diff --git a/.github/workflows/security-review.yml b/.github/workflows/security-review.yml
index 4e5e710..02cc132 100644
--- a/.github/workflows/security-review.yml
+++ b/.github/workflows/security-review.yml
@@ -1,10 +1,16 @@
 # Claude Security Review
 #
+# Calls the org-wide reusable workflow from radius-workshop/.github.
+#
 # Requires the ANTHROPIC_API_KEY secret:
 # - Public repos: automatically available via org secret
 # - Private repos: add as a repo-level secret
 # (Settings > Secrets and variables > Actions > New repository secret)
 #
+# Quick setup:
+# mkdir -p .github/workflows && curl -o .github/workflows/security-review.yml \
+# https://raw.githubusercontent.com/radius-workshop/.github/main/docs/security-review-caller.yml
+#
 # For full setup instructions, see:
 # https://github.com/radius-workshop/.github/blob/main/docs/security-review-setup.md
 
@@ -14,37 +20,20 @@ on:
   pull_request:
     types: [opened, synchronize, reopened]
 
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-
 jobs:
   security-review:
-    runs-on: ubuntu-latest
+    # Grant the writes the reusable workflow needs to post findings.
+    # Required because a reusable workflow cannot elevate beyond the
+    # caller's permissions, and GitHub's default GITHUB_TOKEN permissions
+    # are read-only on newer orgs/repos. Without this block the job is
+    # rejected before it starts.
     permissions:
       contents: read
       pull-requests: write
       issues: write
       id-token: write
-    steps:
-      - uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-
-      - uses: actions/checkout@v6
-        with:
-          repository: radius-workshop/.github
-          path: .org-github
-          sparse-checkout: security
-
-      - uses: anthropics/claude-code-security-review@main
-        id: security-review
-        with:
-          claude-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
-          custom-security-scan-instructions: .org-github/security/custom-scan-instructions.txt
-          false-positive-filtering-instructions: .org-github/security/false-positive-filtering.txt
-
-      - name: Fail if vulnerabilities found
-        if: false # set to: steps.security-review.outputs.findings-count > 0
-        run: |
-          echo "Found ${{ steps.security-review.outputs.findings-count }} security findings"
-          exit 1
+    uses: radius-workshop/.github/.github/workflows/security-review.yml@main
+    with:
+      fail-on-findings: false # set to true to fail the build on findings
+    secrets:
+      ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
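Review bot: The new `uses: radius-workshop/.github/.github/workflows/security-review.yml@main` line references a mutable branch while handing that workflow `pull-requests: write`, `issues: write`, `id-token: write` and the ANTHROPIC_API_KEY secret, so anyone who can push to that repository's main branch can change what runs with those grants in every caller repo at once. Pin to an immutable ref and bump it deliberately, e.g. `uses: radius-workshop/.github/.github/workflows/security-review.yml@<full-commit-sha> # vX.Y.Z`; the direct `anthropics/claude-code-security-review@main` reference this hunk removes presumably now lives inside the reusable workflow and needs the same treatment there, which this diff does not show. Nothing in the hunk shows what `id-token: write` is used for; if the called workflow does not mint OIDC tokens, drop it from the caller so the grant stays minimal, and extend the comment block to say which permission the finding-posting step actually needs. The `on:` stanza begins above this hunk; the `jobs:` stanza is shown in full.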