diff --git a/deploy/files/etc/sysctl.d/99-left4me.conf b/deploy/files/etc/sysctl.d/99-left4me.conf
index 0860833..e18daa6 100644
--- a/deploy/files/etc/sysctl.d/99-left4me.conf
+++ b/deploy/files/etc/sysctl.d/99-left4me.conf
@@ -34,3 +34,8 @@ net.core.default_qdisc = fq_codel
 # backups, package fetches, web-app responses) so a long flow does not push
 # the bottleneck queue ahead of game UDP. UDP srcds is unaffected.
 net.ipv4.tcp_congestion_control = bbr
+
+# Block ptrace except from CAP_SYS_PTRACE holders. Belt-and-braces with
+# SystemCallFilter=~@debug + PrivateUsers=true in the gameserver unit.
+# See docs/superpowers/specs/2026-05-15-hardening-defenses-survey.md.
+kernel.yama.ptrace_scope = 2
diff --git a/deploy/tests/test_example_units.py b/deploy/tests/test_example_units.py
index 4a1e606..6a14a92 100644
--- a/deploy/tests/test_example_units.py
+++ b/deploy/tests/test_example_units.py
@@ -194,6 +194,7 @@ def test_sysctl_conf_present_with_perf_settings():
 "net.ipv4.udp_wmem_min = 16384",
 "net.core.default_qdisc = fq_codel",
 "net.ipv4.tcp_congestion_control = bbr",
+ "kernel.yama.ptrace_scope = 2",
 ):
 assert line in text, f"missing {line!r} in 99-left4me.conf"
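Review bot: The comment above the new `kernel.yama.ptrace_scope = 2` line explains the threat it addresses but leaves out two things the next operator will need: the key only exists when the Yama LSM is built in and active, and level 2 makes non-root `strace -p` / `gdb -p` against srcds fail, which is the intended effect but will surprise whoever next debugs the box. I would extend the comment with `# Needs the Yama LSM (CONFIG_SECURITY_YAMA); without it the key is absent and systemd-sysctl should only warn. 2 stays root-revertible at runtime (sysctl -w); 3 would lock it until reboot.` Whether 2 rather than 3 was chosen deliberately to keep debugging possible is not stated in the hunk, so that second sentence is worth confirming with the author. The 99- prefix presumably lets this file win over a distro default such as Ubuntu's 10-ptrace.conf, but that ordering is inferred rather than visible here.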
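Review bot: The added expectation, like the existing ones in the tuple, is verified with `assert line in text`, a plain substring test, so a commented-out `# kernel.yama.ptrace_scope = 2` in 99-left4me.conf would still satisfy it — for a hardening knob that is exactly the regression worth catching. Building a set of non-comment, stripped lines and matching against that keeps the tuple of expected `key = value` strings unchanged and costs only a few lines. The enclosing test function starts above the hunk, so the statement that reads the file into `text` is not visible; the `active` set below belongs immediately after it.

```python
# … unchanged: reading 99-left4me.conf into `text` …
active = {
    stripped
    for stripped in (raw.strip() for raw in text.splitlines())
    if stripped and not stripped.startswith("#")  # a commented-out setting must not count
}
for line in (
    # … unchanged: earlier expected "key = value" entries …
    "kernel.yama.ptrace_scope = 2",
):
    assert line in active, f"missing {line!r} in 99-left4me.conf"
```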