diff --git a/docs/pages/enroll-resources/workload-identity/workload-attestation.mdx b/docs/pages/enroll-resources/workload-identity/workload-attestation.mdx index 9c3c6423f090a..5f4ccef84c109 100644 --- a/docs/pages/enroll-resources/workload-identity/workload-attestation.mdx +++ b/docs/pages/enroll-resources/workload-identity/workload-attestation.mdx @@ -37,11 +37,25 @@ available to be used when configuring rules for `tbot`'s Workload API service: | Field | Description | |-------------------|------------------------------------------------------------------------------| -| `unix.attested` | Indicates that the workload has been attested by the Unix Workload Attestor. | +| `unix.attested` | Indicates that the workload has been attested by the Unix Workload Attestor. | | `unix.pid` | The process ID of the attested workload. | | `unix.uid` | The effective user ID of the attested workload. | | `unix.gid` | The effective primary group ID of the attested workload. | +### Support for non-standard /proc mounting + +To resolve information about a process from the PID, the Unix Workload Attestor +reads information from the `/proc` filesystem. + +In some cases, the `/proc` filesystem may not be mounted at the default +location. If this is the case, you can configure the Unix Workload Attestor to +read from a different location by setting the `HOST_PROC` environment variable. + +This is a sensitive configuration option, and you should ensure that it is +set correctly or not set at all. If misconfigured, an attacker could provide +falsified information about processes, and this could lead to the issuance of +SVIDs to unauthorized workloads. + ## Kubernetes The Kubernetes Workload Attestor allows you to restrict the issuance of SVIDs
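Review bot: the new "Support for non-standard /proc mounting" section tells readers that `HOST_PROC` is sensitive but never shows what a correct value looks like, so a reader cannot check their own setting against the warning; consider adding one concrete line for the common case the section implies, e.g. `HOST_PROC=/host/proc` when `tbot` runs in a container with the host's `/proc` bind-mounted, and state the property the attestor depends on: the path must be a genuine procfs mount that attested workloads cannot write to or replace, because the attestor derives `unix.pid`, `unix.uid` and `unix.gid` from it and any rule keyed on those fields is only as trustworthy as that mount. It would also help to say whether `tbot` reads `HOST_PROC` once at startup or on every attestation, since that determines whether changing the variable requires a restart. Separately, the `unix.attested` table row is removed and re-added with identical visible text, which looks like a whitespace-only change (trailing space or column alignment); fine if intentional, but worth confirming it is not an accidental edit that will churn the table in future diffs.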