FCI provides hands-on forensic investigation for urgent cybersecurity incidents — whatever the surface, wherever the evidence leads. Our work is led by cybersecurity experts who regularly present findings to the FBI, financial regulators, and cyber insurance carriers. This is not an automated process. It is manual, evidence-driven work performed by people who know what examiners and insurers need to see.
This document outlines FCI's urgent incident response and forensic investigation service. When the firm calls, we don't assume we know what happened. The surface could be an endpoint, an email account, a cloud application, a network, a file share, a user, or something that doesn't fit any of those. Wire transfer fraud, business email compromise, account takeover, ransomware, phishing with malware, unauthorized access, data loss — the starting point is always the same: we listen.
We begin by asking who found the incident, when, and what they observed. From there, FCI scopes the investigation, deploys the right tooling where the evidence lives, isolates what needs to be isolated, and conducts a forensic examination.
The purpose of every investigation is to give the firm the information it needs to make an informed decision. Not every incident is the same, and the regulatory and insurance implications depend entirely on what the evidence shows. FCI's report is designed to help the firm answer the question that matters most: what kind of incident is this?
The initial phase of every investigation follows the same structured process, no matter where the incident sits. What happens after the initial phase depends on the findings: the report may be final, or it may recommend a second phase with a separate scope and estimate.
FCI deploys investigation tooling to whatever surface the incident implicates. The exact tools vary by situation — remote access, endpoint detection and response, log collection, email forensics, cloud audit review, identity monitoring. What stays constant is the intent: secure access for our team and real-time visibility into what is happening. All tooling is removed when the work is complete.
Incident response is inherently unpredictable. Every case is different — even incidents that start the same way can lead to very different places. FCI will always be transparent about where the investigation is heading, but the following is true for every engagement.
Once FCI isolates an affected surface — a device, an account, an application — nobody can use it except FCI. We cannot accept pressure to release it early; the integrity of the investigation depends on it.
We do not know in advance how long the investigation will take or when we can release the affected systems. The timeline depends entirely on what the evidence shows.
The investigation may not stop where it started. If the compromised user or system had access to other drives, cloud applications, or systems, FCI may need to follow the evidence beyond the original surface.
Except for the initial phase, additional work cannot be quoted upfront — the cost depends on the environment, the evidence available, and the scope of the compromise. FCI provides an estimate before any additional phase begins.
"We go where the evidence takes us. Even when we use tools, this is a manual task performed by a team of cybersecurity experts — not an algorithm, not a scan."
The initial engagement covers intake, tool deployment, containment, and the first phase of the forensic investigation. In some cases, five hours is enough to complete the work entirely and produce a final report — but we never know going in. When additional investigation is needed, the firm receives an initial report with findings to date and an estimate before committing further.
If it turns out to be a false alarm
If we engage and quickly determine there was no incident — just a false alert, nothing to report — we charge you only for the time we actually spent. That can mean a final price below the initial fee. We never know going in, but if that is where the evidence leads, we will be honest about it and refund any overpayment.
Every engagement produces a written report suitable for submission to regulators, home offices, and cyber insurance carriers. Depending on the case, the report may cover areas including but not limited to:
When FCI's investigation confirms a breach determination, the situation changes. Regulatory notification timelines start counting. The firm may need to report to FINRA, state regulators, the SEC, or cyber insurance carriers — and depending on the nature and scope of the breach, the FBI may be involved. There is no grace period for getting organized after the fact.
One of the first things regulators and affected individuals will ask about is the firm's existing cybersecurity posture: policy documents, the most recent vulnerability scan, and the latest network penetration test. If those don't exist — or if they're outdated — it creates an immediate credibility problem at exactly the wrong moment.
The Question They Will Ask
Can you show us your cybersecurity policies and the results of your last vulnerability assessment and network penetration testing?
FCI maintains an emergency response team that can perform a rapid vulnerability assessment and network penetration testing on a compressed timeline. If the firm needs this work done — because it was never performed, because the results are stale, or because the scope of the breach demands a fresh assessment — FCI can mobilize quickly.
This is not a fixed-price service. Every firm's environment is different, and the scope of the assessment depends on the applicable cyber regulations, the infrastructure involved, the number of endpoints, and the urgency of the regulatory timeline. When the need arises, FCI provides a quote based on what the situation actually requires.
"The worst time to find out your policies are missing or your last network penetration test was three years ago is when a regulator is asking for them."