AI Agent Incident Response: From Alert Webhook to Root Cause with an AI Assistant
Every incident has the same first ten minutes. An alert arrives. You open the monitoring dashboard to see what is down. Then the logs. Then you start forming hypotheses: is it the app, the database, the network, the DNS, the certificate? Each hypothesis means another tab, another query, another mental timestamp comparison.
Those ten minutes are almost entirely mechanical. Fetch data, line up timelines, eliminate layers. Which is exactly the kind of work you can now hand to an AI assistant with tool access. This post walks through a concrete incident, layer by layer, showing where the assistant does the legwork and where you still make the calls.
The Setup (Five Minutes, Once)
Two pieces:
- Webhook alerts from UptyBots. Every monitor can notify a webhook endpoint the moment a check fails. Most teams point this at their chat (Slack, Discord, Mattermost) or an internal endpoint. Email and Telegram work too; the point is that the alert lands where you will see it, with the monitor name and failure details.
- An AI assistant connected to your monitoring via MCP. One config entry pointing your client (Claude Code, Claude Desktop, Cursor, and others) at
npx uptybots-mcp-serverwith an API key. Now the assistant can pull incidents, stats, and monitor details on demand. Setup details are in the docs.
One prerequisite that has nothing to do with AI: you need monitors on more than one layer. If the only check you have is "homepage returns 200", no assistant can tell you whether the database is the problem. The workflow below assumes a typical multi-layer setup: HTTP monitor on the site, API monitor on a backend endpoint, port monitor on the database, ping monitor on the host, SSL monitor on the certificate. (Why this layering matters is a topic of its own: multi-layer monitoring explained.)
The Incident
09:41. A webhook alert lands in the team channel: "checkout-api is DOWN". Here is the actual investigation, as a conversation.
Minute one: scope
> We got a down alert for checkout-api at 09:41.
What else is down or degraded right now?
The assistant calls list_monitors filtered by status and answers: checkout-api is down, everything else is up, but www-main shows elevated response times on its last checks. That single answer already kills the scariest hypothesis (total outage) and frames the real one: something is degrading the backend path.
Minute two: timeline
> Pull the incidents for checkout-api today and the hourly
stats for the last 6 hours. When did this actually start?
get_incidents plus get_stats_hourly. The assistant reports: response times were flat around 220ms until 08:00, then climbed steadily to over 4 seconds before the checks started failing at 09:38. So this is not a crash. It is a slow degradation that finally crossed the timeout threshold. Slow degradations point away from "deploy broke it" and toward resource exhaustion or a dependency.
Minute three: eliminate layers
> Check the db-port monitor and the host ping monitor
for the same window. Any incidents or latency changes?
The assistant pulls both. Ping is clean: the host is reachable with normal latency, so the network layer and the machine itself are fine. The database port monitor shows no downtime but its connection times doubled starting around 08:00.
Two data points, same timestamp, different layers. The assistant says what you are already thinking: the degradation pattern on checkout-api correlates with database connection latency beginning around 08:00; the network path is clean; this looks like database-level resource pressure rather than an application or network fault.
Minute four: the human part
The assistant narrowed it from "everything is possible" to "look at the database" in about three minutes of wall-clock time. Now the human work starts: you SSH in (or ask your assistant with shell access to do it) and find the actual cause - in the real incident this is based on, a scheduled 08:00 export job on the same database host was rewritten the day before and started table-scanning a large table, starving the connection pool.
The monitoring data could not name the export job. But it eliminated the network, the host, the certificate, and the application deploy without you opening a single dashboard tab, and it timestamped the start so precisely that "what changed at 08:00?" had an obvious answer.
Aftermath: verify and document
> The fix is deployed. Watch checkout-api and confirm
the next checks pass, then give me an incident summary
I can paste into the postmortem: timeline, affected
monitors, resolution time.
The assistant confirms recovery from the live checks and produces the summary from the same incident data it pulled during the investigation. The postmortem timeline writes itself, with timestamps that come from monitoring records rather than memory.
What This Workflow Is (and Is Not)
Being precise about the claim, because "AI incident response" gets oversold:
- The assistant is doing correlation, not magic. It fetches real data through 15 well-defined tools and lines up timelines faster than a human with tabs. The quality of its conclusions is bounded by the quality of your monitor coverage.
- You still own the diagnosis. The assistant said "database layer, started 08:00". A human recognized the export job. That division of labor is the honest version of this workflow.
- The speed gain is real and it compounds. Ten mechanical minutes saved per incident, multiplied by every incident, multiplied by every on-call engineer who no longer needs to know where every dashboard lives.
Making Your Setup Ready for This
- Monitor each layer separately: HTTP for the user-facing path, API for backend health, port for databases and services, ping for hosts, SSL and domain expiry for the slow-moving disasters.
- Name monitors so a language model can reason about them. "checkout-api" and "db-port-production" beat "Monitor 7". This costs nothing and pays off in every conversation.
- Send alerts to a webhook or channel your team actually watches, so the clock starts immediately.
- Connect the MCP server for everyone on call: one config entry per machine, one named API key per person.
Frequently Asked Questions
Can the webhook alert trigger the AI investigation automatically?
The webhook delivers the alert to any endpoint you control, so teams wire it into their chat or automation from there. The investigation itself runs in your MCP-connected assistant when you ask. How much of that loop you automate is an engineering choice; the data access layer (the MCP tools) is the same either way.
What data does the assistant see during an investigation?
Exactly what the MCP tools return from your UptyBots account: monitor configurations and statuses, incident history, hourly and daily stats, and notification history. It has no access to your servers or logs unless you have separately given it that access.
Does this replace a status page or on-call rotation?
No. It compresses the investigation step between "alert fired" and "we know where to look". Paging, escalation, and communication remain whatever your team already uses.
What if I only have one monitor?
Then start there, but add layers. Single-monitor setups can tell you that something is wrong, never where. The port and ping monitors that made this investigation work take two minutes each to create - or one sentence, if you ask your assistant to do it.