diff --git a/go.mod b/go.mod
index c74fe99f0..37605d194 100644
--- a/go.mod
+++ b/go.mod
@@ -507,4 +507,4 @@ replace github.com/inspektor-gadget/inspektor-gadget => github.com/matthyx/inspe
 replace github.com/cilium/ebpf => github.com/matthyx/ebpf v0.0.0-20260421101317-8a32d06def6c
-replace github.com/kubescape/storage => github.com/k8sstormcenter/storage v0.0.240-0.20260429052903-0e0366026f05
+replace github.com/kubescape/storage => github.com/k8sstormcenter/storage v0.0.240-0.20260503184242-43795bb4f0b6
diff --git a/go.sum b/go.sum
index bbfd3daaf..0d4fa4b53 100644
--- a/go.sum
+++ b/go.sum
@@ -981,8 +981,8 @@ github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHm
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
-github.com/k8sstormcenter/storage v0.0.240-0.20260429052903-0e0366026f05 h1:RCEcduxCntYAuo8BleZu84Kk//X0gvsGrutQtdcLMn0=
-github.com/k8sstormcenter/storage v0.0.240-0.20260429052903-0e0366026f05/go.mod h1:amdg/Qok9bqPzs1vZH5FW9/3MbCawc5wVsz9u3uIfu4=
+github.com/k8sstormcenter/storage v0.0.240-0.20260503184242-43795bb4f0b6 h1:pzIvtCkXBC6t4v7EIIekbltfBnWfvWKjB6ZsgdhkWr0=
+github.com/k8sstormcenter/storage v0.0.240-0.20260503184242-43795bb4f0b6/go.mod h1:amdg/Qok9bqPzs1vZH5FW9/3MbCawc5wVsz9u3uIfu4=
 github.com/kastenhq/goversion v0.0.0-20230811215019-93b2f8823953 h1:WdAeg/imY2JFPc/9CST4bZ80nNJbiBFCAdSZCSgrS5Y=
 github.com/kastenhq/goversion v0.0.0-20230811215019-93b2f8823953/go.mod h1:6o+UrvuZWc4UTyBhQf0LGjW9Ld7qJxLz/OqvSOWWlEc=
 github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
diff --git a/pkg/rulemanager/cel/libraries/applicationprofile/exec.go b/pkg/rulemanager/cel/libraries/applicationprofile/exec.go
index 25b92f236..e02e1524c 100644
--- a/pkg/rulemanager/cel/libraries/applicationprofile/exec.go
+++ b/pkg/rulemanager/cel/libraries/applicationprofile/exec.go
@@ -1,8 +1,6 @@
 package applicationprofile
 
 import (
- "slices"
-
 "github.com/google/cel-go/common/types"
 "github.com/google/cel-go/common/types/ref"
 
@@ -11,6 +9,7 @@ import (
 "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/cache"
 "github.com/kubescape/node-agent/pkg/rulemanager/cel/libraries/celparse"
 "github.com/kubescape/node-agent/pkg/rulemanager/profilehelper"
+ "github.com/kubescape/storage/pkg/registry/file/dynamicpathdetector"
 )
 
 func (l *apLibrary) wasExecuted(containerID, path ref.Val) ref.Val {
@@ -85,10 +84,8 @@ func (l *apLibrary) wasExecutedWithArgs(containerID, path, args ref.Val) ref.Val
 }
 
 for _, exec := range cp.Spec.Execs {
- if exec.Path == pathStr {
- if slices.Compare(exec.Args, celArgs) == 0 {
- return types.Bool(true)
- }
+ if exec.Path == pathStr && dynamicpathdetector.CompareExecArgs(exec.Args, celArgs) {
+ return types.Bool(true)
 }
 }
 
diff --git a/pkg/rulemanager/cel/libraries/applicationprofile/exec_test.go b/pkg/rulemanager/cel/libraries/applicationprofile/exec_test.go
index 8821e7bdf..289d86931 100644
--- a/pkg/rulemanager/cel/libraries/applicationprofile/exec_test.go
+++ b/pkg/rulemanager/cel/libraries/applicationprofile/exec_test.go
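Review bot: The new condition `exec.Path == pathStr && dynamicpathdetector.CompareExecArgs(exec.Args, celArgs)` turns the profile's exec args from an exact allowlist (the removed `slices.Compare(...) == 0`) into a pattern match, so which operand is the pattern now decides how strong the allowlist is: if CompareExecArgs also honours "⋯" and "*" in its second argument, a runtime exec whose argv carries a literal "*" or "⋯" token (for example an unexpanded glob passed to `find -name`) would satisfy a profile entry that lists only literal args, and the accompanying test hunk only exercises wildcards on the profile side. CompareExecArgs is not visible in this diff, so please confirm it treats only exec.Args as the pattern and add runtime-side negative cases such as `{"literal * in runtime args is not a wildcard", "/bin/ls", []string{"-l", "*"}, false}` against a literal profile entry like `{Path: "/bin/ls", Args: []string{"-l", "/var/log"}}`. A why-comment on the loop would spare the next reader the same question: `// exec.Args is the pattern side (may hold the profile wildcards "⋯" = one arg, "*" = zero or more); celArgs is the literal runtime argv.` wasExecutedWithArgs starts and ends outside this hunk, and the exact comparison of pathStr is unchanged.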
@@ -299,6 +299,136 @@ func TestExecWithArgsNoProfile(t *testing.T) {
 assert.False(t, actualResult, "ap.was_executed_with_args should return false when no profile is available")
 }
 
+// TestExecWithArgsWildcardInProfile exercises wildcard tokens inside a
+// user-defined ApplicationProfile's exec arg vector:
+//
+// "⋯" (DynamicIdentifier) — matches exactly one argument position.
+// "*" (WildcardIdentifier) — matches zero or more consecutive args.
+//
+// The runtime exec arg vector is matched against the profile via
+// dynamicpathdetector.CompareExecArgs.
+func TestExecWithArgsWildcardInProfile(t *testing.T) {
+ objCache := objectcachev1.RuleObjectCacheMock{
+ ContainerIDToSharedData: maps.NewSafeMap[string, *objectcache.WatchedContainerData](),
+ }
+
+ objCache.SetSharedContainerData("test-container-id", &objectcache.WatchedContainerData{
+ ContainerType: objectcache.Container,
+ ContainerInfos: map[objectcache.ContainerType][]objectcache.ContainerInfo{
+ objectcache.Container: {
+ {
+ Name: "test-container",
+ },
+ },
+ },
+ })
+
+ profile := &v1beta1.ApplicationProfile{}
+ profile.Spec.Containers = append(profile.Spec.Containers, v1beta1.ApplicationProfileContainer{
+ Name: "test-container",
+ Execs: []v1beta1.ExecCalls{
+ // curl any URL: --user must be literal, value is one position.
+ {
+ Path: "/usr/bin/curl",
+ Args: []string{"--user", "⋯"},
+ },
+ // sh -c with any trailing payload (zero or more args).
+ {
+ Path: "/bin/sh",
+ Args: []string{"-c", "*"},
+ },
+ // ls -l in any directory — single trailing position.
+ {
+ Path: "/bin/ls",
+ Args: []string{"-l", "⋯"},
+ },
+ // echo with any number of greeting words after a literal anchor.
+ {
+ Path: "/bin/echo",
+ Args: []string{"hello", "*"},
+ },
+ },
+ })
+ objCache.SetApplicationProfile(profile)
+
+ env, err := cel.NewEnv(
+ cel.Variable("containerID", cel.StringType),
+ cel.Variable("path", cel.StringType),
+ cel.Variable("args", cel.ListType(cel.StringType)),
+ AP(&objCache, config.Config{}),
+ )
+ if err != nil {
+ t.Fatalf("failed to create env: %v", err)
+ }
+
+ testCases := []struct {
+ name string
+ path string
+ args []string
+ expectedResult bool
+ }{
+ // curl with --user, dynamic value
+ {"curl --user alice — ⋯ matches one arg", "/usr/bin/curl", []string{"--user", "alice"}, true},
+ {"curl --user alice bob — extra arg, ⋯ rejects", "/usr/bin/curl", []string{"--user", "alice", "bob"}, false},
+ {"curl --user — missing value, ⋯ requires one arg", "/usr/bin/curl", []string{"--user"}, false},
+ {"curl --pass alice — literal mismatch", "/usr/bin/curl", []string{"--pass", "alice"}, false},
+
+ // sh -c with arbitrary trailing payload
+ {"sh -c with single command", "/bin/sh", []string{"-c", "echo hi"}, true},
+ {"sh -c with multi-token command", "/bin/sh", []string{"-c", "while", "true;", "do", "sleep", "1;", "done"}, true},
+ {"sh -c with no trailing args (* matches zero)", "/bin/sh", []string{"-c"}, true},
+ {"sh -x — wrong flag", "/bin/sh", []string{"-x", "echo hi"}, false},
+
+ // ls -l in any directory
+ {"ls -l /var/log", "/bin/ls", []string{"-l", "/var/log"}, true},
+ {"ls -l with no directory (⋯ requires one)", "/bin/ls", []string{"-l"}, false},
+
+ // echo hello *
+ {"echo hello world from test", "/bin/echo", []string{"hello", "world", "from", "test"}, true},
+ {"echo hello (no trailing args)", "/bin/echo", []string{"hello"}, true},
+ {"echo goodbye world — wrong literal anchor", "/bin/echo", []string{"goodbye", "world"}, false},
+ }
+
+ for _, tc := range testCases {
+ t.Run(tc.name, func(t *testing.T) {
+ ast, issues := env.Compile(`ap.was_executed_with_args(containerID, path, args)`)
+ if issues != nil {
+ t.Fatalf("failed to 
compile expression: %v", issues.Err())
+ }
+
+ program, err := env.Program(ast)
+ if err != nil {
+ t.Fatalf("failed to create program: %v", err)
+ }
+
+ result, _, err := program.Eval(map[string]interface{}{
+ "containerID": "test-container-id",
+ "path": tc.path,
+ "args": tc.args,
+ })
+ if err != nil {
+ t.Fatalf("failed to eval program: %v", err)
+ }
+
+ actualResult := result.Value().(bool)
+ assert.Equal(t, tc.expectedResult, actualResult,
+ "profile %v vs runtime args %v: got %v, want %v",
+ profileArgsForPath(profile, tc.path), tc.args, actualResult, tc.expectedResult)
+ })
+ }
+}
+
+func profileArgsForPath(p *v1beta1.ApplicationProfile, path string) []string {
+ for _, c := range p.Spec.Containers {
+ for _, e := range c.Execs {
+ if e.Path == path {
+ return e.Args
+ }
+ }
+ }
+ return nil
+}
+
 func TestExecWithArgsCompilation(t *testing.T) {
 objCache := objectcachev1.RuleObjectCacheMock{}