diff --git a/cluster-resources/network/deny-external-egress-trivy.yaml b/cluster-resources/network/deny-external-egress-trivy.yaml
new file mode 100644
index 0000000..939aa11
--- /dev/null
+++ b/cluster-resources/network/deny-external-egress-trivy.yaml
@@ -0,0 +1,37 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: deny-external-egress
+ namespace: trivy-system
+ labels:
+ app.kubernetes.io/managed-by: argocd
+ app.kubernetes.io/part-of: network-policies
+spec:
+ endpointSelector: {}
+ egress:
+ # Allow DNS resolution
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: kube-system
+ k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ - port: "53"
+ protocol: TCP
+
+ # Allow cluster-internal traffic (RFC1918)
+ - toCIDR:
+ - 10.0.0.0/8
+ - 172.16.0.0/12
+ - 192.168.0.0/16
+
+ # Allow Trivy vulnerability DB downloads (ghcr.io OCI registry)
+ - toFQDNs:
+ - matchName: ghcr.io
+ - matchName: pkg-containers.githubusercontent.com
+ toPorts:
+ - ports:
+ - port: "443"
+ protocol: TCP
diff --git a/infra/base/kustomization.yaml b/infra/base/kustomization.yaml
index bc89ec5..379fcee 100644
--- a/infra/base/kustomization.yaml
+++ b/infra/base/kustomization.yaml
@@ -20,5 +20,4 @@ resources:
 - renovate.yaml
 - tempo.yaml
 - grafana-dashboards.yaml
-- network-policies-application.yaml
 - karpor.yaml
diff --git a/infra/base/network-policies-application.yaml b/infra/base/network-policies-application.yaml
deleted file mode 100644
index 16ae239..0000000
--- a/infra/base/network-policies-application.yaml
+++ /dev/null
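Review bot: The `toCIDR` rule under "Allow cluster-internal traffic (RFC1918)" has no `toPorts`, so every endpoint in trivy-system may reach any port on the entire private address space (node network, peered VPC or on-prem ranges), which is far broader than the comment and the policy name suggest; Cilium's `toEntities: [cluster]` (or a `toEndpoints` selector on the namespaces Trivy actually talks to) expresses "cluster-internal" directly, and as far as I recall `toCIDR` is not evaluated against in-cluster pod identities anyway, so the rule may not even grant what the comment claims. Separately, Cilium derives `toFQDNs` matches from DNS responses it proxies, which requires an L7 `rules: dns:` section on the kube-dns egress rule; without it the ghcr.io allowance is unlikely to ever take effect and the DB downloads would be dropped. Listing the two FQDNs as `matchName` entries in that DNS rule keeps DNS visibility as narrow as the FQDN rule itself. If Trivy must reach private hosts outside the cluster (a private registry, for example), add those as explicit `toCIDR` entries with `toPorts` rather than the full RFC1918 ranges.

```yaml
  egress:
    # Allow DNS resolution and let Cilium observe answers for toFQDNs
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchName: ghcr.io
              - matchName: pkg-containers.githubusercontent.com

    # Allow cluster-internal traffic (pods and nodes of this cluster only)
    - toEntities:
        - cluster

    # … unchanged: toFQDNs rule for ghcr.io / pkg-containers.githubusercontent.com on 443 …
```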
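Review bot: Removing the `network-policies` Application from the base kustomization while it still carries `resources-finalizer.argocd.argoproj.io` and `prune: true` (see the deleted file in the next hunk) will make Argo CD cascade-delete every network policy it currently manages under `cluster-resources/network`, so the cluster loses its existing policies rather than gaining the new one. The new `deny-external-egress-trivy.yaml` added in this commit lives in that same path and is labelled `app.kubernetes.io/managed-by: argocd`, yet no Application visible in this diff remains to apply it. Unless another Application outside this diff already covers `cluster-resources/network`, the replacement Application should land in the same commit (or the finalizer be dropped before the old Application is removed) so there is no window in which the policies are gone.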
@@ -1,33 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
- name: network-policies
- namespace: argocd
- labels:
- app.kubernetes.io/name: network-policies
- app.kubernetes.io/part-of: platform
- app.kubernetes.io/managed-by: argocd
- annotations:
- argocd.argoproj.io/sync-wave: "1"
- finalizers:
- - resources-finalizer.argocd.argoproj.io
-spec:
- project: default
-
- source:
- repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
- targetRevision: HEAD
- path: cluster-resources/network
-
- destination:
- server: https://kubernetes.default.svc
-
- syncPolicy:
- automated:
- prune: true
- selfHeal: true
- allowEmpty: false
-
- syncOptions:
- - Validate=true
- - ServerSideApply=true