PagerDuty Automation: Where On-Call Toil Hides Even When Paging Works
Every incident has two timestamps you can read off the timeline. One is when PagerDuty paged someone. The other is when a human actually understood what was broken. The gap between them almost never shows up in a dashboard — and on most on-call rotations, it's the biggest chunk of your MTTR.
PagerDuty is good at the first timestamp, and PagerDuty automation gets the right person out of bed, escalates when they don't ack, and tracks who owns what. What it does not do is close the gap to the second timestamp. After the ack, a human still has to hunt for context: which dashboard, which logs, what changed in the last hour. That hunt is where PagerDuty automation stops and manual toil begins.
This guide walks the toil that survives even when your paging setup is clean. For each pattern: what it is, why it happens, one place to measure it, and roughly what it costs your rotation. None of it is a knock on PagerDuty — it's a map of where the human minutes go once the page has done its job.
This is part one of a three-part series. Part two covers DIY incident automation with PagerDuty's native tools — Event Orchestration, response plays, and their ceiling. Part three shows automating investigation with an AI agent that goes from page to root cause before the engineer opens a laptop.
1. The context hunt after every ack
What it is. The page fires. The responder acks from their phone, opens a laptop, and then spends the next ten to twenty minutes reconstructing the situation from scratch: which service is this, which Grafana board shows it, where do its logs live, and — the real question — what changed. The alert told them that something is wrong. It rarely tells them why, and never tells them what to look at first.
Why it happens. Alert payloads carry a summary, a severity, and maybe a link to the monitor that fired. They don't carry the surrounding state: recent deploys, correlated metric movement, the health of upstream dependencies. That context lives in five other tools, and stitching it together is human work every single time — including the third time this quarter the same alert fired.
How to measure it. PagerDuty's per-incident timeline gives you the raw numbers. Compare the triggered timestamp to the first substantive note or status update a responder posts (not the auto-ack). That delta is your context-hunt tax. Pull it across a month via the REST API:
curl -s -H "Authorization: Token token=$PD_TOKEN" \
-H "Accept: application/vnd.pagerduty+json;version=2" \
"https://api.pagerduty.com/incidents?since=2026-06-01T00:00:00Z&until=2026-07-01T00:00:00Z&time_zone=UTC&statuses[]=resolved" \
| jq '.incidents[] | {id, created_at, title}'
Then diff created_at against the first human log entry from GET /incidents/{id}/log_entries. See the Incidents API reference.
Typical impact. On a healthy rotation this is commonly 10–20 minutes per incident before real diagnosis starts — pure investigation setup, repeated every page, and the single largest reducible slice of MTTR for most teams.
2. Duplicate and related pages arriving as separate incidents
What it is. One root cause — a database failover, a bad deploy, a saturated node — trips five monitors. PagerDuty opens five incidents. Five pages go out, possibly to different responders, who each start their own context hunt on what is fundamentally the same event. Worse are the near-duplicates: the "high error rate" page and the "latency SLO burn" page are the same story, but nothing ties them together automatically unless you configured it to.
Why it happens. Deduplication keys collapse identical alerts from the same source, but a cascading failure produces different alerts from different services. Without content-based grouping or explicit service dependencies mapped, PagerDuty has no way to know that Alert B is a symptom of Alert A.
How to measure it. In the PagerDuty web app, open Analytics → Incidents and look at incident volume per service against the count of distinct underlying causes you actually postmortem. A large ratio means fragmentation. To spot it programmatically, list incidents in a tight window and cluster by service and time proximity — bursts within a few minutes on related services are your duplicate suspects. Alert grouping settings live per-service under Services → (your service) → Settings → Alert Grouping.
Typical impact. Fragmentation inflates page counts and pulls extra responders into a single event. Even one duplicate per real incident roughly doubles the human attention spent on that class of failure.
3. Escalations that fire because the first responder is heads-down
What it is. The escalation policy exists to catch a missed page — nobody acked, so it climbs to the next person. But a common trigger is different: the first responder acked, is elbow-deep in logs, hasn't posted an update, and the timeout fires anyway. Now a second engineer wakes up, acks, and starts their own context hunt on an incident that was already being worked.
Why it happens. Escalation timeouts measure acknowledgement and silence, not progress. An engineer who is investigating hard and communicating nothing looks identical, to the policy, to an engineer who slept through the page. The system optimizes for "someone is looking" and can't see that someone already is.
How to measure it. Count escalations that happened after an ack was already recorded. In the incident log entries, look for escalate_log_entry events with a timestamp later than the first acknowledge_log_entry. A cluster of these means your timeouts are firing on busy responders, not absent ones:
curl -s -H "Authorization: Token token=$PD_TOKEN" \
-H "Accept: application/vnd.pagerduty+json;version=2" \
"https://api.pagerduty.com/incidents/$INCIDENT_ID/log_entries?is_overview=true" \
| jq '.log_entries[] | {type, created_at}'
Typical impact. These are wake-ups with no diagnostic value — the second responder adds nothing the first wasn't already doing. They're a quiet but real driver of alert fatigue, and they don't move MTTR at all.
4. Postmortem timelines rebuilt by hand from Slack
What it is. The incident resolves. Now someone has to write the postmortem, which means reconstructing the timeline: when it started, when we noticed, what we tried, what worked. Half of that lives in a Slack thread, half in the PagerDuty timeline, and the "what we tried" part lives only in the responder's memory. Building the narrative is an hour of archaeology, days after the fact.
Why it happens. The authoritative record is scattered. PagerDuty knows the paging and escalation events precisely; it does not know that someone rolled back a deploy in a terminal or ran a query that confirmed the cause. Those actions happened in tools that never wrote back to the incident, so the human has to remember and transcribe them.
How to measure it. PagerDuty's timeline is your skeleton — pull it with the same log_entries endpoint above, and note how much of your finished postmortem came from it versus from Slack scrollback and memory. If you use Postmortems in PagerDuty, the gap between the auto-populated timeline and your final narrative is exactly the manual reconstruction cost.
Typical impact. Commonly 30–90 minutes per postmortem of pure assembly work, which is why postmortems slip, get thinner over time, or quietly stop happening for anything below SEV1.
5. Pages-per-on-call-week that nobody is tracking
What it is. The metric that predicts burnout better than MTTR does: how many times a person got paged during their on-call week, and how many of those pages were nights and weekends. Most teams can tell you last month's MTTR to the minute and have no idea that one engineer took 40 pages in seven days while another took four.
Why it happens. MTTR is the number leadership asks for, so it's the number that gets dashboards. Load per human requires joining incident data to the on-call schedule — who was actually holding the pager when each page fired — and that join is nobody's job by default.
How to measure it. PagerDuty's analytics expose incident counts, but for true per-person load you correlate incidents against on-call shifts. Pull who was on call for a window:
curl -s -H "Authorization: Token token=$PD_TOKEN" \
-H "Accept: application/vnd.pagerduty+json;version=2" \
"https://api.pagerduty.com/oncalls?since=2026-06-01T00:00:00Z&until=2026-07-01T00:00:00Z&time_zone=UTC" \
| jq '.oncalls[] | {user: .user.summary, schedule: .schedule.summary, start, end}'
Then bucket resolved incidents into those shift windows and count per user, flagging any that landed outside business hours. A common healthy target is under 10 actionable pages per on-call week, with off-hours pages the exception.
Typical impact. Uneven load and silent off-hours volume are the leading indicators of attrition on an SRE team — and they're invisible until someone builds this join, usually right after a good engineer quits.
Why the toil survives good paging
Notice the pattern across all five: PagerDuty does its job — routing, escalation, tracking — cleanly. The toil sits in the seam after the page and before resolution, where a human has to gather context, correlate related failures, communicate progress, reconstruct history, and carry an uncounted load. None of that is a routing problem, so tuning your escalation policies harder won't touch it.
And these aren't one-time fixes. Every new service adds another context hunt. Every deploy is a potential cascade of related pages. Every incident that resolves without writing back to the timeline is another hour of postmortem archaeology owed. The toil regenerates at the rate you ship.
The honest first step is to measure it: run the checks above for a month and put real numbers on your context-hunt delta, your duplicate ratio, and your pages-per-person. Then decide whether the fix is process — the next article walks through what you can automate with PagerDuty's native tools — or whether investigation itself needs to happen before the human arrives.
Close the gap to root cause
The two-timestamp gap is automatable. CloudThinker agents connect to PagerDuty through read-only access, pick up triggered incidents, and investigate the underlying infrastructure — metrics around the alert window, recent deploys, related service state — posting a diagnosis into the incident notes while the responder is still waking up. Your escalation policies stay exactly as configured; humans stay paged. Part three shows how the agent works end to end.
Try CloudThinker free — 100 premium credits, no card required.
