Connect PagerDuty, Get an Alert Noise Audit — Then Watch MTTR Fall
This is part five of our Connection Value series. The opener laid out the ladder: every connection should pay for itself in the first hour, then keep climbing. This post is the incident-tooling rung — PagerDuty specifically, though everything here applies equally to Better Stack, Opsgenie, and the other alert sources among CloudThinker's 42+ connections.
The pitch is simple: within the first hour of connecting, you get an Alert Hygiene report on your last 30 days of paging history. Within the first weeks, alerts start arriving with a root-cause hypothesis already attached. And every month after, you get a MTTD/MTTA/MTTR view that shows the delta since you turned this on — measured, not promised.
The first hour: an Alert Hygiene report
The connection itself is a read-only API key — the connection guide walks through the exact scopes, so your security review can see what's granted and what isn't. At connection time the agent can read alerts, incidents, services, and schedules. It cannot acknowledge, resolve, reroute, or silence anything.
Once connected, CloudThinker's Deep Response Engine pulls your last 30 days of alert history and renders an Alert Hygiene report:
- Total alert volume, broken down by service and severity
- The percentage that was actually actionable — alerts where a human did something other than acknowledge and close
- Your top noise sources, ranked by pages generated per action taken
- Concrete deduplication and routing recommendations, per source
Here's an illustrative excerpt — a composite of what a first report tends to look like for a team paging on a few dozen services. Your numbers will differ:
| Alert source | Alerts / 30d | % actionable | Recommendation |
|---|---|---|---|
disk-usage-warning (batch fleet) |
412 | 2% | Raise threshold 80% → 90%; auto-resolves within the hour in 96% of cases |
pod-restart (staging cluster) |
288 | 0% | Route to a dashboard, not a pager — staging restarts never paged an action |
api-latency-p99 (checkout) |
96 | 61% | Keep. Add dedup window: 34% are duplicates within 10 minutes |
ssl-cert-expiry |
60 | 5% | One alert at 30 days out, not daily from 60 days out |
db-connection-pool (orders) |
41 | 78% | Keep as-is — highest signal source you have |
The pattern this table usually reveals: a small number of sources generate most of the pages and almost none of the action. In the composite above, two sources account for roughly 70% of volume and 1% of the actions. That's not an unusual ratio — it's the mechanism behind alert fatigue, which we covered in depth in our alert fatigue and triage post. The report gives you a prioritized cleanup list on day one, using history you already have. Nothing needs write access to produce it.
The ladder up: investigation on page
Cleaning up noise is the first-hour win. The ongoing value is what happens when a real alert fires.
With the connection in place, the agent treats every page as an investigation trigger. Before the on-call engineer has finished reading the notification, it has already:
- Pulled the relevant metrics for the alerting service and its immediate dependencies
- Sampled the logs around the alert window for error-rate changes and new exception types
- Mapped the blast radius from your topology — what's upstream, what's downstream, what else is degrading
- Found the nearest deploy — if you've also connected a repo, it checks what shipped to the affected services in the hours before the alert and diffs the candidate change
It then posts a root-cause hypothesis to the incident channel: here's what's failing, here's the correlated deploy or metric inflection, here's the evidence, here's a confidence level. Not a verdict — a hypothesis with citations, so the human can verify rather than trust.
The number to watch is alert-to-hypothesis time — the gap between the page firing and the hypothesis landing in the channel. The target is under five minutes, and it's displayed per incident in the dashboard, not just claimed in marketing copy. Some incidents beat it comfortably; a genuinely novel failure mode won't, and the timestamp will say so. Either way you can see what you're getting.
Why this moves MTTR: for most teams, the longest stretch of an incident isn't the fix — it's the orientation phase, the twenty to forty minutes of "what's actually broken and what changed?" We wrote about this breakdown in how to reduce MTTR. Handing the on-call engineer a cited hypothesis at minute four attacks exactly that stretch.
After resolution: the timeline writes itself
When the incident closes, the agent reconstructs the timeline from the sources it was already watching: first alert, related deploys, metric inflections, escalations, and every action taken — human or agent. That reconstruction exports straight into a postmortem draft, and if you've connected Jira, it flows into the same post-resolution loop: the draft becomes a ticket with the evidence attached, and recurring incident patterns start showing up in your toil analysis.
Then, monthly, the before/after: a MTTD/MTTA/MTTR view with the delta since CloudThinker was enabled, per service and overall. This is the honest scoreboard. If dedup recommendations cut your page volume 60% but MTTR hasn't moved, you'll see that too — and the usual reason is that the remaining alerts are the hard ones, which is where the investigation-on-page loop earns its keep over the following months.
Escalation-aware autonomy
Everything above works with read access plus permission to post messages. Whether the agent may ever act on an incident is a separate, deliberate decision — and like every CloudThinker connection, it follows graduated autonomy: Notify, Suggest, Approve, Autonomous, set per incident class and per severity.
A typical policy after a month or two of building trust:
- SEV-1 / SEV-2: investigate and escalate only. The agent posts its hypothesis and pages per your on-call schedule. It touches nothing.
- SEV-3, known patterns: Approve — the agent prepares the remediation (restart the wedged consumer, recycle the connection pool) and executes only after the on-call engineer clicks approve from the incident channel.
- Specific low-risk runbooks in non-prod: Autonomous, after those exact automations have proven themselves at the Approve level. Automations are portable SKILL.md files, and every one dry-runs in a sandbox before it can touch a real system.
The policy is escalation-aware: it reads your on-call schedule, so "escalate" means paging the right human at 3 a.m., not posting into a channel nobody's watching. And every action at every level — every hypothesis posted, every approval requested, who approved, what changed — lands in the audit trail with RBAC controlling who can loosen the policy. The runbook automation post covers how teams decide which incident classes graduate.
What the agent will not do
Worth stating plainly, because "AI agent connected to your pager" deserves scrutiny:
- On high-severity incidents, the default is investigate-and-escalate. The agent hands a hypothesis to the on-call human and gets out of the way. It does not play hero on a SEV-1 unless you have explicitly granted that incident class Autonomous — and most teams never do, on purpose.
- Read-only access reads; it does not touch. With the default connection, the agent cannot acknowledge, resolve, silence, or reroute a single alert. The Alert Hygiene report's recommendations are yours to apply — it won't change a routing rule for you without write access and an autonomy level above Notify.
- Read-only also has limits on what it can see. The noise audit is only as good as your alert history: if a "resolved" alert was actually handled in a side channel PagerDuty never saw, the actionable percentage will undercount it. The report tells you what the data shows, and the data has edges.
- It does not skip the schedule. Escalation goes through your on-call rotation, not around it. Nobody gets paged — or bypassed — outside the policy you set.
- Nothing is invisible. Every hypothesis, suggestion, approval, and action is in the audit trail with a named human or an explicit policy behind it.
The right mental model: a tireless first responder who does the orientation work in the first five minutes, drafts the paperwork afterward, and only ever holds the tools you've handed over — one incident class at a time.
See your own noise numbers
The first-hour Alert Hygiene report requires nothing but a read-only connection and 30 days of history you already have. Most teams are surprised by their actionable percentage — usually in the wrong direction — and that surprise is the start of the MTTR curve bending.
Try CloudThinker free — 100 premium credits, no card required — and follow the connection guide to connect PagerDuty, Better Stack, or Opsgenie and see your own noise audit within the hour.
