Product

PagerDuty Automation with AI Agents: From Page to Root Cause

PagerDuty automation that investigates the incident while you're still waking up. Part three of our incident response series shows how CloudThinker agents connect read-only to PagerDuty (API token plus webhook subscription), pick up triggered incidents, investigate the underlying infrastructure — metrics around the alert window, recent deploys, dependent service state — and post the diagnosis into the incident note before the engineer opens a laptop. Covers graduated autonomy (Notify, Suggest, Approve, Autonomous) with escalation policies left exactly as configured, a first-scan findings table, sample prompts, and how agents reduce MTTR on change-driven incidents without ever touching your paging.

·
pagerdutyincidentresponseoncallaiagentcloudthinkerreducemttrautomation
Cover Image for PagerDuty Automation with AI Agents: From Page to Root Cause

PagerDuty Automation with AI Agents: From Page to Root Cause

Picture the incident note you'd actually want to read at 3 AM. Not "high error rate on checkout-api" — you already got that from the page. The note that says: payments-gateway is returning 503s, it started 4 minutes after deploy a1c9f2 shipped a connection-pool change, and the pool is now saturated at 100/100. That note names the failing dependency and the deploy that broke it — and it was written before you finished reaching for your laptop.

That is the difference this article is about: PagerDuty automation that doesn't just route the page faster, but investigates the incident while you're still waking up. Part one mapped where on-call toil actually concentrates even on a well-run PagerDuty account — the context hunt after every ack, related pages arriving as separate incidents, escalations that fire because the first responder is heads-down investigating rather than absent. Part two built everything native features give you: Event Orchestration for routing and dedup, service dependencies, response plays, and Webhooks v3 for custom glue.

This final part covers the layer none of that reaches. To be clear about positioning: this is not a PagerDuty replacement. Your services, escalation policies, and schedules stay exactly where they are. CloudThinker agents sit on top of PagerDuty as the layer that investigates a triggered incident and — under autonomy you control — proposes or applies the fix, with your paging path untouched.

Connecting PagerDuty: read-only token plus a webhook, about five minutes

CloudThinker connects to PagerDuty the way your security review will want it to: a read-only REST API token plus a webhook subscription that notifies CloudThinker the instant an incident triggers.

You generate the token under Integrations → API Access Keys, checking the Read-only API key box so it can list incidents, services, and log entries but change nothing. The webhook subscription is created under Integrations → Generic Webhooks (v3) (or via the API), scoped to incident.triggered, incident.escalated, and incident.acknowledged events so agents pick up work the moment PagerDuty routes it. PagerDuty's docs on REST API scopes and webhook subscriptions spell out exactly what each grants, so the review is a short read rather than a meeting.

No agents on your hosts, no changes to your PagerDuty configuration, no write access at connection time. The PagerDuty connection guide has the step-by-step with the exact token type and event list.

What the agents do with a triggered incident

The webhook fires the moment PagerDuty triggers an incident — often seconds before the push notification reaches the phone in your pocket. From there, agents run the investigation an on-call engineer would run, in the first two or three minutes instead of the first half hour:

  1. Read the incident context. The triggering event, which service and integration produced it, the alert payload and custom details, and how often this signature has fired in the last 30 days — so a known-flappy alert is flagged as such immediately.
  2. Investigate the underlying infrastructure. Metrics for the affected service around the alert window, error rates and saturation on the host or container, and the state of directly dependent services — the same signals you'd pull up manually, gathered in parallel.
  3. Correlate with recent change. Deploys, config changes, feature-flag flips, and autoscaling events in the same window. Most production incidents trace to a change; it's the check humans do last and agents do first.
  4. Write the diagnosis into the incident, not a separate tool. The agent posts a note directly onto the PagerDuty incident — what fired, what the evidence shows, the most likely cause with a confidence level, and a proposed remediation with a rollback note. When the responder opens the incident, the first note is already the investigation.

The difference from the part-two Event Orchestration work is what's being automated. Orchestration follows the rules you wrote in advance — route this, suppress that, dedup these. An agent decides what to look at next based on what it just found, the way an engineer reasons, with each step written down as evidence.

Graduated autonomy: nothing happens without the level you set

Every action class has an autonomy level you set per service or environment:

  • Notify — the agent investigates and posts the diagnosis. Nothing else. This is the default for everything, and where every team should start.
  • Suggest — the agent proposes a specific remediation with projected impact and rollback steps, and waits.
  • Approve — the agent stages the action and executes only after a named human approves it in chat.
  • Autonomous — the agent executes and reports. Teams reserve this for reversible, well-understood actions in non-production — restarting a wedged worker in staging, say — after weeks of watching the agent be right at the Approve level.

Your escalation policies stay exactly as configured at every level. Agents do not decide an incident isn't worth paging anyone for; they never modify a schedule, an escalation policy, or an on-call assignment. If nobody acks, PagerDuty escalates on your timers, not the agent's — the human stays paged. What changes is that whoever picks up arrives to an investigated incident instead of a blank one. Every action lands in an audit trail: what triggered, what was checked, what was proposed, who approved, what changed, when.

[SCREENSHOT: a PagerDuty incident timeline with CloudThinker's diagnosis note posted at the top — failing dependency, correlated deploy hash, confidence level — timestamped before the first human ack]

What a first scan typically finds

Beyond live incident response, the first connection runs a hygiene pass over recent incident history — the part-one toil audit, done in minutes. Numbers below are illustrative: a composite of what a first scan tends to surface for a mid-market team running 40–80 services with a handful of on-call rotations. Yours will differ.

Finding Detail Impact
Auto-resolving noise 3 alerts triggered 90+ incidents in 30 days, self-resolved ~40% of total page volume
Related pages, separate incidents 1 dependency outage generated 6 parallel incidents, un-grouped 6 responders paged for one cause
Escalations from investigation 12 escalations fired while the first responder was heads-down Second-line woken unnecessarily
Deploy-correlated incidents 61% of Sev2+ incidents began within 15 min of a deploy Root cause knowable at trigger
Slow-ack rotations One rotation averaged 9 min to ack overnight pages MTTA drag, silent burnout signal
Postmortem timelines by hand 8 postmortems rebuilt from Slack scrollback Hours of after-the-fact toil

[SCREENSHOT: the first-scan findings table in the CloudThinker console, each row showing a noisy signature or un-grouped incident cluster with its page count and a proposed, approval-gated fix]

Two things worth noticing about that shape. First, most page volume is a handful of noisy signatures and un-grouped related incidents — the part-one alert-fatigue story as concrete line items, and the fastest MTTR win on the board. Second, a majority of real incidents correlate with a deploy, which is exactly the correlation an agent can attach at trigger time instead of during the retro. Each row arrives with a proposed, approval-gated fix.

Prompts to try in your first session

CloudThinker is conversational — you ask in plain language, and the agent answers with the underlying PagerDuty and infrastructure data cited so you can verify rather than trust:

"The checkout-api high-error-rate incident just triggered. Investigate: read the alert payload, pull error rate and saturation for the service and its direct dependencies over the last hour, and check for deploys or config changes in the same window. Post the diagnosis to the incident note. Notify only."

"Across the last 30 days, which alert signatures triggered the most incidents that auto-resolved without human action, and what suppression or grouping would cut that noise without hiding a real signal?"

"For last night's payments outage, reconstruct the timeline from trigger to resolve — the correlated deploy, which dependent services were affected, and every ack and escalation — as a postmortem draft."

[SCREENSHOT: a chat session where an engineer types the checkout-api investigation prompt and the agent replies with cited metrics, the correlated deploy, and a proposed rollback gated at Approve]

The first prompt is the one to run during your next real page. Compare the agent's three-minute investigation, written into the incident before you're fully awake, against what you'd have assembled by hand — and you'll know quickly whether this earns a place in your response path.

What the agents will not do

"AI agent connected to production incident response" should trigger questions. The answers:

  • Read-only by default. The connection uses a read-only token. Acting on infrastructure — restarting a service, rolling back a deploy, scaling a group — requires you to grant scoped write access and raise the autonomy level above Notify for that action class.
  • No touching your paging. Agents never edit escalation policies, schedules, or on-call assignments. Those stay exactly as you configured them; the human stays paged.
  • No silent changes. Below Autonomous, nothing is modified without a named human approving in chat. Autonomous is per-action-class, per-environment — never a global switch.
  • No unauditable actions. Every investigation, note, proposal, approval, and change is in the audit trail with its evidence.

The right mental model, if you built the part-two automation: keep Event Orchestration and response plays for the deterministic paths that already work. Put agents on the part that was never automatable before — the investigation between "page delivered" and "cause found."

Closing the loop

Part one showed where on-call toil hides even on a healthy PagerDuty account. Part two showed how far native automation takes you — and where it stops: orchestration decides who gets paged and when, but nobody investigates before the human arrives. That gap is exactly what an agent layer closes. Teams that add autonomous investigation on top of an existing PagerDuty setup typically reduce MTTR from tens of minutes to single digits on change-driven incidents, because the diagnosis is waiting in the incident note instead of starting when someone opens a laptop.

Try CloudThinker free — 100 premium credits, no card required — and follow the PagerDuty connection guide to watch your next triggered incident arrive already investigated.