After a company discovers a cybersecurity incident, it must understand exactly what happened and how it happened. That means bringing in the experts. The number of forensic firms from which companies can choose has grown along with the number and size of cyber breaches. How can companies evaluate the firms? What should be included in the contract? What should companies expect from these firms? How can they best collaborate with them for an effective and efficient investigation? With input from in-house and outside cybersecurity counsel as well as forensic and security experts, our three-part article series provides answers to these vital questions and others. This first part explains the expertise of forensic firms, why they are used, and their role before and after an incident. Part two will examine contract considerations, key terms and what companies can and should expect in deliverables. Part three will provide advice on how to evaluate the forensic firm to determine if it has the right expertise and how to communicate and work with these experts once they are brought on board. See also “Key Strategies to Manage the First 72 Hours Following an Incident” (Feb. 8, 2017).