mirror of
https://github.com/mblanke/Goose-Core.git
synced 2026-03-01 06:10:20 -05:00
This document clarifies the responsibility boundaries between GooseStrike and ThreatHunt, outlining their primary roles, capabilities, control, and risk factors.
47 lines
1.2 KiB
Markdown
# Capability Map — GooseStrike vs ThreatHunt

This document clarifies responsibility boundaries between applications.

## Primary Orientation

| Area | GooseStrike | ThreatHunt |
|----|----|----|
| Primary role | Orchestration & execution | Analysis & investigation |
| User mindset | "What should we do?" | "What does this data mean?" |
| Time focus | Forward-looking | Retrospective / iterative |

---

## Capabilities

| Capability | GooseStrike | ThreatHunt |
|----|----|----|
| Asset discovery | ✅ | ❌ |
| Tool execution | ✅ | ❌ |
| Workflow orchestration | ✅ | ❌ |
| CSV ingestion | ❌ | ✅ |
| Data normalization | ⚠️ (light) | ✅ |
| Deep analysis | ❌ | ✅ |
| Enrichment (VT, intel) | ❌ | ✅ |
| Findings generation | ✅ | ✅ |
| Alerts | ✅ | ⚠️ (derived only) |

---

## Control & Risk

| Area | GooseStrike | ThreatHunt |
|----|----|----|
| Executes actions | Yes | No |
| Requires approvals | Often | No |
| Multi-tenant isolation | Optional | Mandatory |
| Safe for junior analysts | Guarded | Yes |

---

## Rule of Thumb

- **GooseStrike decides and acts**
- **ThreatHunt analyzes and explains**

Overlap is intentional only at the *Finding* layer.