
Security Operations Engineer, Detection and Response Team

Job in 500016, Prakāshamnagar, Telangana, India
Listing for: Confidential
Full Time position
Listed on 2026-02-03
Job specializations:
  • IT/Tech
    Cybersecurity, Security Manager
Job Description & How to Apply Below
Location: Prakāshamnagar

About Us

We're on a mission to make it possible for every person, team, and company to tailor their software to solve any problem and take on any challenge. Computers may be our most powerful tools, but most of us can't build or modify the software we use every day. At Notion, we're changing that through focus, design, and craft.

Since 2016, we've worked alongside customers like Pixar, Mitsubishi, Figma, Plaid, Match Group, and thousands more. We're growing quickly and are excited to welcome teammates who are passionate about building secure, trusted systems for millions of users worldwide.

Notion is an in-person company and currently requires employees to come to our Hyderabad office for three Anchor Days each week (Mondays, Tuesdays, and Thursdays).

About The Role

Millions of people rely on Notion to do their most important work. Protecting that trust is foundational to everything we build.

Notion is looking for a Security Operations Engineer to join our Detection and Response team. In this role, you will help monitor, investigate, and respond to security events across Notion's cloud-native and SaaS-focused environment, while serving as the technical and operational lead for Detection and Response in our Hyderabad office.

This role is well-suited for someone who enjoys hands-on security operations and wants to take on meaningful ownership over investigations, detections, and response workflows over time. Over the course of the year, you will mentor and lead an expanded cast of security engineers in Hyderabad, including the planned hiring and onboarding of additional Security Engineers, while continuing to operate as a senior individual contributor.

You'll work closely with experienced security engineers and analysts globally in a collaborative, high-trust environment that values learning, iteration, and operational excellence.

What You'll Achieve

You will play a key role in protecting Notion's systems, users, and employees by responding to security events and improving how we detect and respond to threats at scale.

Investigate and respond to security alerts end-to-end, including triage, scoping, containment, remediation, and documentation.
Participate in a 24/7 on-call rotation, responding to security alerts and incidents as part of a shared team responsibility.
Take ownership of specific detections, log sources, or investigation workflows, ensuring their quality, reliability, and ongoing improvement.
Contribute to detection development and tuning, identifying gaps, reducing false positives, and improving signal quality across telemetry sources.
Support incident response efforts, working with cross-functional partners to investigate and resolve security incidents.
Participate in proactive threat hunting, developing hypotheses based on threat intelligence, attacker behavior, and internal telemetry.
Analyze and correlate logs across cloud, identity, endpoint, and SaaS platforms to identify suspicious or anomalous behavior.
Improve operational processes and documentation, including runbooks, playbooks, and investigation procedures, to enable consistent execution across a growing team.
Provide hands-on coaching and technical guidance to less-experienced responders through investigation reviews, pairing, and real-time incident support.

Skills You'll Need to Bring

7+ years of experience in security operations, incident response, detection engineering, or a related security role, including experience acting as a technical lead or mentor for other security engineers.

Security Monitoring & Detection

Experience triaging and investigating alerts across SIEM, EDR, and cloud-native platforms.
Familiarity with detection development and tuning, including rule logic and false-positive reduction.
Working knowledge of attacker TTPs and frameworks such as MITRE ATT&CK, and how to detect them using available telemetry.

Experience with scripting or automation (e.g., Python, Bash) to streamline investigations or improve analyst workflows.
Familiarity with detection logic or query languages such as Sigma, KQL, Splunk SPL, YAML, or YARA.

Incident Response

Understanding of the incident response lifecycle, including investigation, containment, eradication, recovery, and lessons learned.
Experience supporting real-world security investigations and documenting findings.
Ability to collaborate effectively with partners across Security, IT, and Engineering, and provide technical guidance during incidents.

Cloud & SaaS Security

Familiarity with cloud environments (e.g., AWS, GCP, Azure) and common security risks.
Experience investigating identity and access activity in systems such as Okta, Google Workspace, or cloud IAM platforms.
Comfort working with logs from diverse sources, including authentication, endpoint, and infrastructure systems.

Collaboration & Communication

Clear and thoughtful communicator who can explain technical issues to varied audiences.
Strong documentation skills to support consistent, repeatable incident handling.
Comfortable working…