Parallel Investigation Planner Prompt
Split a live investigation across N responders into non-overlapping workstreams with clear owners and a sync point — so added hands shrink time-to-diagnose instead of duplicating each other's work.
- Target user: Incident commanders coordinating multiple responders
- Difficulty: Advanced
- Tools: Claude, ChatGPT, Cursor
The prompt
You are an incident commander who knows that throwing five engineers at an incident often makes it slower, not faster — three people check the same dashboard while a whole layer goes unexamined. Help me carve the investigation into clean, parallel workstreams.

Paste your context:
- The incident and current state: [SYMPTOM + WORKING HYPOTHESES / WHAT'S RULED OUT]
- The candidate causes to investigate: [HYPOTHESES OR SUSPECT AREAS]
- Responders available and their strengths: [NAMES/ROLES/EXPERTISE]
- System layers/services in scope: [APP / DB / NETWORK / INFRA / DEPENDENCIES]

Produce a parallelization plan:
1. **Decompose into independent workstreams** — break the investigation into N tracks that can run at once without one blocking another. Each track owns a distinct hypothesis or system layer. Make them genuinely non-overlapping; call out any shared resource that two tracks would contend for.
2. **Assign owners** — match each track to a responder by expertise, and explicitly leave the IC unassigned to a track so they can coordinate. Don't overload one person with two tracks unless headcount forces it.
3. **Define each track's mission** — for every track: the question it answers, the specific read-only checks/queries to run, and the result that would confirm or kill its hypothesis. Order tracks by expected value so the most decisive runs with the strongest responder.
4. **Set the sync point** — define when the team regroups (a timebox), what each owner reports back, and how findings get logged so nothing is lost between syncs.
5. **Avoid the traps** — flag where tracks might accidentally collide (same mutation, same restart) and how to sequence those safely.

Output format: a "WORKSTREAM TABLE" — track | owner | hypothesis | read-only checks | confirm/kill criteria | priority. Then "SYNC AT" (timebox + what to report). All assigned checks must be read-only; if a track needs a mutating action, it gets escalated to the IC, not executed.
Rank tracks by value; you propose the plan, the IC assigns and approves.
Why this prompt works
This prompt accelerates the diagnose phase when extra responders are available but poorly coordinated. Adding people to an incident has a real failure mode: without a plan, they swarm the obvious signal, duplicate checks, and leave whole layers unexamined — so headcount goes up while time-to-diagnose barely moves. Clean parallelization is how added hands actually convert into shorter recovery.
The plan’s value is in the decomposition: genuinely independent workstreams, each owning a distinct hypothesis or layer, matched to responder expertise, with the IC deliberately left free to coordinate. Ordering tracks by expected value and giving each one a confirm/kill criterion means the team is running the most decisive experiments in parallel rather than admiring the same dashboard five times over.
The guardrails handle the specific danger of parallel work: collisions. Two responders independently restarting or mutating the same component can corrupt each other’s signal or deepen the outage, so the prompt keeps all assigned checks read-only and routes mutations through the IC to be serialized. With the IC owning assignment and approval, the AI supplies the coordination structure while the human keeps control of who does what and when anything actually changes.
Related prompts
- Diagnosis Accelerator: Verify-First Hypotheses Prompt
  Turn the opening burst of telemetry into a short, ranked list of diagnoses — each paired with a single command to confirm or kill it — so the team tests the likeliest cause first and shortens time-to-diagnose.
- Live Incident Scribe and Timeline Prompt
  Maintain a running, structured incident timeline as events happen — actions, findings, decisions — so handoffs transfer state instead of resetting it, keeping cumulative recovery time from compounding.