Security engineer owning cross-cutting auth, authorization, and AI guardrail programs across product and infrastructure. Requires 10+ years shipping security-critical infrastructure and experience with AI/LLM protections.
290k – 350k
Hybrid10+ YOESecurity Engineering
About the role
What You'll Achieve
Modernize and migrate authentication across Notion’s product surfaces (SAML/OIDC, OAuth flows, session semantics, passkeys, CSP, redirect handling), landing multi-quarter changes with clear rollout plans and minimal customer disruption.
Build and operate Notion’s AI safety guardrail stack, including prompt-injection protections (vendor evaluation, deployment model decisions, integration with agents) and an external-source provenance system for AI-generated content across Mail, Calendar, and MCP.
Advance our authorization platform direction by driving crisp architectural trade-offs (e.g., SpiceDB vs. Macaroons) and shipping reusable primitives that product teams can adopt without bespoke security work.
By day 90: own one P0 security program end-to-end—RFC, rollout plan, partner alignment, execution, and measurable risk reduction—plus ship one piece of AI leverage (e.g., an internal security agent for triage/verification/continuous checks) that improves correctness and reduces time-to-resolution.
By end of year 1: raise the bar on security engineering craft by setting clearer standards for secure primitives (auth/authz, provenance, domain posture), improving adoption paths for partner teams, and reducing recurring classes of vulnerabilities through better systems—not heroics.
Skills You'll Need to Bring
Demonstrated ability to ship security-critical infrastructure in production systems (identity/authentication, authorization, platform primitives), including migrations that affect customers and require careful rollout and backwards compatibility.
Strong judgment navigating ambiguous trade-offs (security vs. product velocity, correctness vs. ergonomics, centralized platforms vs. local autonomy), with a track record of writing clear RFCs and aligning cross-functional stakeholders.
Experience building or operating AI/LLM security protections (e.g., prompt injection, tool/data provenance, policy enforcement) or a clear ability to ramp quickly and lead in an emerging domain.
High agency and systems mindset: you proactively find the real constraint, unblock partner teams, and build primitives that compound across the org (not one-off fixes).
Comfort mentoring and multiplying others—through intern/project ownership, enablement sessions, and pragmatic security guidance that engineers actually adopt.
Skills
SAMLOIDCOAuthPasskeysCspSpicedbMacaroonsAi SafetyPrompt InjectionAuthorization Systems
Senior technical owner designing, building, and operating secure, reliable infrastructure-as-code platforms for identity, access, and shared services. Requires 10+ years of hands-on SRE experience in high-reliability on-prem/hybrid environments.
293k – 385k
Hybrid10+ YOESecurity Engineering
Member of Technical Staff, SecOps & Threat Detection Engineer
EnvoySan Francisco, CA
Staff Security Engineer owning threat detection, SIEM architecture, and security operations for cloud, apps, and endpoints. Requires 6+ years in security/SRE/infra engineering with experience building detection-as-code, endpoint monitoring (SentinelOne), and driving MTTD/MTTR improvements in AWS environments.
265k – 310k
On-site7+ YOESecurity Engineering
Staff+ Application Security Engineer
AnthropicSan Francisco, CA +2
Staff Application Security Engineer focused on M&A due diligence and secure integration of acquired codebases and systems at Anthropic. Lead security assessments, risk readouts, post-close remediation and automation using Claude, while contributing to core AppSec work. Requires 7+ years AppSec experience, rapid codebase assessment skills, and coding ability.
320k – 485k
Hybrid7+ YOESecurity Engineering
Staff Software Engineer, Fraud
ReplitFoster City, CA
Build and operate AI-powered fraud/abuse detection systems defending Replit's platform from phishing, cryptomining, account takeover, and LLM abuse. Requires 8+ years in security/anti-abuse, Python/TypeScript, SQL at scale, and ML/LLM classifier experience.
250k – 315k
Hybrid8+ YOESecurity Engineering
Staff Software Engineer, Risk
ReplitFoster City, CA
Build and operate AI-powered abuse detection systems that defend Replit's platform from phishing, cryptomining, LLM token farming, and other attacks. Own end-to-end detection, investigation, and automated response across millions of daily actions.