All Notion interviews
Notion logo

Notion

Notion Security Engineer Interview

Focus areas and question themes aggregated from 2 current openings — pick any opening below and practice a voice mock calibrated to it.

Notion Security Engineer mock interview

A live voice mock calibrated to this role — real questions, the real follow-up rhythm, and a score at the end. Free to start.

Start the mock interview

Two security engineering tracks sit in this family: corporate security, which hardens identity, endpoints, and SaaS sprawl across a growing headcount, and detection and response, which builds the rules and pipelines that catch attackers once they're inside. Both roles expect production-grade automation code, not just policy writing.

What this interview tests

  • Identity and endpoint hardeningHarden Okta, Google Workspace, or Entra with SAML/OIDC/OAuth/SCIM, and manage endpoint security (MDM, EDR) across a macOS-first fleet.
  • SaaS and shadow-IT risk reductionUse SSPM tooling and OAuth governance to cut risk across a long tail of SaaS vendors, automating access reviews at scale.
  • Detection engineering and languagesWrite and tune detections in Sigma, KQL, SPL, YARA-L, or EQL, and measure their coverage and mean-time-to-detect over their lifecycle.
  • Cloud identity attack detection and purple teamingDesign detections for cloud identity attacks across AWS, GCP, or Azure, informed by purple-team or adversary-emulation exercises.
  • Security automation as codeWrite production Python, Bash, or Terraform for access reviews, SaaS configuration drift detection, or CI-integrated security tooling.
  • Securing AI tool usageGovern or detect risky use of LLM, agent, and MCP tooling by employees — an explicit focus in both postings.

Common question themes

Walk through hardening an identity provider end to end — MFA, SSO, SCIM lifecycle.

IAM hardening is the core focus area of the Corporate Security posting.

How would you detect and prevent unauthorized or risky AI or MCP tool usage on employee endpoints?

Securing AI tool usage is listed as a focus area in both postings.

Describe a Python or Terraform automation you built for access reviews or SaaS config drift detection.

Security automation and IaC is a named focus area for Corporate Security.

How do you reduce shadow IT and OAuth over-permissioning across a long tail of SaaS vendors?

SaaS risk reduction at scale is directly listed as a question theme.

Walk through a high-signal detection you built, from threat intel to a shipped rule.

This is the central arc of the Detection and Response posting's question themes.

How do you tune a noisy detection without losing signal?

Rule lifecycle tuning is an explicit focus area for the detection role.

Describe a purple-team or adversary-emulation exercise you led.

Purple team experience is listed as a named focus area.

Design an identity-based attack detection in a cloud environment.

Cloud identity attack detection across AWS, GCP, and Azure is a listed focus area.

Likely format

Both postings leave interviewFormat blank, so the following is inferred from question style. The repeated 'walk through' and 'describe a tool you built' phrasing across both tracks points to a portfolio-style loop grounded in real automations and detections you've shipped, plus live scenario questions like incident triage and rule tuning, rather than closed-book trivia.

All 2 Notion openings in this role

Frequently asked questions

Is this role about IT helpdesk work or security engineering?

Security engineering, not IT support — the Corporate Security posting explicitly distinguishes itself from IT support, expecting candidates to write production Python and Terraform and scale controls as headcount grows rather than manually gatekeeping.

Do I need SIEM or detection-language experience for both tracks?

The Detection and Response track explicitly tests detection languages like Sigma, KQL, SPL, YARA-L, and EQL plus rule-lifecycle tuning. The Corporate Security track instead centers on IAM hardening and endpoint/SaaS risk — match your prep to the specific posting.

Why does AI or LLM tool usage show up as an interview topic for a security role?

Both postings list securing or detecting AI, agent, or MCP tool usage as an explicit focus area — treat employee use of AI tooling as a live attack surface and come ready to discuss a governance or detection approach for it specifically.

All Notion interviews