FCI provides hands-on forensic investigation for compromised endpoints — led by cybersecurity experts who regularly present findings to the FBI, financial regulators, and cyber insurance carriers. This is not an automated process. It is manual, evidence-driven work performed by people who know what examiners and insurers need to see.
This document outlines FCI's forensic investigation services for endpoint incidents — a compromised computer, a phishing attack that installed malware, a remote-access intrusion, or any situation where a specific device needs to be examined. FCI also handles other types of incidents, including wire transfer fraud, business email compromise, and account takeover. Those engagements follow a different process and are scoped separately.
For endpoint investigations, FCI deploys tooling directly onto the affected machine, isolates it from the network, and conducts a forensic examination.
The purpose of every endpoint investigation is to give the firm the information it needs to make an informed decision. Not every incident is the same, and the regulatory and insurance implications depend entirely on what the evidence shows. FCI's report is designed to help the firm answer the question that matters most: what kind of incident is this?
The initial phase of every endpoint investigation follows the same structured process. The firm's involvement is minimal — someone clicks a link to install two programs, and FCI takes it from there. What happens after the initial phase depends on the findings: the report may be final, or it may recommend a second phase with a separate scope and estimate.
Two programs are deployed at the start of every investigation. Installation requires someone at the firm to click a link — it takes a few minutes. Both are removed automatically when the work is complete.
Incident response is inherently unpredictable. Every case is different — even incidents that start the same way can lead to very different places. FCI will always be transparent about where the investigation is heading, but the following is true for every engagement.
Once FCI isolates the computer, nobody can use it except FCI. We cannot accept pressure to release the device early — the integrity of the investigation depends on it.
We do not know in advance how long the investigation will take or when we can release the computer. The timeline depends entirely on what the evidence shows.
The investigation may not stop at one computer. If the compromised user had access to shared drives, cloud applications, or other systems, FCI may need to follow the evidence beyond the original device.
Except for the initial phase, additional work cannot be quoted upfront — the cost depends on the environment, the evidence available, and the scope of the compromise. FCI provides an estimate before any additional phase begins.
"We go where the evidence takes us. Even when we use tools, this is a manual task performed by a team of cybersecurity experts — not an algorithm, not a scan."
The initial engagement covers tool deployment, device isolation, and the first phase of the forensic investigation. In some cases, five hours is enough to complete the work entirely and produce a final report — but we never know going in. When additional investigation is needed, the firm receives an initial report with findings to date and an estimate before committing further.
Every engagement produces a written report suitable for submission to regulators, home offices, and cyber insurance carriers. Depending on the case, the report may cover areas including but not limited to:
When FCI's investigation confirms a breach determination, the situation changes. Regulatory notification timelines start counting. The firm may need to report to FINRA, state regulators, the SEC, or cyber insurance carriers — and depending on the nature and scope of the breach, the FBI may be involved. There is no grace period for getting organized after the fact.
One of the first things regulators and affected individuals will ask about is the firm's existing cybersecurity posture: policy documents, the most recent vulnerability scan, and the latest network penetration testing. If those don't exist — or if they're outdated — it creates an immediate credibility problem at exactly the wrong moment.
The Question They Will Ask
Can you show us your cybersecurity policies and the results of your last vulnerability assessment and network penetration testing?
FCI maintains an emergency response team that can perform a rapid vulnerability assessment and network penetration testing on a compressed timeline. If the firm needs this work done — because it was never performed, because the results are stale, or because the scope of the breach demands a fresh assessment — FCI can mobilize quickly.
This is not a fixed-price service. Every firm's environment is different, and the scope of the assessment depends on the applicable cyber regulations, the infrastructure involved, the number of endpoints, and the urgency of the regulatory timeline. When the need arises, FCI provides a quote based on what the situation actually requires.
"The worst time to find out your policies are missing or your last network penetration testing was three years ago is when a regulator is asking for them."