Security Engineer, Detection and Response

About the company

Notion is a collaborative AI workspace that brings knowledge, projects, meetings, and AI tools into a single environment so teams can work with more speed, clarity, and less fragmentation. It is used by millions of individuals, small teams, and enterprises. Employees are expected to act as customers themselves and are focused on high craft, durable systems, and enabling people to do their best work in the AI era.

About the role

This position is for a hands-on Detection Engineer who will design, run, and improve the systems and workflows used to identify and respond to threats across a cloud-native environment. The role focuses on building strong detections, strengthening the underlying platform, participating in incident response, and helping the function scale. You will work closely with Engineering, Corporate Security, and Infrastructure, with room to identify gaps, decide priorities, and create the needed solutions.

The team treats detection and response as a software engineering practice: detections are treated like code, the platform is treated like a product, and measurable outcomes matter.

Key responsibilities

• Create and manage effective detections across cloud services, identity systems, endpoints, and SaaS tools.
• Improve the detection platform by handling rule lifecycle processes, tuning, measurement, and safe rollout practices.
• Build tooling and automation that speed up triage, enrichment, investigation, and detection development, including useful LLM-enabled workflows.
• Turn threat intelligence and adversary tactics, techniques, and procedures into durable detections, better telemetry, and stronger response playbooks.
• Support investigations, incident response, and post-incident reviews that lead to long-term security gains.
• Define and monitor metrics such as coverage, mean time to detect, and alert quality to support investment decisions.
• Take part in a shared on-call rotation for incident response.

Requirements

• At least 6 years of experience in detection engineering, security operations, incident response, or threat hunting.
• Proven experience creating and operating production-grade detections with strong signal quality and maintainable tuning workflows.
• Working knowledge of one or more detection languages such as Sigma, KQL, SPL, YARA-L, EQL, or Panther.
• Strong offensive-security perspective, with experience leading purple team, blue team, or adversary emulation work that improved detections or telemetry.
• Solid cloud security background in AWS, GCP, or Azure, including detection of identity-related attacks.
• Hands-on experience with SIEM, EDR, and SOAR platforms in large-scale environments.
• Ability to communicate clearly through design documents, runbooks, and incident reports, and to drive projects independently.

Preferred experience

• Exposure to LLMs or agent-style tooling for security workflows.
• Experience protecting AI-enabled systems or endpoint tooling.
• Knowledge of Kubernetes or container-focused detections.
• Background in threat intelligence, malware analysis, or digital forensics.
• Evidence of contributions to the detection engineering community through research, tools, or speaking engagements.
• Experience working in a high-growth startup or AI company.

Compensation and benefits

The company offers competitive cash compensation, equity, and benefits. The expected base salary range for this role is €127,000 to €142,000 per year, with the final offer depending on factors such as location, scope of the role, and the candidate’s background and expertise.

AI approach

The organization expects employees to be curious, willing to experiment, and comfortable using AI as a practical partner in their work. Deep AI specialization is not required for every role, but an interest in learning and applying AI thoughtfully is valued.

Equal opportunity and accommodations

The employer welcomes applicants from varied backgrounds and encourages candidates to apply even if they do not meet every requirement. Hiring decisions are made without discrimination based on any legally protected characteristic. Qualified applicants with arrest or conviction records may be considered where permitted by law. Reasonable accommodations are available during the application process and for qualified individuals with disabilities or disabled veterans; candidates should inform their recruiter if support is needed.

Application notice

By submitting an application, candidates acknowledge that the company and its affiliates will collect and process personal information according to the company’s global recruiting privacy policy.