diff --git a/.ssh/config b/.ssh/config
new file mode 100644
index 0000000..51ec533
--- /dev/null
+++ b/.ssh/config
@@ -0,0 +1 @@
+Include ~/.ssh/config.d/*.conf
diff --git a/.ssh/config.d/90-hardened-security.conf b/.ssh/config.d/90-hardened-security.conf
new file mode 100644
index 0000000..47856a4
--- /dev/null
+++ b/.ssh/config.d/90-hardened-security.conf
@@ -0,0 +1,14 @@
+# SSH client algorithm hardening.
+#
+# Require PQ-hybrid KEX, AEAD ciphers, Ed25519 keys.
+# Applied to all outgoing SSH connections from this machine.
+#
+# Requires OpenSSH 9.9+ for mlkem768x25519-sha256.
+
+Host *
+ KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512@openssh.com
+ Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
+ MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+ HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com
+ PubkeyAcceptedAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com
+ RekeyLimit 1G 1h
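Review bot: The header comment in 90-hardened-security.conf does not say how a per-host exception is made, and the `Host *` block will otherwise silently fail connections to any host that only offers RSA/ECDSA host keys: ssh_config keeps the first value obtained for each option, so with this file sorted last by the `Include ~/.ssh/config.d/*.conf` glob, overrides must live in a lower-numbered config.d file or in ~/.ssh/config before the Include line; suggest adding `# Loaded last (90-): per-host exceptions go in lower-numbered config.d files, since ssh_config keeps the first value seen for each option.` The `PubkeyAcceptedAlgorithms` line omits the FIDO variant `sk-ssh-ed25519@openssh.com`, so hardware-backed Ed25519 user keys will not be offered; if that is deliberate the header should say so, otherwise append it to the list. The `MACs` line is inert while `Ciphers` lists only AEAD algorithms (chacha20-poly1305 and aes256-gcm authenticate their own payload), so a comment such as `# MACs only consulted if a non-AEAD cipher is ever re-added` would keep a reader from assuming it is load-bearing. The `Requires OpenSSH 9.9+` note is accurate for mlkem768x25519-sha256 and worth keeping, since an older client rejects the unknown KEX name at startup rather than degrading.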