Head Shot

Chief of Digital Forensics and Incident Response at SoteriaSec

Digital Forensics and Incident Response Expert

SANS Institute Author and Principal Instructor

Director, Managed Detection and Response at Uptycs


Josh Lemon is the chief of digital forensics and incident response at SoteriaSec. He has over two decades of experience working on large and complex security incidents and investigations with large multinational organisations, government agencies, law enforcement, law firms, and local businesses to help them detect, investigate and eradicate cybercriminals and targeted threat actors from their networks. He is regularly called upon to provide expert witness testimony for legal cases involving breaches and incident response. Josh is currently providing DFIR services to Uptycs as their Director of Global Managed Detection and Response (MDR), helping to secure some of the largest international brands from cyberattacks. He is the co-author of the SANS Institute “Enterprise Cloud Forensics” (FOR509) and “DFIR NetWars” courses, along with being a Principal Instructor for the “Advanced Incident Response and Threat Hunting” (FOR508) and the “Advanced Network Forensics and Threat Hunting” (FOR572) courses.

Josh is passionate about helping the cybersecurity community through his work as an advisory board member for Cydarm Technologies, a young Australian company that makes collaboration for incident response easier. Josh also presents research at international conferences, supports open-source projects, and provides voluntary support within the DFIR community, most notably through the FIRST SIGs, aiding with progressing standards and metrics for the cybersecurity community.

Josh’s previous roles included managing director at Ankura, where he led Ankura’s APAC digital forensics and incident response practice. He was a Director at Salesforce.com in their international Salesforce Security Response Centre, where he led the strategic response and research unit responsible for looking at new cutting-edge ways to approach incident response at scale. He was also the CSIRT Manager for the Commonwealth Bank of Australia, where he built a team of advanced responders that investigated malicious security incidents for local and international operations. Before that, he worked as a managing consultant for BAE Systems Applied Intelligence, where he was responsible for all technical cybersecurity services for the Asia Pacific region, overseeing large and complex incident response and offensive security engagements.

Josh has a varied background in the cybersecurity industry, ranging from Project Management, Incident Response Commander, Forensics Analysis, Reverse Engineering, Penetration Testing, Secure Network Design, and Software Development. He holds a GCFR, GREM, GCFA, GDAT, GNFA, GCIH, GPEN, GPYC and lectures on investigating cyberattacks at Universities in APAC and to international audiences for the SANS Institute.