diff --git a/README.md b/README.md index eeb9cdc3..575ddd7f 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,8 @@ # Kinvolk Seccomp Agent The Kinvolk Seccomp Agent is receiving seccomp file descriptors from container runtimes and handling system calls on behalf of the containers. -Its goal is to support different use cases: -- unprivileged container builds (procfs mounts with masked entries) -- support of safe mknod (e.g. /dev/null) + +See the [different use cases](docs/usecases.md) It is possible to write your own seccomp agent with a different behaviour by reusing the packages in the `pkg/` directory. The Kinvolk Seccomp Agent is only about 100 lines of code. It relies on different packages: diff --git a/docs/usecases.md b/docs/usecases.md new file mode 100644 index 00000000..0cad89e9 --- /dev/null +++ b/docs/usecases.md 
@@ -0,0 +1,44 @@ +--- +title: Use cases +weight: 10 +description: > + Use cases for the Seccomp Agent. +--- + +There are several possible use cases for the Seccomp Agent. Not all of them are +implemented. + +## Mounting procfs in unprivileged containers + +- unprivileged container builds (procfs mounts with masked entries) + +## Support for a subset of device mknod + +A VPN container might need `/dev/net/tun` but cannot create the device without +`CAP_MKNOD`. Giving this capability to the container could be risky: the +container would be able to abuse the mknod call to get access to disks such as +`/dev/sda`. + +The alternative could be to keep the container without `CAP_MKNOD` and add a +seccomp filter on `mknod` to let the Seccomp Agent run `mknod()` on behalf of +the container, + +## Userspace emulation of idmapped mounts + +When running containers in a user namespace, the files in volumes could appear +to have wrong ownership. This could be fixed with shiftfs or the idmapped mount +patch set. But without that + +See: +https://github.com/rootless-containers/subuidless + +## Accelerator for slirp4netns + +When using slirp4netns as a networking solution for rootless containers, the +performance impact can be big. However, by capturing the `connect` call and +handling it in the seccomp agent, we avoid the performance impact: the network +traffic is no longer routed through a userspace process. + +See: +https://github.com/rootless-containers/bypass4netns +
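Review bot: In the README hunk, the replacement line `+See the [different use cases](docs/usecases.md)` drops the two concrete bullets (unprivileged procfs mounts with masked entries, safe mknod of e.g. `/dev/null`) without a sentence to stand in for them, and the line is missing its terminating period. Suggest keeping a one-line summary in the README so readers know what the agent does before following the link, e.g. `+Its goal is to support several use cases (unprivileged procfs mounts, a safe subset of mknod, and others); see the [use cases](docs/usecases.md).`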
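Review bot: The new docs/usecases.md has two sentences left unfinished and one security caveat missing. `+the container,` (end of the mknod section) ends on a comma and `+patch set. But without that` stops mid-sentence; both should be completed or the dangling fragments removed before merge. The mknod section also states the risk (a container with `CAP_MKNOD` could create `/dev/sda`) but not the condition that makes the agent-based alternative safe: the agent must check the requested device type and major/minor numbers against an explicit allowlist (e.g. only `/dev/net/tun`) before calling `mknod()`, otherwise the filter merely relocates the same capability into the agent. Finally, the intro says "Not all of them are implemented" but does not mark which sections are implemented and which are proposals; a short status line per section would help readers.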