diff --git a/docs/quick-tutorials/k8s-network-policies.mdx b/docs/quick-tutorials/k8s-network-policies.mdx
index 142dfcb73..926c7605a 100644
--- a/docs/quick-tutorials/k8s-network-policies.mdx
+++ b/docs/quick-tutorials/k8s-network-policies.mdx
@@ -236,9 +236,8 @@ If you've attached Otterize OSS to Otterize Cloud, go back to see the [access gr
 
 It's now clear what happened:
 1. The server is now protected, and is also blocking some of its clients. Click on it to see what to do about it.
-2. Calls from **[client]** are declared and therefore allowed (solid green line).
-3. Calls from **[client-other]** are not declared and therefore blocked (dashed red line). Click on the line to see what to do about it.
-4. By the way, the two clients themselves are unprotected -- though we don't detect any traffic to them, we cannot be certain they don't expose addressable endpoints.
+2. Calls from **[client]** are declared and therefore allowed (green line).
+3. Calls from **[client-other]** are not declared and therefore blocked (red line). Click on the line to see what to do about it.
 
 :::tip Done!
 Otterize did its job of both protecting the server *and* allowing intended access.
diff --git a/static/img/quick-tutorials/network-policies/base.png b/static/img/quick-tutorials/network-policies/base.png
index 80c6ec316..032341f3f 100644
Binary files a/static/img/quick-tutorials/network-policies/base.png and b/static/img/quick-tutorials/network-policies/base.png differ
diff --git a/static/img/quick-tutorials/network-policies/protected.png b/static/img/quick-tutorials/network-policies/protected.png
index 456085c89..1bd8bbf6e 100644
Binary files a/static/img/quick-tutorials/network-policies/protected.png and b/static/img/quick-tutorials/network-policies/protected.png differ