Security Operations Engineer, Detection and Response Team

Dublin, Ireland | Competitive | Onsite | Full-time

About this role

Who We Are

Notion is the collaborative AI workspace where teams and agents think together. We're building one place where your knowledge, projects, meetings, and AI tools live side by side, so work feels faster, clearer, and less fragmented. Millions of individuals, small teams, and large companies run their work on Notion. Notinos (our employees) are customer zero in bringing this future of work to life. We care about craft, humanity, and building things that last: not just shipping the next feature, but setting a standard for how modern teams (with humans and agents working together) think and execute.

About The Role

Notion is looking for a talented Security Engineer with solid communication and analytical skills to help us improve and optimize our security monitoring program. We are seeking someone with a mixture of technical ability and attention to detail who can function comfortably in a variety of cyber security disciplines. In addition to technical acumen and enthusiasm, we need a self-motivator who stays on top of emerging threats and vulnerabilities to Notion, providing a continuous, proactive monitoring approach. If you're passionate about data privacy and security, understand the security monitoring process, and enjoy designing creative approaches to provide effective security monitoring at scale, this could be just the opportunity you've been looking for.

The Notion application is flexible, powerful and always evolving, with a product that needs to scale to meet the needs of many thousands of businesses globally. They rely on us to protect their data and that of their customers.

Notion's Security team builds and evolves our detection, response, and security automation capabilities to protect our users and data. We proactively monitor, detect, and investigate threats across Notion's cloud-native environment, ensuring a resilient security posture. We partner closely with Engineering, Infrastructure, and Security leadership to continuously enhance our ability to respond to emerging threats at scale.

What You'll Achieve

You will design and implement advanced detections, automate security workflows, lead incident investigations, and conduct proactive threat hunts to identify and mitigate risks before they impact Notion. You will work in a highly collaborative team to evolve security defenses, reduce dwell time, and respond to sophisticated adversaries.

- Lead detection engineering efforts, designing scalable, high-fidelity security detections across cloud, endpoint, and application environments.
- Develop automation & orchestration solutions to improve response and containment times and enhance security workflows.
- Own and drive incident response and command, leading major security incidents, containment, and remediation efforts.
- Conduct proactive threat hunting, leveraging threat intelligence and hypothesis-driven methodologies to detect hidden adversary activity.
- Reverse-engineer attacks, analyzing adversary behavior and developing robust detection strategies.
- Continuously improve security defenses, applying lessons learned from incidents, hunting exercises, and emerging threat trends.

Skills You'll Need to Bring

5+ years of experience in security detection, response, or related fields.

Detection Engineering & Automation

- Strong ability to write, tune, and optimize detections across various platforms (e.g., EDR, SIEM, network monitoring).
- Proficiency in scripting and automation (Python, Go, or similar) to enhance detection and response capabilities.
- Experience with detection rule development (Sigma, YARA, Splunk SPL, KQL) and security event correlation.

Incident Response

- Deep expertise in the incident response lifecycle, including investigation, containment, remediation, and recovery.
- Lead security incidents and command response efforts, ensuring rapid containment and mitigation, even in unfamiliar environments and across team boundaries.
- Lead post-incident learning, conducting blameless postmortems and driving follow-up actions that address systemic issues and prevent recurrence.

Cloud Security

- Experience securing cloud-native environments (AWS, GCP, or Azure), including detection and response strategies for cloud workloads.
- Practical knowledge of detecting malicious activity in application and infrastructure architectures in a SaaS environment.
- Ability to assess security gaps and propose detection & response improvements across cloud and endpoint platforms.

Collaboration & Communication

- Pragmatic and business-oriented: You focus on high-impact security efforts, balancing security investments with real-world risk.
- Not ideological about technology: You see technologies and programming languages as tools with tradeoffs; you're opinionated but adaptable, always willing to learn new technologies.
- Empathetic communication: You clearly articulate complex security issues, whether in technical discussions or executive briefings. You engage thoughtfully in disagreements and find common ground when needed.
- Team p

Job Details

Posted: 30 May 2026
Closes: 29 June 2026
Job Type: Full-time
Work Mode: Onsite
