Notion

Security Operations Engineer, Detection and Response Team

full-time

Location Type: Hybrid

Location: Hyderabad, India

About the role

  • Monitor, investigate, and respond to security events across Notion’s cloud-native and SaaS-focused environment.
  • Serve as the technical and operational lead for Detection and Response in our Hyderabad office.
  • Mentor and lead an expanded cast of security engineers in Hyderabad.
  • Investigate and respond to security alerts end-to-end, including triage, scoping, containment, remediation, and documentation.
  • Participate in a 24/7 on-call rotation, responding to security alerts and incidents as part of a shared team responsibility.
  • Take ownership of specific detections, log sources, or investigation workflows, ensuring their quality, reliability, and ongoing improvement.
  • Contribute to detection development and tuning, identifying gaps, reducing false positives, and improving signal quality across telemetry sources.
  • Support incident response efforts, working with cross-functional partners to investigate and resolve security incidents.
  • Participate in proactive threat hunting, developing hypotheses based on threat intelligence, attacker behavior, and internal telemetry.
  • Analyze and correlate logs across cloud, identity, endpoint, and SaaS platforms to identify suspicious or anomalous behavior.
  • Improve operational processes and documentation, including runbooks, playbooks, and investigation procedures, to enable consistent execution across a growing team.
  • Provide hands-on coaching and technical guidance to less-experienced responders through investigation reviews, pairing, and real-time incident support.

Requirements

  • 7+ years of experience in security operations, incident response, detection engineering, or a related security role, including experience acting as a technical lead or mentor for other security engineers.
  • Experience triaging and investigating alerts across SIEM, EDR, and cloud-native platforms.
  • Familiarity with detection development and tuning, including rule logic and false-positive reduction.
  • Working knowledge of attacker TTPs and frameworks such as MITRE ATT&CK, and how to detect them using available telemetry.
  • Experience with scripting or automation (e.g., Python, Bash) to streamline investigations or improve analyst workflows.
  • Familiarity with detection logic or query languages such as Sigma, KQL, Splunk SPL, YAML, or YARA.
  • Understanding of the incident response lifecycle, including investigation, containment, eradication, recovery, and lessons learned.
  • Experience supporting real-world security investigations and documenting findings.
  • Ability to collaborate effectively with partners across Security, IT, and Engineering, and provide technical guidance during incidents.
  • Familiarity with cloud environments (e.g., AWS, GCP, Azure) and common security risks.
  • Experience investigating identity and access activity in systems such as Okta, Google Workspace, or cloud IAM platforms.
  • Comfort working with logs from diverse sources, including authentication, endpoint, and infrastructure systems.
  • Strong documentation skills to support consistent, repeatable incident handling.

Benefits

  • Notion is an in-person company and currently requires employees to come to our Hyderabad office for three Anchor Days each week (Mondays, Tuesdays, and Thursdays).
  • 24/7 on-call rotation

Applicant Tracking System Keywords

Tip: use these terms in your resume and cover letter to boost ATS matches.

Hard Skills & Tools
security operations, incident response, detection engineering, triaging alerts, detection development, scripting, automation, detection logic, query languages, incident response lifecycle

Soft Skills
mentoring, collaboration, technical guidance, coaching, documentation skills