diff --git a/release/start-secured-cluster/action.yml b/release/start-secured-cluster/action.yml
index 74c88b3..5ef433d 100644
--- a/release/start-secured-cluster/action.yml
+++ b/release/start-secured-cluster/action.yml
@@ -60,6 +60,9 @@ runs:
 STACKROX_DIR: ${{ github.workspace }}
 COMMON_DIR: ${{ github.workspace }}/deploy/common
 SECURED_CLUSTER_AUTO_LOCK_PROCESS_BASELINES: "true"
+ SFA_AGENT: "true"
+ SENSOR_HELM_DEPLOY: "true"
+ ROX_DEPLOY_SENSOR_WITH_CRS: "false"
 ROX_NETFLOW_BATCHING: "true"
 ROX_NETFLOW_CACHE_LIMITING: "true"
 run: |
diff --git a/release/start-secured-cluster/start-secured-cluster.sh b/release/start-secured-cluster/start-secured-cluster.sh
index 3b1ca76..9fa467a 100755
--- a/release/start-secured-cluster/start-secured-cluster.sh
+++ b/release/start-secured-cluster/start-secured-cluster.sh
@@ -19,7 +19,26 @@ else echo "Using ACS pre-4.11 secured cluster setup (version: ${version_major_minor})" fi +# Create namespace and image pull secrets BEFORE running sensor.sh +kubectl create namespace stackrox || true + +kubectl -n stackrox create secret docker-registry stackrox \ + --docker-server=quay.io \ + --docker-username="${REGISTRY_USERNAME}" \ + --docker-password="${REGISTRY_PASSWORD}" || true + +kubectl -n stackrox create secret docker-registry secured-cluster-services-main \ + --docker-server=quay.io \ + --docker-username="${REGISTRY_USERNAME}" \ + --docker-password="${REGISTRY_PASSWORD}" || true + +kubectl -n stackrox create secret docker-registry secured-cluster-services-collector \ + --docker-server=quay.io \ + --docker-username="${REGISTRY_USERNAME}" \ + --docker-password="${REGISTRY_PASSWORD}" || true + "${STACKROX_DIR}/deploy/k8s/sensor.sh" + kubectl -n stackrox create secret generic access-rhacs \ --from-literal="username=${ROX_ADMIN_USERNAME}" \ --from-literal="password=${ROX_ADMIN_PASSWORD}" \ 
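Review bot: The three added flags carry no comment, although two of them appear coupled to the script changed in the same commit: `SFA_AGENT` presumably makes the collector DaemonSet carry the `fact` container that start-secured-cluster.sh patches with `-c fact`, and the script now reads `REGISTRY_USERNAME`/`REGISTRY_PASSWORD`, which are not among the env lines visible in this hunk. The `env:` block starts above the hunk, so the registry variables may already be defined there; this is worth confirming, because a missing value would be hidden by the `|| true` on the secret creation. I would add a comment above the new lines such as `# SFA_AGENT: required by the "set env ... -c fact" step in start-secured-cluster.sh`, plus one line saying why `ROX_DEPLOY_SENSOR_WITH_CRS` is forced to `"false"` here.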
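Review bot: The `|| true` on the namespace and on the three `create secret docker-registry` calls in start-secured-cluster.sh hides every failure, not only "already exists": empty or wrong `REGISTRY_*` values, an RBAC denial or an unreachable API server all pass silently, and sensor.sh then starts pods that fail later with image pull errors. It also leaves a pre-existing secret untouched, so rotated credentials never reach a reused cluster. Rendering each object with `--dry-run=client -o yaml` and piping it to `kubectl apply -f -` keeps the step idempotent without discarding errors, and a loop removes the triple copy; whether the script runs with `set -e`/`pipefail` is outside the hunk, so confirm that before relying on the pipe's exit status. The password still travels on kubectl's command line, where it is visible in the runner's process list and in any `set -x` trace.

```shell
# Fail early instead of creating pull secrets with empty credentials.
: "${REGISTRY_USERNAME:?REGISTRY_USERNAME must be set}"
: "${REGISTRY_PASSWORD:?REGISTRY_PASSWORD must be set}"

# Create namespace and image pull secrets BEFORE running sensor.sh
kubectl create namespace stackrox --dry-run=client -o yaml | kubectl apply -f -

for pull_secret in stackrox secured-cluster-services-main secured-cluster-services-collector; do
    kubectl -n stackrox create secret docker-registry "${pull_secret}" \
        --docker-server=quay.io \
        --docker-username="${REGISTRY_USERNAME}" \
        --docker-password="${REGISTRY_PASSWORD}" \
        --dry-run=client -o yaml | kubectl apply -f -
done

# … unchanged: sensor.sh invocation and access-rhacs secret …
```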
@@ -28,6 +47,9 @@ kubectl -n stackrox create secret generic access-rhacs \ # Create the collector-config ConfigMap in order to enable external IPs kubectl create -f "${SCRIPT_DIR}/collector-config.yaml" +# Patch the collector DaemonSet to configure fact container +kubectl -n stackrox set env daemonset/collector FACT_PATHS="/tmp/data/**/*" FACT_LOGLEVEL="info" -c fact + echo "Deploying Monitoring..." monitoring_values_file="${COMMON_DIR}/../charts/monitoring/values.yaml"
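Review bot: The `kubectl set env daemonset/collector ... -c fact` patch edits a DaemonSet that, with `SENSOR_HELM_DEPLOY: "true"` set in action.yml, is presumably owned by the Helm release, so a later `helm upgrade` could silently drop `FACT_PATHS` and `FACT_LOGLEVEL`; setting them through chart values, if the chart exposes them, avoids that drift. The step also assumes a container named `fact` exists, which may not hold on the pre-4.11 branch shown earlier in the script or when `SFA_AGENT` is off. Nothing waits for the restarted collector pods, so I would follow the patch with `kubectl -n stackrox rollout status daemonset/collector --timeout=5m`. A comment saying what `FACT_PATHS="/tmp/data/**/*"` scopes, and why only that path, would let a reader judge the resulting coverage.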