diff --git a/charts/sure/CHANGELOG.md b/charts/sure/CHANGELOG.md
index 0d1842c6b..43d9a9498 100644
--- a/charts/sure/CHANGELOG.md
+++ b/charts/sure/CHANGELOG.md
@@ -5,9 +5,10 @@ All notable changes to the Sure Helm chart will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [0.6.9-alpha] - 2026-03-02
+## [0.6.9-alpha] - 2026-03-21
 
 ### Added
+- **Bumped** `pipelock.image.tag` from `0.3.2` to `1.5.0`
 - **Pipelock security proxy** (`pipelock.enabled=true`): Separate Deployment + Service that provides two scanning layers
   - **Forward proxy** (port 8888): Scans outbound HTTPS from Faraday-based clients (e.g. ruby-openai). Auto-injects `HTTPS_PROXY`/`HTTP_PROXY`/`NO_PROXY` env vars into app pods
   - **MCP reverse proxy** (port 8889): Scans inbound MCP traffic for DLP, prompt injection, and tool poisoning. Auto-computes upstream URL via `sure.pipelockUpstream` helper
diff --git a/charts/sure/README.md b/charts/sure/README.md
index bf30f3071..d5a91f6bf 100644
--- a/charts/sure/README.md
+++ b/charts/sure/README.md
@@ -651,7 +651,7 @@ Pipelock is an optional sidecar that scans AI agent traffic for secret exfiltrat
 pipelock:
   enabled: true
   image:
-    tag: "0.3.2"
+    tag: "1.5.0"
   mode: balanced   # strict, balanced, or audit
 ```
 
diff --git a/charts/sure/values.yaml b/charts/sure/values.yaml
index d0635b92f..cc2683769 100644
--- a/charts/sure/values.yaml
+++ b/charts/sure/values.yaml
@@ -488,7 +488,7 @@ pipelock:
   enabled: false
   image:
     repository: ghcr.io/luckypipewrench/pipelock
-    tag: "0.3.2"
+    tag: "1.5.0"
     pullPolicy: IfNotPresent
     imagePullSecrets: []
   replicas: 1
diff --git a/compose.example.ai.yml b/compose.example.ai.yml
index 57f95b30a..ea3f637fe 100644
--- a/compose.example.ai.yml
+++ b/compose.example.ai.yml
@@ -88,7 +88,7 @@ x-rails-env: &rails_env
 
 services:
   pipelock:
-    image: ghcr.io/luckypipewrench/pipelock:latest  # pin to a specific version (e.g., :0.2.7) for production
+    image: ghcr.io/luckypipewrench/pipelock:1.5.0
     container_name: pipelock
     hostname: pipelock
     restart: unless-stopped
diff --git a/docs/hosting/pipelock.md b/docs/hosting/pipelock.md
index 622253999..8f7a51f5c 100644
--- a/docs/hosting/pipelock.md
+++ b/docs/hosting/pipelock.md
@@ -77,7 +77,7 @@ Enable Pipelock in your Helm values:
 pipelock:
   enabled: true
   image:
-    tag: "0.3.2"
+    tag: "1.5.0"
   mode: balanced
 ```