diff --git a/playbooks/docker-security-audit.md b/playbooks/docker-security-audit.md index 28d0581..5ce152e 100644 --- a/playbooks/docker-security-audit.md +++ b/playbooks/docker-security-audit.md @@ -14,7 +14,7 @@ The AI will: 1. Read `containers.local.txt` to get the list of images to audit 2. For each image — pull it, run all checks below, and evaluate results 3. For each finding — report CRITICAL, HIGH, MEDIUM, LOW, or INFO -4. Generate a timestamped report file in the `reports/` directory +4. Generate output in `reports/audit-/` — one overview file plus a subfolder per image containing the detail report and SBOM 5. Remove the image from the local host after scanning **unless** it is currently active (`docker ps`) 6. At the end, give an overall environment summary @@ -63,17 +63,26 @@ Repeat this entire procedure for **every** `image:tag` entry in `containers.loca Run: `docker ps --format '{{.Image}}'` -- If the image is in the active list → mark as **ACTIVE**, skip Step 6 (do not remove) +- If the image is in the active list → mark as **ACTIVE**, skip Step 8 (do not remove) - If not active → mark as **NOT ACTIVE**, will be removed after scan -### Step 2 — Pull the Image +### Step 2 — Create Output Directory + +Before scanning, derive the image's output folder and create it: + +- `` = image name only, no tag, slashes replaced with `-` (e.g. `nginx`, `myrepo-myapp`) +- Create folder: `reports/audit-//` + +All files for this image (detail report, SBOM) go into this folder. + +### Step 3 — Pull the Image Run: `docker pull ` - If pull fails → mark as WARN (image may be private, unavailable, or tag deleted) and skip to next image - Note the image digest and creation date -### Step 3 — CVE Scan (Trivy) +### Step 4 — CVE Scan (Trivy) Run: `trivy image --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL --format json ` 
@@ -91,15 +100,15 @@ Report findings grouped by severity: - Summarise MEDIUM/LOW as counts only unless the user asks for detail - Flag any CVE with a known public exploit (Trivy marks these with `--ignore-unfixed` info) -### Step 4 — CVE Scan (Grype) +### Step 5 — CVE Scan (Grype) Run: `grype --output json` - Cross-reference with Trivy results — note any findings unique to Grype that Trivy missed -- Report new findings in the same severity table format as Step 3 +- Report new findings in the same severity table format as Step 4 - If Grype and Trivy agree, note "Confirmed by both scanners" -### Step 5 — Dockerfile Static Analysis (Hadolint) +### Step 6 — Dockerfile Static Analysis (Hadolint) Locate the Dockerfile for this image if available in the current working directory or a subdirectory. @@ -129,8 +138,8 @@ Run each of the following and report all findings: - Flag any unknown or restrictive licenses (GPL in a closed deployment, etc.) **SBOM generation:** -`trivy image --format cyclonedx --output reports/sbom--.json ` -- Generate and save an SBOM for the image — no pass/fail, this is for records +`trivy image --format cyclonedx --output reports/audit-//sbom--.json ` +- Generate and save an SBOM into the image's subfolder — no pass/fail, this is for records ### Step 8 — Image Cleanup
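Review bot: the rewritten item 4 in the first hunk drops the word "timestamped" and shows the run folder as `reports/audit-/`, with nothing between `audit-` and the slash, so the overview no longer says how each run's directory is named. State the naming token explicitly (the timestamp from the old line, if that is still the intent) so this item and the folder created in Step 2 describe the same path.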
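Review bot: in the new Step 2 of the second hunk, deriving the folder name as "image name only, no tag, slashes replaced with `-`" is lossy: `nginx:1.25` and `nginx:latest` both map to `reports/audit-/nginx/`, and names such as `myrepo/my-app` and `myrepo-my/app` both become `myrepo-my-app`, so a later image silently overwrites an earlier image's detail report and SBOM within the same run. Include the tag (or the digest noted in Step 3) in the folder name, or have the step refuse to reuse a folder that already exists. Two smaller points: if "no tag" is implemented by cutting at the first `:`, a registry with a port (`registry.example.com:5000/app:1.0`) is cut in the wrong place, so cut at the last `:` after the last `/`; and creating the folder before `docker pull` leaves an empty directory behind whenever the pull fails and the image is skipped, so either create it after a successful pull or remove it on the WARN path. The change from "skip Step 6" to "skip Step 8" for the ACTIVE case is correct against the unchanged `### Step 8 — Image Cleanup` heading in the last hunk.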
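Review bot: the renumbering in the third hunk is internally consistent (Grype becomes Step 5 and now cross-references Trivy as Step 4, Hadolint becomes Step 6), but no hunk in this patch touches the headings between Hadolint and the unchanged `### Step 8 — Image Cleanup` context in the last hunk, so any `### Step N` headings and "Step N" cross-references in that stretch, which are not visible in this diff, need checking for a duplicate or skipped number before this merges. Two points in the surrounding context while you are here: `grype --output json` has no image argument, and `--ignore-unfixed` is a Trivy flag that hides findings with no fix available rather than a marker of known public exploits, so that bullet should not be left as written.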
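Review bot: the new SBOM path in the last hunk, `reports/audit-//sbom--.json`, repeats the folder derivation from Step 2 and relies on Step 2 having created the directory first; define the folder name once and reference it here rather than restating it. As rendered, both the run segment and the image segment of the path are empty and `sbom--.json` has two empty components, so please show the exact tokens used in the file name (image name and tag, or digest), and keep the file name distinct per tag, since the folder itself is keyed on the image name only. Because this path is assembled from entries in `containers.local.txt`, also state that each entry is validated against Docker's image reference grammar before it is used as a path component, so an unexpected entry cannot yield a path outside `reports/`.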