diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index 4582fe94a..befd1fb78 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -51,4 +51,12 @@ spec:
 - containerPort: 9782
 name: metrics
 protocol: TCP
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - All
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 terminationGracePeriodSeconds: 10
diff --git a/internal/resource/statefulset.go b/internal/resource/statefulset.go
index 7deaef8e6..cafc3261d 100644
--- a/internal/resource/statefulset.go
+++ b/internal/resource/statefulset.go
@@ -570,8 +570,12 @@ func (builder *StatefulSetBuilder) podTemplateSpec(previousPodAnnotations map[st
 Spec: corev1.PodSpec{
 TopologySpreadConstraints: builder.defaultTopologySpreadConstraints(),
 SecurityContext: &corev1.PodSecurityContext{
- FSGroup: ptr.To(int64(0)),
- RunAsUser: &rabbitmqUID,
+ FSGroup: ptr.To(int64(0)),
+ RunAsUser: &rabbitmqUID,
+ RunAsNonRoot: ptr.To(bool(true)),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
 },
 ImagePullSecrets: builder.Instance.Spec.ImagePullSecrets,
 TerminationGracePeriodSeconds: builder.Instance.Spec.TerminationGracePeriodSeconds,
@@ -640,6 +644,18 @@ func (builder *StatefulSetBuilder) podTemplateSpec(previousPodAnnotations map[st
 },
 },
 },
+ SecurityContext: &corev1.SecurityContext{
+ AllowPrivilegeEscalation: ptr.To(bool(false)),
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ ReadOnlyRootFilesystem: ptr.To(bool(true)),
+ RunAsNonRoot: ptr.To((bool(true))),
+ Privileged: ptr.To(bool(false)),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 },
 },
 },
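Review bot: The manifest drops capability `All` while the Go side in internal/resource/statefulset.go drops `"ALL"`; the restricted Pod Security Standard documents the value as `ALL`, so I'd change the manifest line to `- ALL` unless the admission check in use is known to accept other spellings. The manager container also omits `readOnlyRootFilesystem: true`, which every operand container in this commit sets; if the manager binary writes nothing outside mounted volumes, adding that one line brings the two hardening profiles into line.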
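Review bot: `RunAsNonRoot: ptr.To((bool(true))),` in the @@ -640 hunk carries a stray extra pair of parentheses, and the `bool(...)` conversions throughout this hunk are redundant since `ptr.To(true)` and `ptr.To(false)` already infer `*bool`; gofmt keeps both, so they need a manual clean-up. The same SecurityContext literal is repeated in setupContainer (the @@ -786 hunk) and three more times in statefulset_test.go, and the two production copies already list their fields in different orders, so a helper such as `func defaultContainerSecurityContext() *corev1.SecurityContext` called from both container builders would keep them from drifting apart. podTemplateSpec starts and ends outside this hunk.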
@@ -786,6 +802,18 @@ func setupContainer(instance *rabbitmqv1beta1.RabbitmqCluster) corev1.Container
 MountPath: "/var/lib/rabbitmq/mnesia/",
 },
 },
+ SecurityContext: &corev1.SecurityContext{
+ AllowPrivilegeEscalation: ptr.To(bool(false)),
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ Privileged: ptr.To(bool(false)),
+ ReadOnlyRootFilesystem: ptr.To(bool(true)),
+ RunAsNonRoot: ptr.To(bool(true)),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }
 if instance.VaultDefaultUserSecretEnabled() {
diff --git a/internal/resource/statefulset_test.go b/internal/resource/statefulset_test.go
index efe68cd38..878b09f98 100644
--- a/internal/resource/statefulset_test.go
+++ b/internal/resource/statefulset_test.go
@@ -1357,8 +1357,12 @@ default_pass = {{ .Data.data.password }}
 rmqUID := int64(999)
 expectedPodSecurityContext := &corev1.PodSecurityContext{
- FSGroup: ptr.To(int64(0)),
- RunAsUser: &rmqUID,
+ FSGroup: ptr.To(int64(0)),
+ RunAsUser: &rmqUID,
+ RunAsNonRoot: ptr.To(bool(true)),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
 }
 Expect(statefulSet.Spec.Template.Spec.SecurityContext).To(Equal(expectedPodSecurityContext))
@@ -1419,6 +1423,18 @@ default_pass = {{ .Data.data.password }}
 SubPath: "default_user.conf",
 },
 }),
+ "SecurityContext": BeEquivalentTo(&corev1.SecurityContext{
+ AllowPrivilegeEscalation: ptr.To(bool(false)),
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ Privileged: ptr.To(bool(false)),
+ ReadOnlyRootFilesystem: ptr.To(bool(true)),
+ RunAsNonRoot: ptr.To(bool(true)),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ }),
 }))
 })
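Review bot: `ReadOnlyRootFilesystem: ptr.To(bool(true))` makes any write by the setup container outside its declared mounts fail at runtime; the hunk shows only the `/var/lib/rabbitmq/mnesia/` mount, and I can't tell from here whether the image writes anywhere else, so this change deserves an end-to-end boot check in addition to the unit tests. The same caveat applies to the rabbitmq container in the @@ -640 hunk. No test in this diff asserts the setup container's SecurityContext, and a short comment above the literal, e.g. `// Hardened defaults aligned with the restricted Pod Security Standard.`, would record why these values are fixed rather than user-configurable. setupContainer continues outside this hunk.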
@@ -1518,6 +1534,35 @@ default_pass = {{ .Data.data.password }}
 })
 })
+ It("sets the container security context", func() {
+ instance.Spec.Resources = &corev1.ResourceRequirements{
+ Requests: corev1.ResourceList{},
+ Limits: corev1.ResourceList{},
+ }
+
+ builder = &resource.RabbitmqResourceBuilder{
+ Instance: &instance,
+ Scheme: scheme,
+ }
+
+ stsBuilder := builder.StatefulSet()
+ Expect(stsBuilder.Update(statefulSet)).To(Succeed())
+
+ container := extractContainer(statefulSet.Spec.Template.Spec.Containers, "rabbitmq")
+ Expect(container.SecurityContext).To(BeEquivalentTo(&corev1.SecurityContext{
+ AllowPrivilegeEscalation: ptr.To(bool(false)),
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ Privileged: ptr.To(bool(false)),
+ ReadOnlyRootFilesystem: ptr.To(bool(true)),
+ RunAsNonRoot: ptr.To(bool(true)),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ }))
+ })
+
 It("sets the replica count of the StatefulSet to the instance value", func() {
 instance.Spec.Replicas = ptr.To(int32(3))
 builder = &resource.RabbitmqResourceBuilder{
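Review bot: The `instance.Spec.Resources = &corev1.ResourceRequirements{...}` setup at the top of the new It block has no bearing on the SecurityContext assertion and looks copied from a neighbouring test; dropping those four lines leaves the test stating only what it needs. The assertion covers only the `rabbitmq` container, while the setup container built by setupContainer receives the same hardened SecurityContext in this commit without a corresponding check; a sibling assertion over `statefulSet.Spec.Template.Spec.InitContainers` would close that gap, assuming that is where the setup container is placed.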