diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..6350f0f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+test-data/
diff --git a/Dockerfile b/Dockerfile
index c6014e1..7c09acb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -44,7 +44,9 @@ RUN rm -rf /opt/hayabusa/rules
 RUN git clone --depth=1 https://github.com/Yamato-Security/hayabusa-rules.git /opt/hayabusa/rules
 
 # Stage 2: Final Image
-FROM ubuntu
+# Pin major.minor; bare 'ubuntu' floats and recent rollovers dropped libpcre3
+# in favour of libpcre2 which broke this build.
+FROM ubuntu:24.04
 
 # Copy only the necessary files from the builder stage
 COPY --from=builder /opt/hayabusa /opt/hayabusa
diff --git a/fetch-test-data.sh b/fetch-test-data.sh
new file mode 100755
index 0000000..70876c1
--- /dev/null
+++ b/fetch-test-data.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# Pull the upstream EVTX sample bundle (all from Yamato-Security's curated
+# repo, which itself wraps several public sample sets — see test-data/sample-evtx/README.md).
+set -e
+cd "$(dirname "$0")"
+mkdir -p test-data
+[ -d test-data/sample-evtx ] || \
+ git clone --depth=1 https://github.com/Yamato-Security/hayabusa-sample-evtx.git test-data/sample-evtx
+echo "ready: test-data/sample-evtx"
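Review bot: `FROM ubuntu:24.04` still resolves to whatever that tag points at on the day of the build, so the base image can change underneath the build in the same way the new comment describes for the bare tag, only less often. Pin the digest alongside the tag, `FROM ubuntu:24.04@sha256:<DIGEST_PLACEHOLDER>`, and bump it deliberately so the final image is reproducible and base-image changes show up as a reviewed diff. The context line `RUN git clone --depth=1 https://github.com/Yamato-Security/hayabusa-rules.git` in the builder stage has the same property, pulling the rules repo's default branch at build time with no ref or commit pinned; that is outside this change but worth the same treatment.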
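Review bot: The `git clone --depth=1 ... hayabusa-sample-evtx.git` line fetches the upstream default branch with no tag or commit pinned, so the EVTX fixtures the tests run against change silently between fetches and any upstream history rewrite flows straight into local test runs. Pin a known ref, e.g. `git clone --depth=1 --branch <TAG_PLACEHOLDER> https://github.com/Yamato-Security/hayabusa-sample-evtx.git test-data/sample-evtx`, and record which ref the tests were validated against. The `[ -d test-data/sample-evtx ] ||` guard on the line before also means an existing checkout is never refreshed, which is fine but deserves a comment such as `# an existing checkout is reused as-is; remove test-data/ to refetch`.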