Add Capability Map for GooseStrike vs ThreatHunt

This document clarifies the responsibility boundaries between GooseStrike and ThreatHunt, outlining their primary roles, capabilities, control, and risk factors.

governance/CAPABILITY_GAP.md

@@ -0,0 +1,46 @@
+# Capability Map — GooseStrike vs ThreatHunt
+
+This document clarifies responsibility boundaries between applications.
+
+## Primary Orientation
+
+| Area | GooseStrike | ThreatHunt |
+|----|----|----|
+| Primary role | Orchestration & execution | Analysis & investigation |
+| User mindset | "What should we do?" | "What does this data mean?" |
+| Time focus | Forward-looking | Retrospective / iterative |
+
+---
+
+## Capabilities
+
+| Capability | GooseStrike | ThreatHunt |
+|----|----|----|
+| Asset discovery | ✅ | ❌ |
+| Tool execution | ✅ | ❌ |
+| Workflow orchestration | ✅ | ❌ |
+| CSV ingestion | ❌ | ✅ |
+| Data normalization | ⚠️ (light) | ✅ |
+| Deep analysis | ❌ | ✅ |
+| Enrichment (VT, intel) | ❌ | ✅ |
+| Findings generation | ✅ | ✅ |
+| Alerts | ✅ | ⚠️ (derived only) |
+
+---
+
+## Control & Risk
+
+| Area | GooseStrike | ThreatHunt |
+|----|----|----|
+| Executes actions | Yes | No |
+| Requires approvals | Often | No |
+| Multi-tenant isolation | Optional | Mandatory |
+| Safe for junior analysts | Guarded | Yes |
+
+---
+
+## Rule of Thumb
+- **GooseStrike decides and acts**
+- **ThreatHunt analyzes and explains**
+
+Overlap is intentional only at the *Finding* layer.