Mirror of https://github.com/mblanke/Goose-Core.git (synced 2026-03-01 06:10:20 -05:00)
This document clarifies the responsibility boundaries between GooseStrike and ThreatHunt, outlining their primary roles, capabilities, control, and risk factors.
Capability Map — GooseStrike vs ThreatHunt
This document clarifies responsibility boundaries between applications.
Primary Orientation
| Area | GooseStrike | ThreatHunt |
|---|---|---|
| Primary role | Orchestration & execution | Analysis & investigation |
| User mindset | "What should we do?" | "What does this data mean?" |
| Time focus | Forward-looking | Retrospective / iterative |
Capabilities
| Capability | GooseStrike | ThreatHunt |
|---|---|---|
| Asset discovery | ✅ | ❌ |
| Tool execution | ✅ | ❌ |
| Workflow orchestration | ✅ | ❌ |
| CSV ingestion | ❌ | ✅ |
| Data normalization | ⚠️ (light) | ✅ |
| Deep analysis | ❌ | ✅ |
| Enrichment (VT, intel) | ❌ | ✅ |
| Findings generation | ✅ | ✅ |
| Alerts | ✅ | ⚠️ (derived only) |
Control & Risk
| Area | GooseStrike | ThreatHunt |
|---|---|---|
| Executes actions | Yes | No |
| Requires approvals | Often | No |
| Multi-tenant isolation | Optional | Mandatory |
| Safe for junior analysts | Guarded | Yes |
Rule of Thumb
- GooseStrike decides and acts
- ThreatHunt analyzes and explains
Overlap is intentional only at the Finding layer.