Security Engineer, Detection and Response
Fresh Ventures · San Francisco, CA · Today
On-siteInformation Technology$230k–$260k/yrFull-time
About the role
Millions of people rely on Notion to do their most important work, and protecting that trust is foundational to everything we build. We’re looking for a hands-on Detection Engineer to build and operate the systems and workflows we use to detect and respond to attacks across Notion’s cloud-native environment.
Responsibilities
- Design and maintain high-signal detections across cloud, identity, endpoints, and SaaS environments.
- Build and improve the detection platform, including rule lifecycle management, tuning, measurement, and rollout safety.
- Develop tooling and automation that accelerate triage, enrichment, investigation, and detection authoring, including LLM-based workflows where useful.
- Translate threat intelligence and adversary TTPs into durable detections, telemetry requirements, and response improvements.
- Participate in investigations, incident response, and postmortems that drive long-term security improvements.
- Define and track key metrics such as coverage, MTTD, and alert quality to guide investment decisions.
- Participate in a shared on-call rotation for incident response.
Requirements
- Have 6+ years of experience in detection engineering, security operations, incident response, or threat hunting.
- Have built and operated production detections with strong signal quality and sustainable tuning processes.
- Be fluent in one or more detection languages such as Sigma, KQL, SPL, YARA-L, EQL, or Panther.
- Have an offensive security mindset and have led purple team, blue team, or adversary emulation exercises that improved detections and telemetry.
- Have strong cloud security experience in AWS, GCP, or Azure, including identity-focused attack detection.
- Be hands-on with SIEM, EDR, and SOAR platforms in large-scale environments.
- Communicate clearly through design docs, runbooks, and incident reports, and can drive projects independently.
Skills
- Have 6+ years of experience in detection engineering, security operations, incident response, or threat hunting.
- Have built and operated production detections with strong signal quality and sustainable tuning processes.
- Be fluent in one or more detection languages such as Sigma, KQL, SPL, YARA-L, EQL, or Panther.
- Have an offensive security mindset and have led purple team, blue team, or adversary emulation exercises that improved detections and telemetry.
- Have strong cloud security experience in AWS, GCP, or Azure, including identity-focused attack detection.
- Be hands-on with SIEM, EDR, and SOAR platforms in large-scale environments.
- Communicate clearly through design docs, runbooks, and incident reports, and can drive projects independently.
Nice to Have
- Experience applying LLMs or agent-style tooling to security workflows.
- Experience securing AI-enabled systems or endpoint tooling.
- Kubernetes or container detection experience.
- Background in threat intelligence, malware analysis, or digital forensics.
- Contributions to the detection engineering community through research, tooling, or talks.
- Experience at a high-growth startup or AI company.