Incident Action Items Tracker

Incident Follow-Up Snapshot

{{ overdueCount }} overdue {{ dueSoonCount }} due soon {{ blockedCount }} blocked {{ ownerRows.length }} owner{{ ownerRows.length === 1 ? '' : 's' }} {{ missingFieldCount }} missing field{{ missingFieldCount === 1 ? '' : 's' }}

Reference date:

Use the date of the review or handoff.

Action items:

CSV header is optional. Default order is action, owner, due date, status, priority, incident, tracker, evidence.

Review the action log

{{ message }}

Due-soon window:

Use 1-14 days for normal review cadence.

days

Stale-overdue threshold:

Use 3-30 days depending on how often post-incident reviews happen.

days

Default incident:

Optional incident or PIR label for rows that omit one.

Incident	Action	Owner	Priority	Due date	Days	State	Follow-up	Copy
{{ row.incident }}	{{ row.action }}	{{ row.owner }}	{{ row.priorityLabel }}	{{ row.dueDisplay }}	{{ row.daysDisplay }}	{{ row.stateLabel }}	{{ row.followUp }}

Owner	Total	Open	Overdue	Due soon	Blocked	Next due	Nudge	Copy
{{ row.owner }}	{{ row.total }}	{{ row.open }}	{{ row.overdue }}	{{ row.dueSoon }}	{{ row.blocked }}	{{ row.nextDueDisplay }}	{{ row.nudge }}

Export to PDF Fullscreen

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

Post-incident action items turn lessons learned into assigned work. After a service outage, security event, failed change, or recovery exercise, the review usually leaves a list of fixes, checks, documentation updates, monitoring changes, and communication tasks. That list only helps if every item has a named owner, a due date, a status, and enough evidence to show whether the risk was actually reduced.

Follow-up work often fails for ordinary reasons. A meeting captures a good action, the ticket link is missing, a blocked dependency is never escalated, or a due date passes while the team has moved back to feature work. The practical goal is not to make a longer post-incident review. It is to keep corrective work visible until closed, especially when the work reduces recurrence, improves detection, or makes the next response less costly.

Incident action rows moving through due-date and status checks into owner follow-up.

Action status is a management signal, not proof that the underlying incident is solved. A closed item without evidence may still need review, and a clean owner summary can still hide a weak action such as "improve monitoring" unless the follow-up has a concrete completion test. Strong action lists use plain verbs, one accountable owner, a realistic date, a link back to the system of record, and a note that explains what evidence will close the item.

The same discipline applies outside cybersecurity. Post-change reviews, data-center failovers, disaster-recovery drills, customer escalations, and reliability reviews all create corrective work. The useful pattern is consistent: identify the action, assign one owner, set a date, mark blocked work early, and keep the review alive until the remaining risk is accepted or removed.

Technical Details:

An incident action list is a small operational ledger. Each row combines a corrective action with responsibility, schedule, current state, priority, source incident, ticket reference, and evidence. The due-state calculation compares each due date with a reference date so overdue work, near-term work, blocked work, and closed work can be separated without changing the original action text.

The state check is deliberately conservative. Closed work is removed from open-action pressure. Missing required details are called out before normal open-state labels because a row without an owner or usable due date cannot be followed up reliably. Blocked work is separated from ordinary overdue work because a dependency needs a different response than a simple reminder.

Incident action state rules and boundary conditions
Rule	Condition	Displayed state	Follow-up meaning
Closed status	Status reads as done, closed, complete, resolved, fixed, or verified.	`Closed`	The action is counted as closed, but evidence is still checked.
Missing detail	Action, owner, due date, or valid date is missing.	`Missing info`	Fix the row before treating the reminder or export as reliable.
Blocked status	Status reads as blocked, waiting, hold, stuck, or dependency.	`Blocked`	Name the dependency or unblock the owner before the due date.
Overdue	The row is open and `due date - reference date < 0`.	`Overdue` or `Stale overdue`	Ask for a new ETA and blocker update. Stale overdue appears when age is at least the stale threshold.
Due soon	The row is open and `0 <= due date - reference date <= due-soon window`.	`Due soon`	Confirm the owner is still on course before the target date.
Later open	The row is open, has a valid future date, and is outside the due-soon window.	`Open`	Keep it visible for the next incident action review.

Header detection supports common names used by spreadsheets, ticket exports, and post-incident review templates. When no header is present, the source is read positionally in the order action, owner, due date, status, priority, incident, tracker, and evidence.

Accepted incident action source fields
Field	Recognized header examples	Why it matters
`action`	action, action item, item, task, description, followup, todo, title	Supplies the corrective work shown in the ledger and owner reminders.
`owner`	owner, assigned to, assignee, responsible, POC, lead, team	Builds owner counts and assigns reminder text to a named person or team.
`due date`	due, due date, deadline, target date, target, ETA	Drives overdue, stale-overdue, and due-soon classification.
`status`	status, state, phase, workflow	Normalizes open, in-progress, blocked, done, and deferred rows.
`priority`	priority, prio, severity, impact	Sorts critical and high-priority work before lower-priority rows inside the same state.
`incident`	incident, incident ID, PIR, postmortem, review, source	Keeps actions tied to the review, outage, exercise, or ticket that produced them.
`tracker` and `evidence`	ticket, issue, Jira, Linear, work item, link, proof, notes, outcome	Connects follow-up rows to the work system and closure proof.

Rows can be pasted as comma, tab, pipe, or semicolon separated text. Quoted cells are handled so a comma inside an action sentence does not split the row. Local CSV, TSV, and TXT files up to 2 MB can be read into the source area, and normalization rewrites the parsed rows into canonical CSV without inventing missing owners, due dates, tickets, or evidence.

Everyday Use & Decision Guide:

Start with the review date or handoff date as Reference date. That makes the overdue and due-soon counts match the meeting, export, or handoff you are preparing. For weekly post-incident reviews, the default Due-soon window of 3 days is a good first pass. Shorten it for daily incident standups and lengthen it only when the team really reviews follow-up on a slower cadence.

Paste the action list from a spreadsheet, ticket export, or postmortem template into Action items. Use Load sample when you want to see the expected shape, then use Normalize CSV after pasting mixed delimiters or uneven spacing. If a row does not include an incident ID, Default incident can fill that label without touching rows that already name a review or ticket.

Check Incident Follow-Up Snapshot first for overdue, due soon, blocked, owner, and missing-field counts.
Use Review the action log warnings before copying anything into a meeting note or customer-facing RCA process.
Open Action Ledger when you need row-by-row state, day delta, and follow-up wording.
Open Owner Follow-Up when the next step is asking each owner what changed since the last review.
Use Owner Load Chart to see whether overdue or blocked work is concentrated under one owner.
Use JSON when another workflow needs structured summary, ledger, owner, and warning data.

A common mistake is treating a green owner summary as proof that the incident is fully remediated. The tracker can show that all rows are closed, but it cannot prove that a firewall change was deployed, a monitor catches the right condition, or a runbook was tested. Use the Evidence column, tracker links, and closed-row warnings to decide whether closure is believable.

Rows are parsed in the browser. Avoid sharing an address bar after entering sensitive incident details, and treat downloaded CSV, DOCX, chart, and JSON files as incident records when they contain internal ticket numbers, service names, customer-impact notes, or remediation evidence.

Step-by-Step Guide:

Use the main inputs to build a clean follow-up ledger, then review warnings before exporting or copying owner nudges.

Set Reference date to the review date, handoff date, or meeting date. If the date is invalid, Review the action log reports that today is being used for due-state calculations.
Paste rows into Action items, drag in a CSV or TXT file, or choose Browse CSV. Files larger than 2 MB are rejected with a file-size message.
Use Load sample if you need a working template. The sample sets Reference date to 2026-05-04 and fills example incident actions.
Open Advanced and adjust Due-soon window, Stale-overdue threshold, or Default incident only when the default cadence does not match your review process.
Click Normalize CSV after parsing succeeds if you want the source rewritten with canonical headers and date formatting. If there are no action rows, the tool asks you to paste rows before normalizing.
Resolve Review the action log warnings about missing owners, missing due dates, invalid due dates, short rows, closed rows without evidence, or open actions past due.
Read Action Ledger for incident, action, owner, priority, due date, days, state, and follow-up text.
Use Owner Follow-Up for total, open, overdue, due soon, blocked, next due, and nudge columns by owner.
Check Owner Load Chart or JSON when the handoff needs a visual owner load view or structured data for another system.

Interpreting Results:

The headline value is meant to make follow-up pressure obvious. If it shows overdue work, start there. If it shows open work but no overdue count, check due-soon and blocked badges before assuming the review can close.

How to read incident action item result areas
Result area	Read first	Useful caution
`Incident Follow-Up Snapshot`	Overdue, due soon, blocked, owner, and missing-field badges.	A zero overdue count can still hide blocked work or missing required fields.
`Action Ledger`	State, days, and follow-up text for each action.	Missing info takes priority in the visible state because the row cannot be chased cleanly.
`Owner Follow-Up`	Open, overdue, due soon, blocked, next due, and nudge columns.	One owner can have a low total count but still need attention if the open item is critical or blocked.
`Owner Load Chart`	Stacked counts for overdue, due soon, blocked, later open, and closed actions.	The chart shows count, not severity or effort size.
`JSON`	Summary totals, settings, action ledger, owner follow-up, and warnings.	Structured output may include raw incident IDs, tracker names, and evidence notes.

Boundary checks matter. A row due on the reference date is Due soon, not overdue. A row due one day before the reference date is overdue. A row due exactly three days away is due soon when the due-soon window is 3, because the upper boundary is included.

Do not overread the result as compliance evidence or a complete postmortem. The output helps prepare a follow-up review. The underlying tickets, pull requests, runbooks, monitoring dashboards, and change records still decide whether the corrective work is real and complete.

Worked Examples:

Firewall follow-up review

With Reference date set to 2026-05-04, a row for Patch firewall HA pair owned by SecOps, due 2026-05-03, status in progress, and priority high appears in Action Ledger with Days as 1 overdue and State as Overdue. The follow-up asks SecOps for a new ETA and blocker update. In Owner Follow-Up, SecOps receives one open and one overdue action.

Due-soon boundary check

Keep Reference date at 2026-05-04 and Due-soon window at 3. An open action due 2026-05-07 is counted as Due soon because it is exactly three days away. An otherwise identical action due 2026-05-08 stays open as later work. Incident Follow-Up Snapshot changes the due-soon badge for the first row but not the second.

Blocked dependency with same-day due date

A row for Add customer-impact monitor owned by NOC, due 2026-05-04, status blocked, and priority critical appears as Blocked instead of ordinary due-soon work. The Owner Follow-Up nudge asks NOC to unblock the action or name the dependency. Owner Load Chart adds that row to the blocked segment for NOC.

Broken source row cleanup

A pasted row such as Assign database failover rehearsal,,2026-05-10,open,low is still parsed, but the owner becomes Unassigned and Review the action log reports that one row needs a named owner. If the due date is changed to next Friday and the browser cannot parse it as a date, the same warning area reports an invalid due date and Action Ledger uses Missing info until the date is rewritten as a real calendar value.

FAQ:

What columns can I paste?

Use action, owner, due date, status, priority, incident, tracker, and evidence when possible. Header names can vary, and rows without headers are read in that same positional order.

Why did a row show Missing info?

A row shows Missing info when the action text, owner, due date, or valid calendar date is missing. Fix those fields before copying follow-up text or exporting the ledger.

What makes an action overdue or due soon?

An open action is overdue when its due date is before the Reference date. It is due soon when the due date is on the reference date or within the configured Due-soon window.

Does this replace Jira, Linear, or a GRC system?

No. Use the Tracker and Evidence fields to point back to the system of record. The ledger is best for review preparation, owner nudges, and handoff summaries.

Does it send action rows to a server?

Rows and local files are parsed in the browser, and there is no separate action-processing endpoint for the pasted data. External chart assets may load separately, so treat pasted incident data, URL state, and downloaded exports as sensitive records.

Glossary:

Post-incident review: The review after an incident, outage, failed change, or exercise that captures lessons and follow-up work.
Action item: A concrete corrective task with an owner, due date, status, and completion evidence.
Owner: The person or team accountable for moving an action item forward and reporting status.
Due-soon window: The number of days after the reference date that count as near-term follow-up.
Stale overdue: An overdue open action whose age is at least the configured stale-overdue threshold.
Evidence: The proof, note, ticket update, or outcome that supports closing an action item.
Tracker: The ticket, issue, work item, or link that connects the action item to the system of record.

References:

NIST SP 800-61 Rev. 3, Incident Response Recommendations and Considerations for Cybersecurity Risk Management, National Institute of Standards and Technology, April 2025.
Postmortem Culture: Learning from Failure, Google SRE Workbook.
Principle D2 Lessons Learned, National Cyber Security Centre.