diff --git a/services/detect-decay/.dockerignore b/services/detect-decay/.dockerignore
index 4416d432c..be4dfaf02 100644
--- a/services/detect-decay/.dockerignore
+++ b/services/detect-decay/.dockerignore
@@ -1,5 +1,4 @@
 **/*.env
 Dockerfile
 .venv
-tests
-cloudbuild.yaml
\ No newline at end of file
+cloudbuild.yaml
diff --git a/services/detect-decay/Dockerfile b/services/detect-decay/Dockerfile
index a34111237..49eb32fbe 100644
--- a/services/detect-decay/Dockerfile
+++ b/services/detect-decay/Dockerfile
@@ -1,8 +1,12 @@
-FROM python:3.14.2-alpine AS python-builder
-
+FROM python:3.14.2-alpine AS base
 ENV PYTHONUNBUFFERED 1
 ENV PYTHONDONTWRITEBYTECODE 1
 ENV DEBIAN_FRONTEND noninteractive
+
+#===============================================================================================
+
+FROM base AS python-builder
+
 WORKDIR /working/install
 RUN apk add --no-cache \
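Review bot: `FROM python:3.14.2-alpine AS base` now feeds every stage, including the one that gets pushed, yet it is pinned only by a mutable tag, so a re-published tag changes the production image without any change in this repository. Pinning the digest alongside the tag keeps builds reproducible and makes base-image updates reviewable: `FROM python:3.14.2-alpine@sha256:<digest-of-the-reviewed-image> AS base`. While this block is being touched, the context `ENV` lines could move to the `key=value` form (`ENV PYTHONUNBUFFERED=1`), and `DEBIAN_FRONTEND` has no effect on an Alpine base, so it can probably be dropped rather than inherited by the runtime stages.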
@@ -13,27 +17,35 @@ RUN apk add --no-cache \
 build-base \
 python3-dev
-COPY requirements.txt /requirements.txt
+COPY requirements.txt ./requirements.txt
 # Install python requirements to /working/install directory for cleaner copy
-RUN pip3 install --prefix=/working/install -r /requirements.txt
+RUN pip3 install --prefix=/working/install -r ./requirements.txt
-#===============================================================================================
 #===============================================================================================
-FROM python:3.14.2-alpine
+FROM base AS production
-ENV PYTHONUNBUFFERED 1
-ENV PYTHONDONTWRITEBYTECODE 1
-ENV DEBIAN_FRONTEND noninteractive
 WORKDIR /decay
+# Copy installed python modules
 COPY --from=python-builder /working/install/lib /usr/local/lib
 # Copy local source code
-COPY detect_decay.py ./
-COPY config.py ./
+COPY detect_decay.py config.py ./
 COPY notify /decay/notify
 RUN adduser -D decay
 USER decay
 CMD ["python3", "detect_decay.py"]
+
+#===============================================================================================
+
+FROM production AS test
+
+# Copy test files (which were excluded from production)
+COPY . .
+USER decay
+
+#===============================================================================================
+
+FROM production AS final
diff --git a/services/detect-decay/cloudbuild.yaml b/services/detect-decay/cloudbuild.yaml
index 51a46df3a..23c402fa3 100644
--- a/services/detect-decay/cloudbuild.yaml
+++ b/services/detect-decay/cloudbuild.yaml
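Review bot: The `test` stage's `COPY . .` puts the whole build context (everything `.dockerignore` does not exclude) into a layer, and the only thing keeping that out of the pushed image is that `final` happens to be the last stage, because the `build-production-image` step in cloudbuild.yaml runs `docker build -t $image .` with no target. Naming the target there, `docker build --target=final -t $image .`, keeps a later stage reorder or an appended stage from silently changing what is published. In the `test` stage itself, `USER decay` repeats what `production` already sets, and `COPY` without `--chown` leaves the files owned by root under a root-created `/decay`, so pytest will probably be unable to write `.pytest_cache` there. If the tests need a writable tree, `COPY --chown=decay:decay . .` covers it; otherwise a comment saying the read-only tree is intentional would help.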
@@ -1,61 +1,66 @@ steps: - - name: "gcr.io/cloud-builders/docker" + - name: 'docker:29' id: start_testdb - entrypoint: /bin/sh + entrypoint: 'ash' args: [ - "-c", - "docker run --net cloudbuild --name arangodb -e ARANGO_NO_AUTH=1 -d -p 127.0.0.1:8529:8529 arangodb/arangodb:3.12.1", + '-c', + 'docker run --net cloudbuild --name arangodb -e ARANGO_NO_AUTH=1 -d -p 127.0.0.1:8529:8529 arangodb/arangodb:3.12.1', ] - + - name: mikewilliamson/wait-for id: wait_testdb - args: ["arangodb:8529"] + args: ['arangodb:8529'] + + - name: 'docker:29' + id: build-test-image + dir: services/detect-decay + args: ['build', '--target=test', '-t', 'test-image', '.'] - - name: "northamerica-northeast1-docker.pkg.dev/track-compliance/tracker/ci" - id: test-results + - name: 'test-image' + id: run-tests dir: services/detect-decay - entrypoint: /bin/sh - args: ["-c", "pip3 install -r requirements.txt && python3 -m pytest"] + entrypoint: 'python3' + args: [ '-m', 'pytest', '-v' ] env: - - DB_URL=http://arangodb:8529 - - DB_USER=root - - DB_PASS=test - - DB_NAME=track_dmarc - - DETECT_DECAY_START_HOUR=$_DETECT_DECAY_START_HOUR - - DETECT_DECAY_START_MINUTE=$_DETECT_DECAY_START_MINUTE - - DETECT_DECAY_MINIMUM_SCANS=$_DETECT_DECAY_MINIMUM_SCANS - - NOTIFICATION_API_KEY=$_NOTIFICATION_API_KEY - - NOTIFICATION_API_URL=$_NOTIFICATION_API_URL - - DETECT_DECAY_EMAIL_TEMPLATE_ID=$_DETECT_DECAY_EMAIL_TEMPLATE_ID - - - name: "gcr.io/cloud-builders/docker" + - 'DB_URL=http://arangodb:8529' + - 'DB_USER=root' + - 'DB_PASS=test' + - 'DB_NAME=track_dmarc' + - 'DETECT_DECAY_START_HOUR=$_DETECT_DECAY_START_HOUR' + - 'DETECT_DECAY_START_MINUTE=$_DETECT_DECAY_START_MINUTE' + - 'DETECT_DECAY_MINIMUM_SCANS=$_DETECT_DECAY_MINIMUM_SCANS' + - 'NOTIFICATION_API_KEY=$_NOTIFICATION_API_KEY' + - 'NOTIFICATION_API_URL=$_NOTIFICATION_API_URL' + - 'DETECT_DECAY_EMAIL_TEMPLATE_ID=$_DETECT_DECAY_EMAIL_TEMPLATE_ID' + + - name: 'docker:29' id: generate-image-name - entrypoint: "bash" + entrypoint: 'ash' dir: 
services/detect-decay args: - - "-c" + - '-c' - | - echo "northamerica-northeast1-docker.pkg.dev/track-compliance/tracker/services/detect-decay:$(echo $BRANCH_NAME | sed 's/[^a-zA-Z0-9]/-/g')-$SHORT_SHA-$(date +%s)" > /workspace/imagename - - - name: "gcr.io/cloud-builders/docker" - id: build-results - entrypoint: "bash" + echo 'northamerica-northeast1-docker.pkg.dev/track-compliance/tracker/services/detect-decay:'"$(echo $BRANCH_NAME | sed 's/[^a-zA-Z0-9]/-/g')-$SHORT_SHA-$(date +%s)" > /workspace/imagename + + - name: 'docker:29' + id: build-production-image + entrypoint: 'ash' dir: services/detect-decay args: - - "-c" + - '-c' - | image=$(cat /workspace/imagename) docker build -t $image . - - name: "gcr.io/cloud-builders/docker" + - name: 'docker:29' id: push-results-if-master - entrypoint: "bash" + entrypoint: 'ash' dir: services/detect-decay args: - - "-c" + - '-c' - | - if [[ "$BRANCH_NAME" == "master" ]] + if [[ '$BRANCH_NAME' == 'master' ]] then image=$(cat /workspace/imagename) docker push $image
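Review bot: `$BRANCH_NAME` is substituted into the `ash -c` script text by Cloud Build before the shell parses it, both in `generate-image-name` (`$(echo $BRANCH_NAME | sed …)`) and in the `push-results-if-master` test `[[ '$BRANCH_NAME' == 'master' ]]`, so a branch name containing quotes or other shell metacharacters is interpreted as script rather than data; the switch to single quotes narrows that but does not remove it. Pass the value through the step environment and let the shell expand it: add `env: ['BRANCH_NAME=$BRANCH_NAME']` to both steps and reference `"$$BRANCH_NAME"`, e.g. `if [ "$$BRANCH_NAME" = "master" ]`, which also stops relying on `[[` now that the entrypoint is `ash` rather than `bash`. Separately, `NOTIFICATION_API_KEY=$_NOTIFICATION_API_KEY` reaches the `run-tests` step as a plain substitution, which is recorded with the build; if the tests need a real key, `secretEnv` backed by Secret Manager would be the safer route.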