diff --git a/.custom-gcl.yml b/.custom-gcl.yml
index 3b85dff0eb..d6676782c2 100644
--- a/.custom-gcl.yml
+++ b/.custom-gcl.yml
@@ -1,7 +1,7 @@
 # This configures how golangci-lint builds a custom build, wich is necessary to use nilaway as a plugin per https://github.com/uber-go/nilaway?tab=readme-ov-file#golangci-lint--v1570
 # This has to be >= v1.57.0 for module plugin system support.
-version: v2.7.1
+version: v2.11.3
 plugins:
 - module: "go.uber.org/nilaway"
 import: "go.uber.org/nilaway/cmd/gclplugin"
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
index f3e6b2d3b1..0ccc64abef 100644
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -73,7 +73,7 @@ jobs:
 run: |
 # Don't forget to update
 # docs/Contributing/Testing-and-local-development.md when this version changes
- go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@a4b55ebc3471c9fbb763fd56eefede8050f99887 # v2.7.1
+ go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@6008b81b81c690c046ffc3fd5bce896da715d5fd # v2.11.3
 SKIP_INCREMENTAL=1 make lint-go
 - name: Run cloner-check tool
@@ -136,7 +136,7 @@ jobs:
 run: |
 # Don't forget to update
 # docs/Contributing/Testing-and-local-development.md when this version changes
- go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@a4b55ebc3471c9fbb763fd56eefede8050f99887 # v2.7.1
+ go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@6008b81b81c690c046ffc3fd5bce896da715d5fd # v2.11.3
 # custom build of golangci-lint that incorporates nilaway - see .custom-gcl.yml
 golangci-lint custom ./custom-gcl run -c .golangci-incremental.yml --new-from-rev=origin/${{ github.base_ref }} --timeout 15m ./...
diff --git a/.golangci-incremental.yml b/.golangci-incremental.yml
index be027cc707..d7a9ed9267 100644
--- a/.golangci-incremental.yml
+++ b/.golangci-incremental.yml
@@ -10,9 +10,25 @@ issues:
 linters:
 default: none
 enable:
+ - gosec
 - modernize
 - nilaway
 settings:
+ gosec:
+ # Only enable rules that are too noisy on existing code but valuable for new code.
+ # Existing violations were audited during the v2.7.1 -> v2.11.3 upgrade and found
+ # to be false positives or safe patterns, but we want to catch real issues going forward.
+ includes:
+ - G101 # Potential hardcoded credentials.
+ - G115 # Integer overflow conversion.
+ - G117 # Marshaled struct field matches secret pattern.
+ - G118 # Goroutine uses context.Background/TODO while request-scoped context is available.
+ - G122 # Filesystem race in filepath.Walk/WalkDir callback.
+ - G202 # SQL string concatenation.
+ - G602 # Slice index out of range.
+ - G704 # SSRF via taint analysis.
+ - G705 # XSS via taint analysis.
+ - G706 # Log injection via taint analysis.
 custom:
 nilaway:
 type: module
diff --git a/.golangci.yml b/.golangci.yml
index 7023fba2a0..3681ff5bd0 100644
--- a/.golangci.yml
+++ b/.golangci.yml
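Review bot: G702 and G703 are excluded in the full lint (the `.golangci.yml` hunk of this commit) and are also missing from this `includes` list, so the taint-based command-injection and path-traversal checks run nowhere, not even on new code. As I understand the G7xx rules, they only report when a value reaches the sink from a recognised untrusted source, so on changed lines they should be far less noisy than G204/G304 were on the existing tree; adding `- G702 # Command injection via taint analysis.` and `- G703 # Path traversal via taint analysis.` to this list would keep that coverage for new code while leaving the full-lint exclusions as they are. The audit the comment cites has no pointer a later reader can follow; a line such as `# Audit: <ISSUE-OR-PR-LINK>` next to the version note would make the "false positives or safe patterns" claim checkable. As far as I recall the `includes` setting restricts gosec to exactly the listed rules, so anything left off this list is silently off in the incremental run.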
@@ -177,7 +177,22 @@ linters:
 - G104 # Errors unhandled. We are using errcheck linter instead of this rule.
 - G204 # Subprocess launched with variable. Some consider this rule to be too noisy.
 - G301 # Directory permissions 0750 as opposed to standard 0755. Consider enabling stricter permission in the future.
- - G304 # File path provided as taint input
+ - G304 # File path provided as taint input.
+ - G702 # Command injection via taint analysis (taint version of excluded G204).
+ - G703 # Path traversal via taint analysis (taint version of excluded G304).
+ # The following rules are excluded from the full lint but enabled in the incremental
+ # linter (.golangci-incremental.yml) so they only apply to new/changed code.
+ # Existing violations were audited during the v2.7.1 -> v2.11.3 upgrade.
+ - G101 # Potential hardcoded credentials.
+ - G115 # Integer overflow conversion.
+ - G117 # Marshaled struct field matches secret pattern.
+ - G118 # Goroutine uses context.Background/TODO while request-scoped context is available.
+ - G122 # Filesystem race in filepath.Walk/WalkDir callback.
+ - G202 # SQL string concatenation.
+ - G602 # Slice index out of range.
+ - G704 # SSRF via taint analysis.
+ - G705 # XSS via taint analysis.
+ - G706 # Log injection via taint analysis.
 config:
 G306: "0644"
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index b0726a2f7f..b67760c527 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -8,7 +8,7 @@ repos:
 hooks:
 - id: gitleaks
 - repo: https://github.com/golangci/golangci-lint
- rev: v2.7.1
+ rev: v2.11.3
 hooks:
 - id: golangci-lint
 - repo: https://github.com/jumanjihouse/pre-commit-hooks
diff --git a/docs/Contributing/getting-started/testing-and-local-development.md b/docs/Contributing/getting-started/testing-and-local-development.md
index 512831e948..debe254aed 100644
--- a/docs/Contributing/getting-started/testing-and-local-development.md
+++ b/docs/Contributing/getting-started/testing-and-local-development.md
@@ -73,7 +73,7 @@ Check out [`/tools/osquery` directory instructions](https://github.com/fleetdm/f
 You must install the [`golangci-lint`](https://golangci-lint.run/) command to run `make test[-go]` or `make lint[-go]`, using:
 ```sh
-go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@a4b55ebc3471c9fbb763fd56eefede8050f99887
+go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@6008b81b81c690c046ffc3fd5bce896da715d5fd
 ```
 This installs the version of `golangci-lint` used in our CI environment (currently 2.7.1). Make sure it is available in your `PATH`.
 To execute the basic unit and integration tests, run the following from the root of the repository:
diff --git a/server/service/mdm.go b/server/service/mdm.go
index fa8e3694c7..534dbff0c4 100644
--- a/server/service/mdm.go
+++ b/server/service/mdm.go
@@ -3171,7 +3171,7 @@ func (uploadMDMAppleAPNSCertRequest) DecodeRequest(ctx context.Context, r *http.
 }
 }

- if r.MultipartForm.File["certificate"] == nil || len(r.MultipartForm.File["certificate"]) == 0 {
+ if len(r.MultipartForm.File["certificate"]) == 0 {
 return nil, &fleet.BadRequestError{
 Message: "certificate multipart field is required",
 InternalErr: err,
diff --git a/server/service/software_installers.go b/server/service/software_installers.go
index 8feb6fc7f0..94fc118cef 100644
--- a/server/service/software_installers.go
+++ b/server/service/software_installers.go
@@ -299,7 +299,7 @@ func (uploadSoftwareInstallerRequest) DecodeRequest(ctx context.Context, r *http
 }
 }

- if r.MultipartForm.File["software"] == nil || len(r.MultipartForm.File["software"]) == 0 {
+ if len(r.MultipartForm.File["software"]) == 0 {
 return nil, &fleet.BadRequestError{
 Message: "software multipart field is required",
 InternalErr: err,
diff --git a/server/service/vpp.go b/server/service/vpp.go
index c79cd42120..e7ba558c3a 100644
--- a/server/service/vpp.go
+++ b/server/service/vpp.go
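Review bot: The `InternalErr: err,` two lines below the changed condition wraps an error that, as far as this hunk shows, must be nil on this path: the new `len(...) == 0` check is only reached after the earlier parse step succeeded, so the BadRequestError carries no internal detail and anything that inspects InternalErr gets nothing. Either drop the `InternalErr: err,` line or set it to a purpose-built error naming the missing multipart field. The simplification itself is sound, since indexing a missing key yields a nil slice whose len is 0. The same pattern appears in the software_installers.go hunk and in both vpp.go hunks. DecodeRequest begins before and continues after the hunk, so where `err` was last assigned is inferred rather than visible.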
@@ -205,7 +205,7 @@ func (uploadVPPTokenRequest) DecodeRequest(ctx context.Context, r *http.Request)
 }
 }

- if r.MultipartForm.File["token"] == nil || len(r.MultipartForm.File["token"]) == 0 {
+ if len(r.MultipartForm.File["token"]) == 0 {
 return nil, &fleet.BadRequestError{
 Message: "token multipart field is required",
 InternalErr: err,
@@ -272,7 +272,7 @@ func (patchVPPTokenRenewRequest) DecodeRequest(ctx context.Context, r *http.Requ
 }
 }

- if r.MultipartForm.File["token"] == nil || len(r.MultipartForm.File["token"]) == 0 {
+ if len(r.MultipartForm.File["token"]) == 0 {
 return nil, &fleet.BadRequestError{
 Message: "token multipart field is required",
 InternalErr: err,