During a major incident, inform the Incident Commander about new discoveries to guide the response

Who Should Hear Fresh Discoveries During a Major Incident?

When the sirens are on and the clock is ticking, the incident floor can feel like a crowded, loud hallway. Everyone’s got a job to do, a line to pull, a fix to push. In that moment, a simple question often reveals how well a team is wired: who needs to know about new discoveries as they pop up? The short answer is clear—The Incident Commander—the person steering the response—needs to be told first. Here’s why that single choice matters, and how the flow of information really works in practice.

Meet the conductor: what the Incident Commander does

Think of the Incident Commander as a conductor in a very loud orchestra. They don’t play all the instruments, but they coordinate the timing, balance the volumes, and decide which section comes in next. In PagerDuty terms, the Incident Commander assembles the right players, directs actions, and keeps the communication lines open so the entire response stays aligned.

• They decide who should be involved next. If a discovery requires an expert from a different team—say, network engineering or data protection—they pull that resource into the room (or the channel) at the right moment.

• They set the tempo. The Commander prioritizes tasks, sequences containment steps, and shifts focus as the incident evolves.

• They own the big picture. Updates, strategy shifts, and the official status all flow through them so stakeholders aren’t left to hunt for the latest truth.

The important point here: decisions get faster and safer when the right person has the latest facts, and that person is the Incident Commander.

New discoveries and their impact: why timing matters

New discoveries aren’t just “more data.” They’re potential pivots. A fresh finding could reveal a broader impact, a different root cause, or an alternative containment path. If you’re on a high-stakes incident, the moment a discovery lands, you have to ask: does this change the plan?

• Could the discovery change containment strategies? If a vulnerability is broader than first thought, containment might need a larger scope, or a more conservative approach. The Commander weighs risk, cost, and time, then adjusts the playbook.

• Does it alter service owners or customer impact? Stakeholders care about visibility and the path to recovery. The Commander translates technical shifts into business impact so leadership and customers aren’t blindsided later.

• Does it change the next best action? A new clue can flip which fix to implement first, which data to backfill, or whether to roll back a change rather than patch it.

Let me explain with a quick analogy. Imagine you’re driving a convoy through fog. The first leg goes smoothly, but then you spot a detour sign that wasn’t in the map. Do you keep trucking and hope for the best, or pull the convoy together, reassess the route, and adjust the plan on the fly? The right answer is the latter, and in a major incident that “right answer” flows through the Incident Commander.

Who should be notified—and who should be kept in the loop

You might be tempted to loop in a lot of people as discoveries come in. After all, more eyes can help, right? Not always. The risk with broadcasting every new finding to everyone is information overload and decision fatigue. The Commander is the essential hub who filters, corroborates, and disseminates—the single source of truth that keeps everyone rowing in the same direction.

• The Incident Commander informs the broader team, but not in chaotic bursts. They curate updates that reflect current understanding and next steps.

• The technical team needs the fresh data, but often through a structured channel. A discovery is most useful when it’s accompanied by impact assessment and proposed actions.

• Stakeholders deserve awareness, but at a level that matches their need to know. Some updates go straight to executives; others go to product or customer support leads to manage expectations and communications with users.

• The Scribe or incident log is important, but they’re not the decision-makers in real time. They capture what’s decided and why, not what could have been.

In other words, inform the Incident Commander first, then let the chain of communication propagate in a controlled, meaningful way. This approach keeps the incident organized and reduces the chance of misinterpretation.

What makes the IC’s role so crucial in practice

A lot of incident response isn’t about the flashy fix. It’s about reliable governance under pressure. The Incident Commander is the nerve center for that governance:

• They maintain situational awareness. As new facts arrive, the Commander builds a live picture of impact, progress, and remaining risk.

• They mediate between speed and safety. Quick fixes are tempting, but not at the expense of creating bigger downstream problems.

• They safeguard the incident timeline. When you’re juggling multiple tasks, a clear, updated timeline helps everyone know what happened, what’s happening, and what’s next.

• They orchestrate the communications flow. The Commander decides who gets what update and when, avoiding mixed messages that can derail response.

If you’ve ever watched a good sports coach, you’ll recognize this pattern: not every moment needs a loud shout, but every moment needs a clear signal about what to do next. The Incident Commander provides that signal.

Practical tips for reporting discoveries during an incident

Let’s get practical. Here are some simple, repeatable habits that help ensure new discoveries are useful rather than chaotic.

• Report with context. When a discovery lands, pair it with what it means for containment, remediation, and service impact. The “why this matters” part helps the IC decide quickly what to do.

• Use a concise format. A short update that covers: What was found, Where it affects, When it matters, Impact, Proposed next steps. It’s a tiny briefing that pays off big time.

• Propose options, not just observations. The IC appreciates seeing a few clear paths, each with rough costs and risks. It’s not about having all the answers; it’s about hardening the decision with options.

• Keep the official record current. The incident timeline should reflect discoveries and decisions in near real time. That helps after-action reviews and audits, too.

• Guard against information overload. If you’re unsure whether something is important, mention it but avoid burying the update under a pile of minor details. The IC can triage in seconds when updates are crisp.

A brief tangent: the human side of incident response

Now, I’m not pretending this is all muscle and no soul. Major incidents bring stress, cognitive load, and fatigue. The best teams pair rigorous processes with humane leadership. The Incident Commander’s job isn’t just about speed; it’s about calm, confidence, and clarity under pressure.

• On-call life matters. Teams that rotate on-call responsibilities often perform better when there’s a clear escalation pattern and predictable communication channels. People sleep better knowing there’s a plan anchored by the IC.

• War room energy counts. The tone of conversations matters. Calm, direct questions beat vague, hopeful chatter every time.

• Post-incident reflections help long-term health. A well-run retrospective makes room for what worked, what didn’t, and what to tweak for next time—without blaming teammates for the chaos of a crisis.

A practical mindset for teams using incident management tools

Tools like PagerDuty are built to support the flow I’ve described. They’re not magic wands, but they do a solid job of clarifying roles, routing updates, and preserving a clean incident history.

• The Incident Commander as the central node. In most setups, a single person holds the lead during the critical window. The tool helps them pull in the right specialists at the right times.

• Clear ownership and handoffs. When a new discovery comes to light, the IC can reassign tasks, update the incident phase, and push the next steps to the right people.

• A shared, auditable trail. Every update, decision, and action has a timestamp and author. This isn’t “paperwork for the sake of it”—it’s the backbone of accountability and post-incident learning.

The big takeaway

During a major incident, new discoveries aren’t simply new data points. They’re potential pivots that can reshape strategy, containment, and recovery. The Incident Commander is the one who should hear about them first, so they can evaluate impact, re-prioritize, and communicate the plan clearly to everyone else. When information funnels through a well-defined leader, the whole response stays focused, coordinated, and efficient.

If you’re curious how this plays out in real teams, think about how you’d want updates to arrive in a fast-moving incident. What kinds of information would you crave in the moment? Which questions would you want answered immediately? What would you want to see reflected in the incident timeline? Answering these questions helps you tune your processes and your tool setup so that, when a new discovery lands, everyone knows the next move and the reason behind it.

Bringing it all together, the Incident Commander’s role isn’t about gatekeeping. It’s about anchoring the response to a single, trustworthy thread that can withstand the noise of a crisis. The right information at the right moment can turn a chaotic incident into a well-managed recovery—and that’s how teams protect their users, their data, and their own peace of mind.

If you’re building or refining your incident response practice, remember this: the moment a new discovery surfaces, the first person to hear it should be the one who steers the ship. The rest will follow. And with that centralized clarity, you’ll find the path from disruption to restoration is not just possible—it’s predictable.