diff --git a/Snaffler/SnaffRules/DefaultRules/FileRules/Keep/UserFiles/SSH/KeepSSHKeysByFileExtension.toml b/Snaffler/SnaffRules/DefaultRules/FileRules/Keep/UserFiles/SSH/KeepSSHKeysByFileExtension.toml
index e706fa98..013cd1ad 100644
--- a/Snaffler/SnaffRules/DefaultRules/FileRules/Keep/UserFiles/SSH/KeepSSHKeysByFileExtension.toml
+++ b/Snaffler/SnaffRules/DefaultRules/FileRules/Keep/UserFiles/SSH/KeepSSHKeysByFileExtension.toml
@@ -1,10 +1,11 @@
 [[ClassifierRules]]
 EnumerationScope = "FileEnumeration"
-RuleName = "KeepSSHKeysByFileExtension"
-MatchAction = "Snaffle"
-Description = "SSHKeys"
+RuleName = "RelayPPKForContentScan"
+MatchAction = "Relay"
+RelayTargets = ["KeepUnencryptedPPK"]
+Description = "PPK files are relayed to content scanning for unencrypted detection"
 MatchLocation = "FileExtension"
 WordListType = "Exact"
 MatchLength = 0
 WordList = ["\\.ppk"]
-Triage = "Black"
+Triage = "Green"
diff --git a/Snaffler/SnaffRules/DefaultRules/FileRules/Keep/UserFiles/SSH/KeepUnencryptedPPK.toml b/Snaffler/SnaffRules/DefaultRules/FileRules/Keep/UserFiles/SSH/KeepUnencryptedPPK.toml
new file mode 100644
index 00000000..53339345
--- /dev/null
+++ b/Snaffler/SnaffRules/DefaultRules/FileRules/Keep/UserFiles/SSH/KeepUnencryptedPPK.toml
@@ -0,0 +1,11 @@
+[[ClassifierRules]]
+EnumerationScope = "ContentsEnumeration"
+RuleName = "KeepUnencryptedPPK"
+MatchAction = "Snaffle"
+Description = "Unencrypted PPK files (contains 'Encryption: none')"
+MatchLocation = "FileContentAsString"
+WordListType = "Regex"
+MatchLength = 0
+WordList = ["Encryption:\\s*none"]
+Triage = "Black"
+
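Review bot: Passphrase-protected .ppk files appear to produce no finding at all after this change: the extension rule now only relays to `KeepUnencryptedPPK`, whose pattern matches `Encryption: none`, so a key whose header carries a cipher name is dropped from the report instead of being kept (previously every match was Triage Black). If that narrowing is deliberate, the Description should say so explicitly, e.g. `Description = "PPK files are relayed to content scanning; only unencrypted keys are reported"`; if not, a fallback content rule for the encrypted case at a lower triage (Yellow/Red) would preserve coverage, since an exposed key file is still worth reporting. The rule is also renamed to `RelayPPKForContentScan` while the file keeps its old name `KeepSSHKeysByFileExtension.toml`, which will mislead anyone searching the rule set by file name; renaming the file to match the RuleName would avoid that. Whether `Triage = "Green"` on a Relay rule is ever surfaced, or only the relay target's triage counts, is not visible here and worth confirming.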
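Review bot: The pattern `Encryption:\\s*none` is unanchored, so the same text appearing elsewhere in the file body (for instance inside the PPK `Comment:` field) would classify an encrypted key as unencrypted; anchoring it as `WordList = ["^Encryption:\\s*none\\s*$"]` ties the match to the header line, provided the regex engine behind `FileContentAsString` evaluates `^`/`$` per line — worth checking against the existing Regex rules before relying on it. The match is case-sensitive unless the engine adds an ignore-case option, which is acceptable for the header as PuTTY writes it but should be stated in the Description if intended. The file also ends with an extra empty line after `Triage = "Black"`; a single trailing newline is the TOML convention.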