diff --git a/modules/deploy/pages/redpanda/manual/production/production-readiness.adoc b/modules/deploy/pages/redpanda/manual/production/production-readiness.adoc index 413ea68305..87b5b8ca19 100644 --- a/modules/deploy/pages/redpanda/manual/production/production-readiness.adoc +++ b/modules/deploy/pages/redpanda/manual/production/production-readiness.adoc @@ -318,6 +318,15 @@ In the logs, verify `enabled: 1`. See also: xref:manage:security/listener-configuration.adoc#multiple-listeners[Multiple listeners] +[NOTE] +==== +You can also use the link:api/doc/admin/operation/operation-get_security_report[`/v1/security/report`] Admin API endpoint to generate a security report for your cluster and verify TLS, authentication, and authorization settings: + +```bash +curl 'http://localhost:9644/v1/security/report' +``` +==== + [[redpanda-tuners]] === Run Redpanda tuners @@ -643,6 +652,11 @@ Review your deployment automation. Specifically, if you need to reprovision a cl Check that your xref:manage:audit-logging.adoc#audit-log-flow[audit logs] are forwarded to an enterprise security information and event management (SIEM) system. +=== Monitor security settings + +Regularly review your cluster's security settings using the link:api/doc/admin/operation/operation-get_security_report[`/v1/security/report`] Admin API endpoint. Investigate and address any issues identified in the alerts section. + +include::manage:partial$security-report.adoc[] == Suggested reading diff --git a/modules/develop/partials/http-proxy.adoc b/modules/develop/partials/http-proxy.adoc index 94481c84c9..a7b99ab98e 100644 --- a/modules/develop/partials/http-proxy.adoc +++ b/modules/develop/partials/http-proxy.adoc 
@@ -952,6 +952,16 @@ ifndef::env-cloud[] For details about configuring OIDC authentication, see xref:manage:security/authentication.adoc#oidc-http[OIDC Authentication]. endif::[] +ifndef::env-cloud[] +== Generate a security report for HTTP Proxy + +Use the link:api/doc/admin/operation/operation-get_security_report[`/v1/security/report`] Admin API endpoint to generate a comprehensive security report for your cluster. This endpoint provides detailed information about TLS configuration, authentication methods, authorization status, and security alerts across all Redpanda interfaces, including HTTP Proxy. + +include::manage:partial$security-report.adoc[] + +endif::[] + + == Use Swagger with HTTP Proxy You can use Swagger UI to test and interact with Redpanda HTTP Proxy endpoints. diff --git a/modules/get-started/pages/release-notes/redpanda.adoc b/modules/get-started/pages/release-notes/redpanda.adoc index 35682ae25e..41a044387c 100644 --- a/modules/get-started/pages/release-notes/redpanda.adoc +++ b/modules/get-started/pages/release-notes/redpanda.adoc 
@@ -41,6 +41,14 @@ Redpanda Schema Registry now supports an import mode that allows you to import e Starting with this release, import mode must be used when importing schemas. Read-write mode no longer allows specifying a schema ID and version when registering a schema. See xref:manage:schema-reg/schema-reg-api.adoc#set-schema-registry-mode[Use the Schema Registry API] for more information. +== Security report + +You can now generate a security report for your Redpanda cluster using the link:api/doc/admin/operation/operation-get_security_report[`/v1/security/report`] Admin API endpoint. The report provides detailed information about TLS configuration, authentication methods, authorization status, and security alerts across all Redpanda interfaces (Kafka, RPC, Admin, Schema Registry, HTTP Proxy). + +== Topic identifiers + +Redpanda v25.3 implements topic identifiers using 16 byte UUIDs as proposed in https://cwiki.apache.org/confluence/display/KAFKA/KIP-516%3A+Topic+Identifiers[KIP-516^]. + == Deprecations Several TLSv1.2 and TLSv1.3 cipher suites have been deprecated. See xref:upgrade:deprecated/index.adoc[Deprecated Features]. diff --git a/modules/manage/pages/cluster-maintenance/compaction-settings.adoc b/modules/manage/pages/cluster-maintenance/compaction-settings.adoc index c9b6f1fcbc..17a8475445 100644 --- a/modules/manage/pages/cluster-maintenance/compaction-settings.adoc +++ b/modules/manage/pages/cluster-maintenance/compaction-settings.adoc 
@@ -154,6 +154,8 @@ If obtaining a complete snapshot of the log, including tombstone records, is imp On the other hand, if more frequent cleanup of tombstones is important for optimizing workloads and space management, consider setting a shorter tombstone retention, for example the typical default of 24 hours (86400000 ms). +Compaction and tombstone removal are coordinated across replicas, preventing inconsistencies and ensuring that deleted records are properly recognized by all readers. As a result, tombstone removal on one replica may be delayed if another replica is stopped or lagging. + == Compaction policy settings The various cleanup policy settings rely on proper tuning of a cluster's compaction and retention policy options. The applicable settings are: diff --git a/modules/manage/pages/schema-reg/schema-reg-api.adoc b/modules/manage/pages/schema-reg/schema-reg-api.adoc index e9e1dd6f1a..16f6a7f3ab 100644 --- a/modules/manage/pages/schema-reg/schema-reg-api.adoc +++ b/modules/manage/pages/schema-reg/schema-reg-api.adoc 
@@ -1176,6 +1176,15 @@ The `serialized` format returns the Protobuf schema in its wire binary format in - For Protobuf, `serialized` and `ignore_extensions` are valid, but only `serialized` is currently supported; passing `ignore_extensions` returns a 501 Not Implemented error. - Cross-schema conditions such as `resolved` with Protobuf or `serialized` with Avro are ignored and the schema is returned in the default format. +ifndef::env-cloud[] +== Generate a security report for Schema Registry + +Use the link:api/doc/admin/operation/operation-get_security_report[`/v1/security/report`] Admin API endpoint to generate a comprehensive security report for your cluster. This endpoint provides detailed information about TLS configuration, authentication methods, authorization status, and security alerts across all Redpanda interfaces, including Schema Registry. + +include::manage:partial$security-report.adoc[] + +endif::[] + == Suggested reading ifndef::env-cloud[] * xref:manage:schema-reg/schema-reg-overview.adoc[] diff --git a/modules/manage/pages/security/index.adoc b/modules/manage/pages/security/index.adoc index d290a6941b..cd5bcd8df7 100644 --- a/modules/manage/pages/security/index.adoc +++ b/modules/manage/pages/security/index.adoc @@ -4,5 +4,6 @@ :page-aliases: security:index.adoc, security:index/index.adoc :page-categories: Management, Security +{description} -NOTE: All concepts described in this section are compatible with Kafka and its client libraries and CLIs. This section does not cover ways you can protect your Redpanda cluster externally; for example, through network ACLs or private networks. +This section does not cover ways you can protect your Redpanda cluster externally; for example, through network ACLs or private networks. diff --git a/modules/manage/pages/use-admin-api.adoc b/modules/manage/pages/use-admin-api.adoc index 2a8d8c1395..8e82068b92 100644 --- a/modules/manage/pages/use-admin-api.adoc +++ b/modules/manage/pages/use-admin-api.adoc 
@@ -40,7 +40,6 @@ The base URL for all requests to the legacy endpoints is: http://:/v1/ ``` -// TODO: Update link if necessary when v2 URLs are finalized For a full list of available endpoints, see the link:/api/doc/admin/v1/[Admin API Reference]. Select "v1" in the version selector to view legacy endpoints. ==== Example request diff --git a/modules/manage/partials/authentication.adoc b/modules/manage/partials/authentication.adoc index 1b7c57edad..34219aede1 100644 --- a/modules/manage/partials/authentication.adoc +++ b/modules/manage/partials/authentication.adoc @@ -1898,3 +1898,11 @@ redpanda: authentication_method: none ---- endif::[] + +== Generate security report + +Use the link:api/doc/admin/operation/operation-get_security_report[`/v1/security/report`] endpoint to generate a comprehensive security report for your cluster. This endpoint provides detailed information about current TLS configuration, authentication methods, authorization status, and security alerts across all Redpanda interfaces (Kafka, RPC, Admin, Schema Registry, HTTP Proxy). + +To generate a security report for your Redpanda cluster, run: + +include::manage:partial$security-report.adoc[] diff --git a/modules/manage/partials/security-report.adoc b/modules/manage/partials/security-report.adoc new file mode 100644 index 0000000000..c42de7a629 --- /dev/null +++ b/modules/manage/partials/security-report.adoc 
@@ -0,0 +1,92 @@ +.Input +[source,bash] +---- +curl 'http://localhost:9644/v1/security/report' +---- + +.View output +[%collapsible] +==== +[source,bash,role=no-copy] +---- +{ + "interfaces": { + "kafka": [ + { + "name": "test_kafka_listener", + "host": "0.0.0.0", + "port": 9092, + "advertised_host": "0.0.0.0", + "advertised_port": 9092, + "tls_enabled": false, + "mutual_tls_enabled": false, + "authentication_method": "None", + "authorization_enabled": false + } + ], + "rpc": { + "host": "0.0.0.0", + "port": 33145, + "advertised_host": "127.0.0.1", + "advertised_port": 33145, + "tls_enabled": false, + "mutual_tls_enabled": false + }, + "admin": [ + { + "name": "test_admin_listener", + "host": "0.0.0.0", + "port": 9644, + "tls_enabled": false, + "mutual_tls_enabled": false, + "authentication_methods": [], + "authorization_enabled": false + } + ] + }, + "alerts": [ + { + "affected_interface": "kafka", + "listener_name": "test_kafka_listener", + "issue": "NO_TLS", + "description": "\"kafka\" interface \"test_kafka_listener\" is not using TLS. This is insecure and not recommended." + }, + { + "affected_interface": "kafka", + "listener_name": "test_kafka_listener", + "issue": "NO_AUTHN", + "description": "\"kafka\" interface \"test_kafka_listener\" is not using authentication. This is insecure and not recommended." + }, + { + "affected_interface": "kafka", + "listener_name": "test_kafka_listener", + "issue": "NO_AUTHZ", + "description": "\"kafka\" interface \"test_kafka_listener\" is not using authorization. This is insecure and not recommended." + }, + { + "affected_interface": "rpc", + "issue": "NO_TLS", + "description": "\"rpc\" interface is not using TLS. This is insecure and not recommended." + }, + { + "affected_interface": "admin", + "listener_name": "test_admin_listener", + "issue": "NO_TLS", + "description": "\"admin\" interface \"test_admin_listener\" is not using TLS. This is insecure and not recommended." 
+ }, + { + "affected_interface": "admin", + "listener_name": "test_admin_listener", + "issue": "NO_AUTHZ", + "description": "\"admin\" interface \"test_admin_listener\" is not using authorization. This is insecure and not recommended." + }, + { + "affected_interface": "admin", + "listener_name": "test_admin_listener", + "issue": "NO_AUTHN", + "description": "\"admin\" interface \"test_admin_listener\" is not using authentication. This is insecure and not recommended." + } + ] +} +---- +==== \ No newline at end of file
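Review bot: In the production-readiness.adoc hunk at `@@ -318,6 +318,15 @@`, the new `[NOTE]` block wraps its curl example in Markdown-style ```` ```bash ```` fences while the rest of the page and the new partial use the AsciiDoc `[source,bash]` / `----` form; switch to the AsciiDoc delimiters. The snippet also duplicates the `.Input` block that `include::manage:partial$security-report.adoc[]` already brings into the same page in the new "Monitor security settings" section, so either replace the fenced snippet with the include or drop it and cross-reference that section. Since this is the production-readiness page, the `http://localhost:9644` example deserves a clause saying that an Admin API listener with TLS and authentication enabled (the state the report's own `NO_TLS` and `NO_AUTHN` alerts push towards) will need `https://` and credentials on the request.

Review bot: In the http-proxy.adoc hunk at `@@ -952,6 +952,16 @@`, the two consecutive blank `+` lines before `== Use Swagger with HTTP Proxy` should be collapsed to one. The intro paragraph ("Use the ... endpoint to generate a comprehensive security report for your cluster. This endpoint provides detailed information about TLS configuration, ...") is repeated almost verbatim in the schema-reg-api.adoc hunk at `@@ -1176,6 +1176,15 @@` and again in the authentication.adoc hunk; moving that sentence into `security-report.adoc` (or a second small partial) would keep the three copies from drifting, and "comprehensive" and "detailed" can be dropped without losing meaning.

Review bot: In the release-notes hunk at `@@ -41,6 +41,14 @@`, "16 byte UUIDs" should be hyphenated as "16-byte UUIDs". The new "Security report" entry would also benefit from an `xref` to one of the pages that now documents the endpoint (for example the new "Generate security report" section in authentication.adoc) rather than only the API reference link, so readers land on the example input and output.

Review bot: In the security/index.adoc hunk at `@@ -4,5 +4,6 @@`, replacing the `NOTE:` with `{description}` plus the trailing sentence silently drops the statement that all concepts in the section are compatible with Kafka and its client libraries and CLIs. If that claim is not carried by the page's `:description:` attribute, it should be kept in the body; if the removal is intentional, the commit message should say so.

Review bot: In the authentication.adoc hunk at `@@ -1898,3 +1898,11 @@`, the heading `== Generate security report` does not match the "Generate a security report for ..." wording used in the http-proxy.adoc and schema-reg-api.adoc hunks; use one form. The lead-in "To generate a security report for your Redpanda cluster, run:" restates the sentence immediately above it and can be removed, since the included partial opens with its own `.Input` block title.

Review bot: In the new file `modules/manage/partials/security-report.adoc`, the output block is JSON but is tagged `[source,bash,role=no-copy]`; change it to `[source,json,role=no-copy]` so it is highlighted correctly. The file also ends without a trailing newline (`\ No newline at end of file`), which should be added. Since the sample output shows every listener failing (`tls_enabled: false`, `authentication_method: "None"`, `authorization_enabled: false`) and lists one alert per failing field, one sentence after the block mapping each alert `issue` value (`NO_TLS`, `NO_AUTHN`, `NO_AUTHZ`) to the listener field it reflects would help readers act on the alerts section the production-readiness page tells them to review.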