diff --git a/.bingo/Variables.mk b/.bingo/Variables.mk
index 4944836589..28ccf20c61 100644
--- a/.bingo/Variables.mk
+++ b/.bingo/Variables.mk
@@ -47,12 +47,6 @@ $(CRD_REF_DOCS): $(BINGO_DIR)/crd-ref-docs.mod
 	@echo "(re)installing $(GOBIN)/crd-ref-docs-v0.3.0"
 	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=crd-ref-docs.mod -o=$(GOBIN)/crd-ref-docs-v0.3.0 "github.com/elastic/crd-ref-docs"
 
-GOJQ := $(GOBIN)/gojq-v0.12.17
-$(GOJQ): $(BINGO_DIR)/gojq.mod
-	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
-	@echo "(re)installing $(GOBIN)/gojq-v0.12.17"
-	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=gojq.mod -o=$(GOBIN)/gojq-v0.12.17 "github.com/itchyny/gojq/cmd/gojq"
-
 GOLANGCI_LINT := $(GOBIN)/golangci-lint-v2.8.0
 $(GOLANGCI_LINT): $(BINGO_DIR)/golangci-lint.mod
 	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
diff --git a/.bingo/gojq.mod b/.bingo/gojq.mod
deleted file mode 100644
index 004aae3b13..0000000000
--- a/.bingo/gojq.mod
+++ /dev/null
@@ -1,5 +0,0 @@
-module _ // Auto generated by https://github.com/bwplotka/bingo. DO NOT EDIT
-
-go 1.24.4
-
-require github.com/itchyny/gojq v0.12.17 // cmd/gojq
diff --git a/.bingo/gojq.sum b/.bingo/gojq.sum
deleted file mode 100644
index e87b5b0e34..0000000000
--- a/.bingo/gojq.sum
+++ /dev/null
@@ -1,17 +0,0 @@
-github.com/itchyny/gojq v0.12.17 h1:8av8eGduDb5+rvEdaOO+zQUjA04MS0m3Ps8HiD+fceg=
-github.com/itchyny/gojq v0.12.17/go.mod h1:WBrEMkgAfAGO1LUcGOckBl5O726KPp+OlkKug0I/FEY=
-github.com/itchyny/timefmt-go v0.1.6 h1:ia3s54iciXDdzWzwaVKXZPbiXzxxnv1SPGFfM/myJ5Q=
-github.com/itchyny/timefmt-go v0.1.6/go.mod h1:RRDZYC5s9ErkjQvTvvU7keJjxUYzIISJGxm9/mAERQg=
-github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
-github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=
-github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
-github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
-github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
-github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
-golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
-golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
-gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/.bingo/variables.env b/.bingo/variables.env
index 783b778af8..58417ccf8d 100644
--- a/.bingo/variables.env
+++ b/.bingo/variables.env
@@ -18,8 +18,6 @@ CRD_DIFF="${GOBIN}/crd-diff-v0.5.1-0.20260309184313-54162f2e3097"
 
 CRD_REF_DOCS="${GOBIN}/crd-ref-docs-v0.3.0"
 
-GOJQ="${GOBIN}/gojq-v0.12.17"
-
 GOLANGCI_LINT="${GOBIN}/golangci-lint-v2.8.0"
 
 GORELEASER="${GOBIN}/goreleaser-v2.11.2"
diff --git a/Makefile b/Makefile
index d43cd96607..55580b4715 100644
--- a/Makefile
+++ b/Makefile
@@ -221,8 +221,8 @@ fmt: $(YAMLFMT) #EXHELP Formats code
 	$(YAMLFMT) -gitignore_excludes testdata
 
 .PHONY: update-tls-profiles
-update-tls-profiles: $(GOJQ) #EXHELP Update TLS profiles from the Mozilla wiki
-	env JQ=$(GOJQ) hack/tools/update-tls-profiles.sh
+update-tls-profiles: #EXHELP Update TLS profiles from the Mozilla wiki
+	hack/tools/update-tls-profiles.sh
 
 .PHONY: update-registryv1-bundle-schema
 update-registryv1-bundle-schema: #EXHELP Update registry+v1 bundle configuration JSON schema
diff --git a/hack/tools/update-tls-profiles.sh b/hack/tools/update-tls-profiles.sh
index 01618a3182..10a3e270c4 100755
--- a/hack/tools/update-tls-profiles.sh
+++ b/hack/tools/update-tls-profiles.sh
@@ -2,131 +2,10 @@
 
 set -e
 
-if [ -z "${JQ}" ]; then
-    echo "JQ not defined"
-    exit 1
-fi
-
-OUTPUT=internal/shared/util/tlsprofiles/mozilla_data.go
+OUTPUT=internal/shared/util/tlsprofiles/mozilla_data.json
 INPUT=https://ssl-config.mozilla.org/guidelines/latest.json
 
-TMPFILE="$(mktemp)"
-trap 'rm -rf "$TMPFILE"' EXIT
-
-if ! curl -L -s -f "${INPUT}" > "${TMPFILE}"; then
+if ! curl -L -s -f "${INPUT}" -o "${OUTPUT}"; then
     echo "ERROR: Failed to download ${INPUT} (HTTP error or connection failure)" >&2
     exit 1
 fi
-
-if ! ${JQ} empty "${TMPFILE}" 2>/dev/null; then
-    echo "ERROR: Downloaded data from ${INPUT} is not valid JSON" >&2
-    exit 1
-fi
-
-# Extract stored version from current output file (may be empty on first run)
-STORED_VERSION=$(grep '^// DATA VERSION:' "${OUTPUT}" 2>/dev/null | awk '{print $4}' || true)
-
-# Extract version from downloaded JSON and fail early if missing
-NEW_VERSION=$(${JQ} -r '.version' "${TMPFILE}")
-if [ -z "${NEW_VERSION}" ] || [ "${NEW_VERSION}" = "null" ]; then
-    echo "ERROR: Could not read .version from ${INPUT}" >&2
-    exit 1
-fi
-
-if [ "${NEW_VERSION}" = "${STORED_VERSION}" ]; then
-    echo "Mozilla TLS data is already at version ${NEW_VERSION}, skipping regeneration."
-    exit 0
-fi
-echo "Updating Mozilla TLS data from version ${STORED_VERSION:-unknown} to ${NEW_VERSION}"
-
-cat > "${OUTPUT}" <<EOF
-package tlsprofiles
-
-// DO NOT EDIT, GENERATED BY ${0}
-// DATA SOURCE: ${INPUT}
-// DATA VERSION: ${NEW_VERSION}
-
-import (
-"crypto/tls"
-)
-EOF
-
-function generate_profile {
-    local profile="${1}"
-
-    # Validate the profile key exists before writing any output
-    local exists
-    exists=$(${JQ} -r ".configurations | has(\"${profile}\")" "${TMPFILE}")
-    if [ "${exists}" != "true" ]; then
-        echo "ERROR: Profile '${profile}' not found in ${INPUT} (version ${NEW_VERSION})" >&2
-        echo "Available profiles: $(${JQ} -r '.configurations | keys | join(", ")' "${TMPFILE}")" >&2
-        exit 1
-    fi
-
-    # Validate tls_versions is a non-empty array with a non-null first entry
-    if ! ${JQ} -e ".configurations.${profile}.tls_versions | type == \"array\" and length > 0 and .[0] != null" "${TMPFILE}" >/dev/null; then
-        echo "ERROR: Missing or empty .configurations.${profile}.tls_versions[0] in ${INPUT}" >&2
-        exit 1
-    fi
-
-    # Validate that at least one cipher is present across ciphersuites and ciphers.iana
-    # (modern has only ciphersuites; intermediate has both; either alone is valid)
-    local cipher_count
-    cipher_count=$(${JQ} -r "
-        [
-            (.configurations.${profile}.ciphersuites // []),
-            (.configurations.${profile}.ciphers.iana // [])
-        ] | add | length" "${TMPFILE}")
-    if [ "${cipher_count}" -eq 0 ] 2>/dev/null; then
-        echo "ERROR: Profile '${profile}' has no ciphers in ciphersuites or ciphers.iana" >&2
-        exit 1
-    fi
-
-    # Validate tls_curves is non-empty
-    local curve_count
-    curve_count=$(${JQ} -r ".configurations.${profile}.tls_curves | length" "${TMPFILE}")
-    if [ "${curve_count}" -eq 0 ] 2>/dev/null; then
-        echo "ERROR: Profile '${profile}' has no entries in tls_curves" >&2
-        exit 1
-    fi
-
-    cat >> "${OUTPUT}" <<EOF
-
-var ${profile}TLSProfile = tlsProfile{
-ciphers: cipherSlice{
-cipherNums: []uint16{
-EOF
-
-    ${JQ} -r "(.configurations.${profile}.ciphersuites // [])[] | . |= \"tls.\" + . + \",\"" "${TMPFILE}" >> "${OUTPUT}"
-    ${JQ} -r "(.configurations.${profile}.ciphers.iana // [])[] | . |= \"tls.\" + . + \",\"" "${TMPFILE}" >> "${OUTPUT}"
-
-    cat >> "${OUTPUT}" <<EOF
-},
-},
-curves: curveSlice{
-curveNums: []tls.CurveID{
-EOF
-
-    ${JQ} -r ".configurations.${profile}.tls_curves[] | . |= . + \",\"" "${TMPFILE}" >> "${OUTPUT}"
-
-    version=$(${JQ} -r ".configurations.${profile}.tls_versions[0]" "${TMPFILE}")
-    version=${version/TLSv1./tls.VersionTLS1}
-    version=${version/TLSv1/tls.VersionTLS10}
-
-    cat >> "${OUTPUT}" <<EOF
-},
-},
-minTLSVersion: ${version},
-}
-EOF
-}
-
-generate_profile "modern"
-generate_profile "intermediate"
-
-# Remove unsupported ciphers from Go's crypto/tls package
-sed -i.bak '/TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384/d; /TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384/d; /TLS_RSA_WITH_AES_256_CBC_SHA256/d' "${OUTPUT}"
-rm -f "${OUTPUT}.bak"
-
-# Make go happy
-go fmt "${OUTPUT}"
diff --git a/internal/shared/util/tlsprofiles/mozilla_data.go b/internal/shared/util/tlsprofiles/mozilla_data.go
index 43789b7e8e..8b513172b4 100644
--- a/internal/shared/util/tlsprofiles/mozilla_data.go
+++ b/internal/shared/util/tlsprofiles/mozilla_data.go
@@ -1,53 +1,104 @@
 package tlsprofiles
 
-// DO NOT EDIT, GENERATED BY hack/tools/update-tls-profiles.sh
-// DATA SOURCE: https://ssl-config.mozilla.org/guidelines/latest.json
-// DATA VERSION: 6
+// This file embeds the Mozilla SSL/TLS Configuration Guidelines JSON and parses
+// it at init() time to populate the modern and intermediate TLS profiles.
+// Run `make update-tls-profiles` to refresh mozilla_data.json from the upstream spec.
 
 import (
 	"crypto/tls"
+	_ "embed"
+	"encoding/json"
+	"fmt"
 )
 
-var modernTLSProfile = tlsProfile{
-	ciphers: cipherSlice{
-		cipherNums: []uint16{
-			tls.TLS_AES_128_GCM_SHA256,
-			tls.TLS_AES_256_GCM_SHA384,
-			tls.TLS_CHACHA20_POLY1305_SHA256,
-		},
-	},
-	curves: curveSlice{
-		curveNums: []tls.CurveID{
-			X25519MLKEM768,
-			X25519,
-			prime256v1,
-			secp384r1,
-		},
-	},
-	minTLSVersion: tls.VersionTLS13,
+//go:embed mozilla_data.json
+var mozillaDataJSON []byte
+
+// skippedCiphers records cipher names from mozilla_data.json that are not
+// supported by Go's crypto/tls and were omitted from the profiles.
+var skippedCiphers []string
+
+// skippedCurves records curve names from mozilla_data.json that are not
+// supported by Go's crypto/tls and were omitted from the profiles.
+var skippedCurves []string
+
+var (
+	modernTLSProfile       tlsProfile
+	intermediateTLSProfile tlsProfile
+)
+
+type mozillaConfiguration struct {
+	Ciphersuites []string `json:"ciphersuites"`
+	Ciphers      struct {
+		IANA []string `json:"iana"`
+	} `json:"ciphers"`
+	TLSCurves   []string `json:"tls_curves"`
+	TLSVersions []string `json:"tls_versions"`
+}
+
+type mozillaSpec struct {
+	Configurations map[string]mozillaConfiguration `json:"configurations"`
+}
+
+func init() {
+	var spec mozillaSpec
+	if err := json.Unmarshal(mozillaDataJSON, &spec); err != nil {
+		panic(fmt.Sprintf("tlsprofiles: failed to parse embedded mozilla_data.json: %v", err))
+	}
+
+	for _, name := range []string{"modern", "intermediate"} {
+		cfg, ok := spec.Configurations[name]
+		if !ok {
+			panic(fmt.Sprintf("tlsprofiles: profile %q not found in embedded mozilla_data.json", name))
+		}
+
+		p, ciphers, curves := parseProfile(name, cfg)
+		skippedCiphers = append(skippedCiphers, ciphers...)
+		skippedCurves = append(skippedCurves, curves...)
+
+		switch name {
+		case "modern":
+			modernTLSProfile = p
+		case "intermediate":
+			intermediateTLSProfile = p
+		}
+	}
 }
 
-var intermediateTLSProfile = tlsProfile{
-	ciphers: cipherSlice{
-		cipherNums: []uint16{
-			tls.TLS_AES_128_GCM_SHA256,
-			tls.TLS_AES_256_GCM_SHA384,
-			tls.TLS_CHACHA20_POLY1305_SHA256,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
-			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
-		},
-	},
-	curves: curveSlice{
-		curveNums: []tls.CurveID{
-			X25519MLKEM768,
-			X25519,
-			prime256v1,
-			secp384r1,
-		},
-	},
-	minTLSVersion: tls.VersionTLS12,
+func parseProfile(name string, cfg mozillaConfiguration) (tlsProfile, []string, []string) {
+	var skippedC, skippedK []string
+	var cipherNums []uint16
+	for _, c := range append(cfg.Ciphersuites, cfg.Ciphers.IANA...) {
+		id := cipherSuiteId(c)
+		if id == 0 {
+			skippedC = append(skippedC, c)
+			continue
+		}
+		cipherNums = append(cipherNums, id)
+	}
+
+	var curveNums []tls.CurveID
+	for _, c := range cfg.TLSCurves {
+		id := curveId(c)
+		if id == 0 {
+			skippedK = append(skippedK, c)
+			continue
+		}
+		curveNums = append(curveNums, id)
+	}
+
+	if len(cfg.TLSVersions) == 0 {
+		panic(fmt.Sprintf("tlsprofiles: profile %q has no tls_versions in embedded mozilla_data.json", name))
+	}
+
+	var version tlsVersion
+	if err := version.Set(cfg.TLSVersions[0]); err != nil {
+		panic(fmt.Sprintf("tlsprofiles: profile %q has unrecognized tls_versions[0] %q: %v", name, cfg.TLSVersions[0], err))
+	}
+
+	return tlsProfile{
+		ciphers:       cipherSlice{cipherNums: cipherNums},
+		curves:        curveSlice{curveNums: curveNums},
+		minTLSVersion: version,
+	}, skippedC, skippedK
 }
diff --git a/internal/shared/util/tlsprofiles/mozilla_data.json b/internal/shared/util/tlsprofiles/mozilla_data.json
new file mode 100644
index 0000000000..eee17a0c57
--- /dev/null
+++ b/internal/shared/util/tlsprofiles/mozilla_data.json
@@ -0,0 +1,70 @@
+{
+    "version": 6.0,
+    "href": "https://ssl-config.mozilla.org/guidelines/6.0.json",
+    "configurations": {
+        "modern": {
+            "certificate_curves": ["prime256v1", "secp384r1"],
+            "certificate_signatures": ["ecdsa-with-SHA256", "ecdsa-with-SHA384", "ecdsa-with-SHA512"],
+            "certificate_types": ["ecdsa"],
+            "ciphers": {
+                "iana": [],
+                "openssl": []
+            },
+            "ciphersuites": [
+                "TLS_AES_128_GCM_SHA256",
+                "TLS_AES_256_GCM_SHA384",
+                "TLS_CHACHA20_POLY1305_SHA256"
+            ],
+            "dh_param_size": null,
+            "ecdh_param_size": 256,
+            "hsts_min_age": 63072000,
+            "maximum_certificate_lifespan": 90,
+            "ocsp_staple": true,
+            "oldest_clients": ["Firefox 63", "Android 10.0", "Chrome 70", "Edge 75", "Java 11", "OpenSSL 1.1.1", "Opera 57", "Safari 12.1"],
+            "recommended_certificate_lifespan": 90,
+            "rsa_key_size": null,
+            "server_preferred_order": false,
+            "tls_curves": ["X25519MLKEM768", "X25519", "prime256v1", "secp384r1"],
+            "tls_versions": ["TLSv1.3"]
+        },
+        "intermediate": {
+            "certificate_curves": ["prime256v1", "secp384r1"],
+            "certificate_signatures": ["sha256WithRSAEncryption", "ecdsa-with-SHA256", "ecdsa-with-SHA384", "ecdsa-with-SHA512"],
+            "certificate_types": ["ecdsa", "rsa"],
+            "ciphers": {
+                "iana": [
+                    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+                    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+                    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+                    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+                    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+                    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
+                ],
+                "openssl": [
+                    "ECDHE-ECDSA-AES128-GCM-SHA256",
+                    "ECDHE-RSA-AES128-GCM-SHA256",
+                    "ECDHE-ECDSA-AES256-GCM-SHA384",
+                    "ECDHE-RSA-AES256-GCM-SHA384",
+                    "ECDHE-ECDSA-CHACHA20-POLY1305",
+                    "ECDHE-RSA-CHACHA20-POLY1305"
+                ]
+            },
+            "ciphersuites": [
+                "TLS_AES_128_GCM_SHA256",
+                "TLS_AES_256_GCM_SHA384",
+                "TLS_CHACHA20_POLY1305_SHA256"
+            ],
+            "dh_param_size": 2048,
+            "ecdh_param_size": 256,
+            "hsts_min_age": 63072000,
+            "maximum_certificate_lifespan": 366,
+            "ocsp_staple": true,
+            "oldest_clients": ["Firefox 31.3.0", "Android 4.4.2", "Chrome 49", "Edge 15 on Windows 10", "IE 11 on Windows 10", "Java 8u161", "OpenSSL 1.0.1l", "Opera 20", "Safari 9"],
+            "recommended_certificate_lifespan": 90,
+            "rsa_key_size": 2048,
+            "server_preferred_order": false,
+            "tls_curves": ["X25519MLKEM768", "X25519", "prime256v1", "secp384r1"],
+            "tls_versions": ["TLSv1.2", "TLSv1.3"]
+        }
+    }
+}
diff --git a/internal/shared/util/tlsprofiles/tlsprofiles_test.go b/internal/shared/util/tlsprofiles/tlsprofiles_test.go
index e779842834..9c8075f4b0 100644
--- a/internal/shared/util/tlsprofiles/tlsprofiles_test.go
+++ b/internal/shared/util/tlsprofiles/tlsprofiles_test.go
@@ -166,3 +166,21 @@ func TestProfilesMapCompleteness(t *testing.T) {
 	_, err := findTLSProfile(tlsProfileName("does-not-exist"))
 	require.Error(t, err, "looking up a non-existent profile must return an error")
 }
+
+// TestNoSkippedCiphers verifies that all ciphers in mozilla_data.json are
+// supported by Go's crypto/tls. If this fails, the JSON contains a cipher that
+// needs to be handled — either it has been added to Go's crypto/tls, or it must
+// be explicitly excluded from the profiles.
+func TestNoSkippedCiphers(t *testing.T) {
+	require.Empty(t, skippedCiphers,
+		"cipher(s) in mozilla_data.json are not supported by Go's crypto/tls and were omitted: %v", skippedCiphers)
+}
+
+// TestNoSkippedCurves verifies that all curves in mozilla_data.json are
+// supported by Go's crypto/tls. If this fails, the JSON contains a curve that
+// needs to be handled — either it has been added to Go's crypto/tls, or it must
+// be explicitly excluded from the profiles.
+func TestNoSkippedCurves(t *testing.T) {
+	require.Empty(t, skippedCurves,
+		"curve(s) in mozilla_data.json are not supported by Go's crypto/tls and were omitted: %v", skippedCurves)
+}