All interviews
Notion logo

Notion

Mid

Build high-signal detections across Notion's cloud-native attack surface

Notion is hiring a hands-on Detection Engineer to build and operate detection and response across cloud, identity, endpoint, and SaaS environments, treating detections as code and the detection platform as a product. Expect deep questions on detection languages (Sigma/KQL/SPL/YARA-L/EQL), rule lifecycle/tuning, incident response, and translating adversary TTPs into durable telemetry.

Step into this interview

Free · a live voice mock calibrated to this exact role

Practice this interview

What this interview tests

  • Detection engineering across cloud/identity/endpoint/SaaS
  • Detection languages: Sigma, KQL, SPL, YARA-L, EQL, Panther
  • Rule lifecycle: tuning, rollout safety, measurement (coverage, MTTD)
  • Purple team / adversary emulation experience
  • Cloud identity attack detection (AWS/GCP/Azure)
  • Incident response and postmortems

Common question themes

Walk through a high-signal detection you built from threat intel to shipped rule

How do you tune a noisy detection without losing signal

Describe a purple team or adversary emulation exercise you led

Design an identity-based attack detection in a cloud environment

Live incident triage and response walkthrough

How would you apply LLM/agent tooling to detection engineering workflows

View the original posting

Related interviews