Joshua Lemon

With a keen interest in both computers and investigative work, and a passion for teaching those around him, Josh Lemon is perfectly fit for his job in cybersecurity and incident response and his role as a SANS instructor.

In the years before cybersecurity roles were the norm, Josh started out building, managing, and securing large, complex computer networks and software systems. He worked in a variety of fields providing incident response, digital forensics, and penetration testing services to government, law enforcement, and the commercial sector before eventually taking on a full-time incident response role.  "I took the chance and never looked back," he says.

Today, as a cybersecurity incident response director at, Josh manages the Strategic Response and Research Unit within the Salesforce Security Response Center (SSRC), which provide a dedicated team of highly trained and experienced incident responders to research, develop and champion future technical capabilities for the Incident Response team.

Previously, Josh was the CSIRT Manager for the Commonwealth Bank of Australia leading one of the largest dedicated incident response teams in the Australian commercial sector. He also worked as a managing consult for BAE Systems Applied Intelligence, where he was responsible for all technical cybersecurity services for the Asia Pacific region, overseeing large and complex incident response and offensive security engagements.

In addition to his role at, Josh stays busy teaching two SANS courses: FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics and FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response.

Josh says that even with all the different roles he's held, every job has included a component of teaching others. Josh's teaching skills are so evident, that a former manager and SANS principal instructor encouraged him to explore an instructor role after observing Josh teaching his clients during his time as a consultant.

And the SANS curriculum is a perfect fit from Josh's perspective. "One of the reasons I enjoy teaching for SANS is their DFIR courses are continually updated and tuned to include the most current techniques seen in the wild," says Josh. "I always want to make sure my students are armed with the most up-to-date information to uncover attacks and be able to efficiently investigate them."

In the classroom, Josh sees the massive amount of highly technical information students must consume over the span of only six days as the biggest challenge for his students. "It can be overwhelming for new students and seasoned professional alike", he says. To address this, Josh keeps students focused on the elements they can start using as soon as class ends. "I always leave students with more information to read in the future and encourage them to start keeping a file of 'cool things to read about later,'" he says.

In addition to his work with students, a highlight of Josh's career has been seeing his cases in court. "While the results of court cases are always different, being able to find enough evidence to successfully determine who the malicious actor is behind the keyboard and see law enforcement carry out their work, has been a huge highlight for me," says Josh. "It's rare that DFIR professionals ever get to put a face to someone conducting malicious activity, however, finally seeing a criminal in court, or law enforcement carry out a warrant, brings a large sense of closure to an investigation you've worked hard on."

Josh also has a deep interest in operational efficiency for teams and is constantly working to understand how to improve the work environment for DFIR professionals. "The challenges and stresses of doing DFIR work are fairly unique and that's usually why we see DFIR professionals really only spend approximately 2 years at the cold face of chasing malicious actors around networks," he says. "Understanding how to make that environment better for our industry has been an interest of mine ever since I started managing teams of people."

Josh's current work on tools, technologies, techniques, and automating IR processes has allowed him to see IR and SOC teams become more efficient, more motivated, and more focused on their operational IR work, rather than trying to struggle with tools that aren't really suited to DFIR work.

Josh maintains an infosec blog,, and holds a number of certifications including GCFA, GCIH, GNFA, GPEN, GDAT, GPYC, and GREM.

When he's not helping his team or students, or chasing the malicious actors around a computer network, Josh stays busy in his role as Dad, spending time with his family.

Qualifications Summary

  • Cyber security incident response director at
  • Instructor for FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics and FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response


  • GIAC Certified Forensic Analyst (GCFA)
  • GIAC Certified Incident Handler (GCIH)
  • GIAC Certified Network Forensic Analyst (GNFA)
  • GIAC Certified Penetration Tester (GPEN)
  • GIAC Defending Advanced Threats (GDAT)
  • GIAC Python Coder (GPYC)
  • GIAC Reverse Engineering Malware (GREM)

Get to know Josh Lemon

Here's what students are saying about instructor Josh Lemon:

"Great delivery! Josh has great knowledge about the topic." - Mohamed Gafar, United Nations WFP

"This is my first SANS experience. Josh is very good. I am very happy with both the course content and the delivery." -Vik Somi, Superloop