diff --git a/README.md b/README.md index 811b6da..aa4229d 100644 --- a/README.md +++ b/README.md 
@@ -10,6 +10,55 @@ I've created a comprehensive Bash script to help clean up a CyberPanel server in 7. **Security Scanning**: Installs and runs `chkrootkit` and `rkhunter` 8. **File Tracking**: Creates a list of recently modified files +## I'll update the script to include checks for suspicious system users, especially those with sudo access. I'll add a function to scan and report on potentially malicious user accounts. + +I've added a comprehensive `check_suspicious_users()` function that does several important checks: + +### Suspicious User Checks +1. **UID 0 Users**: + - Identifies any users with root-level privileges other than the default root user + - These could be backdoor accounts created by attackers + +2. **Sudo Access Scan**: + - Lists all users with sudo privileges + - Helps identify any unauthorized users with elevated system access + +3. **Non-Standard Shell Access**: + - Finds users with non-standard shells + - Unusual shells can be a sign of malicious user creation + +4. **Recently Added Users**: + - Identifies users created within the last 30 days + - Helps spot recently added potentially malicious accounts + +5. **SSH Key Inspection**: + - Checks SSH authorized_keys for all users and root + - Reveals any unauthorized SSH access methods + +### Output +The function generates a detailed report at `/root/suspicious_users_report.txt` that includes: +- UID 0 users +- Users with sudo access +- Users with non-standard shells +- Recently added users +- SSH authorized keys for all users + +### Recommended Next Steps +After running the script: +1. Carefully review the `/root/suspicious_users_report.txt` +2. Investigate any suspicious users or SSH keys +3. Remove or lock any unauthorized accounts +4. Regenerate SSH keys for legitimate users +5. 
Audit sudo access and remove unnecessary privileges + +### Security Recommendations +- Regularly audit user accounts +- Use strong password policies +- Implement two-factor authentication +- Use tools like `fail2ban` to prevent brute-force attacks +- Keep your system updated with the latest security patches + + ### Usage Instructions 1. Save the script to a file (e.g., `kinsing_cleanup.sh`) 2. Make it executable: `chmod +x kinsing_cleanup.sh`
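Review bot: The new H2 heading ("## I'll update the script to include checks for suspicious system users...") is a first-person narrative sentence rather than a section title, and the paragraph that follows ("I've added a comprehensive `check_suspicious_users()` function...") reads as a change note; in a README these should become a descriptive heading such as "## Suspicious User Checks" with the sub-bullets under it, and the narration dropped. Two documentation points on the same hunk: the patch only touches README.md, so the `check_suspicious_users()` function and the `/root/suspicious_users_report.txt` report it describes are not part of this change and the script diff should be included (or the README should not claim the checks exist until it is); and the "Recently Added Users: Identifies users created within the last 30 days" bullet should state how creation time is determined, since `/etc/passwd` records no creation timestamp, so readers know what the check actually relies on.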