diff --git a/services/monitoring/alerttonotify.nix b/services/monitoring/alerttonotify.nix
index f6b3a9f..49cc276 100644
--- a/services/monitoring/alerttonotify.nix
+++ b/services/monitoring/alerttonotify.nix
@@ -19,19 +19,25 @@
 serviceConfig = {
 Type = "exec";
 ExecStart = "${pkgs.alerttonotify}/bin/alerttonotify";
- DynamicUser = "yes";
+ CapabilityBoundingSet = "";
- RestrictAddressFamilies = "AF_INET AF_INET6";
- SystemCallArchitectures = "native";
+ DynamicUser = "yes";
+ LoadCredential = "nats_nkey:/run/secrets/nats_nkey";
 LockPersonality = "yes";
 MemoryDenyWriteExecute = "yes";
 PrivateDevices = "yes";
 PrivateUsers = "yes";
+ ProtectClock = "yes";
 ProtectControlGroups = "yes";
 ProtectHome = "yes";
 ProtectHostname = "yes";
- RestrictNamespace = "yes";
- LoadCredential = "nats_nkey:/run/secrets/nats_nkey";
+ ProtectKernelLogs = "yes";
+ ProtectKernelModules = "yes";
+ RestrictAddressFamilies = "AF_INET AF_INET6";
+ RestrictNamespaces = "yes";
+ RestrictRealtime = "yes";
+ SystemCallArchitectures = "native";
+ SystemCallFilter = "~@privileged";
 };
 };
 }
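Review bot: The new `SystemCallFilter = "~@privileged";` is a deny-list on its own, so every syscall outside that one group remains available to the service. For a network-only daemon, the usual systemd pattern is to start from the allow-list and then subtract, e.g. `SystemCallFilter = [ "@system-service" "~@privileged" ];`. The block also adds `ProtectKernelLogs` and `ProtectKernelModules` but not `ProtectKernelTunables = "yes";`, which would fit the same group. Running `systemd-analyze security` against the unit after deployment would confirm what is still exposed. The unit definition that encloses `serviceConfig` starts outside this hunk.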