Sr. Threat Intelligence Analyst

Lennar, Irving, TX

About The Position

We are Lennar

Lennar is one of the nation's leading homebuilders, dedicated to making an impact and creating an extraordinary experience for its Homeowners, Communities, and Associates by building quality homes and providing exceptional customer service, giving back to the communities in which we work and live, and fostering a culture of opportunity and growth for our Associates throughout their careers. Lennar has been recognized as a Fortune 500® company and consistently ranked among the top homebuilders in the United States.

Join a Company that Empowers you to Build your Future

Most threat intelligence programs are built around reports nobody reads and indicator feeds that age out before anyone acts on them. We’re building something different. At Lennar, we’re standing up a CTI program designed from the ground up to protect the business workflows that matter most — real estate transactions, wire transfers, closing processes, and the associate populations that threat actors target through wire fraud, data theft, and ransomware. Raw intelligence signals flow through engineered pipelines into controls, detections, and validated risk reduction.

We have pipelines in flight and platforms taking shape, but the architecture is still yours to influence. The foundational decisions — TIP selection, feed collection design, enrichment and scoring logic, closed-loop validation — aren’t locked in. You’ll have real input into how this gets built. If you’ve wanted to own the kind of intelligence decisions that most analysts spend a decade waiting for, and you want to make them in a Fortune 100 environment with real resources and a program lead who wants a partner, this is that role.

You’re an analyst who builds. You don’t wait for someone else to stand up the tooling — you write the code, operate the pipeline, and make the platform work. You translate threat context into business risk and then build the systems that act on it at scale.

This role is not for you if you want to triage alerts and write reports. Your job is to build and operate the systems that make that possible, and to make sure the intelligence those systems produce actually reaches controls, drives detections, and closes risk.

A career with purpose. A career built on making dreams come true. A career built on building zero defect homes, cost management, and adherence to schedules.

Requirements

  • 5+ years in threat intelligence, security engineering, or a related discipline — with a track record of both producing intelligence and building the tooling that operationalizes it.
  • 3+ years operating a TIP at production maturity: feed collection architecture, enrichment pipelines, indicator lifecycle management, and distribution to security controls.
  • Demonstrated ability to build automation pipelines with schema discipline, observability, and rollback — solid scripts and APIs are the floor; production services are the ceiling.
  • Track record of producing finished intelligence that drove decisions, not just reports that got filed.
  • Python — Production pipeline code: REST and Graph API clients, enrichment chains, JSON Schema validation, auth patterns, pagination, retries, error handling.
  • Pipeline operation — Owns and operates automation workflows end-to-end; comfortable building, debugging, and extending pipelines via CLI and code; not a UI operator.
  • KQL — Writes analytics rules and hunt queries from scratch; understands cloud-native SIEM table schema; can derive detection logic from a TTP description.
  • ATT&CK — Operational fluency; used to scope coverage, write hunt hypotheses, and route findings — not to decorate reports.
  • TIP and feed engineering — Has operated a commercial or custom TIP; has built multi-source collectors and enforced source SLAs at production scale.
  • Exposure platform integration — ASM/CAASM and vulnerability management API integration; scan data enrichment for risk weighting.

Nice To Haves

  • Background in financial services, real estate, or industries facing wire fraud, BEC, or transaction-based threat vectors is a strong differentiator.
  • GIAC Cyber Threat Intelligence (GCTI).
  • SC-200 or demonstrated cloud-native SIEM operational depth.
  • OSCP or CRTO is a differentiator.
  • A GitHub portfolio of production pipelines tells us more than any cert.

Responsibilities

  • Own day-to-day TIP operation: feed health, indicator lifecycle, enrichment pipeline integrity, data quality controls, and distribution to controls — SIEM, XDR, EDR, NGFW, and email; maintain coverage across government, commercial, and open-source feeds.
  • Build and maintain the automation that scales the program: feed collectors via REST and Graph APIs, enrichment chains, scoring pipelines, and indicator lifecycle workflows — production code, not one-off scripts.
  • Instrument everything you build: structured logs, run IDs, observable outputs; if it runs in production, it’s monitored and you own it.
  • Partner with Detection Engineering on intel-driven analytics rules and hunts; translate threat actor TTPs into detection hypotheses and contribute KQL to coverage against techniques active in your pipeline.
  • Integrate vulnerability management and attack surface findings with active threat intel; correlate misconfigs, identity risks, and surface exposure with real threat context; open mobilization tasks with evidence attached and owners assigned.
  • Package threat-informed playbooks, ensure safe runs, capture evidence, and confirm findings are validated-closed — not claimed-closed.
  • Fuse threat intelligence with asset inventory, identity context, cloud posture, and data sensitivity to compute blast radius and generate ranked action packages with clear owners; produce crisp, evidence-backed assessments for engineering and executive audiences.
  • Own CVE triage using EPSS, KEV, and in-the-wild evidence; route prioritized findings with blast radius context, not just severity scores.
  • Map active TTPs to countermeasure coverage; classify what’s deployed, validated, broken, and missing — and route findings accordingly — and serve as the connective tissue between threat landscape and internal operations.

Benefits

  • Medical, Dental, and Vision coverage
  • 401(k) Retirement Plan with a $1 for $1 Company Match up to 5%
  • Paid Parental Leave
  • Associate Assistance Plan
  • Education Assistance Program
  • Up to $30,000 in Adoption Assistance
  • Up to three weeks of vacation annually
  • Holiday, Sick Leave, and Personal Day policies
  • New Hire Referral Bonus Program
  • Home Purchase Discounts