diff --git a/docs/tasks/command-center-security/README.md b/docs/tasks/command-center-security/README.md new file mode 100644 index 0000000..f94c358 --- /dev/null +++ b/docs/tasks/command-center-security/README.md @@ -0,0 +1,34 @@ +# Command Center Security Hardening + +**Status:** Ready +**Priority:** Tier 1 - Security Foundation +**Time:** 1 hour +**Last Updated:** 2026-02-16 + +## Overview +Defense-in-depth security hardening for Command Center VPS (Dallas hub). Install Fail2Ban, harden SSH, review firewall rules. + +## Current State +- ✅ UFW enabled (default deny incoming) +- ✅ Ports 22, 80, 443 open +- ❌ Fail2Ban not installed +- ❌ SSH allows password auth +- ❌ No rate limiting on SSH + +## Tasks +1. **Install Fail2Ban** (auto-ban brute force) +2. **SSH Hardening:** + - Disable password auth (key-only) + - Optional: Change SSH port + - Set MaxAuthTries=3 +3. **Review UFW rules** (close unnecessary ports) +4. **Document** in deployment-plan.md +5. **Test SSH** with keys before closing password auth + +## Success Criteria +- ✅ Fail2Ban active and monitoring +- ✅ SSH key-only authentication +- ✅ Command Center locked down +- ✅ Security config documented + +**Fire + Frost + Foundation** 💙🔥❄️
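Review bot: In the Tasks list, step 5 ("Test SSH with keys before closing password auth") is ordered after step 2, whose first sub-item already disables password auth, so anyone working through the list top to bottom can lock themselves out of the VPS before the key login has been verified. Move the key test ahead of "Disable password auth (key-only)", for example as the first sub-item under SSH Hardening, and note that an existing session should stay open until a fresh key-only login succeeds. Two smaller points in the same hunk: Current State lists "No rate limiting on SSH", but no task or success criterion addresses it by name, so either state that Fail2Ban is the intended fix or add a task for it; and "Command Center locked down" under Success Criteria is not checkable as written, so consider replacing it with criteria that mirror the tasks (MaxAuthTries set to 3, UFW rules reviewed, the optional port change decided either way).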