diff --git a/pkg/pss/evaluate.go b/pkg/pss/evaluate.go
index 95efec0247..5c06c1b60a 100644
--- a/pkg/pss/evaluate.go
+++ b/pkg/pss/evaluate.go
@@ -23,47 +23,26 @@ var (
 // Evaluate Pod's specified containers only and get PSSCheckResults
 func evaluatePSS(level *api.LevelVersion, pod corev1.Pod) (results []pssutils.PSSCheckResult) {
 checks := policy.DefaultChecks()
- var latestVersionCheck policy.VersionedCheck
 for _, check := range checks {
 if level.Level == api.LevelBaseline && check.Level != level.Level {
 continue
 }
- latestVersionCheck = check.Versions[0]
+ selectedCheck := check.Versions[0]
 for i := 1; i < len(check.Versions); i++ {
- vc := check.Versions[i]
- if !vc.MinimumVersion.Older(latestVersionCheck.MinimumVersion) {
- latestVersionCheck = vc
+ nextCheck := check.Versions[i]
+ if !level.Version.Older(nextCheck.MinimumVersion) && selectedCheck.MinimumVersion.Older(nextCheck.MinimumVersion) {
+ selectedCheck = nextCheck
 }
 }
- if level.Version == api.LatestVersion() {
- checkResult := latestVersionCheck.CheckPod(&pod.ObjectMeta, &pod.Spec, policy.WithFieldErrors())
- if !checkResult.Allowed {
- results = append(results, pssutils.PSSCheckResult{
- ID: string(check.ID),
- CheckResult: checkResult,
- RestrictedFields: GetRestrictedFields(check),
- })
- }
- }
-
- for _, versionCheck := range check.Versions {
- // the latest check returned twice, skip duplicate application
- if level.Version == api.LatestVersion() {
- continue
- } else if level.Version != api.LatestVersion() && level.Version.Older(versionCheck.MinimumVersion) {
- continue
- }
- checkResult := versionCheck.CheckPod(&pod.ObjectMeta, &pod.Spec, policy.WithFieldErrors())
- // Append only if the checkResult is not already in pssCheckResult
- if !checkResult.Allowed {
- results = append(results, pssutils.PSSCheckResult{
- ID: string(check.ID),
- CheckResult: checkResult,
- RestrictedFields: GetRestrictedFields(check),
- })
- }
+ checkResult := selectedCheck.CheckPod(&pod.ObjectMeta, &pod.Spec, policy.WithFieldErrors())
+ if !checkResult.Allowed {
+ results = append(results, pssutils.PSSCheckResult{
+ ID: string(check.ID),
+ CheckResult: checkResult,
+ RestrictedFields: GetRestrictedFields(check),
+ })
 }
 }
 return results
diff --git a/pkg/pss/evaluate_test.go b/pkg/pss/evaluate_test.go
index f2d2660810..bc02d28400 100644
--- a/pkg/pss/evaluate_test.go
+++ b/pkg/pss/evaluate_test.go
@@ -55,7 +55,7 @@ func Test_EvaluatePod(t *testing.T) {
 fmt.Printf("failed check result: %v\n", result)
 }
 }
- assert.Assert(t, allowed == test.allowed, fmt.Sprintf("test \"%s\" fails", test.name))
+ assert.Check(t, allowed == test.allowed, fmt.Sprintf("test \"%s\" fails", test.name))
 }
 }
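Review bot: `selectedCheck := check.Versions[0]` is now enforced regardless of whether `level.Version` meets its `MinimumVersion`; the removed loop skipped any revision where `level.Version.Older(versionCheck.MinimumVersion)` held, so a check whose first revision starts later than the policy version would now be applied to policies that predate it. If every check's first revision is pinned to the earliest policy version this is harmless, but nothing in the code states that assumption, and a guard after the selection loop keeps the old rule explicit: `if level.Version.Older(selectedCheck.MinimumVersion) { continue }`. The second clause of the inner condition, `selectedCheck.MinimumVersion.Older(nextCheck.MinimumVersion)`, is only needed if `Versions` is not sorted by ascending MinimumVersion, so a one-line comment above the loop would help the next reader: `// pick the newest revision of this check whose MinimumVersion is not newer than level.Version`. evaluatePSS's closing brace is outside the hunk.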
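Review bot: The new `assert.Check` call still pre-formats its message through `fmt.Sprintf`; if this is gotest.tools' assert (its `Check` signature matches), the trailing `msgAndArgs` variadic already formats a format string with its arguments, so `assert.Check(t, allowed == test.allowed, "test %q fails", test.name)` is shorter and lets `%q` do the quoting instead of the hand-escaped `\"%s\"`. Test_EvaluatePod's body starts and ends outside the hunk.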
@@ -5480,6 +5480,161 @@ var baseline_sysctls = []testCase{
 }`),
 allowed: true,
 },
+ {
+ name: "baseline_sysctls_new_v1.27_policy_v1.0_allowed_negative",
+ rawRule: []byte(`
+ {
+ "level": "baseline",
+ "version": "v1.0"
+ }`),
+ rawPod: []byte(`
+ {
+ "kind": "Pod",
+ "metadata": {
+ "name": "test"
+ },
+ "spec": {
+ "securityContext": {
+ "sysctls": [
+ {
+ "name": "net.ipv4.ip_local_reserved_ports"
+ }
+ ]
+ },
+ "containers": [
+ {
+ "name": "nginx",
+ "image": "nginx"
+ }
+ ]
+ }
+ }`),
+ allowed: false,
+ },
+ {
+ name: "baseline_sysctls_new_v1.27_policy_v1.27_allowed_positive",
+ rawRule: []byte(`
+ {
+ "level": "baseline",
+ "version": "v1.27"
+ }`),
+ rawPod: []byte(`
+ {
+ "kind": "Pod",
+ "metadata": {
+ "name": "test"
+ },
+ "spec": {
+ "securityContext": {
+ "sysctls": [
+ {
+ "name": "net.ipv4.ip_local_reserved_ports"
+ }
+ ]
+ },
+ "containers": [
+ {
+ "name": "nginx",
+ "image": "nginx"
+ }
+ ]
+ }
+ }`),
+ allowed: true,
+ },
+ {
+ name: "baseline_sysctls_new_v1.29_policy_v1.27_allowed_negative",
+ rawRule: []byte(`
+ {
+ "level": "baseline",
+ "version": "v1.27"
+ }`),
+ rawPod: []byte(`
+ {
+ "kind": "Pod",
+ "metadata": {
+ "name": "test"
+ },
+ "spec": {
+ "securityContext": {
+ "sysctls": [
+ {
+ "name": "net.ipv4.tcp_keepalive_time"
+ }
+ ]
+ },
+ "containers": [
+ {
+ "name": "nginx",
+ "image": "nginx"
+ }
+ ]
+ }
+ }`),
+ allowed: false,
+ },
+ {
+ name: "baseline_sysctls_new_v1.29_policy_v1.29_allowed_positive",
+ rawRule: []byte(`
+ {
+ "level": "baseline",
+ "version": "v1.29"
+ }`),
+ rawPod: []byte(`
+ {
+ "kind": "Pod",
+ "metadata": {
+ "name": "test"
+ },
+ "spec": {
+ "securityContext": {
+ "sysctls": [
+ {
+ "name": "net.ipv4.tcp_keepalive_time"
+ }
+ ]
+ },
+ "containers": [
+ {
+ "name": "nginx",
+ "image": "nginx"
+ }
+ ]
+ }
+ }`),
+ allowed: true,
+ },
+ {
+ name: "baseline_sysctls_new_v1.29_policy_latest_allowed_positive",
+ rawRule: []byte(`
+ {
+ "level": "baseline",
+ "version": "latest"
+ }`),
+ rawPod: []byte(`
+ {
+ "kind": "Pod",
+ "metadata": {
+ "name": "test"
+ },
+ "spec": {
+ "securityContext": {
+ "sysctls": [
+ {
+ "name": "net.ipv4.tcp_keepalive_time"
+ }
+ ]
+ },
+ "containers": [
+ {
+ "name": "nginx",
+ "image": "nginx"
+ }
+ ]
+ }
+ }`),
+ allowed: true,
+ },
 {
 name: "baseline_sysctls_multiple_sysctls_pass_v1.24",
 rawRule: []byte(`
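Review bot: The new cases only use policy versions that coincide with a check revision's minimum (v1.27, v1.29), sit exactly one revision earlier (v1.0, v1.27), or are `latest`, so none of them exercises the case the rewritten selection loop in evaluatePSS actually decides: a policy version that lies between two revisions. A `v1.28` policy with `net.ipv4.ip_local_reserved_ports` (presumably allowed, since the v1.27 revision should still apply) and a `v1.28` policy with `net.ipv4.tcp_keepalive_time` (presumably denied, since the v1.29 revision must not be picked yet) would pin that behaviour; following the existing naming pattern they could be called `baseline_sysctls_new_v1.27_policy_v1.28_allowed_positive` and `baseline_sysctls_new_v1.29_policy_v1.28_allowed_negative`. The `baseline_sysctls` table starts and ends outside the hunk.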