diff --git a/README.md b/README.md index 0059ad6..08ca70f 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,7 @@ # Tinker Tickets [![Lint](https://code.lotusguild.org/LotusGuild/tinker_tickets/actions/workflows/lint.yml/badge.svg)](https://code.lotusguild.org/LotusGuild/tinker_tickets/actions?workflow=lint.yml) +[![Security](https://code.lotusguild.org/LotusGuild/tinker_tickets/actions/workflows/security.yml/badge.svg)](https://code.lotusguild.org/LotusGuild/tinker_tickets/actions?workflow=security.yml) A feature-rich PHP-based ticketing system designed for tracking and managing data center infrastructure issues with enterprise-grade workflow management and a retro terminal aesthetic. 
@@ -569,12 +570,13 @@ Key conventions and gotchas for working with this codebase: |---|---|---| | `lint.yml` (php-lint) | phpcs PSR-12 standard | Every push and PR | | `lint.yml` (js-lint) | ESLint on `assets/js/` | Every push and PR | -| `security.yml` | `npm audit --audit-level=high` (not applicable — no runtime npm deps) | — | -| `deploy` job in `lint.yml` | Calls deploy webhooks on CT132 (10.10.10.45): `tinker-deploy` (main) or `tinker-beta-deploy` (development) | Push to `main` or `development`, after both lint jobs pass | +| `security.yml` | semgrep with `p/php` + `p/owasp-top-ten` configs | Every push, PR, and weekly (Monday 6am) | +| `deploy` job in `lint.yml` | Calls deploy webhooks on CT132 (10.10.10.45): `tinker-deploy` (main) or `tinker-beta-deploy` (development); tags deployed commit `deploy-YYYY.MM.DD-N` | Push to `main` or `development`, after both lint jobs pass | +| `notify-failure` job in `lint.yml` | Posts CI failure alert to Matrix via webhook | Push to any branch when lint fails | Branch protection is enabled on `main` — both lint jobs must pass before any PR can merge. -Lint config: `.phpcs.xml` (PSR-12 with project-specific tweaks), `.eslintrc.json` per directory. +Lint config: `.phpcs.xml` (PSR-12 with project-specific tweaks), `.eslintrc.json` (root, browser env). ## License
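Review bot: In the first hunk (the `# Tinker Tickets` badge line), the new Security badge links to `actions/workflows/security.yml`, but this diff touches only README.md, so there is nothing here showing that the `security.yml` workflow exists or has been changed from the old `npm audit` job that the second hunk describes as "not applicable". Please confirm the workflow file is committed in the same change (or already on the target branch); otherwise the badge will render as unknown or 404 and the README will advertise a semgrep scan that is not running.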
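Review bot: In the second hunk, the new `security.yml` row documents semgrep with `p/php` + `p/owasp-top-ten` on every push, PR, and a weekly run, but the unchanged line "Branch protection is enabled on `main` — both lint jobs must pass before any PR can merge" still names only the lint jobs, so a reader cannot tell whether semgrep findings block a merge or are advisory only. Suggest stating that explicitly in either the table row or the branch-protection sentence (for example "semgrep findings are non-blocking; review the workflow run" or "semgrep must pass"), and giving the weekly schedule a timezone, since "Monday 6am" is ambiguous when the runner's cron is in UTC. Two smaller points: the `notify-failure` row should say where the Matrix webhook URL is held (a CI secret, not the repo), and the `.eslintrc.json (root, browser env)` change is a good clarification of the old "per directory" wording.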