diff --git a/linux/Dockerfile b/linux/Dockerfile
index 962902a..d720220 100644
--- a/linux/Dockerfile
+++ b/linux/Dockerfile
@@ -16,9 +16,26 @@ RUN --mount=type=cache,target=/go/pkg/mod \
 # Copy source & build
 COPY --link . .
 
+# Build binary:
+# -a: force rebuild
+# -installsuffix cgo: remove cgo support
+# -ldflags="-w -s": omits the DWARF symbol table, symbol table and debug information
+# -trimpath: remove all file system paths from the compiled executable
+# -o /bin/ryuk: output binary to /bin/ryuk
 RUN --mount=type=cache,target=/go/pkg/mod \
     --mount=type=cache,target=/root/.cache/go-build \
-    go build -ldflags '-s' -o /bin/ryuk
+    go build \
+    -a \
+    -installsuffix cgo \
+    -ldflags="-w -s" \
+    -trimpath \
+    -o /bin/ryuk .
+
+# Compress with UPX (trade-off: smaller size vs startup time)
+# Note: UPX is not available for s390x architecture
+RUN if [ "$(uname -m)" != "s390x" ]; then \
+        apk add --no-cache upx && upx --best --lzma /bin/ryuk; \
+    fi
 
 # -----------------
 # Certificates
diff --git a/windows/Dockerfile b/windows/Dockerfile
index 6dde78c..4c9e1c4 100644
--- a/windows/Dockerfile
+++ b/windows/Dockerfile
@@ -21,7 +21,15 @@ USER ContainerUser
 
 # Copy source & build
 COPY . .
-RUN go build -v -ldflags "-s" -o /bin/ryuk
+# Build binary:
+# -a: force rebuild
+# -installsuffix cgo: remove cgo support
+# -ldflags="-w -s": omits the DWARF symbol table, symbol table and debug information
+# -trimpath: remove all file system paths from the compiled executable
+# -o /bin/ryuk: output binary to /bin/ryuk
+RUN go build -a -installsuffix cgo -ldflags="-w -s" -trimpath -o /bin/ryuk .
+
+# Do not optimise with UPX on Windows, as nanoserver does not have PowerShell to install it
 
 # -----------------
 # Distributed Image