Turning Container security up to 11 with Capabilities
Mathias Tausig - a year ago
Container technologies, as first popularized by Docker, already offer many security benefits out of the box that developers and DevOps professionals have come to rely upon. While this has proven valuable for increasing the security of many application deployments, it still leaves some room for improvement.
Firstly, a lack of deep understanding of which protections Docker offers out of the box is commonly observed, leading to a dangerous overreliance on the container engine. Secondly, the attack surface of your application can be significantly reduced by leveraging the capabilities functionality of the Linux kernel. Using it, one can greatly reduce the system functions a running container has access to, thus limiting the consequences of exploiting a vulnerability in an application. This talk explains the possibilities of limiting capabilities in a container runtime.
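To see which kernel capabilities a containerized process actually holds, the following added example (not taken from the talk) decodes the `CapEff` bitmask from `/proc/<pid>/status` and lists every capability the workload does not need. The sample status text is constructed, and the "needed" set and the helper names are assumptions for illustration.

```python
# Capability names indexed by bit number (include/uapi/linux/capability.h).
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# Constructed sample: excerpt of /proc/<pid>/status for a root process in a
# container started with Docker's default capability set.
SAMPLE_STATUS = (
    "Name:\tapp\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
)

def cap_mask(status_text, field="CapEff"):
    """Return the integer bitmask of one Cap* field from a status file."""
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key == field:
            return int(value.strip(), 16)
    raise ValueError(f"{field} not found in status text")

def decode(mask):
    """Map a capability bitmask to names; bits newer than the table are kept."""
    names = set()
    for bit in range(mask.bit_length()):
        if mask >> bit & 1:
            known = bit < len(CAP_NAMES)
            names.add(CAP_NAMES[bit] if known else f"UNKNOWN_{bit}")
    return names

def excess(status_text, needed):
    """Capabilities the process holds that the workload does not need."""
    return sorted(decode(cap_mask(status_text)) - set(needed))

def docker_flags(needed):
    """Least-privilege `docker run` flags: drop everything, add back the rest."""
    return ["--cap-drop=ALL"] + [f"--cap-add={n}" for n in sorted(needed)]

if __name__ == "__main__":
    needed = {"NET_BIND_SERVICE"}  # assumption: app only binds a port < 1024
    print("unneeded:", ", ".join(excess(SAMPLE_STATUS, needed)))
    print("docker run", " ".join(docker_flags(needed)), "<image>")
```

On a live host, pass the contents of `/proc/<pid>/status` for the container's main process instead of `SAMPLE_STATUS`.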