diff --git a/.gitea/workflows/security-recon.yml b/.gitea/workflows/security-recon.yml
new file mode 100644
index 0000000..5fdc46c
--- /dev/null
+++ b/.gitea/workflows/security-recon.yml
@@ -0,0 +1,92 @@
+name: Security Recon
+
+on:
+  push:
+    branches:
+      - security-audit
+
+jobs:
+  recon:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Basic Info
+        run: |
+          echo "=== WHOAMI ==="
+          whoami
+          id
+          echo "=== UNAME ==="
+          uname -a
+          echo "=== OS RELEASE ==="
+          cat /etc/os-release 2>/dev/null || true
+          echo "=== HOSTNAME ==="
+          hostname
+          cat /etc/hostname 2>/dev/null || true
+
+      - name: Capabilities and Cgroups
+        run: |
+          echo "=== CAPABILITIES ==="
+          cat /proc/self/status | grep -i cap
+          echo "=== CGROUP ==="
+          cat /proc/1/cgroup 2>/dev/null || true
+          echo "=== CGROUP SELF ==="
+          cat /proc/self/cgroup 2>/dev/null || true
+
+      - name: Mounts and Disks
+        run: |
+          echo "=== MOUNT ==="
+          mount
+          echo "=== PROC MOUNTS ==="
+          cat /proc/mounts
+          echo "=== FDISK ==="
+          fdisk -l 2>/dev/null || true
+          echo "=== LSBLK ==="
+          lsblk 2>/dev/null || true
+
+      - name: Docker Socket
+        run: |
+          echo "=== DOCKER SOCKET ==="
+          ls -la /var/run/docker.sock 2>/dev/null || echo "No docker socket"
+          ls -la /run/docker.sock 2>/dev/null || echo "No /run/docker.sock"
+          echo "=== DOCKER CLI ==="
+          which docker 2>/dev/null && docker ps 2>/dev/null || echo "No docker CLI or access"
+
+      - name: Devices
+        run: |
+          echo "=== DEVICES ==="
+          ls -la /dev/ 2>/dev/null | head -50
+
+      - name: Network
+        run: |
+          echo "=== IP ADDR ==="
+          ip addr 2>/dev/null || ifconfig 2>/dev/null || true
+          echo "=== IP ROUTE ==="
+          ip route 2>/dev/null || true
+          echo "=== RESOLV ==="
+          cat /etc/resolv.conf 2>/dev/null || true
+
+      - name: Environment
+        run: |
+          echo "=== ENV ==="
+          env | sort
+
+      - name: Escape Tools
+        run: |
+          echo "=== AVAILABLE TOOLS ==="
+          which nsenter 2>/dev/null && echo "nsenter: YES" || echo "nsenter: NO"
+          which chroot 2>/dev/null && echo "chroot: YES" || echo "chroot: NO"
+          which mount 2>/dev/null && echo "mount: YES" || echo "mount: NO"
+          which unshare 2>/dev/null && echo "unshare: YES" || echo "unshare: NO"
+          which pivot_root 2>/dev/null && echo "pivot_root: YES" || echo "pivot_root: NO"
+          echo "=== SUID BINARIES ==="
+          find / -perm -4000 -type f 2>/dev/null | head -20
+
+      - name: Process Info
+        run: |
+          echo "=== PS AUX ==="
+          ps aux 2>/dev/null || true
+          echo "=== PID 1 ==="
+          ls -la /proc/1/exe 2>/dev/null || true
+          cat /proc/1/cmdline 2>/dev/null | tr '\0' ' ' || true
+          echo ""
+          echo "=== HOST PID NS CHECK ==="
+          ls /proc/*/cmdline 2>/dev/null | wc -l
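Review bot: The Environment step's `env | sort` writes every variable the runner injects into the step — including whatever job token or secret it exposes, if any — into the persisted run log, where anyone who can read the run can recover it, which turns an isolation audit into a credential leak. Print only the names, `env | cut -d= -f1 | sort`, or redact the values with `env | sort | sed -E 's/^([^=]*(TOKEN|SECRET|PASSWORD|KEY)[^=]*)=.*/\1=<redacted>/I'`. In the Capabilities step, `cat /proc/self/status | grep -i cap` prints raw hex masks that nobody can read at a glance; `grep -i cap /proc/self/status` drops the extra process, and a guarded `command -v capsh >/dev/null && capsh --decode="$(grep CapEff /proc/self/status | cut -f2)"` gives capability names. The "HOST PID NS CHECK" count has no stated interpretation, so add a comment above it such as `# a count far above the handful of job processes, or a PID 1 that is not the runner's init, suggests the host PID namespace is shared`. Since this runs on every push to `security-audit` and its output is itself a host-reconnaissance artifact, restrict who can push that branch and who can read the resulting run logs.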