEV-2Degraded. Value-realisation KPI missed or governance breach; not yet material breach.SIGIL pipeline down > 48h, audit overdue on a regulated framework, named operator certification expired > 30d, two consecutive missed QBRs.
SEV-3Risk. Delivery or adoption KPI at risk; no current value impact.Patch lead time > 30d for non-emergency advisory, F1 signal at red for 2 consecutive weeks, named expansion workload delayed.
SEV-4Advisory. Minor concern, no impact on value, logged for tracking.Single help-desk ticket with no pattern, single missed quarterly check-in, documentation gap.

2. Response SLAs

SeverityAcknowledgeTriageContainmentResolution targetPost-mortem
SEV-1≤ 1 hour≤ 4 hours≤ 24 hours≤ 14 days≤ 21 days
SEV-2≤ 4 hours≤ 24 hours≤ 5 business days≤ 14 days≤ 21 days
SEV-3≤ 1 business day≤ 5 business daysn/a (no containment)≤ 30 daysNot required (logged)
SEV-4≤ 5 business days≤ 10 business daysn/a≤ 90 daysNot required

3. SEV-1 — Critical, 14-day recovery

Step 1 — Detect & acknowledge (≤ 1 hour)

  1. Detection source: 24/7 incident line, observability alert, buyer call, CSOAI internal detection.
  2. Acknowledge by named CSOAI on-call engineer within 1 hour; create incident record in escalation ledger.
  3. SIGIL receipt: incident ID + timestamp.

Step 2 — Triage & declare (≤ 4 hours)

  1. On-call engineer + buyer SC officer agree on SEV tier.
  2. If SEV-1: CSOAI CEO + buyer executive sponsor notified within 4 hours; executive-to-executive call within 6 hours.
  3. War room established (bridge call + shared doc); both parties' technical authorities in the room.
  4. SIGIL receipt: SEV tier declaration + named owner + war-room bridge.

Step 3 — Containment (≤ 24 hours)

  1. Scope the affected workloads, operators, data.
  2. Apply immediate mitigation (power-cycle affected nodes, failover to redundant plane, isolate at network switch).
  3. Preserve forensic artefacts (memory dump, disk image, network state) with write-blocker.
  4. SIGIL receipt: containment actions + forensic chain-of-custody.

Step 4 — Root-cause investigation (≤ 5 business days)

  1. Engineering team + buyer technical authority investigate; daily standups; shared working doc.
  2. Identify root cause; classify (CSOAI / buyer / third-party / environmental).
  3. Propose remediation: hot-fix patch, configuration change, process change, or rebuild.
  4. SIGIL receipt: root cause + remediation proposal.

Step 5 — Remediation delivery (≤ 10 business days)

  1. Deliver remediation via the appropriate channel: emergency advisory (air-gap: sneakernet), config change (signed), or rebuild.
  2. Buyer applies in test environment; validates against 240-test gate.
  3. Buyer applies in production; CSOAI engineer on-call for 48-hour stabilisation window.
  4. SIGIL receipt: remediation applied + validation results.

Step 6 — Restoration confirmation (≤ 12 business days)

  1. Buyer confirms all production workloads restored; observability green for 72 hours.
  2. Buyer + CSOAI counter-sign restoration confirmation.
  3. SIGIL receipt: restoration confirmation + counter-signature.

Step 7 — Post-mortem (≤ 21 business days)

  1. Joint post-mortem document: timeline, root cause, contributing factors, what went well, what didn't, action register.
  2. Action register: each named action has owner, deadline, success criterion.
  3. SIGIL receipt: post-mortem + action register.

Step 8 — Process improvement (≤ 14 days after post-mortem)

  1. Action register actions are tracked in the CSOAI engineering backlog + the buyer's change plan.
  2. Status reported at next QBR.

Step 9 — Escalation closure (≤ 14 days after post-mortem)

  1. All action register items closed or scheduled.
  2. Closure counter-signed by CSOAI CS lead + buyer executive sponsor.
  3. SEV-1 closed in escalation ledger; SIGIL receipt of closure.

4. SEV-2 — Degraded, 14-day recovery (9 steps, condensed)

  1. Acknowledge (≤ 4 hr) — named CS lead; incident record; SIGIL receipt.
  2. Triage (≤ 24 hr) — CS lead + buyer ops lead agree on tier; CSOAI CRO + buyer CIO notified.
  3. Recovery plan (≤ 5 bd) — joint plan with named owner, deadline, success criterion.
  4. Recovery delivery (≤ 10 bd) — execute plan; buyer validates.
  5. Confirmation (≤ 12 bd) — buyer + CSOAI counter-sign restoration.
  6. Post-mortem (≤ 21 bd) — joint document with action register.
  7. Process improvement — tracked in backlog + QBR.
  8. Closure counter-sign — CSOAI CS lead + buyer CIO.
  9. SIGIL receipt of closure.

5. SEV-3 — Risk, 30-day resolution (lighter-weight)

SEV-3 escalations do not require a war room or executive notification, but they do require a named owner and a deadline. They are tracked in the weekly scorecard and the next QBR.

  1. Acknowledge (≤ 1 bd) — CS lead; incident record; SIGIL receipt.
  2. Triage (≤ 5 bd) — CS lead + buyer ops lead; agree on plan.
  3. Resolution plan (≤ 10 bd) — joint plan with named owner + deadline.
  4. Resolution delivery (≤ 20 bd) — execute plan; verify.
  5. Confirmation (≤ 25 bd) — buyer counter-signs resolution.
  6. Closure (≤ 30 bd) — SIGIL receipt.
  7. Logged in next QBR — under "open escalations" agenda item.

6. SEV-4 — Advisory, 90-day resolution (lightest-weight)

  1. Acknowledge (≤ 5 bd) — CS lead; logged in scorecard.
  2. Plan (≤ 10 bd) — joint plan if needed.
  3. Resolution (≤ 90 d) — bundled into normal operational cadence.
  4. Closure — at next QBR.

7. The named-owner matrix

SeverityCSOAI ownerBuyer ownerCSOAI escalationBuyer escalation
SEV-1On-call engineer (named in escalation ledger)Buyer SC officerCSOAI CEOBuyer executive sponsor
SEV-2CS leadBuyer ops leadCSOAI CROBuyer CIO
SEV-3CS leadBuyer ops leadCSOAI CS VPBuyer ops manager
SEV-4CS leadBuyer ops leadNone requiredNone required

8. The 24/7 incident line

The 24/7 incident line is contracted to all DEFONEOS pilot customers (per Schedule 2 of defoneos-mod-contract-award-letter.html). The number is in the deployment binder issued at SoW signature.

DEFONEOS 24/7 INCIDENT LINE Primary: +44 [redacted — in deployment binder] Backup: +44 [redacted — in deployment binder] Email: incident@defoneos.org (PGP-signed receipt auto-issued) Portal: https://defoneos.org/incident (SIGIL-anchored ticket creation) Response time by tier: SEV-1: phone answered live, ≤ 3 rings, 24/7/365 SEV-2: phone answered ≤ 30 sec, 24/7/365 SEV-3: phone answered ≤ 5 min, business hours UK; ticket system 24/7 SEV-4: ticket system only; response within 5 business days

9. The escalation ledger

The escalation ledger is the SIGIL-anchored record of every escalation across all DEFONEOS customers. Each entry contains:

FieldDescription
Incident IDSIGIL-anchored unique identifier (e.g. INC-2026-0712-001)
BuyerBuyer entity + contract reference
SEV tier1, 2, 3, or 4 (re-classifiable)
Detected atISO 8601 timestamp + detection source
Acknowledged atISO 8601 timestamp + named owner
Current statusOPEN / CONTAINED / RECOVERING / RESOLVED / CLOSED
Current stepWhich step in the runbook (1-9)
Root causeOne-sentence classification (CSOAI / buyer / third-party / environmental)
Affected workloadsList of buyer workloads impacted
Resolution targetDate by which resolution is committed
Closure SIGIL receiptHash + chain reference

10. What this runbook is NOT

11. Cross-walk to DEFONEOS pack

12. Honesty register

  1. The SEV tier definitions are CSOAI defaults; buyers may classify differently internally (e.g. P1/P2/P3/P4) and CSOAI adopts the buyer's classification when communicating.
  2. The 14-day recovery window is the maximum contractual target; observed pilot-deployment SEV-1 resolutions have been 3-9 days.
  3. The 24/7 incident line response times are contractual in Schedule 2; breach of these SLAs is a material breach.
  4. The escalation ledger is retained for the duration of the contract plus 7 years per UK GDPR and commercial record retention.
  5. Air-gapped buyers may have adjusted escalation procedures; see defoneos-mod-air-gap-deployment-guide.html §8 for the no-internet IR procedure.