diff --git a/README.md b/README.md index f799a52..fc4972c 100644 --- a/README.md +++ b/README.md @@ -4,6 +4,19 @@ Covert channel using Linux TC eBPF. Intercepts TCP packets on a port already in steals matching ones before the application sees them, forwards or executes per the client's instruction. Normal traffic is unaffected. Zero changes to existing services. +--- + +## Intended Use + +**Educational purposes only.** Do not deploy against systems you don't own or have +explicit authorisation to test. + +The core use case this demonstrates: persistence on a firewalled host by piggybacking +on any already-permitted port (e.g. 80/443). Traffic is stolen at TC ingress before +the application sees it and never appears in its logs. + +--- + ``` Mode 1 — Plain TCP Client Server (:80)
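Review bot: The last sentence of the added "Intended Use" section ("Traffic is stolen at TC ingress before the application sees it and never appears in its logs") is written as an absolute, but the lines shown only support it for the application's own logs. Suggest wording it as "never appears in the application's logs". Since the section frames the project as educational, it would also help to add a line on how an administrator can tell that the filter is attached, so the README covers detection as well as the persistence use case. Two smaller points: the section is inserted between the overview paragraph and the mode diagram, which separates the description from the figure that illustrates it, so placing it after the diagram or at the very top would read better. The "explicit authorisation" sentence would also be clearer if it said who is expected to grant that authorisation.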