# Software Engineer, Security

**Company:** [Notion](https://hotfix.jobs/companies/notion)
**Location:** San Francisco, CA
**Role:** Security Engineering
**Salary:** $290k – $350k/yr
**Experience:** 10+ years
**Skills:** SAML, OIDC, OAuth, Passkeys, Csp, Spicedb, Macaroons, Ai Safety, Prompt Injection, Authorization Systems
**Posted:** 2026-06-09

> Security engineer owning cross-cutting auth, authorization, and AI guardrail programs across product and infrastructure. Requires 10+ years shipping security-critical infrastructure and experience with AI/LLM protections.

## Job Description

## What You'll Achieve
- Modernize and migrate authentication across Notion’s product surfaces (SAML/OIDC, OAuth flows, session semantics, passkeys, CSP, redirect handling), landing multi-quarter changes with clear rollout plans and minimal customer disruption.
- Build and operate Notion’s AI safety guardrail stack, including prompt-injection protections (vendor evaluation, deployment model decisions, integration with agents) and an external-source provenance system for AI-generated content across Mail, Calendar, and MCP.
- Advance our authorization platform direction by driving crisp architectural trade-offs (e.g., SpiceDB vs. Macaroons) and shipping reusable primitives that product teams can adopt without bespoke security work.
- By day 90: own one P0 security program end-to-end—RFC, rollout plan, partner alignment, execution, and measurable risk reduction—plus ship one piece of AI leverage (e.g., an internal security agent for triage/verification/continuous checks) that improves correctness and reduces time-to-resolution.
- By end of year 1: raise the bar on security engineering craft by setting clearer standards for secure primitives (auth/authz, provenance, domain posture), improving adoption paths for partner teams, and reducing recurring classes of vulnerabilities through better systems—not heroics.

## Skills You'll Need to Bring
- Demonstrated ability to ship security-critical infrastructure in production systems (identity/authentication, authorization, platform primitives), including migrations that affect customers and require careful rollout and backwards compatibility.
- Strong judgment navigating ambiguous trade-offs (security vs. product velocity, correctness vs. ergonomics, centralized platforms vs. local autonomy), with a track record of writing clear RFCs and aligning cross-functional stakeholders.
- Experience building or operating AI/LLM security protections (e.g., prompt injection, tool/data provenance, policy enforcement) or a clear ability to ramp quickly and lead in an emerging domain.
- High agency and systems mindset: you proactively find the real constraint, unblock partner teams, and build primitives that compound across the org (not one-off fixes).
- Comfort mentoring and multiplying others—through intern/project ownership, enablement sessions, and pragmatic security guidance that engineers actually adopt.

## Similar roles

- [Staff Security Reliability Engineer](https://hotfix.jobs/jobs/626c14c3-6d35-433f-a4a1-7e4e17fa2b28) - OpenAI - San Francisco, CA - $293k – $385k/yr
- [Member of Technical Staff, SecOps & Threat Detection Engineer](https://hotfix.jobs/jobs/39765d60-0022-4a70-9f23-866a5b6b63e5) - Envoy - San Francisco, CA - $265k – $310k/yr
- [Staff+ Application Security Engineer](https://hotfix.jobs/jobs/176eddbe-ab46-4c6b-b459-b97404661b42) - Anthropic - San Francisco, CA - $320k – $485k/yr
- [Staff Software Engineer, Fraud](https://hotfix.jobs/jobs/aa86d79c-af69-4a6a-bdd8-8bd480bb43a9) - Replit - Foster City, CA - $250k – $315k/yr
- [Staff Software Engineer, Risk](https://hotfix.jobs/jobs/5cc2b135-9342-4987-9b19-269e001150fe) - Replit - Foster City, CA - $250k – $315k/yr

**Apply:** https://hotfix.jobs/jobs/e6283f18-9abb-4d55-acf7-cc3220bb1636
**Canonical:** https://hotfix.jobs/jobs/e6283f18-9abb-4d55-acf7-cc3220bb1636