diff --git a/bpf/bpf_host.c b/bpf/bpf_host.c
index d19a4496180d6..2f1cb96b136cf 100644
--- a/bpf/bpf_host.c
+++ b/bpf/bpf_host.c
@@ -1061,8 +1061,12 @@ static __always_inline int handle_l2_announcement(struct __ctx_buff *ctx)
 static __always_inline int
 do_netdev(struct __ctx_buff *ctx, __u16 proto, const bool from_host)
 {
-	enum trace_point trace = from_host ? TRACE_FROM_HOST :
+	enum trace_point obs_point = from_host ? TRACE_FROM_HOST :
 					     TRACE_FROM_NETWORK;
+	struct trace_ctx trace = {
+		.reason = TRACE_REASON_UNKNOWN,
+		.monitor = TRACE_PAYLOAD_LEN,
+	};
 	__u32 __maybe_unused identity = 0;
 	__u32 __maybe_unused ipcache_srcid = 0;
 	void __maybe_unused *data, *data_end;
@@ -1102,9 +1106,19 @@ do_netdev(struct __ctx_buff *ctx, __u16 proto, const bool from_host)
 	if (from_host) {
 		__u32 magic;
 
+#ifdef ENABLE_WIREGUARD
+		/* Checking for MARK_MAGIC_WG_DECRYPTED before calling inherit_identity_from_host,
+		 * which resets the ctx->mark.
+		 */
+		if ((ctx->mark & MARK_MAGIC_WG_DECRYPTED) == MARK_MAGIC_WG_DECRYPTED) {
+			trace.reason = TRACE_REASON_ENCRYPTED;
+			obs_point = TRACE_FROM_CRYPTO_DEV;
+		}
+#endif
+
 		magic = inherit_identity_from_host(ctx, &identity);
 		if (magic == MARK_MAGIC_PROXY_INGRESS ||  magic == MARK_MAGIC_PROXY_EGRESS)
-			trace = TRACE_FROM_PROXY;
+			obs_point = TRACE_FROM_PROXY;
 
 #if defined(ENABLE_L7_LB)
 		if (magic == MARK_MAGIC_PROXY_EGRESS_EPID) {
@@ -1132,8 +1146,8 @@ do_netdev(struct __ctx_buff *ctx, __u16 proto, const bool from_host)
 #endif /* ENABLE_IPSEC */
 	}
 
-	send_trace_notify(ctx, trace, identity, UNKNOWN_ID, TRACE_EP_ID_UNKNOWN,
-			  ctx->ingress_ifindex, TRACE_REASON_UNKNOWN, TRACE_PAYLOAD_LEN);
+	send_trace_notify(ctx, obs_point, identity, UNKNOWN_ID, TRACE_EP_ID_UNKNOWN,
+			  ctx->ingress_ifindex, trace.reason, trace.monitor);
 
 	bpf_clear_meta(ctx);
 
@@ -1491,10 +1505,14 @@ int cil_to_netdev(struct __ctx_buff *ctx __maybe_unused)
 	 */
 	if ((ctx->mark & MARK_MAGIC_WG_ENCRYPTED) != MARK_MAGIC_WG_ENCRYPTED) {
 		ret = wg_maybe_redirect_to_encrypt(ctx, proto);
-		if (ret == CTX_ACT_REDIRECT)
+		if (ret == CTX_ACT_REDIRECT) {
+			send_trace_notify(ctx, TRACE_TO_CRYPTO_DEV, src_sec_identity,
+					  dst_sec_identity, TRACE_EP_ID_UNKNOWN, WG_IFINDEX,
+					  TRACE_REASON_ENCRYPTED, 0);
 			return ret;
-		else if (IS_ERR(ret))
+		} else if (IS_ERR(ret)) {
 			goto drop_err;
+		}
 	}
 
 #if defined(ENCRYPTION_STRICT_MODE)
diff --git a/bpf/bpf_overlay.c b/bpf/bpf_overlay.c
index d73c8fc66a172..660dbe265c4c3 100644
--- a/bpf/bpf_overlay.c
+++ b/bpf/bpf_overlay.c
@@ -659,6 +659,12 @@ int cil_from_overlay(struct __ctx_buff *ctx)
 		break;
 	}
 
+#ifdef ENABLE_WIREGUARD
+	if ((ctx->mark & MARK_MAGIC_WG_DECRYPTED) == MARK_MAGIC_WG_DECRYPTED)
+		send_trace_notify(ctx, TRACE_FROM_CRYPTO_DEV, src_sec_identity, UNKNOWN_ID,
+				  TRACE_EP_ID_UNKNOWN, WG_IFINDEX, TRACE_REASON_ENCRYPTED, 0);
+#endif
+
 #ifdef ENABLE_IPSEC
 	if (is_esp(ctx, proto))
 		send_trace_notify(ctx, TRACE_FROM_OVERLAY, src_sec_identity, UNKNOWN_ID,