Head Shot

Chief of Digital Forensics and Incident Response at SoteriaSec

Digital Forensics and Incident Response Independent Expert

SANS Institute Author and Principal Instructor


Josh Lemon is the Chief of Digital Forensics and Incident Response at SoteriaSec. He has over two decades of experience working on large and complex security incidents and investigations with large multinational organisations, government agencies, law enforcement, law firms, and local businesses to help them detect, investigate and eradicate cybercriminals and targeted threat actors from their networks. He is regularly called upon to provide expert witness testimony for legal cases involving breaches and incident response. He is the co-author of the SANS Institute “Enterprise Cloud Forensics” (FOR509) and “DFIR NetWars” courses, along with being a Principal Instructor for the “Advanced Incident Response and Threat Hunting” (FOR508) and the “Advanced Network Forensics and Threat Hunting” (FOR572) courses.

Josh also brings extensive experience in building and leading high-performing operational teams, developing policies, procedures, and documentation to support cybersecurity operations across both multinational corporations and smaller enterprises. He has worked closely with organisations to design and implement security operations frameworks, enabling teams to effectively plan, manage, and respond to emerging threats. As a member of the Standards SIG within the Forum of Incident Response and Security Teams (FIRST), Josh contributes to the development of international standards for CSIRTs and security operations centres. His work also extends to designing and facilitating tabletop exercises, helping organisations, from board members to technical responders, build resilience and sharpen their readiness to handle cyber incidents at all levels.

Josh is passionate about helping the cybersecurity community through his work as an advisory board member for Cydarm Technologies, a young Australian company that makes collaboration for incident response easier. Josh also presents research at international conferences, supports open-source projects, and provides voluntary support within the DFIR community.

Josh’s previous roles included Director of Global Managed Detection and Response (MDR) for Uptycs, where he helped to secure some of the largest international brands from cyberattacks. Managing Director at Ankura, where he led Ankura’s APAC digital forensics and incident response practice. Director at Salesforce in their international Salesforce Security Response Centre, where he led the strategic response and research unit responsible for looking at new cutting-edge ways to approach incident response at scale. He was also the CSIRT Manager for the Commonwealth Bank of Australia, where he built a team of advanced responders that investigated malicious security incidents for local and international operations. Before that, he worked as a managing consultant for BAE Systems Applied Intelligence, where he was responsible for all technical cybersecurity services for the Asia Pacific region, overseeing large and complex incident response and offensive security engagements.

Josh has a varied background in the cybersecurity industry, ranging from Project Management, Incident Response Commander, Forensics Analysis, Reverse Engineering, Penetration Testing, Secure Network Design, and Software Development. He holds a GEIR, GCFR, GREM, GCFA, GDAT, GNFA, GCIH, GPEN, GPYC and lectures on investigating cyberattacks at Universities in APAC and to international audiences for the SANS Institute.