Incident response automation is a trap. Some things should be automated. Some things absolutely should not be. Getting the line wrong is worse than automating nothing.

What to automate

1. Alert enrichment. Before a human sees an alert, automate pulling in related data: recent deploys, dependent service health, historical correlation. Save the human 10 minutes of context-gathering.
2. Known-good remediations. If an alert always has the same fix (restart service X, clear cache Y), automate the fix

Incident Automation: What to Automate, What to Leave to Humans
Samson Tanimawo
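
The alert enrichment step from item 1, as an added example that is not code from the article: it attaches recent deploys, unhealthy dependencies and prior occurrences to an alert before a responder sees it. The data sources, field names, service names and the 30-minute and 30-day windows are assumptions, and all sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data (assumed shapes, not from the article): deploy log,
# dependency map, current health, and alert history.
DEPLOYS = [
    {"service": "checkout", "version": "v412", "at": datetime(2024, 5, 1, 11, 52)},
    {"service": "payments", "version": "v98", "at": datetime(2024, 5, 1, 9, 5)},
    {"service": "search", "version": "v77", "at": datetime(2024, 5, 1, 11, 58)},
]
DEPENDS_ON = {"checkout": ["payments", "inventory"], "payments": ["ledger-db"]}
HEALTH = {"payments": "degraded", "inventory": "ok"}  # ledger-db has no report
HISTORY = [
    {"service": "checkout", "name": "HighErrorRate", "at": datetime(2024, 4, 24, 12, 1)},
    {"service": "checkout", "name": "HighErrorRate", "at": datetime(2024, 4, 17, 12, 3)},
    {"service": "checkout", "name": "HighLatency", "at": datetime(2024, 4, 30, 3, 0)},
]

def transitive_deps(service, graph):
    """Return every service reachable from `service`, safe against cycles."""
    seen, queue = [], list(graph.get(service, []))
    while queue:
        dep = queue.pop(0)
        if dep not in seen and dep != service:
            seen.append(dep)
            queue.extend(graph.get(dep, []))
    return seen

def enrich(alert, deploy_window=timedelta(minutes=30), history_days=30):
    """Return a copy of the alert with context attached; the alert is not modified."""
    fired, deps = alert["at"], transitive_deps(alert["service"], DEPENDS_ON)
    in_scope = {alert["service"], *deps}
    context = {
        # Deploys to the service or its dependencies shortly before the alert fired.
        "recent_deploys": [d for d in DEPLOYS if d["service"] in in_scope
                           and timedelta(0) <= fired - d["at"] <= deploy_window],
        # Dependencies that are not "ok"; a missing health report counts as "unknown".
        "unhealthy_deps": {s: HEALTH.get(s, "unknown") for s in deps
                           if HEALTH.get(s, "unknown") != "ok"},
        # The same alert on the same service inside the lookback window.
        "prior_occurrences": [h["at"] for h in HISTORY
                              if (h["service"], h["name"]) == (alert["service"], alert["name"])
                              and timedelta(0) < fired - h["at"] <= timedelta(days=history_days)],
    }
    return {**alert, "context": context}

ALERT = {"service": "checkout", "name": "HighErrorRate", "at": datetime(2024, 5, 1, 12, 0)}
```

The enrichment only reads and annotates; it takes no action on the affected service.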
