diff --git a/README.md b/README.md
index 7ddc15b..9332d71 100644
--- a/README.md
+++ b/README.md
@@ -75,6 +75,13 @@ You can watch the video **PentAGI overview**:
 - API Token Authentication. Secure Bearer token system for programmatic access to REST and GraphQL APIs.
 - Quick Deployment. Easy setup through [Docker Compose](https://docs.docker.com/compose/) with comprehensive environment configuration.
 
+### Current Capability Boundaries
+
+- PentAGI today is an autonomous and assistant-guided penetration testing platform, not a CALDERA-style Breach and Attack Simulation (BAS) or adversary emulation product with predefined campaigns or attack plans.
+- BAS-like agent-authored attack scripts should be treated as conceptual or future work, not as a feature that is implemented today.
+- The current flow report UI supports web view, copy to clipboard, Markdown download, and PDF download. JSON flow-report export is not documented as a supported output format today.
+- Provider flexibility is available today through built-in providers and custom/OpenAI-compatible endpoints. See [Custom LLM Provider Configuration](#custom-llm-provider-configuration) and the [vLLM + Qwen3.5-27B-FP8 guide](examples/guides/vllm-qwen35-27b-fp8.md).
+
 ## Architecture
 
 ### System Context