diff --git a/templates/ssh/Dockerfile b/templates/ssh/Dockerfile
index f9db1ce..9f67c9f 100644
--- a/templates/ssh/Dockerfile
+++ b/templates/ssh/Dockerfile
@@ -16,6 +16,9 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 inotify-tools \
 psmisc \
 iproute2 \
+ iputils-ping \
+ ca-certificates \
+ nmap \
 jq \
 && rm -rf /var/lib/apt/lists/*
diff --git a/tests/test_ssh.py b/tests/test_ssh.py
index 51b88f6..d2f40f0 100644
--- a/tests/test_ssh.py
+++ b/tests/test_ssh.py
@@ -210,6 +210,13 @@ def test_dockerfile_installs_attribution_tools():
 assert pkg in df, f"missing {pkg} in Dockerfile"
+def test_dockerfile_installs_default_recon_tools():
+ df = _dockerfile_text()
+ # Attacker-facing baseline: a lived-in box has these.
+ for pkg in ("iputils-ping", "ca-certificates", "nmap"):
+ assert pkg in df, f"missing {pkg} in Dockerfile"
+
+
 def test_dockerfile_copies_capture_script():
 df = _dockerfile_text()
 # Installed under plausible udev path to hide from casual `ps` inspection.
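Review bot: Adding `nmap` to the package list puts a network scanner inside a container that, judging by the test comment in this commit, an intruder is expected to use, and nothing in this hunk records how its reach is bounded. I would add a comment ahead of the `RUN` instruction, for example `# iputils-ping, ca-certificates, nmap: realism for the decoy; container egress must stay restricted so scans cannot reach real hosts`, and confirm that the network policy for this template enforces it. The three packages are also unpinned, like the rest of the list, so the image contents follow whatever the base image's repositories serve at build time. The `RUN` instruction begins above the hunk, so the start of the install line is not visible here.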
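Review bot: The `pkg in df` check in `test_dockerfile_installs_default_recon_tools` is a substring match on the whole Dockerfile text, so it also passes when a name only occurs inside a longer token (`nmap` inside `nmap-common`, for example). Comparing against whitespace-separated tokens is stricter: `tokens = set(df.replace("\\", " ").split())` followed by `assert pkg in tokens, f"missing {pkg} in Dockerfile"`. The context line above the new test shows the preceding test using the same substring pattern, so the same applies there. The new test also has no docstring; something like `"""Dockerfile installs the tools an intruder expects on a lived-in host."""` would state its intent. `_dockerfile_text` is defined outside the hunk.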