Additional Information
We are Lennar
Lennar is one of the nation's leading homebuilders, dedicated to making an impact and creating an extraordinary experience for their Homeowners, Communities, and Associates by building quality homes and providing exceptional customer service, giving back to the communities in which we work and live, and fostering a culture of opportunity and growth for our Associates throughout their career. Lennar has been recognized as a Fortune 500® company and consistently ranked among the top homebuilders in the United States.
Join a Company that Empowers you to Build your Future
Most threat intelligence programs are built around reports nobody reads, and indicator feeds that age out before anyone acts on them. We're building something different.
At Lennar, we're standing up a CTI program designed from the ground up to protect the business workflows that matter most - real estate transactions, wire transfers, closing processes, and the associate populations that threat actors target through wire fraud, data theft, and ransomware. Raw intelligence signals flow through engineered pipelines into controls, detections, and validated risk reduction. We have pipelines in flight and platforms taking shape, but the architecture is still yours to influence. The foundational decisions - TIP selection, feed collection design, enrichment and scoring logic, closed-loop validation - aren't locked in. You'll have real input into how this gets built.
If you've wanted to own the kind of intelligence decisions that most analysts spend a decade waiting for, and you want to make them in a Fortune 100 environment with real resources and a program lead who wants a partner, this is that role.
You're an analyst who builds. You don't wait for someone else to stand up the tooling - you write the code, operate the pipeline, and make the platform work. You translate threat context into business risk and then build the systems that act on it at scale.
This role is not for you if you want to triage alerts and write reports. Your job is to build and operate systems that make that possible, and to make sure the intelligence those systems produce actually reaches controls, drives detections, and closes risk.
A career with purpose.
A career built on making dreams come true.
A career built on building zero defect homes, cost management, and adherence to schedules.
Your Responsibilities on the Team
Platform Operation & Automation
Own day-to-day TIP operation: feed health, indicator lifecycle, enrichment pipeline integrity, data quality controls, and distribution to controls - SIEM, XDR, EDR, NGFW, and email; maintain coverage across government, commercial, and open-source feeds.
Build and maintain the automation that scales the program: feed collectors via REST and Graph APIs, enrichment chains, scoring pipelines, and indicator lifecycle workflows - production code, not one-off scripts.
Instrument everything you build: structured logs, run IDs, observable outputs; if it runs in production, it's monitored and you own it.
Detection & Exposure Alignment
Partner with Detection Engineering on intel-driven analytics rules and hunts; translate threat actor TTPs into detection hypotheses and contribute KQL to coverage against techniques active in your pipeline.
Integrate vulnerability management and attack surface findings with active threat intel; correlate misconfigs, identity risks, and surface exposure with real threat context; open mobilization tasks with evidence attached and owners assigned.
Package threat-informed playbooks, ensure safe runs, capture evidence, and confirm findings are validated-closed - not claimed-closed.
Threat-Informed Prioritization & Business Risk Translation
Fuse threat intelligence with asset inventory, identity context, cloud posture, and data sensitivity to compute blast radius and generate ranked action packages with clear owners; produce crisp, evidence-backed assessments for engineering and executive audiences.
Own CVE triage using EPSS, KEV, and in-the-wild evidence; route prioritized findings with blast radius context, not just severity scores.
Map active TTPs to countermeasure coverage; classify what's deployed, validated, broken, and missing - and route findings accordingly; serve as the connective tissue between threat landscape and internal operations.