Most threat intelligence programs are built around reports nobody reads, andindicator feedsthat age out before anyone acts on them. We’re building something different. At Lennar, we’re standing up a CTI program designed from the ground up to protect the business workflows that matter most — real estate transactions, wire transfers, closing processes, and the associate populations that threat actors target through wire fraud, data theft, and ransomware. Raw intelligence signals flow through engineered pipelines into controls, detections, and validated risk reduction. We have pipelines in flight and platforms taking shape, but the architecture is still yours to influence. The foundational decisions — TIP selection, feed collection design, enrichment and scoring logic, closed-loop validation — aren’t locked in. You’ll have real input into how this gets built. If you’ve wanted to own the kind of intelligence decisions that most analysts spend a decade waiting for, and you want to make them in a Fortune 100 environment with real resources and a program lead who wants a partner, this is that role. You’re an analyst who builds. You don’t wait for someone else to stand up the tooling — you write the code, operate the pipeline, and make the platform work. You translate threat context into business risk and then build the systems that act on it at scale. This role is not for you ifyou want to triage alerts and write reports. Your job is to build and operate systems that make that possible, and to make sure the intelligence those systems produceactually reachescontrols, drives detections, and closes risk. Your Responsibilities on the Team Platform Operation & Automation Own day-to-day TIP operation: feed health, indicator lifecycle, enrichment pipeline integrity, data quality controls, and distribution to controls — SIEM, XDR, EDR, NGFW, and email; maintain coverage across government, commercial, and open-source feeds. Build and maintain the automation that scales the program: feed collectors via REST and Graph APIs, enrichment chains, scoring pipelines, and indicator lifecycle workflows — production code, not one-off scripts. Instrument everything you build: structured logs, run IDs, observable outputs; if it runs in production, it’s monitored and you own it. Detection & Exposure Alignment Partner with Detection Engineering on intel-driven analytics rules and hunts; translate threat actor TTPs into detection hypotheses and contribute KQL to coverage against techniques active in your pipeline. Integrate vulnerability management and attack surface findings with active threat intel; correlatemisconfigs, identity risks, and surface exposure with real threat context; open mobilization tasks with evidence attached and owners assigned. Package threat-informed playbooks, ensure safe runs, capture evidence, and confirm findings are validated-closed — not claimed-closed. Threat-Informed Prioritization & Business Risk Translation Fuse threat intelligence with asset inventory, identity context, cloud posture, and data sensitivity to compute blast radius and generate ranked action packages with clear owners; produce crisp, evidence-backed assessments for engineering and executive audiences. Own CVE triage using EPSS, KEV, and in-the-wild evidence; route prioritized findings with blast radius context, not just severity scores. Map active TTPs to countermeasure coverage; classify what’s deployed, validated, broken, and missing — and routefindings accordingly;serve as the connective tissue between threat landscape and internal operations. Requirements 5+ years in threat intelligence, security engineering, or a related discipline — with a track record of both producing intelligence and building the tooling that operationalizes it. 3+yearsoperating a TIP at production maturity: feed collection architecture, enrichment pipelines, indicator lifecycle management, and distribution to security controls. Demonstrated ability to build automation pipelines with schema discipline, observability, and rollback — solid scripts and APIs are the floor; production services are the ceiling. Track record of producing finished intelligence that drove decisions, not just reports that got filed. Background in financial services, real estate, or industries facing wire fraud, BEC, or transaction-based threat vectors is a strong differentiator. Technical Depth Python —Production pipeline code: REST and Graph API clients, enrichment chains, JSON Schema validation, auth patterns, pagination, retries, error handling. Pipeline operation —Owns and operates automation workflows end-to-end; comfortable building, debugging, and extending pipelines via CLI and code; not a UI operator. KQL —Writes analytics rules and hunt queries from scratch; understands cloud-native SIEM table schema; can derive detection logic from a TTP description. ATT&CK —Operational fluency; used to scope coverage,write hunthypotheses, and route findings — not to decorate reports. TIP and feed engineering —Has operated a commercial or custom TIP; has built multi-source collectors and enforced source SLAs at production scale. Exposure platform integration —ASM/CAASM and vulnerability management API integration; scan data enrichment for risk weighting. Certifications (Preferred, Not Required) GIAC Cyber Threat Intelligence (GCTI). SC-200 or demonstrated cloud-native SIEM operational depth. OSCP or CRTO is a differentiator. A GitHub portfolio of production pipelines tells us more than any cert. WHAT MAKES THIS ROLE DIFFERENT This program is built to stay ahead of them, and the analyst in this seat is the one who connects what’s happening in the threat landscape to what Lennar needs to do about it.You’re not filing reports into a queue. You’re building the systems that make the program run, producing the intelligence that drives decisions, and closing risk that would otherwise stay open. Life at Lennar At Lennar, we are committed to fostering a supportive and enriching environment for our Associates, offering a comprehensive array of benefits designed to enhance their well-being and professional growth. Our Associates have access to robust health insurance plans, including Medical, Dental, and Vision coverage, ensuring their health needs are well taken care of. Our 401(k) Retirement Plan, complete with a $1 for $1 Company Match up to 5%, helps secure their financial future, while Paid Parental Leave and an Associate Assistance Plan provide essential support during life9s critical moments. To further support our Associates, we provide an Education Assistance Program and up to $30,000 in Adoption Assistance, underscoring our commitment to their diverse needs and aspirations. From the moment of hire, they can enjoy up to three weeks of vacation annually, alongside generous Holiday, Sick Leave, and Personal Day policies. Additionally, we offer a New Hire Referral Bonus Program, significant Home Purchase Discounts, and unique opportunities such as the Everyone9s Included Day. At Lennar, we believe in investing in our Associates, empowering them to thrive both personally and professionally. Lennar Associates will have access to these benefits as outlined by Lennar9s policies and applicable plan terms. Visit Lennartotalrewards.com to view our suite of benefits. Join the fun and follow us on social media to see what9s happening at our company, and don9t forget to connect with us on Lennar: Overview | LinkedIn for the latest job opportunities.