diff --git a/docs/configuration/split-ssh.md b/docs/configuration/split-ssh.md
index 9b8f7a3..59c281d 100644
--- a/docs/configuration/split-ssh.md
+++ b/docs/configuration/split-ssh.md
@@ -368,6 +368,13 @@ Depending on your threat model you can:
 * Add an additional security layer by adding a second encryption layer (e.g. VeraCrypt, \*.7z with password)
 * Upload the \*.kdbx to an end-to-end-encrypted email box (e.g. Tutanota, ProtonMail)
 
+## Security Benefits
+
+In the setup described in this guide, even an attacker who manages to gain access to the `ssh-client`  VM will not be able to obtain the user’s private key since it is simply not there. 
+Rather, the private key remains in the `vault` VM, which is extremely unlikely to be compromised, if nothing is ever copied or transferred into it. 
+In order to gain access to the vault VM, the attacker would require the use of, e.g., a general Xen VM escape exploit or a signed, compromised package which is already installed in the TemplateVM upon which the vault VM is based.
+
+
 Want more Qubes split magic?
 Check out [Split-GPG][Split-GPG].