About Notion
Notion is one of the best-known software products on the market, with over 100 million users worldwide and adoption by more than half of the Fortune 500. The fast-growing San Francisco-based company offers an all-in-one workspace that helps teams manage projects, capture ideas, and collaborate, earning a passionate global community drawn to the tool’s flexibility and potential to impact productivity.
Executive summary
Before Tines, Notion’s SecOps and IT teams relied on separate tools to build automated workflows, but neither solution met their needs. Tines stood out as a more mature, flexible, and intuitive alternative, helping the SecOps team alone save more than eight hours each week, reducing manual toil and improving consistency across security and IT operations.
The challenge
Both the IT and security teams at Notion struggled with fragmented and inefficient automation tools. The IT team relied on a bundled solution with limited automation capabilities—and found the resulting workflows a “nightmare to maintain,” according to SecOps Engineer Jacobi Persinger. Meanwhile, the security team used Hex Notebooks, a “data-first tool” that was a poor fit for building workflows.
Dan Pyykonen, Head of Platform Security, refers to Hex as “a great tool, but not the right one for this job.”
“There really wasn't a way to make things event-driven,” Jacobi adds. “Webhooks were, at the time, non-existent. You had to call an API to a Hex Notebook and build your own sub-infrastructure. With Tines, I can just drag and drop a webhook, and I have something to send to immediately.”
Why Tines
Notion’s security team led the evaluation of several automation platforms. But most of the tools they tested felt underdeveloped or unnecessarily complex.
“A lot of the other tools in the space felt immature,” Dan says. “With many of the other tools in the bake-off, we had to jump on a call with a solutions engineer just to figure out how to do basic things. It didn’t feel seamless.”
“Tines reminded us of Notion in that it’s highly flexible and customizable. It met our needs as opposed to forcing us to work inside the confines of the tool. And it met our needs for more than just a SOAR.”
Dan Pyykonen, Head of Platform Security
Tines quickly stood out for its flexibility and fast time to value.
“Tines appeared to succinctly do what we wanted and seemed very straightforward,” Dan explains. “We’re a small team in a fast-growing company with many conflicting priorities - we need to get things done quickly. The ability to move quickly is what drew us to Tines initially, and we’ve continued to benefit from that.”
While Notion’s IT team wasn’t originally part of the evaluation, they were brought in after expressing similar frustrations.
“We included them in the POC because of the frustrations they’d shared with us as peers,” Dan explains. “We said, ‘Hey, we’re checking out this tool - want to take a look?’ And they were also very impressed.”
Dan adds that other tools felt like they were built by serial entrepreneurs with a rigid vision, whereas Tines felt shaped by real practitioner feedback and designed to support a wide range of use cases.
Quick adoption for individual team members was another big draw, Jacobi adds.
“When someone asks, ‘How do I start in Tines?’ I literally tell them to go to an API doc, copy a cURL request, and paste it in. And it just clicks.”
The Impact
Tines has helped Notion save time, reduce manual effort, and streamline operations - all while enabling faster experimentation and more consistent incident response.
Time savings
Notion’s security team estimates that a handful of Tines workflows are saving them more than thirty six hours per week. One of the biggest time savings comes from automating incident response and case management, including deep integration with Notion itself.
“When we spin up a new incident, the case, the doc, and everything else are there,” says Jacobi. “That saves us so much time, it’s crazy.”
Reducing friction and manual effort
A major source of time savings for Notion’s security team comes from reducing complexity and eliminating unnecessary context switching.
“One of the most difficult things for security teams is having to jump into so many different systems,” says Dan. “The more we can do to avoid that, the better - not all systems feel intuitive, and there’s a learning curve for each. So if we can use workflows that actually match the functionality we need, those are always going to be the things we focus cycles on.”
By centralizing key workflows in Tines, the team has also dramatically reduced toil and operational overhead.
Greater consistency in security operations
Tines hasn’t just reduced manual toil, it’s also helped Notion’s security team drive consistency, particularly during incident response.
“It ensures we’re always following our standards,” says Dan. “If a new member joins an incident response call and wants to look into an event, that security event is spun up exactly how any senior member of the team would do it.”
This level of consistency reduces the risk of errors, enables faster response times, and ultimately enables the team to strengthen Notion’s overall security posture.
Removing blockers to innovation
Tines hasn’t just helped streamline operations, it’s also made it easier for the team to experiment and innovate.
“There was one workflow that I finished within the first week of adopting Tines, and I was able to expand that story and reiterate on it really quickly,” says Jacobi. “That was the biggest, most exciting strength we gained from Tines. It could be both the stepping stone and the home base for automations you really hate writing.”
By lowering the barrier to building and iterating on automation, Tines helps the team to move faster and try new ideas without friction.
“Tines has worked great for us and really helped reduce toil on the team, which is exactly what we wanted. It’s allowed us to automate tasks and build consistency, which is critical for a security team. It makes things auditable, clean, easy to read, and less chaotic. That reduction in chaos ensures smoother operations. And ultimately, that’s what we all hope for in Security Operations, to operate consistently and successfully.”
Dan Pyykonen, Head of Platform Security
Top workflows
There are currently four Tines builders on Notion’s SecOps team. Among their top workflows to date are:
Alert automation and normalization
Jacobi and her team created a workflow for alert automation and normalization.
She explains, “We centralized alert intake across sources into a detection‑as‑code SIEM and a Notion database powered alert manager. Alerts are normalized to a common schema, auto‑enriched with runbooks and Slack context, and routed to the right responders all with Tines.”
This workflow reduces triage time, increases consistency, and keeps an auditable record for post‑incident reviews.
CrowdStrike data collection and enrichment
Jacobi shares, “If there's an incident and we need data on a laptop, a lot of that data is not readily available from CrowdStrike. There may be the laptop name and serial number, but not the person who's using it. Now we can link all that together. So our incident responders can easily pull all this data and lock down a laptop immediately.”
This workflow provides incident responders with the full context they need to act quickly and effectively.
Case management automation
Jacobi and the team are streamlining incident response by automating away toilsome work through integration with Slack.
“We want the tool that we built for case management in Tines to pull all the information: create the channel, make a Notion doc, and populate timelines. We use Slack reactions to tag messages or threads, and then pull that information in.”
This ensures critical details are captured and organized in real time, helping the team stay focused and aligned.
“I would never want to write that automation myself. But I can string it together in Tines and it’s stable and trustworthy, and I know it's going to work. Analysts who are doing something with cases in Notion don't have to record what they did, or add details, because I already put actions in Tines to do that automatically.”
Jacobi Persinger, SecOps Engineer
Automated takedowns
Notion’s security team uses Tines to power a streamlined brand protection workflow.
“Tines has stepped in and been a really good bridge, something that's really reliable,” Jacobi explains. “We have analysts that perform actions in Notion, and if they want to take down something, they can just press the button in Notion, and it sends it off to our takedown provider.”
“That’s all coordinated through Tines, and they don't have to worry about the metrics. They don't have to record all these different details because Tines does it. I put all those actions in there to do that automatically.”
This automation reduces manual effort, ensures consistent documentation, and gives analysts a faster, more reliable way to take action.
IT workflows
Notion also has three IT team members currently building in Tines.
Jacobi shares, “They use Tines to connect tools like Notion and Okta. I think that’s been a breath of fresh air for them. I know they felt that the automations they built in their other platform were a nightmare to maintain, and now they can easily automate a lot of that in Tines.”
Favorite feature
Jacobi calls out automatic mode in Event Transform as “the most magical” feature of Tines.
“I've coded in Python forever, and there are a lot of things that security practitioners have to memorize, or be familiar with, when it comes to different integrations. Not all data is created equal. With Tines, when you have all these different data structures and you want to move relatively quickly, you can. The nice thing about the automation piece is that you can generate the code, look at it, and get what you want.”
This capability helps the team work faster, even when handling complex or unfamiliar data, reducing time spent on manual formatting and speeding up workflow development.
They also value the flexibility to bring their own AI model to Tines, tailoring automation to their specific needs.
What’s next
Notion’s SecOps team is continuing to expand how it uses Tines, with a focus on speeding up case management and enriching it with additional context through new Slack bots.
The team is also exploring how to leverage AI in Tines to summarize cases.
“One of the things I’m really excited about that we just put into place is when someone starts up a case, they can just put a one-line description of what is happening. And it populates based on a couple of things,” Jacobi explains. “There's knowledge of incident management, but it also makes it into a readable format.”
Looking ahead, Notion plans to build workflows for vulnerability management to sync data, notify the right teams, and accelerate remediation efforts.
“We haven't gotten to the point where we're doing auto remediation or locking down laptops yet,” Jacobi says. “But we have a couple of people on our team that are going to be exploring that.”
“Our team thrives on automating really toilsome things. Like any other security team, we’re just super busy and need time. From that perspective, Tines has been a great tool to use and work with.”
Jacobi Persinger, SecOps Engineer