diff --git a/hack/lib/tilt/concierge.Dockerfile b/hack/lib/tilt/concierge.Dockerfile
index b24a10b5..ea4d5959 100644
--- a/hack/lib/tilt/concierge.Dockerfile
+++ b/hack/lib/tilt/concierge.Dockerfile
@@ -10,5 +10,8 @@ COPY build/pinniped-concierge /usr/local/bin/pinniped-concierge
 # Document the port
 EXPOSE 8443
 
+# Run as non-root for security posture
+USER 1001:1001
+
 # Set the entrypoint
 ENTRYPOINT ["/usr/local/bin/pinniped-concierge"]
diff --git a/hack/lib/tilt/local-user-authenticator.Dockerfile b/hack/lib/tilt/local-user-authenticator.Dockerfile
index 5f0d314c..0dd1523c 100644
--- a/hack/lib/tilt/local-user-authenticator.Dockerfile
+++ b/hack/lib/tilt/local-user-authenticator.Dockerfile
@@ -10,5 +10,8 @@ COPY build/local-user-authenticator /usr/local/bin/local-user-authenticator
 # Document the port
 EXPOSE 8443
 
+# Run as non-root for security posture
+USER 1001:1001
+
 # Set the entrypoint
 ENTRYPOINT ["/usr/local/bin/local-user-authenticator"]
diff --git a/hack/lib/tilt/supervisor.Dockerfile b/hack/lib/tilt/supervisor.Dockerfile
index 6a18da00..a62772e1 100644
--- a/hack/lib/tilt/supervisor.Dockerfile
+++ b/hack/lib/tilt/supervisor.Dockerfile
@@ -8,7 +8,10 @@ FROM debian:10.5-slim
 COPY build/pinniped-supervisor /usr/local/bin/pinniped-supervisor
 
 # Document the port
-EXPOSE 8443
+EXPOSE 8080 8443
+
+# Run as non-root for security posture
+USER 1001:1001
 
 # Set the entrypoint
 ENTRYPOINT ["/usr/local/bin/pinniped-concierge"]
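Review bot: The `USER 1001:1001` added before `ENTRYPOINT` only sets the image's default user, and nothing in this diff makes the cluster enforce it. The same applies to the identical lines in local-user-authenticator.Dockerfile and supervisor.Dockerfile. A pod spec can still override the user, so the deployment manifests (not part of this diff) should pair it with `securityContext.runAsNonRoot: true` and `runAsUser: 1001`. The numeric form is the right choice, because the kubelet cannot verify `runAsNonRoot` against a named user; I would say so in the comment, e.g. `# Run as an unprivileged numeric UID:GID so runAsNonRoot can be verified by the kubelet`. UID 1001 presumably has no passwd entry or home directory in the Debian slim base, and the copied binary stays root-owned, so confirm that the build output is world-executable and that the process needs no writable path other than `/tmp`.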
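Review bot: The comment above `EXPOSE 8080 8443` in supervisor.Dockerfile still reads `# Document the port` and does not say which listener speaks which protocol. If 8080 is a plaintext HTTP listener, as the number suggests (not confirmed by this diff), that deserves an explicit note, because authentication traffic should only reach it through something that terminates TLS in front of it. I would change the comment to something like `# Document the ports: 8080 (HTTP, assumed; keep behind TLS termination) and 8443 (HTTPS)`, corrected to match what the binary actually serves. Both ports are above 1024, so the `USER 1001:1001` added in the same hunk can bind them without extra capabilities.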