diff --git a/.safety-policy.yml b/.safety-policy.yml
deleted file mode 100644
index dcba87b21..000000000
--- a/.safety-policy.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-# Safety policy file for `safety check`.
-# Required by safety 3.x — the CLI looks for this file in cwd even when
-# --ignore is passed inline. Ignores are kept on the tox command line
-# (see tox.ini [testenv:safety]) so they stay visible in CI output.
-security:
-  ignore-vulnerabilities: {}
diff --git a/tox.ini b/tox.ini
index 06d7cc727..14311551a 100644
--- a/tox.ini
+++ b/tox.ini
@@ -54,16 +54,23 @@ commands =
     coverage report
 
 [testenv:safety]
-# Safety ignore list:
-# 39642: reportlab vuln resolved in https://github.com/mitre/debrief/pull/39
-# 39659: aiohttp cannot be upgraded to 3.7.4: https://github.com/mitre/caldera/pull/2062
+# Dependency vulnerability scan. Env name kept as "safety" so branch
+# protection contexts (`build (3.13, safety)`) don't need a coordinated
+# update; underlying tool is pip-audit (PyPA, no API key, free).
+#
+# `safety check` was deprecated 2024-06; the pyup.io account/scan
+# replacement was not worth the new secret + auth integration when
+# Dependabot, GitGuardian, and SonarCloud already cover supply chain.
+#
+# Legacy pyup ignores (39642 reportlab, 39659 aiohttp) are obsolete
+# now that aiohttp>=3.13 and reportlab>=4.0 are pinned. Add
+# `--ignore-vuln GHSA-...` here if a real exemption is needed later.
 deps =
-    safety
+    pip-audit
 skip_install = true
-whitelist_externals=find
 commands =
-    safety check -r requirements.txt --policy-file .safety-policy.yml --ignore 39642 --ignore 39659
-    safety check -r requirements-dev.txt --policy-file .safety-policy.yml
+    pip-audit -r requirements.txt
+    pip-audit -r requirements-dev.txt
 
 [testenv:bandit]
 deps =
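Review bot: The two `pip-audit` commands at the end of the tox.ini hunk only warn about requirements that pip-audit cannot resolve or audit in its temporary environment, so a dependency that fails to build is skipped and the env still exits 0; passing `--strict` turns such skips into a hard failure, i.e. `pip-audit --strict -r requirements.txt` and `pip-audit --strict -r requirements-dev.txt`. The new `deps = pip-audit` entry is unpinned, so the auditing tool itself is whatever the index serves on each CI run (the removed `safety` entry had the same weakness); a version pin or constraints file would keep the scan reproducible. The comment's claim that aiohttp>=3.13 and reportlab>=4.0 are pinned cannot be checked from this diff, so it would help to name the requirements file that carries those pins, since that is what justifies dropping the two legacy ignores.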