Security Engineer, Detection and Response
Listed on 2026-07-14
-
IT/Tech
AI Engineer (Applied/Software), Cybersecurity
Who We Are
Notion is the collaborative AI workspace where teams and agents think together. We’re building one place where your knowledge, projects, meetings, and AI tools live side by side, so work is faster, clearer, and less fragmented. Millions of individuals, small teams, and large companies run their work on Notion.
Notinos (our employees) are customer zero in bringing this future of work to life. We care about craft, building things that last, and the belief that great work is still fundamentally human. Our goal isn’t to ship the next feature. Each and every team of Notinos is working to set the standard for how humans work together in the AI era.
From building a business’s system of record to making and managing AI agents to automating away the busy work, we care deeply about giving our customers more time for their life’s work.
The Role
Millions of people rely on Notion to do their most important work, and protecting that trust is foundational to everything we build. We’re looking for a hands‑on Detection Engineer to build and operate the systems and workflows we use to detect and respond to attacks across Notion’s cloud‑native environment. You’ll ship high‑signal detections, improve the platform that powers them, participate in incident response, and help shape how detection and response engineering scales at Notion.
You’ll work closely with Engineering, Corporate Security, and Infrastructure, with broad latitude to identify gaps, prioritize investments, and build what’s needed next.
We view detection and response as a software engineering discipline: detections are code, platforms are products, and measurement matters.
What You’ll Achieve- Design and maintain high‑signal detections across cloud, identity, endpoints, and SaaS environments.
- Build and improve the detection platform, including rule lifecycle management, tuning, measurement, and rollout safety.
- Develop tooling and automation that accelerate triage, enrichment, investigation, and detection authoring, including LLM‑based workflows where useful.
- Translate threat intelligence and adversary TTPs into durable detections, telemetry requirements, and response improvements.
- Participate in investigations, incident response, and post‑mortems that drive long‑term security improvements.
- Define and track key metrics such as coverage, MTTD, and alert quality to guide investment decisions.
- Participate in a shared on‑call rotation for incident response.
- Have 6+ years of experience in detection engineering, security operations, incident response, or threat hunting.
- Have built and operated production detections with strong signal quality and sustainable tuning processes.
- Are fluent in one or more detection languages such as Sigma, KQL, SPL, YARA‑L, EQL, or Panther.
- Have an offensive security mindset and have led purple team, blue team, or adversary emulation exercises that improved detections and telemetry.
- Have strong cloud security experience in AWS, GCP, or Azure, including identity‑focused attack detection.
- Are hands‑on with SIEM, EDR, and SOAR platforms in large‑scale environments.
- Communicate clearly through design docs, runbooks, and incident reports, and can drive projects independently.
- Experience applying LLMs or agent‑style tooling to security workflows.
- Experience securing AI‑enabled systems or endpoint tooling.
- Kubernetes or container detection experience.
- Background in threat intelligence, malware analysis, or digital forensics.
- Contributions to the detection engineering community through research, tooling, or talks.
- Experience at a high‑growth startup or AI company.
We hire talented people from a wide range of backgrounds. If you’re excited about this role but don’t meet every bullet, we still encourage you to apply. Notion is an equal opportunity employer and does not discriminate on the basis of any legally protected characteristic. Consistent with applicable law, we will consider for employment qualified applicants with arrest and conviction records.
Notion provides reasonable accommodations during the application process; if you need one, please let your recruiter…
(If this job is in fact in your jurisdiction, then you may be using a Proxy or VPN to access this site, and to progress further, you should change your connectivity to another mobile device or PC).