Platform Operation & Automation 

• Own day-to-day TIP operation: feed health, indicator lifecycle, enrichment pipeline integrity, data quality controls, and distribution to controls — SIEM, XDR, EDR, NGFW, and email; maintain coverage across government, commercial, and open-source feeds. 

• Build and maintain the automation that scales the program: feed collectors via REST and Graph APIs, enrichment chains, scoring pipelines, and indicator lifecycle workflows — production code, not one-off scripts.

• Instrument everything you build: structured logs, run IDs, observable outputs; if it runs in production, it’s monitored and you own it. 

Detection & Exposure Alignment 

• Partner with Detection Engineering on intel-driven analytics rules and hunts; translate threat actor TTPs into detection hypotheses and contribute KQL to coverage against techniques active in your pipeline. 

• Integrate vulnerability management and attack surface findings with active threat intel; correlate misconfigs, identity risks, and surface exposure with real threat context; open mobilization tasks with evidence attached and owners assigned. 

• Package threat-informed playbooks, ensure safe runs, capture evidence, and confirm findings are validated-closed — not claimed-closed. 

Threat-Informed Prioritization & Business Risk Translation 

• Fuse threat intelligence with asset inventory, identity context, cloud posture, and data sensitivity to compute blast radius and generate ranked action packages with clear owners; produce crisp, evidence-backed assessments for engineering and executive audiences. 

• Own CVE triage using EPSS, KEV, and in-the-wild evidence; route prioritized findings with blast radius context, not just severity scores. 

• Map active TTPs to countermeasure coverage; classify what’s deployed, validated, broken, and missing — and route findings accordingly; serve as the connective tissue between threat landscape and internal operations. 

• 5+ years in threat intelligence, security engineering, or a related discipline — with a track record of both producing intelligence and building the tooling that operationalizes it. 

• 3+ years operating a TIP at production maturity: feed collection architecture, enrichment pipelines, indicator lifecycle management, and distribution to security controls. 

• Demonstrated ability to build automation pipelines with schema discipline, observability, and rollback — solid scripts and APIs are the floor; production services are the ceiling. 

• Track record of producing finished intelligence that drove decisions, not just reports that got filed. 

• Background in financial services, real estate, or industries facing wire fraud, BEC, or transaction-based threat vectors is a strong differentiator. 

Technical Depth 

• Python — Production pipeline code: REST and Graph API clients, enrichment chains, JSON Schema validation, auth patterns, pagination, retries, error handling. 

• Pipeline operation — Owns and operates automation workflows end-to-end; comfortable building, debugging, and extending pipelines via CLI and code; not a UI operator. 

• KQL — Writes analytics rules and hunt queries from scratch; understands cloud-native SIEM table schema; can derive detection logic from a TTP description. 

• ATT&CK — Operational fluency; used to scope coverage, write hunt hypotheses, and route findings — not to decorate reports. 

• TIP and feed engineering — Has operated a commercial or custom TIP; has built multi-source collectors and enforced source SLAs at production scale. 

• Exposure platform integration — ASM/CAASM and vulnerability management API integration; scan data enrichment for risk weighting. 

Certifications (Preferred, Not Required) 

• GIAC Cyber Threat Intelligence (GCTI). 

• SC-200 or demonstrated cloud-native SIEM operational depth. 

• OSCP or CRTO is a differentiator. 

• A GitHub portfolio of production pipelines tells us more than any cert. 

WHAT MAKES THIS ROLE DIFFERENT 

This program is built to stay ahead of them, and the analyst in this seat is the one who connects what’s happening in the threat landscape to what Lennar needs to do about it. You’re not filing reports into a queue. You’re building the systems that make the program run, producing the intelligence that drives decisions, and closing risk that would otherwise stay open.