diff --git a/ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml b/ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml
index 19787405d8bf7..a8631e2b4686f 100644
--- a/ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml
+++ b/ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml
@@ -3,6 +3,10 @@ base_images:
     name: "5.0"
     namespace: ocp
     tag: base-rhel9
+  hypershift-operator:
+    name: hypershift-operator
+    namespace: hypershift
+    tag: latest
   ocp_builder_rhel-9-golang-1.25-openshift-4.22:
     name: builder
     namespace: ocp
@@ -129,6 +133,21 @@ tests:
     test:
     - ref: tls-scanner-run
     workflow: openshift-e2e-aws-ovn-tls-13
+- as: periodic-hypershift-tls
+  interval: 72h
+  reporter_config:
+    channel: '#forum-case'
+    job_states_to_report:
+    - success
+    - failure
+    - error
+    report_template: '{{if eq .Status.State "success"}} :white_check_mark: Job *{{.Spec.Job}}*
+      ended with *{{.Status.State}}*. <{{.Status.URL}}|View logs> {{else}} :warning:
+      Job *{{.Spec.Job}}* ended with *{{.Status.State}}*. <{{.Status.URL}}|View logs>
+      {{end}}'
+  steps:
+    cluster_profile: hypershift-aws
+    workflow: tls-scanner-hypershift-aws
 zz_generated_metadata:
   branch: main
   org: openshift
diff --git a/ci-operator/jobs/openshift/tls-scanner/openshift-tls-scanner-main-periodics.yaml b/ci-operator/jobs/openshift/tls-scanner/openshift-tls-scanner-main-periodics.yaml
index 1280d69642045..1011db130462a 100644
--- a/ci-operator/jobs/openshift/tls-scanner/openshift-tls-scanner-main-periodics.yaml
+++ b/ci-operator/jobs/openshift/tls-scanner/openshift-tls-scanner-main-periodics.yaml
@@ -93,6 +93,100 @@ periodics:
     - name: result-aggregator
       secret:
         secretName: result-aggregator
+- agent: kubernetes
+  cluster: build03
+  decorate: true
+  decoration_config:
+    sparse_checkout_files:
+    - Dockerfile
+  extra_refs:
+  - base_ref: main
+    org: openshift
+    repo: tls-scanner
+    sparse_checkout_files:
+    - Dockerfile
+  interval: 72h
+  labels:
+    ci-operator.openshift.io/cloud: hypershift-aws
+    ci-operator.openshift.io/cloud-cluster-profile: hypershift-aws
+    ci.openshift.io/generator: prowgen
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  name: periodic-ci-openshift-tls-scanner-main-periodic-hypershift-tls
+  reporter_config:
+    slack:
+      channel: '#forum-case'
+      job_states_to_report:
+      - success
+      - failure
+      - error
+      report_template: '{{if eq .Status.State "success"}} :white_check_mark: Job *{{.Spec.Job}}*
+        ended with *{{.Status.State}}*. <{{.Status.URL}}|View logs> {{else}} :warning:
+        Job *{{.Spec.Job}}* ended with *{{.Status.State}}*. <{{.Status.URL}}|View
+        logs> {{end}}'
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --lease-server-credentials-file=/etc/boskos/credentials
+      - --report-credentials-file=/etc/report/credentials
+      - --secret-dir=/secrets/ci-pull-credentials
+      - --target=periodic-hypershift-tls
+      command:
+      - ci-operator
+      env:
+      - name: HTTP_SERVER_IP
+        valueFrom:
+          fieldRef:
+            fieldPath: status.podIP
+      image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+      imagePullPolicy: Always
+      name: ""
+      ports:
+      - containerPort: 8080
+        name: http
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /etc/boskos
+        name: boskos
+        readOnly: true
+      - mountPath: /secrets/ci-pull-credentials
+        name: ci-pull-credentials
+        readOnly: true
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /secrets/manifest-tool
+        name: manifest-tool-local-pusher
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: boskos
+      secret:
+        items:
+        - key: credentials
+          path: credentials
+        secretName: boskos-credentials
+    - name: ci-pull-credentials
+      secret:
+        secretName: ci-pull-credentials
+    - name: manifest-tool-local-pusher
+      secret:
+        secretName: manifest-tool-local-pusher
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator
 - agent: kubernetes
   cluster: build03
   decorate: true
diff --git a/ci-operator/step-registry/hypershift/modern-tls/OWNERS b/ci-operator/step-registry/hypershift/modern-tls/OWNERS
new file mode 100644
index 0000000000000..6364a26c9f53a
--- /dev/null
+++ b/ci-operator/step-registry/hypershift/modern-tls/OWNERS
@@ -0,0 +1,4 @@
+approvers:
+- gangwgr
+reviewers:
+- gangwgr
diff --git a/ci-operator/step-registry/hypershift/modern-tls/hypershift-modern-tls-commands.sh b/ci-operator/step-registry/hypershift/modern-tls/hypershift-modern-tls-commands.sh
new file mode 100755
index 0000000000000..af80d03dd983d
--- /dev/null
+++ b/ci-operator/step-registry/hypershift/modern-tls/hypershift-modern-tls-commands.sh
@@ -0,0 +1,114 @@
+#!/bin/bash
+set -euo pipefail
+
+echo "Configuring Modern TLS Security Profile for HyperShift cluster..."
+
+export KUBECONFIG=${SHARED_DIR}/kubeconfig
+
+if [[ -f "${SHARED_DIR}/cluster-name" ]]; then
+  HOSTED_CLUSTER_NAME="$(<"${SHARED_DIR}/cluster-name")"
+  HOSTED_CLUSTER_NAMESPACE="clusters"
+else
+  HOSTED_CLUSTER_NAME=$(oc get hostedcluster -A -o jsonpath='{.items[0].metadata.name}')
+  HOSTED_CLUSTER_NAMESPACE=$(oc get hostedcluster -A -o jsonpath='{.items[0].metadata.namespace}')
+fi
+
+if [[ -z "${HOSTED_CLUSTER_NAME}" ]]; then
+  echo "Error: Could not find HostedCluster"
+  exit 1
+fi
+
+HCP_NAMESPACE=$(oc get hostedcontrolplane -A -o jsonpath="{.items[?(@.metadata.name==\"${HOSTED_CLUSTER_NAME}\")].metadata.namespace}" 2>/dev/null || true)
+if [[ -z "${HCP_NAMESPACE}" ]]; then
+  HCP_NAMESPACE="clusters-${HOSTED_CLUSTER_NAME}"
+fi
+
+echo "Found HostedCluster: ${HOSTED_CLUSTER_NAME} in namespace ${HOSTED_CLUSTER_NAMESPACE}"
+echo "Hosted control plane namespace: ${HCP_NAMESPACE}"
+
+kas_generation="$(oc get deployment -n "${HCP_NAMESPACE}" kube-apiserver -o jsonpath='{.metadata.generation}')"
+
+echo "Applying Modern TLS Security Profile to HostedCluster..."
+oc patch hostedcluster -n "${HOSTED_CLUSTER_NAMESPACE}" "${HOSTED_CLUSTER_NAME}" --type=merge -p '{
+  "spec": {
+    "configuration": {
+      "apiServer": {
+        "tlsSecurityProfile": {
+          "type": "Modern",
+          "modern": {}
+        }
+      }
+    }
+  }
+}'
+
+hc_tls_profile=$(oc get hostedcluster -n "${HOSTED_CLUSTER_NAMESPACE}" "${HOSTED_CLUSTER_NAME}" -o jsonpath='{.spec.configuration.apiServer.tlsSecurityProfile.type}')
+if [[ "${hc_tls_profile}" != "Modern" ]]; then
+  echo "Error: HostedCluster TLS Security Profile is '${hc_tls_profile}', expected 'Modern'"
+  exit 1
+fi
+echo "✓ HostedCluster spec.configuration.apiServer.tlsSecurityProfile.type is Modern"
+
+echo "Waiting for kube-apiserver to reconcile the TLS profile..."
+rollout_deadline=$((SECONDS + 300))
+while (( SECONDS < rollout_deadline )); do
+  current_generation="$(oc get deployment -n "${HCP_NAMESPACE}" kube-apiserver -o jsonpath='{.metadata.generation}')"
+  if (( current_generation > kas_generation )); then
+    echo "kube-apiserver generation changed (${kas_generation} -> ${current_generation}), waiting for rollout..."
+    oc rollout status deployment -n "${HCP_NAMESPACE}" kube-apiserver --timeout=15m
+    break
+  fi
+  sleep 15
+done
+if (( SECONDS >= rollout_deadline )); then
+  echo "kube-apiserver generation unchanged after 5m; continuing with TLS verification"
+fi
+
+verify_modern_tls_endpoint() {
+  local api_server api_host api_port
+
+  api_server="$(oc whoami --show-server)"
+  api_host="${api_server#https://}"
+  api_host="${api_host%:*}"
+  api_port="${api_server##*:}"
+
+  echo "Verifying Modern TLS profile on API server endpoint ${api_host}:${api_port}..."
+  if ! echo | openssl s_client -connect "${api_host}:${api_port}" -tls1_3 -servername "${api_host}" 2>/dev/null | grep -qE 'Protocol.*TLSv1\.3'; then
+    echo "Error: API server does not negotiate TLS 1.3"
+    return 1
+  fi
+  if echo | openssl s_client -connect "${api_host}:${api_port}" -tls1_2 -servername "${api_host}" 2>/dev/null | grep -qE 'Protocol.*TLSv1\.2'; then
+    echo "Error: API server still negotiates TLS 1.2 (expected Modern profile)"
+    return 1
+  fi
+  echo "✓ API server endpoint enforces Modern TLS (TLS 1.3 only)"
+}
+
+export KUBECONFIG=${SHARED_DIR}/nested_kubeconfig
+
+echo "Waiting for guest cluster APIServer to reflect Modern TLS profile..."
+for i in {1..40}; do
+  tls_profile=$(oc get apiserver/cluster -o jsonpath='{.spec.tlsSecurityProfile.type}' 2>/dev/null || echo "")
+  if [[ "$tls_profile" == "Modern" ]]; then
+    echo "✓ Guest cluster APIServer tlsSecurityProfile.type is Modern"
+    echo "✓ Modern TLS Security Profile successfully applied"
+    exit 0
+  fi
+  if verify_modern_tls_endpoint; then
+    echo "Guest cluster APIServer tlsSecurityProfile.type is '${tls_profile}' (HyperShift may not mirror this field)"
+    echo "✓ Modern TLS Security Profile successfully applied"
+    exit 0
+  fi
+  echo "Waiting for Modern TLS profile to propagate (attempt $i/40)..."
+  sleep 15
+done
+
+tls_profile=$(oc get apiserver/cluster -o jsonpath='{.spec.tlsSecurityProfile.type}' 2>/dev/null || echo "NotFound")
+if [[ "$tls_profile" == "Modern" ]]; then
+  echo "✓ Modern TLS Security Profile successfully applied"
+  exit 0
+fi
+
+echo "Guest cluster APIServer tlsSecurityProfile.type is '${tls_profile}'"
+verify_modern_tls_endpoint
+echo "✓ Modern TLS Security Profile successfully applied"
diff --git a/ci-operator/step-registry/hypershift/modern-tls/hypershift-modern-tls-ref.metadata.json b/ci-operator/step-registry/hypershift/modern-tls/hypershift-modern-tls-ref.metadata.json
new file mode 100644
index 0000000000000..9d45ebb49d983
--- /dev/null
+++ b/ci-operator/step-registry/hypershift/modern-tls/hypershift-modern-tls-ref.metadata.json
@@ -0,0 +1,11 @@
+{
+	"path": "hypershift/modern-tls/hypershift-modern-tls-ref.yaml",
+	"owners": {
+		"approvers": [
+			"gangwgr"
+		],
+		"reviewers": [
+			"gangwgr"
+		]
+	}
+}
\ No newline at end of file
diff --git a/ci-operator/step-registry/hypershift/modern-tls/hypershift-modern-tls-ref.yaml b/ci-operator/step-registry/hypershift/modern-tls/hypershift-modern-tls-ref.yaml
new file mode 100644
index 0000000000000..919a4eefcac4c
--- /dev/null
+++ b/ci-operator/step-registry/hypershift/modern-tls/hypershift-modern-tls-ref.yaml
@@ -0,0 +1,23 @@
+ref:
+  as: hypershift-modern-tls
+  from_image:
+    namespace: ocp
+    name: "5.0"
+    tag: cli
+  commands: hypershift-modern-tls-commands.sh
+  resources:
+    requests:
+      cpu: 100m
+      memory: 200Mi
+  documentation: |-
+    Configures Modern TLS Security Profile on a HyperShift hosted cluster.
+
+    This step patches the HostedCluster CR to enable Modern TLS profile, which
+    enforces TLS 1.3 for all API server connections. It waits for the hosted
+    control plane kube-apiserver to roll out on the management cluster, then
+    verifies the profile on the guest APIServer object or via a TLS 1.3 endpoint
+    probe when HyperShift does not mirror the field into the guest cluster.
+
+    Note: Due to current HyperShift limitations, the Modern TLS profile may not
+    propagate to etcd and some other control plane components. This is a known
+    issue being tracked upstream.
diff --git a/ci-operator/step-registry/tls/scanner/hypershift-aws/OWNERS b/ci-operator/step-registry/tls/scanner/hypershift-aws/OWNERS
new file mode 100644
index 0000000000000..8d50643e36ca1
--- /dev/null
+++ b/ci-operator/step-registry/tls/scanner/hypershift-aws/OWNERS
@@ -0,0 +1,8 @@
+approvers:
+  - richardsonnick
+  - rhmdnd
+  - smith-xyz
+reviewers:
+  - richardsonnick
+  - rhmdnd
+  - smith-xyz
diff --git a/ci-operator/step-registry/tls/scanner/hypershift-aws/tls-scanner-hypershift-aws-workflow.metadata.json b/ci-operator/step-registry/tls/scanner/hypershift-aws/tls-scanner-hypershift-aws-workflow.metadata.json
new file mode 100644
index 0000000000000..2debde89f7586
--- /dev/null
+++ b/ci-operator/step-registry/tls/scanner/hypershift-aws/tls-scanner-hypershift-aws-workflow.metadata.json
@@ -0,0 +1,15 @@
+{
+	"path": "tls/scanner/hypershift-aws/tls-scanner-hypershift-aws-workflow.yaml",
+	"owners": {
+		"approvers": [
+			"richardsonnick",
+			"rhmdnd",
+			"smith-xyz"
+		],
+		"reviewers": [
+			"richardsonnick",
+			"rhmdnd",
+			"smith-xyz"
+		]
+	}
+}
\ No newline at end of file
diff --git a/ci-operator/step-registry/tls/scanner/hypershift-aws/tls-scanner-hypershift-aws-workflow.yaml b/ci-operator/step-registry/tls/scanner/hypershift-aws/tls-scanner-hypershift-aws-workflow.yaml
new file mode 100644
index 0000000000000..555210716e1b0
--- /dev/null
+++ b/ci-operator/step-registry/tls/scanner/hypershift-aws/tls-scanner-hypershift-aws-workflow.yaml
@@ -0,0 +1,29 @@
+workflow:
+  as: tls-scanner-hypershift-aws
+  documentation: |-
+    The HyperShift AWS TLS scanner workflow provisions an ephemeral HyperShift
+    hosted cluster with Modern TLS Security Profile enabled and runs the TLS
+    scanner against both clusters involved in hosted control planes.
+
+    HyperShift uses two clusters:
+    - Management cluster: hosts the hosted control plane pods (kube-apiserver,
+      etcd, oauth-openshift) in the clusters-<name> namespace on a shared cluster
+    - Guest (hosted) cluster: the actual OpenShift cluster with worker nodes and
+      no in-cluster control plane pods
+
+    The workflow configures Modern TLS (TLS 1.3) on the hosted cluster and scans
+    TLS endpoints in both the management control plane and the guest cluster.
+
+    The management cluster is hosted in the `osd-hypershift` AWS account and
+    destroyed after the scan completes.
+  steps:
+    pre:
+    - ref: ipi-install-rbac
+    - chain: hypershift-setup-root-management-cluster
+    - chain: hypershift-aws-create
+    - ref: hypershift-modern-tls
+    test:
+    - ref: tls-scanner-hypershift-run
+    post:
+    - chain: hypershift-dump
+    - chain: hypershift-aws-destroy
diff --git a/ci-operator/step-registry/tls/scanner/hypershift-run/OWNERS b/ci-operator/step-registry/tls/scanner/hypershift-run/OWNERS
new file mode 100644
index 0000000000000..8d50643e36ca1
--- /dev/null
+++ b/ci-operator/step-registry/tls/scanner/hypershift-run/OWNERS
@@ -0,0 +1,8 @@
+approvers:
+  - richardsonnick
+  - rhmdnd
+  - smith-xyz
+reviewers:
+  - richardsonnick
+  - rhmdnd
+  - smith-xyz
diff --git a/ci-operator/step-registry/tls/scanner/hypershift-run/tls-scanner-hypershift-run-commands.sh b/ci-operator/step-registry/tls/scanner/hypershift-run/tls-scanner-hypershift-run-commands.sh
new file mode 120000
index 0000000000000..13743a4edb908
--- /dev/null
+++ b/ci-operator/step-registry/tls/scanner/hypershift-run/tls-scanner-hypershift-run-commands.sh
@@ -0,0 +1 @@
+../run/tls-scanner-run-commands.sh
\ No newline at end of file
diff --git a/ci-operator/step-registry/tls/scanner/hypershift-run/tls-scanner-hypershift-run-ref.metadata.json b/ci-operator/step-registry/tls/scanner/hypershift-run/tls-scanner-hypershift-run-ref.metadata.json
new file mode 100644
index 0000000000000..c9c30a9a696df
--- /dev/null
+++ b/ci-operator/step-registry/tls/scanner/hypershift-run/tls-scanner-hypershift-run-ref.metadata.json
@@ -0,0 +1,15 @@
+{
+	"path": "tls/scanner/hypershift-run/tls-scanner-hypershift-run-ref.yaml",
+	"owners": {
+		"approvers": [
+			"richardsonnick",
+			"rhmdnd",
+			"smith-xyz"
+		],
+		"reviewers": [
+			"richardsonnick",
+			"rhmdnd",
+			"smith-xyz"
+		]
+	}
+}
\ No newline at end of file
diff --git a/ci-operator/step-registry/tls/scanner/hypershift-run/tls-scanner-hypershift-run-ref.yaml b/ci-operator/step-registry/tls/scanner/hypershift-run/tls-scanner-hypershift-run-ref.yaml
new file mode 100644
index 0000000000000..962465de31798
--- /dev/null
+++ b/ci-operator/step-registry/tls/scanner/hypershift-run/tls-scanner-hypershift-run-ref.yaml
@@ -0,0 +1,70 @@
+ref:
+  as: tls-scanner-hypershift-run
+  from: cli
+  cli: latest
+  commands: tls-scanner-hypershift-run-commands.sh
+  env:
+  - name: TLS_SCANNER_RUN_HYPERSHIFT
+    default: "true"
+    documentation: |-
+      When true, run TLS scans against both HyperShift management and guest
+      clusters in a single step.
+  - name: SCAN_NAMESPACE
+    default: ""
+    documentation: "Comma-separated list of namespaces to scan. Empty means scan all namespaces."
+  - name: PQC_CHECK
+    default: "false"
+    documentation: "Set to 'true' to check post-quantum cryptography readiness (scanner will only check TLS 1.3 and mlkem/mlkem25519 support)."
+  - name: SCAN_LIMIT_IPS
+    default: ""
+    documentation: "Max IPs to scan (empty/0 = no limit). Bounds actual TLS scans after full endpoint discovery."
+  - name: SCANNER_CPU
+    default: "4"
+    documentation: "CPU request/limit for the scanner pod on the management cluster."
+  - name: SCANNER_MEMORY
+    default: "4Gi"
+    documentation: "Memory request/limit for the scanner pod on the management cluster."
+  - name: SCANNER_CPU_GUEST
+    default: "1"
+    documentation: |-
+      CPU request/limit for the scanner pod on the guest cluster. Defaults to 1
+      because HyperShift guest workers (e.g. m5.xlarge) cannot schedule a 4 CPU
+      Guaranteed pod.
+  - name: SCANNER_MEMORY_GUEST
+    default: "2Gi"
+    documentation: "Memory request/limit for the scanner pod on the guest cluster."
+  - name: TLS_PROFILE_TYPE
+    default: "Modern"
+    documentation: |-
+      Expected TLS profile for compliance checks on HyperShift clusters. The
+      hosted cluster APIServer CR and shared management cluster APIServer CR do
+      not reflect the HostedCluster Modern TLS configuration, so the scanner
+      uses this value instead of querying the API.
+  dependencies:
+  - env: RELEASE_IMAGE_LATEST
+    name: release:latest
+  - env: OPENSHIFT_UPGRADE_RELEASE_IMAGE_OVERRIDE
+    name: release:latest
+  - env: OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE
+    name: release:latest
+  - env: PULL_SPEC_TLS_SCANNER_TOOL
+    name: tls-scanner-tool
+  resources:
+    requests:
+      cpu: 100m
+      memory: 200Mi
+  timeout: 8h0m0s
+  grace_period: 5m0s
+  documentation: |-
+    Runs the TLS scanner against both HyperShift clusters.
+
+    HyperShift jobs involve two distinct clusters:
+    - management: shared cluster hosting the hosted control plane pods
+      (kube-apiserver, etcd, oauth-openshift in clusters-<name>)
+    - guest: the hosted cluster with worker nodes and no in-cluster control plane
+
+    Each scan writes artifacts under tls-scanner/<label>/ and publishes separate
+    JUnit files (junit_tls_scan_management.xml and junit_tls_scan_guest.xml).
+
+    TLS_PROFILE_TYPE defaults to Modern because HyperShift does not mirror the
+    effective TLS profile into APIServer/cluster on the guest or management cluster.
diff --git a/ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh b/ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh
index dd533c36133d1..e764315ad981b 100644
--- a/ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh
+++ b/ci-operator/step-registry/tls/scanner/run/tls-scanner-run-commands.sh
@@ -3,68 +3,168 @@ set -o nounset
 set -o errexit
 set -o pipefail
 
-# TLS Scanner - scans TLS configurations of all pods in the cluster
-NAMESPACE="tls-scanner"
-SCANNER_IMAGE="${PULL_SPEC_TLS_SCANNER_TOOL}"
-ARTIFACT_DIR="${ARTIFACT_DIR:-/tmp/artifacts}"
-SCANNER_ARTIFACT_DIR="${ARTIFACT_DIR}/tls-scanner"
-
-# Determine scanner arguments based on whether a specific namespace is requested
-if [[ -n "${SCAN_NAMESPACE:-}" ]]; then
-    SCANNER_ARGS="--all-pods --namespace-filter ${SCAN_NAMESPACE}"
-else
-    SCANNER_ARGS="--all-pods"
-fi
+run_tls_scan() {
 
-# Enable post-quantum cryptography checks when requested by the step ref.
-if [[ "${PQC_CHECK:-false}" == "true" ]]; then
-    SCANNER_ARGS="${SCANNER_ARGS} --pqc-check"
-    echo "PQC readiness mode enabled: checks TLS 1.3 support and mlkem or mlkem25519 support per target."
-fi
+  # TLS Scanner - scans TLS configurations of all pods in the cluster
+  local NAMESPACE="tls-scanner"
+  local OWNS_NAMESPACE=true
+  local SCANNER_IMAGE="${PULL_SPEC_TLS_SCANNER_TOOL}"
+  local ARTIFACT_DIR="${ARTIFACT_DIR:-/tmp/artifacts}"
 
-if [[ -n "${SCAN_LIMIT_IPS:-}" && "${SCAN_LIMIT_IPS}" != "0" ]]; then
-    SCANNER_ARGS="${SCANNER_ARGS} --limit-ips ${SCAN_LIMIT_IPS}"
-    echo "Limiting scan to ${SCAN_LIMIT_IPS} IPs (smoke testing)."
-fi
+  if [[ -n "${TLS_SCANNER_CLUSTER_LABEL:-}" ]]; then
+    SCANNER_ARTIFACT_DIR="${ARTIFACT_DIR}/tls-scanner/${TLS_SCANNER_CLUSTER_LABEL}"
+    case "${TLS_SCANNER_CLUSTER_LABEL}" in
+      management)
+        export KUBECONFIG="${SHARED_DIR}/kubeconfig"
+        if [[ -z "${SCAN_NAMESPACE:-}" && -f "${SHARED_DIR}/cluster-name" ]]; then
+          CLUSTER_NAME="$(<"${SHARED_DIR}/cluster-name")"
+          SCAN_NAMESPACE="clusters-${CLUSTER_NAME}"
+        fi
+        ;;
+      guest)
+        export KUBECONFIG="${SHARED_DIR}/nested_kubeconfig"
+        ;;
+      *)
+        echo "Unknown TLS_SCANNER_CLUSTER_LABEL: ${TLS_SCANNER_CLUSTER_LABEL}"
+        exit 1
+        ;;
+    esac
+  else
+    SCANNER_ARTIFACT_DIR="${ARTIFACT_DIR}/tls-scanner"
+  fi
 
-mkdir -p "${SCANNER_ARTIFACT_DIR}"
+  echo "TLS scanner target: ${TLS_SCANNER_CLUSTER_LABEL:-default} cluster"
+  echo "KUBECONFIG: ${KUBECONFIG:-<unset>}"
+  if [[ -n "${SCAN_NAMESPACE:-}" ]]; then
+    echo "Namespace filter: ${SCAN_NAMESPACE}"
+  fi
 
-echo "=== TLS Scanner ==="
-echo "Image: ${SCANNER_IMAGE}"
+  # Determine scanner arguments based on whether a specific namespace is requested
+  if [[ -n "${SCAN_NAMESPACE:-}" ]]; then
+      SCANNER_ARGS="--all-pods --namespace-filter ${SCAN_NAMESPACE}"
+  else
+      SCANNER_ARGS="--all-pods"
+  fi
 
-# Create namespace
-oc create namespace "${NAMESPACE}" --dry-run=client -o yaml | oc apply -f -
+  # Enable post-quantum cryptography checks when requested by the step ref.
+  if [[ "${PQC_CHECK:-false}" == "true" ]]; then
+      SCANNER_ARGS="${SCANNER_ARGS} --pqc-check"
+      echo "PQC readiness mode enabled: checks TLS 1.3 support and mlkem or mlkem25519 support per target."
+  fi
 
-# Cleanup on exit
-cleanup() {
-    echo "Cleaning up..."
-    oc delete namespace "${NAMESPACE}" --ignore-not-found --wait=false || true
-}
-trap cleanup EXIT
+  if [[ -n "${SCAN_LIMIT_IPS:-}" && "${SCAN_LIMIT_IPS}" != "0" ]]; then
+      SCANNER_ARGS="${SCANNER_ARGS} --limit-ips ${SCAN_LIMIT_IPS}"
+      echo "Limiting scan to ${SCAN_LIMIT_IPS} IPs (smoke testing)."
+  fi
+
+  if [[ -n "${TLS_PROFILE_TYPE:-}" ]]; then
+      SCANNER_ARGS="${SCANNER_ARGS} --tls-profile-type ${TLS_PROFILE_TYPE}"
+      echo "Using expected TLS profile type for compliance checks: ${TLS_PROFILE_TYPE}"
+  fi
+
+  local scanner_cpu="${SCANNER_CPU}"
+  local scanner_memory="${SCANNER_MEMORY}"
+  if [[ "${TLS_SCANNER_CLUSTER_LABEL:-}" == "guest" ]]; then
+    scanner_cpu="${SCANNER_CPU_GUEST:-1}"
+    scanner_memory="${SCANNER_MEMORY_GUEST:-2Gi}"
+  fi
+  echo "Scanner pod resources: cpu=${scanner_cpu} memory=${scanner_memory}"
+
+  mkdir -p "${SCANNER_ARTIFACT_DIR}"
+
+  echo "=== TLS Scanner ==="
+  echo "Image: ${SCANNER_IMAGE}"
+
+  # For management cluster scans, deploy the scanner pod into the HCP namespace
+  # so it satisfies the HCP NetworkPolicy intra-namespace allow rules.
+  # The HCP namespace already exists and must not be deleted at cleanup.
+  if [[ "${TLS_SCANNER_CLUSTER_LABEL:-}" == "management" && -n "${SCAN_NAMESPACE:-}" ]]; then
+      NAMESPACE="${SCAN_NAMESPACE}"
+      OWNS_NAMESPACE=false
+  fi
+
+  if [[ "${OWNS_NAMESPACE}" == "true" ]]; then
+      # Shared clusters can retain tls-scanner resources from prior jobs.
+      # Pods are immutable; delete any leftover namespace before recreating.
+      echo "Removing any previous tls-scanner resources..."
+      oc delete namespace "${NAMESPACE}" --ignore-not-found --wait=true --timeout=120s || true
+      oc create namespace "${NAMESPACE}"
+  else
+      # Just remove any leftover scanner pod from a prior run; do not touch the namespace.
+      oc delete pod/tls-scanner -n "${NAMESPACE}" --ignore-not-found --wait=true --timeout=60s || true
+  fi
+
+  # Cleanup on exit
+  cleanup() {
+      echo "Cleaning up..."
+      if [[ "${OWNS_NAMESPACE}" == "true" ]]; then
+          oc delete namespace "${NAMESPACE}" --ignore-not-found --wait=false || true
+      else
+          oc delete pod/tls-scanner -n "${NAMESPACE}" --ignore-not-found --wait=false || true
+      fi
+  }
+  trap cleanup EXIT
 
-# Grant cluster-admin to the default service account for full access
-oc adm policy add-cluster-role-to-user cluster-admin -z default -n "${NAMESPACE}"
+  # hostNetwork/hostPID are required for host-mode scanning but defeat NetworkPolicy
+  # for pod-mode management cluster scans (host-networked pods source from the node
+  # IP, which does not match any pod/namespace selector in HCP ingress rules).
+  # Pod-mode scanning uses the kube API for discovery and exec, so neither is needed.
+  if [[ "${OWNS_NAMESPACE}" == "false" ]]; then
+      HOST_NETWORK="false"
+      HOST_PID="false"
+      PRIVILEGED_CONTAINER="false"
+      # PodSecurity restricted-compliant securityContext for HCP namespace scans.
+      # The scanner binary only needs kube API access in pod-mode, so root is not required.
+      SECURITY_CONTEXT_YAML="      allowPrivilegeEscalation: false
+      runAsNonRoot: true
+      runAsUser: 65532
+      capabilities:
+        drop:
+        - ALL
+      seccompProfile:
+        type: RuntimeDefault"
+  else
+      HOST_NETWORK="true"
+      HOST_PID="true"
+      PRIVILEGED_CONTAINER="true"
+      SECURITY_CONTEXT_YAML="      privileged: true
+      runAsUser: 0"
+  fi
 
-# Grant privileged SCC to the service account (required for hostNetwork, hostPID, privileged container)
-oc adm policy add-scc-to-user privileged -z default -n "${NAMESPACE}"
+  # Grant cluster-admin to the default service account for full API access
+  oc adm policy add-cluster-role-to-user cluster-admin -z default -n "${NAMESPACE}"
 
-# Wait for RBAC/SCC changes to propagate before creating the pod
-# This ensures the SCC admission controller sees the new binding
-echo "Waiting for RBAC/SCC changes to propagate..."
-sleep 10
+  # Grant privileged SCC to the service account (required for hostNetwork/hostPID/privileged
+  # container in host-mode scans).
+  if [[ "${OWNS_NAMESPACE}" == "true" ]]; then
+      oc adm policy add-scc-to-user privileged -z default -n "${NAMESPACE}"
+  fi
 
-# Create the scanner pod with privileged access
-cat <<EOF | oc apply -f -
+  # Wait for RBAC/SCC changes to propagate before creating the pod
+  # This ensures the SCC admission controller sees the new binding
+  echo "Waiting for RBAC/SCC changes to propagate..."
+  sleep 10
+
+  # Create the scanner pod
+  cat <<EOF | oc create -f -
 apiVersion: v1
 kind: Pod
 metadata:
   name: tls-scanner
   namespace: ${NAMESPACE}
+  labels:
+    app: tls-scanner
+    # Required when running in an HCP namespace (OWNS_NAMESPACE=false): HyperShift's
+    # management-kas NetworkPolicy isolates pods without this label from the management
+    # cluster kube API (172.30.x.x service CIDR) via OVN ACLs that sit below standard
+    # NetworkPolicy. The label exempts the scanner so it can list pods via the
+    # management cluster API, which is the first thing tls-scanner does on startup.
+    hypershift.openshift.io/need-management-kas-access: "true"
 spec:
   serviceAccountName: default
   restartPolicy: Never
-  hostNetwork: true
-  hostPID: true
+  hostNetwork: ${HOST_NETWORK}
+  hostPID: ${HOST_PID}
   containers:
   - name: scanner
     image: ${SCANNER_IMAGE}
@@ -81,20 +181,18 @@ spec:
       SCAN_EXIT_CODE=\${PIPESTATUS[0]}
       echo "Scan complete. Exit code: \${SCAN_EXIT_CODE}" | tee -a /results/output.log
       touch /results/scan.done
-      # Keep pod alive for artifact collection
+      # Keep pod alive for artifact collection before exiting with the scanner's code.
       sleep 120
-      # We are intentionally ignoring the scanner exit code for the moment
-      # exit \${SCAN_EXIT_CODE}
+      exit \${SCAN_EXIT_CODE}
     resources:
       requests:
-        cpu: "${SCANNER_CPU}"
-        memory: ${SCANNER_MEMORY}
+        cpu: "${scanner_cpu}"
+        memory: ${scanner_memory}
       limits:
-        cpu: "${SCANNER_CPU}"
-        memory: ${SCANNER_MEMORY}
+        cpu: "${scanner_cpu}"
+        memory: ${scanner_memory}
     securityContext:
-      privileged: true
-      runAsUser: 0
+${SECURITY_CONTEXT_YAML}
     volumeMounts:
     - name: results
       mountPath: /results
@@ -103,57 +201,83 @@ spec:
     emptyDir: {}
 EOF
 
-echo "Waiting for scanner pod to start..."
-oc wait --for=condition=Ready pod/tls-scanner -n "${NAMESPACE}" --timeout=5m || {
-    echo "Pod failed to start:"
-    oc describe pod/tls-scanner -n "${NAMESPACE}"
-    oc get events -n "${NAMESPACE}"
-    exit 1
-}
+  echo "Waiting for scanner pod to start..."
+  oc wait --for=condition=Ready pod/tls-scanner -n "${NAMESPACE}" --timeout=5m || {
+      echo "Pod failed to start:"
+      oc describe pod/tls-scanner -n "${NAMESPACE}"
+      oc get events -n "${NAMESPACE}"
+      exit 1
+  }
 
-echo "Streaming scanner logs (live)..."
-oc logs -f pod/tls-scanner -n "${NAMESPACE}" &
-LOGS_PID=$!
-
-echo "Waiting for scan to finish (pod stays alive 120s after scan for artifact collection)..."
-while true; do
-    phase=$(oc get pod/tls-scanner -n "${NAMESPACE}" -o jsonpath='{.status.phase}' 2>/dev/null || echo "Unknown")
-    echo "Poll: phase=${phase}"
-    # Scanner completion check first — must copy artifacts while pod is still running.
-    if oc exec pod/tls-scanner -n "${NAMESPACE}" -- test -f /results/scan.done 2>/dev/null; then
-        echo "/results/scan.done found — proceeding to copy artifacts"
-        break
-    fi
-    # Fallback: pod already exited (sleep window expired or crash).
-    if [[ "$phase" == "Succeeded" || "$phase" == "Failed" ]]; then
-        echo "Warning: pod ${phase} before artifact collection — oc cp will likely fail"
-        break
-    fi
-    sleep 15
-done
-
-echo "Copying artifacts..."
-oc cp "${NAMESPACE}/tls-scanner:/results/." "${SCANNER_ARTIFACT_DIR}/" || echo "Warning: Failed to copy some artifacts"
-
-if [[ -f "${SCANNER_ARTIFACT_DIR}/junit_tls_scan.xml" ]]; then
-    cp "${SCANNER_ARTIFACT_DIR}/junit_tls_scan.xml" "${ARTIFACT_DIR}/junit_tls_scan.xml"
-    echo "JUnit results copied to ${ARTIFACT_DIR}/junit_tls_scan.xml for Spyglass"
-fi
+  echo "Streaming scanner logs (live)..."
+  oc logs -f pod/tls-scanner -n "${NAMESPACE}" &
+  LOGS_PID=$!
 
-wait $LOGS_PID 2>/dev/null || true
+  echo "Waiting for scan to finish (pod stays alive 120s after scan for artifact collection)..."
+  while true; do
+      phase=$(oc get pod/tls-scanner -n "${NAMESPACE}" -o jsonpath='{.status.phase}' 2>/dev/null || echo "Unknown")
+      echo "Poll: phase=${phase}"
+      # Scanner completion check first — must copy artifacts while pod is still running.
+      if oc exec pod/tls-scanner -n "${NAMESPACE}" -- test -f /results/scan.done 2>/dev/null; then
+          echo "/results/scan.done found — proceeding to copy artifacts"
+          break
+      fi
+      # Fallback: pod already exited (sleep window expired or crash).
+      if [[ "$phase" == "Succeeded" || "$phase" == "Failed" ]]; then
+          echo "Warning: pod ${phase} before artifact collection — oc cp will likely fail"
+          break
+      fi
+      sleep 15
+  done
 
-if [[ "$(oc get pod/tls-scanner -n "${NAMESPACE}" -o jsonpath='{.status.phase}' 2>/dev/null)" == "Failed" ]]; then
-    echo "Scanner pod failed"
-    oc describe pod/tls-scanner -n "${NAMESPACE}"
-    exit 1
-fi
+  echo "Copying artifacts..."
+  oc cp "${NAMESPACE}/tls-scanner:/results/." "${SCANNER_ARTIFACT_DIR}/" || echo "Warning: Failed to copy some artifacts"
+
+  if [[ -f "${SCANNER_ARTIFACT_DIR}/junit_tls_scan.xml" ]]; then
+      if [[ -n "${TLS_SCANNER_CLUSTER_LABEL:-}" ]]; then
+        junit_artifact="${ARTIFACT_DIR}/junit_tls_scan_${TLS_SCANNER_CLUSTER_LABEL}.xml"
+      else
+        junit_artifact="${ARTIFACT_DIR}/junit_tls_scan.xml"
+      fi
+      cp "${SCANNER_ARTIFACT_DIR}/junit_tls_scan.xml" "${junit_artifact}"
+      echo "JUnit results copied to ${junit_artifact} for Spyglass"
+  fi
+
+  wait $LOGS_PID 2>/dev/null || true
 
-oc wait --for=jsonpath='{.status.phase}'=Succeeded pod/tls-scanner -n "${NAMESPACE}" --timeout=10m || {
-    echo "Scanner did not complete successfully - timeout exceeded"
-    oc describe pod/tls-scanner -n "${NAMESPACE}"
-    exit 1
+  if [[ "$(oc get pod/tls-scanner -n "${NAMESPACE}" -o jsonpath='{.status.phase}' 2>/dev/null)" == "Failed" ]]; then
+      echo "Scanner pod failed"
+      oc describe pod/tls-scanner -n "${NAMESPACE}"
+      exit 1
+  fi
+
+  oc wait --for=jsonpath='{.status.phase}'=Succeeded pod/tls-scanner -n "${NAMESPACE}" --timeout=10m || {
+      echo "Scanner did not complete successfully - timeout exceeded"
+      oc describe pod/tls-scanner -n "${NAMESPACE}"
+      exit 1
+  }
+
+  echo "=== TLS Scanner Complete ==="
+  echo "Artifacts saved to: ${SCANNER_ARTIFACT_DIR}"
+  ls -la "${SCANNER_ARTIFACT_DIR}" || true
+
+  # Unregister the trap so it doesn't fire after the function returns (local
+  # variables NAMESPACE/OWNS_NAMESPACE would be unbound at that point).
+  trap - EXIT
 }
 
-echo "=== TLS Scanner Complete ==="
-echo "Artifacts saved to: ${SCANNER_ARTIFACT_DIR}"
-ls -la "${SCANNER_ARTIFACT_DIR}" || true
+if [[ "${TLS_SCANNER_RUN_HYPERSHIFT:-false}" == "true" ]]; then
+  OVERALL_EXIT_CODE=0
+  for label in management guest; do
+    echo "=== TLS scanner: ${label} cluster ==="
+    (
+      export TLS_SCANNER_CLUSTER_LABEL="${label}"
+      run_tls_scan
+    ) || OVERALL_EXIT_CODE=1
+    echo "=== TLS scanner: ${label} cluster complete ==="
+  done
+  echo "=== HyperShift TLS scanner complete (management + guest) ==="
+  exit "${OVERALL_EXIT_CODE}"
+fi
+
+run_tls_scan
diff --git a/ci-operator/step-registry/tls/scanner/run/tls-scanner-run-ref.yaml b/ci-operator/step-registry/tls/scanner/run/tls-scanner-run-ref.yaml
index 10c944ec92a11..d7d22f177e0aa 100644
--- a/ci-operator/step-registry/tls/scanner/run/tls-scanner-run-ref.yaml
+++ b/ci-operator/step-registry/tls/scanner/run/tls-scanner-run-ref.yaml
@@ -19,6 +19,20 @@ ref:
   - name: SCANNER_MEMORY
     default: "4Gi"
     documentation: "Memory request/limit for the scanner pod."
+  - name: TLS_SCANNER_CLUSTER_LABEL
+    default: ""
+    documentation: |-
+      HyperShift scan target label. Set to "management" to scan the shared
+      management cluster hosted control plane namespace, or "guest" to scan the
+      hosted cluster. Empty uses the step KUBECONFIG and scans all namespaces.
+  - name: TLS_PROFILE_TYPE
+    default: ""
+    documentation: |-
+      Expected cluster TLS profile type for compliance checks (Old, Intermediate,
+      Modern). When set, passes --tls-profile-type to tls-scanner instead of
+      reading APIServer/cluster from the API. Required for HyperShift hosted
+      control planes where the guest APIServer CR may not mirror HostedCluster
+      configuration.
   dependencies:
   - env: RELEASE_IMAGE_LATEST
     name: release:latest