diff --git a/hack/release.toml b/hack/release.toml
index 121551adc..e6ab88454 100644
--- a/hack/release.toml
+++ b/hack/release.toml
@@ -92,6 +92,7 @@ Talos can be configued to use Kubernetes 1.21 or CAPI v0.4.x components can be u
 description = """\
 * etcd PKI moved to `/system/secrets`
 * kubelet bootstrap CSR auto-signing scoped to kubelet bootstrap tokens only
+* enforce default seccomp profile on all system containers
 """
 
 [notes.equinixmetal]
diff --git a/internal/app/machined/pkg/system/runner/containerd/containerd.go b/internal/app/machined/pkg/system/runner/containerd/containerd.go
index 5cee38f6d..4927db864 100644
--- a/internal/app/machined/pkg/system/runner/containerd/containerd.go
+++ b/internal/app/machined/pkg/system/runner/containerd/containerd.go
@@ -15,6 +15,7 @@ import (
 
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/cio"
+	"github.com/containerd/containerd/contrib/seccomp"
 	"github.com/containerd/containerd/errdefs"
 	"github.com/containerd/containerd/namespaces"
 	"github.com/containerd/containerd/oci"
@@ -275,6 +276,8 @@ func (c *containerdRunner) newOCISpecOpts(image oci.Image) []oci.SpecOpts {
 		oci.WithEnv(c.opts.Env),
 		oci.WithHostHostsFile,
 		oci.WithHostResolvconf,
+		oci.WithNoNewPrivileges,
+		seccomp.WithDefaultProfile(),
 	)
 
 	specOpts = append(specOpts,
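Review bot: `seccomp.WithDefaultProfile()` derives the profile from the capabilities already present in the spec when it runs, so placing it in the fixed option list ahead of the `specOpts = append(specOpts,` that continues past the end of the hunk makes the outcome order-dependent: an option appended later that widens the bounding set gets a profile computed without the syscalls those capabilities need, and a later `oci.WithPrivileged` discards the profile altogether through its seccomp-unconfined step (the rest of newOCISpecOpts is outside the hunk, so whether such options follow is inferred). If later options can carry capability or privileged settings, consider moving the seccomp option to the end of the option chain, and otherwise record the intent next to the two added lines with `// Baseline hardening; options applied afterwards (e.g. privileged) may relax or drop these.`. The release note promises the default profile on all system containers, which only holds if no later option removes it. `oci.WithNoNewPrivileges` also blocks setuid/file-capability escalation inside the container, which is fine as long as none of the system services depends on a setuid helper.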