Role in brief
Notion is seeking a Security Engineer specializing in detection and response for its cloud-native environment. This role involves designing and maintaining security detections, building out the detection platform, and participating in incident response. Candidates with strong experience in cloud security, SIEM, EDR, and SOAR, and an offensive security mindset, are encouraged to apply.
About the role
This role focuses on developing and operating systems to identify and counter cyber attacks within Notion's cloud infrastructure. A core responsibility is designing and maintaining high-signal detection mechanisms across various environments, including cloud, identity, endpoints, and SaaS. The engineer will also be instrumental in enhancing the detection platform, managing the lifecycle of detection rules, and ensuring their effectiveness and safe deployment.
A significant part of the work involves creating tools and automation to streamline security operations, such as accelerating triage, investigation, and the authoring of new detections. This includes exploring the use of large language models for efficiency. The engineer will translate threat intelligence into actionable detections and contribute to improving response capabilities, while also participating in incident investigations and post-mortems to drive long-term security enhancements.
Success in this position means continuously improving Notion's security posture by defining and tracking key metrics like coverage and alert quality to inform investment decisions. The role requires active participation in a shared on-call rotation to respond to incidents, ensuring the timely and effective handling of security events. The ideal candidate will have a proven track record in building and operating production detections with reliable signal quality.
The estimated base salary range for this role is $230,000 to $260,000 per year, specifically for positions based in San Francisco or New York City.
Skills that matter here
- detection engineering: This role is centered on designing, building, and maintaining systems to identify security threats.
- incident response: The engineer will participate in investigations, incident response activities, and post-mortems to improve security.
- threat hunting: Experience in threat hunting is required to translate threat intelligence into durable detections.
- cloud security: Strong experience with cloud security in AWS, GCP, or Azure is essential for detecting attacks in these environments.
- SIEM: Hands-on experience with Security Information and Event Management platforms in large-scale environments is necessary.
- SOAR: The role requires hands-on experience with Security Orchestration, Automation, and Response platforms.
Who this role suits
- A candidate with at least six years of experience in detection engineering, security operations, incident response, or threat hunting.
- Someone who has successfully built and operated production detections with high signal quality and sustainable tuning processes.
- An individual fluent in detection languages such as Sigma, KQL, SPL, YARA-L, EQL, or Panther.
- A professional with an offensive security mindset who has led purple team, blue team, or adversary emulation exercises.
From the employer
- Design and maintain high-signal detections across cloud, identity, endpoints, and SaaS environments.
- Build and improve the detection platform, including rule lifecycle management, tuning, measurement, and rollout safety.
- Develop tooling and automation that accelerate triage, enrichment, investigation, and detection authoring, including LLM-based workflows where useful.
- Translate threat intelligence and adversary TTPs into durable detections, telemetry requirements, and response improvements.
- Participate in investigations, incident response, and postmortems that drive long-term security improvements.
- Define and track key metrics such as coverage, MTTD, and alert quality to guide investment decisions.
- Participate in a shared on-call rotation for incident response.
- Have 6+ years of experience in detection engineering, security operations, incident response, or threat hunting.
- Have built and operated production detections with strong signal quality and sustainable tuning processes.
- Are fluent in one or more detection languages such as Sigma, KQL, SPL, YARA-L, EQL, or Panther.
- Have an offensive security mindset and have led purple team, blue team, or adversary emulation exercises that improved detections and telemetry.
- Have strong cloud security experience in AWS, GCP, or Azure, including identity-focused attack detection.
- Are hands-on with SIEM, EDR, and SOAR platforms in large-scale environments.
- Communicate clearly through design docs, runbooks, and incident reports, and can drive projects independently.
- Notion is committed to providing highly competitive cash compensation, equity, and benefits.
- The estimated base salary range for this role is $230,000 - $260,000 per year for roles based in San Francisco or New York City.
Questions about this role
What is the remote work policy for this role?
This is a remote position, but the listed salary range is specifically for roles based in San Francisco or New York City.
What level of experience is required?
Candidates should have at least 6 years of experience in relevant security fields such as detection engineering, security operations, incident response, or threat hunting.
What are the key technical skills needed?
Key technical skills include detection engineering, security operations, incident response, threat hunting, cloud security (AWS, GCP, Azure), and hands-on experience with SIEM, EDR, and SOAR platforms.