Security Engineer, Corporate Security

at Notion

Millions of people rely on Notion to do their most important work. Protecting that trust starts with protecting the people who build Notion: our employees, their laptops, their identities, and the SaaS apps they rely on every day.

We are looking for a hands-on Corporate Security Engineer to own and improve the technical controls that keep our workforce and corporate environment safe. This is a security engineering role focused on building scalable controls and automation across identity, endpoints, SaaS, and workforce infrastructure, not a traditional IT support or corporate engineering role.

What You'll Achieve

  • Harden our identity and access management stack, including Okta and Google Workspace, with phishing-resistant MFA, strong SSO and SCIM lifecycles, and least-privilege access across SaaS.
  • Run our endpoint security program across a macOS-first fleet, including MDM, EDR, and configuration baselines, with working coverage for Windows and ChromeOS.
  • Secure AI tool usage at the endpoint, including governance of large language models, AI agents, and model context protocol (MCP) integrations; detect and prevent unauthorized or risky AI service access and data exfiltration through AI-enabled tools.
  • Reduce SaaS risk at scale through SSPM tooling and custom automation, including detection of risky OAuth grants, excessive permissions, shadow IT, and configuration drift.
  • Write code (Python, Terraform) to automate access reviews, onboarding and offboarding, configuration drift detection, and audit evidence collection.
  • Partner with Detection & Response to ensure corporate systems produce the telemetry needed to detect identity, endpoint, and SaaS abuse.
  • Support SOC 2, ISO 27001, and customer audits as a byproduct of good engineering, not a separate workstream.
  • Partner with Detection & Response on investigation and response for corporate security incidents, including phishing, account compromise, lost devices, and BEC.

Skills You Need To Bring

  • 5+ years of hands-on experience in corporate security, enterprise security, or IT security engineering at a cloud-native company.
  • Working knowledge of a major identity provider (Okta, Entra, or Google Workspace) and the underlying protocols (SAML, OIDC, OAuth 2.0, SCIM).
  • Hands-on experience operating endpoint management and detection tooling across macOS and enterprise environments.
  • Production-quality scripting and automation in Python or Bash, and experience shipping Terraform or other infrastructure-as-code for security configuration.
  • Familiarity with SaaS security risks (OAuth governance, audit logging, SSPM) and the realities of integrating a long tail of vendors.
  • Working knowledge of at least one major cloud platform (AWS, GCP, or Azure) at the security configuration level.
  • Clear communication skills in writing and effective collaboration with IT, Engineering, Legal, People, and GRC.

Nice to Haves

  • Experience at a fast-growing tech or AI company where the security program had to outpace headcount.
  • Background in IT engineering, SRE, or production engineering that transitioned into security engineering.
  • Experience building internal security tooling or workflows that improved employee or developer experience.
  • Contributions to the security community through open-source tools, blog posts, or conference talks.

Required Skills: Okta, SAML, OAuth 2.0, OpenID Connect (OIDC), SCIM, Python, Bash, AWS, Azure, Google Cloud Platform (GCP)

Benefits: Health insurance, Stock options

  • Location: San Francisco, US
  • Salary: $220K to $260K per year
  • Job Type: Full Time
  • Work Mode: Hybrid
  • Experience: Mid Level
  • Posted: Jun 16, 2026