Megan Roddie-Fonseca

Megan Roddie-Fonseca currently works as a Senior Security Engineer at Datadog. She is also a co-author of FOR509: Enterprise Cloud Forensics and Incident Response and a frequent presenter at security conferences. In addition to her technical expertise, Megan serves as the CFO of Mental Health Hackers, advocating for mental wellness within the industry. She holds two Master’s degrees—one in Digital Forensics and the other in Information Security Engineering—along with several industry certifications that span a wide range of specialties.

Megan is passionate about providing students with practical, hands-on training that mirrors real-world challenges, enabling them to tackle incidents with confidence. Outside of her work, she’s a fierce competitor in Muay Thai and Brazilian Jiu-Jitsu, bringing the same tenacity to her sport as she does fighting cybercrime.

More About Megan

Profile

When Megan Roddie-Fonseca worked at a startup where she and her colleagues were consulting on an IR investigation affecting a Google Workspace Customer, she found there wasn’t much publicly available information on methodology for Google Workspace DFIR. “That is when I decided to be the one to help make the content exist,” she says.

She is thrilled to have been invited by SANS to become an author. “I had taken SANS courses for years and knew the quality of the materials, instructors, and entire program. The idea that I was being invited to be a part of the creation of that content and experience was too good to pass up. Knowing the quality and standards that SANS strives to meet, the fact they considered me up to par was a major achievement.” She has been looking up to many of the senior staff of SANS, and almost cannot believe she is now working alongside them. “Crazy surreal, but an amazing experience!”

Megan is part of the SANS DFIR Faculty and has co-authored the FOR509 course: Enterprise Cloud Forensics and Incident Response. The biggest challenge she sees for practitioners is the ever-evolving nature of the cloud. “The same goes for us as authors,” she adds. “The UI’s for the portals, the logging policies, and more can change week to week. Similarly, the clouds vary so differently, AWS versus Azure versus GCP.”

With SANS course content only updated every six months, she has made it her goal to write about DFIR concepts as a whole, so students can apply them regardless of the changes cloud providers make. “While the location of tools in a portal or how long logs are retained for may change and vary across different cloud platforms, the concepts of a DFIR investigation remain the same. The analytical process is equal across all platforms, so don’t let yourself be thrown off by different terminology or commands.”

Resources: