tigera
diff --git a/‎__tests__/crawler.test.js
+1 b/‎__tests__/crawler.test.js
+1
diff --git a/‎calico-cloud/about/index.mdx
-11 b/‎calico-cloud/about/index.mdx
-11
diff --git a/‎calico-cloud/about/product-comparison.mdx
-6 b/‎calico-cloud/about/product-comparison.mdx
-6
diff --git a/‎calico-cloud/compliance/compliance-reports-cis.mdx
+5-3 b/‎calico-cloud/compliance/compliance-reports-cis.mdx
+5-3
diff --git a/‎calico-cloud/compliance/enable-compliance.mdx
+5-3 b/‎calico-cloud/compliance/enable-compliance.mdx
+5-3
diff --git a/‎calico-cloud/compliance/overview.mdx
+5-3 b/‎calico-cloud/compliance/overview.mdx
+5-3
diff --git a/‎calico-cloud/get-started/install-automated.mdx
+24-5 b/‎calico-cloud/get-started/install-automated.mdx
+24-5
diff --git a/‎calico-cloud/get-started/install-cluster.mdx
+38-9 b/‎calico-cloud/get-started/install-cluster.mdx
+38-9
@@ -182,6 +182,7 @@ test('Crawl the docs and execute tests', async () => {
     'https://www.f5.com/glossary/cross-site-scripting', //TEMPORARY
     'https://www.f5.com/glossary/sql-injection', //TEMPORARY
     'https://www.f5.com/labs/articles/threat-intelligence/application-protection-report-2019--episode-2--2018-breach-trend', //TEMPORARY
+    'https://installer.calicocloud.io/manifests/cc-operator/latest/deploy-with-container-security.yaml', //TEMPORARY
   ];
 
   const lc = linkChecker();
 
@@ -10,16 +10,6 @@ $[prodname] is a security solution for cloud-native applications running on cont
 
 ![calico-cloud](/img/calico/calico-cloud.svg)
 
-Beyond the **Kubernetes security** features that you get from Calico Enterprise and Calico Open Source, $[prodname] adds these **container security** solutions:
-
-- **Image Assurance**
-
-Automated image scanning and blocking so you can monitor and assess workloads for new and existing CVEs 24/7.
-
-- **Container threat defense**
-
-Fully automated protection against known and unknown attacks (network or container-based).
-
 ## Best fit
 
 The best fit for $[prodname] is small teams who need to manage the full spectrum of compliance in a web-based console. To jumpstart learning for teams, $[prodname] provides:
@@ -35,5 +25,4 @@ The best fit for $[prodname] is small teams who need to manage the full spectrum
 - To connect your cluster to $[prodname] in 15 minutes, [start a free trial](https://auth.calicocloud.io/u/signup/identifier?state=hKFo2SB3ekhybXN1TGdxTkZTUWIwQV9BSzNlaHBEUk0wMENJdKFur3VuaXZlcnNhbC1sb2dpbqN0aWTZIEE5b2NkREs1eWZKR0twc0ZWZmh2LWZCZEZxb2ZRNkJOo2NpZNkgc3NJQkNFdEdkZFpLNlVubDNOYWl2ZzhrY2RmcWd6dFE)
 - [Calico Cloud pricing](https://www.tigera.io/tigera-products/calico-cloud-pricing/)
 - [Connect a cluster to $[prodname] documentation](../get-started/connect-cluster.mdx)
-- [Image assurance documentation](../image-assurance)
 - [Container threat defense documentation](../threat/container-threat-detection.mdx)
@@ -71,10 +71,6 @@ What is the best fit for you? It depends on your needs. The following table prov
 | iptables                                                                    | <center><CheckIcon /></center>               | <center><CheckIcon /></center>         | <center><CheckIcon /></center>              |
 | Windows HNS                                                                 | <center><CheckIcon /></center>               | <center><CheckIcon /></center>         | <center><CheckIcon /></center>              |
 | VPP                                                                         | <center><CheckIcon /></center>               |                                   |                                        |
-| **Image Assurance**                                                         |                                         |                                   |                                        |
-| Scan images for vulnerabilities for workloads in Kubernetes cluster         |                                         | <center><CheckIcon /></center>         |                                        |
-| Create policy to block vulnerable images from your clusters                 |                                         | <center><CheckIcon /></center>         |                                        |
-| Runtime view to assess impact of newly-found vulnerabilities                |                                         | <center><CheckIcon /></center>         |                                        |
 | **Observability and troubleshooting**                                       |                                         |                                   |                                        |
 | Application level observability and troubleshooting                         |                                         | <center><CheckIcon /></center>         | <center><CheckIcon /></center>              |
 | Service Graph                                                               |                                         | <center><CheckIcon /></center>         | <center><CheckIcon /></center>              |
@@ -87,8 +83,6 @@ What is the best fit for you? It depends on your needs. The following table prov
 | Multi-cluster management                                                    |                                         |                                   | <center><CheckIcon /></center>              |
 | Federated identity and services                                             |                                         | <center><CheckIcon /></center>         | <center><CheckIcon /></center>              |
 | **Threat defense**                                                          |                                         |                                   |                                        |
-| Anomaly detection                                                           |                                         | <center><CheckIcon /></center>         | <center><CheckIcon /></center>              |
-| Container threat detection                                                  |                                         | <center><CheckIcon /></center>         |                                        |
 | Workload-centric Web Application Firewall (WAF)                             |                                         | <center><CheckIcon /></center>         | <center><CheckIcon /></center>              |
 | Add threatfeeds to trace suspicious network flows                           |                                         | <center><CheckIcon /></center>         | <center><CheckIcon /></center>              |
 | **Reports**                                                                 |                                         |                                   |                                        |
 
@@ -4,10 +4,12 @@ description: Configure reports to assess compliance for all assets in a Kubernet
 
 # Configure CIS benchmark reports
 
-:::info deprecation notice
+:::warning[deprecation and removal notice]
 
-The compliance features described on this page are deprecated and will be removed in a future release.
-We're building a new compliance reporting system that will eventually replace the current one.
+This feature was deprecated in Calico Cloud version 21.1.0 and will be removed in a future release. Availability depends on when you started using Calico Cloud.
+
+- For users who started using Calico Cloud in April 2025 or later, this feature is not available.
+- Legacy users, who started using Calico Cloud before April 2025, can continue to use this feature until it is removed in a future release.
 
 :::
 
 
@@ -4,10 +4,12 @@ description: Enable compliance reports to configure reports to assess compliance
 
 # Enable compliance reports
 
-:::info deprecation notice
+:::warning[deprecation and removal notice]
 
-The compliance features described on this page are deprecated and will be removed in a future release.
-We're building a new compliance reporting system that will eventually replace the current one.
+This feature was deprecated in Calico Cloud version 21.1.0 and will be removed in a future release. Availability depends on when you started using Calico Cloud.
+
+- For users who started using Calico Cloud in April 2025 or later, this feature is not available.
+- Legacy users, who started using Calico Cloud before April 2025, can continue to use this feature until it is removed in a future release.
 
 :::
 
 
@@ -4,10 +4,12 @@ description: Get the reports for regulatory compliance on Kubernetes workloads a
 
 # Schedule and run compliance reports
 
-:::info deprecation notice
+:::warning[deprecation and removal notice]
 
-The compliance features described on this page are deprecated and will be removed in a future release.
-We're building a new compliance reporting system that will eventually replace the current one.
+This feature was deprecated in Calico Cloud version 21.1.0 and will be removed in a future release. Availability depends on when you started using Calico Cloud.
+
+- For users who started using Calico Cloud in April 2025 or later, this feature is not available.
+- Legacy users, who started using Calico Cloud before April 2025, can continue to use this feature until it is removed in a future release.
 
 :::
 
 
@@ -78,21 +78,40 @@ If you're using a private registry, you must set the following parameters.
 ### Optional parameters for features
 
 The following parameters enable certain features in Calico Cloud.
-These features can be enabled or diabled only by setting them in your `values.yaml` file at installation.
+These features can be enabled or disabled only by setting them in your `values.yaml` file at installation.
 
 | Feature name | Parameter | Values |
 |---------|-----|--------|
-| Image Assurance | `installer.components.imageAssurance.state` | `Enabled` (default), `Disabled` |
-| Container Threat Detection | `installer.components.runtimeSecurity.state` | `Enabled`, `Disabled` (default) |
 | Packet Capture | `installer.components.packetCaptureAPI.state` |  `Enabled`, `Disabled` (default) |
-| Compliance Reports | `installer.components.compliance.enabled` | `true` (default), `false` |
 
 :::note
 
-If you're upgrading from Calico Cloud 19 or earlier, the Container Threat Detection and Packet Capture features will remain enabled unless you explicitly set them to `Disabled`.
+If you're upgrading from Calico Cloud 19, the Packet Capture features will remain enabled unless you explicitly set them to `Disabled`.
 
 :::
 
+<details>
+  <summary>Use alternate feature keys for legacy features</summary>
+
+  The Image Assurance, Container Threat Detection, and Compliance Reports features were removed for new users in Calico Cloud 21.1.0.
+  Legacy users of those features can continue to use a deprecated version until the features are completely removed in a future release.
+
+
+  | Feature | Key | Values |
+  |---------|-----|--------|
+  | Image Assurance | `installer.components.imageAssurance.state` | `Enabled`, `Disabled` (default) |
+  | Container Threat Detection | `installer.components.runtimeSecurity.state` | `Enabled`, `Disabled` (default\*) <br/> * The default for new clusters is `Disabled`. For upgrades for previously connected clusters, the default will retain the previous state. |
+  | Packet Capture | `installer.components.packetCaptureAPI.state` |  `Enabled`, `Disabled` (default\*) <br/> * The default for new clusters is `Disabled`. For upgrades for previously connected clusters, the default will retain the previous state. |
+  | Compliance Reports | `installer.components.compliance.enabled` | `true`, `false` (default) |
+
+  :::note
+
+  If you're upgrading from Calico Cloud 19, the Container Threat Detection and Packet Capture features will remain enabled unless you explicitly set them to `Disabled`.
+
+  :::
+
+</details>
+
 ### Optional parameters for pod scheduling and resource management
 
 For many Calico Cloud components, you can specify node selectors, tolerations, and resource requests and limits.
 
@@ -23,9 +23,20 @@ You can quickly connect a cluster to Calico Cloud by generating a unique kubectl
    We always recommend the latest version, which is installed by default.
 1. Click **Connect** to generate a unique kubectl command. Copy the command.
 
-   ```bash title="Example of generated kubectl installation command"
-   kubectl apply -f https://installer.calicocloud.io/manifests/cc-operator/latest/deploy.yaml && curl -H "Authorization: Bearer mprcnz04t:9dav6eoag:s8w7xjslez1x1xkf6ds0h23miz5b1fw6phh9897d0n76e4pjfdekijowjv5lw9dd" "https://www.calicocloud.io/api/managed-cluster/deploy.yaml?version=v19.1.0" | kubectl apply -f -
-   ```
+   <details>
+     <summary>Use alternate manifest for legacy features</summary>
+
+     The Image Assurance, Container Threat Detection, and Compliance Reports features were removed for new users in Calico Cloud 21.1.0.
+     Legacy users of those features can continue to use a deprecated version until the features are completely removed in a future release.
+
+     To continue using these features, modify the generated command by replacing `deploy.yaml` with `deploy-with-container-security.yaml`.
+     This change gives you a manifest with all three legacy features enabled.
+     You cannot enable or disable these features individually.
+
+     ```bash title="Example of generated kubectl command with alternate manifest"
+     kubectl apply -f https://installer.calicocloud.io/manifests/cc-operator/latest/deploy-with-container-security.yaml && curl -H "Authorization: Bearer ..." "https://www.calicocloud.io/api/managed-cluster/deploy-with-container-security.yaml?version=$[cloudUserVersion]" | kubectl apply -f -
+     ```
+   </details>
 
 1. From a terminal, paste and run the command.
 1. On the **Managed Clusters** page, you should immediately see your cluster in the list of managed clusters.
@@ -39,26 +50,44 @@ You can quickly connect a cluster to Calico Cloud by generating a unique kubectl
 1. Optional: If you must install a specific older release, select the Calico Cloud version you want to install.
    We always recommend the latest version, which is installed by default.
 1. Click **Connect** to generate a unique Helm installation command. Copy the command.
-
    ```bash title="Example of generated Helm installation command"
    helm repo add calico-cloud https://installer.calicocloud.io/charts --force-update && helm upgrade --install calico-cloud-crds calico-cloud/calico-cloud-crds --namespace calico-cloud --create-namespace && helm upgrade --install calico-cloud calico-cloud/calico-cloud --namespace calico-cloud --set apiKey=ryl34elz8:9dav6eoag:ifk1uwruwlgp7vzn7ecijt5zjbf5p9p1il1ag8877ylwjo4muu19wzg2g8x5qa7x --set installer.clusterName=my-cluster --set installer.calicoCloudVersion=v19.1.0
    ```
-1. Optional: To make changes to what features are enabled during installation, paste the command to a text editor and append the `--set` option any of the following key-value pairs.
-   You can change these options only by reinstalling or upgrading Calico Cloud and changing the values.
+1. Optional: If you want to enable the Packet Capture feature, you can append `--set installer.components.packetCaptureAPI.state=Enabled` to the generated Helm command.
+   You can change this option only by reinstalling or upgrading Calico Cloud and changing the values.
+   | Feature | Key | Values |
+   |---------|-----|--------|
+   | Packet Capture | `installer.components.packetCaptureAPI.state` |  `Enabled`, `Disabled` (default\*) <br/> * The default for new clusters is `Disabled`. For upgrades for previously connected clusters, the default will retain the previous state. |
+
+   ```bash title="Example of generated Helm command with user-added parameters"
+   helm repo add calico-cloud https://installer.calicocloud.io/charts --force-update && helm upgrade --install calico-cloud-crds calico-cloud/calico-cloud-crds --namespace calico-cloud --create-namespace && helm upgrade --install calico-cloud calico-cloud/calico-cloud --namespace calico-cloud --set apiKey=ryl34elz8:9dav6eoag:ifk1uwruwlgp7vzn7ecijt5zjbf5p9p1il1ag8877ylwjo4muu19wzg2g8x5qa7x --set installer.clusterName=my-cluster --set installer.calicoCloudVersion=v19.1.0 \
+   --set installer.components.packetCaptureAPI.state=Enabled
+   ```
+
+   In this example, the command connects the cluster to Calico Cloud with the Packet Capture feature enabled.
+
+   <details>
+     <summary>Use alternate feature keys for legacy features</summary>
+
+   The Image Assurance, Container Threat Detection, and Compliance Reports features were removed for new users in Calico Cloud 21.1.0.
+   Legacy users of those features can continue to use a deprecated version until the features are completely removed in a future release.
+
 
    | Feature | Key | Values |
    |---------|-----|--------|
-   | Image Assurance | `installer.components.imageAssurance.state` | `Enabled` (default), `Disabled` |
+   | Image Assurance | `installer.components.imageAssurance.state` | `Enabled`, `Disabled` (default) |
    | Container Threat Detection | `installer.components.runtimeSecurity.state` | `Enabled`, `Disabled` (default\*) <br/> * The default for new clusters is `Disabled`. For upgrades for previously connected clusters, the default will retain the previous state. |
    | Packet Capture | `installer.components.packetCaptureAPI.state` |  `Enabled`, `Disabled` (default\*) <br/> * The default for new clusters is `Disabled`. For upgrades for previously connected clusters, the default will retain the previous state. |
-   | Compliance Reports | `installer.components.compliance.enabled` | `true` (default), `false` |
+   | Compliance Reports | `installer.components.compliance.enabled` | `true`, `false` (default) |
 
    ```bash title="Example of generated Helm command with user-added parameters"
    helm repo add calico-cloud https://installer.calicocloud.io/charts --force-update && helm upgrade --install calico-cloud-crds calico-cloud/calico-cloud-crds --namespace calico-cloud --create-namespace && helm upgrade --install calico-cloud calico-cloud/calico-cloud --namespace calico-cloud --set apiKey=ryl34elz8:9dav6eoag:ifk1uwruwlgp7vzn7ecijt5zjbf5p9p1il1ag8877ylwjo4muu19wzg2g8x5qa7x --set installer.clusterName=my-cluster --set installer.calicoCloudVersion=v19.1.0 \
    --set installer.components.imageAssurance.state=Enabled \
    --set installer.components.runtimeSecurity.state=Enabled \
    ```
-   In this example, this command connects the cluster to Calico Cloud with Image Assurance and Runtime Security  features enabled.
+   In this example, the command connects the cluster to Calico Cloud with Image Assurance and Container Threat Detection features enabled.
+
+   </details>
 
 1. From a terminal, paste and run the command.
 1. On the **Managed Clusters** page, you should immediately see your cluster in the list of managed clusters.