diff --git a/README.md b/README.md index 0cd10f6..5b35327 100644 --- a/README.md +++ b/README.md 
@@ -105,6 +105,26 @@ make plugin | `probeTimeoutMs` | number | `10000` | Per-endpoint dial + handshake timeout. | | `includeAuthProbe` | bool | `true` | Open a second connection to enumerate auth methods. | +## Rules + +| Code | Description | Severity | +|-------------------------------|---------------------------------------------------------------------------------------------------|---------------------| +| `ssh.tcp_reachable` | Verifies that every probed (address, port) pair accepts a TCP connection. | CRITICAL | +| `ssh.handshake` | Verifies that the SSH banner exchange and KEXINIT parse succeed on every reachable endpoint. | CRITICAL | +| `ssh.protocol_version` | Verifies every endpoint advertises SSH-2 and rejects the legacy SSH-1 protocol. | CRITICAL | +| `ssh.banner_software` | Flags servers whose banner is not a recognised OpenSSH build. | INFO | +| `ssh.known_vulnerabilities` | Matches the advertised OpenSSH version against a curated catalog of remotely-observable CVEs. | CRITICAL | +| `ssh.host_key_strength` | Flags SSH host keys whose size is below the currently accepted minimum (e.g. RSA < 2048 bits). | CRITICAL | +| `ssh.kex_algorithms` | Flags key-exchange algorithms advertised by the server that are weak or broken. | CRITICAL | +| `ssh.host_key_algorithms` | Flags server host-key algorithms that are weak or deprecated (ssh-rsa/SHA-1, ssh-dss, ...). | CRITICAL | +| `ssh.cipher_algorithms` | Flags symmetric ciphers advertised by the server that are weak or broken (CBC, 3DES, RC4, ...). | CRITICAL | +| `ssh.mac_algorithms` | Flags MAC algorithms advertised by the server that are weak (SHA-1, non-ETM, ...). | CRITICAL | +| `ssh.strict_kex` | Verifies the server advertises the strict-KEX marker (CVE-2023-48795 Terrapin mitigation). | WARNING | +| `ssh.preauth_compression` | Flags servers that offer pre-authentication zlib compression (prefer zlib@openssh.com). 
| INFO | +| `ssh.auth_methods` | Reviews the advertised authentication methods (password exposure, public-key availability). | WARNING | +| `ssh.sshfp_alignment` | Compares published SSHFP records against the observed host keys (match, missing, mismatch). | CRITICAL | +| `ssh.sshfp_hash` | Flags SSHFP record sets that only publish SHA-1 (type 1) fingerprints instead of SHA-256. | WARNING | + ## Observation key Writes a single observation under `ssh`:
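Review bot: the new Rules table does not say which rules depend on the options documented directly above it, so a reader cannot tell that `ssh.auth_methods` is fed by the second connection opened under `includeAuthProbe` or what that rule reports when the option is `false`; add a short "requires `includeAuthProbe`" note to that row, or a sentence under the `## Rules` heading stating that the rule is skipped. Two smaller points in the same hunk: `ssh.known_vulnerabilities` matches only the advertised OpenSSH version, so a server that trips `ssh.banner_software` (banner not a recognised OpenSSH build) silently gets no CVE coverage, and the table should state that limitation rather than leave it to be inferred from the INFO row; and `ssh.mac_algorithms` puts a deprecated primitive (SHA-1) and a hardening preference (non-ETM) under one CRITICAL severity, whereas the cipher row reserves CRITICAL for choices that are actually weak or broken (CBC, 3DES, RC4), so consider either splitting the non-ETM case into a WARNING or rewording the row so CRITICAL is clearly tied to the SHA-1 case. Finally, the `ssh.preauth_compression` description mixes a recommendation ("prefer zlib@openssh.com") into the Description column while every other row describes only what is flagged; move the recommendation into the rule's own remediation text or drop the parenthetical.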