diff --git a/internal/agentdeployer/_static/docker-agent-base.yml.tmpl b/internal/agentdeployer/_static/docker-agent-base.yml.tmpl
index 6cabbb802b..4067306790 100644
--- a/internal/agentdeployer/_static/docker-agent-base.yml.tmpl
+++ b/internal/agentdeployer/_static/docker-agent-base.yml.tmpl
@@ -18,6 +18,8 @@ services:
 - {{ . }}
 {{- end }}
 {{ end }}
+ cap_drop:
+ - ALL
 {{ if .ports }}
 ports:
 {{- range .ports }}
diff --git a/internal/servicedeployer/_static/docker-custom-agent-base.yml b/internal/servicedeployer/_static/docker-custom-agent-base.yml
index 462813f137..8aa5e1a9f7 100644
--- a/internal/servicedeployer/_static/docker-custom-agent-base.yml
+++ b/internal/servicedeployer/_static/docker-custom-agent-base.yml
@@ -6,6 +6,8 @@ services:
 retries: 180
 interval: 1s
 hostname: docker-custom-agent
+ cap_drop:
+ - ALL
 environment:
 - FLEET_ENROLL=1
 - FLEET_URL=https://fleet-server:8220
diff --git a/internal/stack/_static/docker-compose-stack.yml.tmpl b/internal/stack/_static/docker-compose-stack.yml.tmpl
index b1bd50dc99..319e69a899 100644
--- a/internal/stack/_static/docker-compose-stack.yml.tmpl
+++ b/internal/stack/_static/docker-compose-stack.yml.tmpl
@@ -139,6 +139,8 @@ services:
 interval: 5s
 hostname: docker-fleet-agent
 env_file: "./elastic-agent.env"
+ cap_drop:
+ - ALL
 volumes:
 - "../certs/ca-cert.pem:/etc/ssl/certs/elastic-package.pem"
 - type: bind
diff --git a/internal/stack/_static/serverless-docker-compose.yml.tmpl b/internal/stack/_static/serverless-docker-compose.yml.tmpl
index a61f718dc8..47d1e653f1 100644
--- a/internal/stack/_static/serverless-docker-compose.yml.tmpl
+++ b/internal/stack/_static/serverless-docker-compose.yml.tmpl
@@ -9,6 +9,8 @@ services:
 interval: 5s
 hostname: docker-fleet-agent
 env_file: "./elastic-agent.env"
+ cap_drop:
+ - ALL
 volumes:
 - type: bind
 source: ../../../tmp/service_logs/
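Review bot: The new `cap_drop` entry in docker-agent-base.yml.tmpl is rendered unconditionally and has no comment, so a package author whose capability-dependent input stops working gets no hint why or how to restore it. The service definition and the `range` block that closes just above the added lines both start outside the hunk; if that block is not already a `cap_add` list, one is needed, since Compose applies `cap_add` on top of `cap_drop: ALL`. I would put a comment above the entry, e.g. `# Least privilege: drop every capability; re-add only what a package needs via cap_add.` The same two lines are added with no visible override path in docker-custom-agent-base.yml, docker-compose-stack.yml.tmpl and serverless-docker-compose.yml.tmpl.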
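Review bot: In docker-compose-stack.yml.tmpl, dropping every capability also removes CAP_DAC_OVERRIDE from a root process, so the bind mounts declared right below the added lines (`../certs/ca-cert.pem` here, `../../../tmp/service_logs/` in serverless-docker-compose.yml.tmpl) stay readable only if their owner and mode bits permit it for the agent's uid. Which user the agent image runs as is not visible in the diff, so this is a point to verify against the image rather than a line I can quote a fix for. Since the intent is hardening, pairing the drop with `security_opt:` and `- no-new-privileges:true` on the same service would additionally keep setuid binaries in the image from raising privileges. The service mapping continues outside the hunk in both files.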