diff --git a/controller/build.go b/controller/build.go
index 67a4a7cc..7680fe10 100644
--- a/controller/build.go
+++ b/controller/build.go
@@ -264,9 +264,10 @@ func PostBuild(c *gin.Context) {
 Config: string(raw),
 Secret: string(sec),
 System: &model.System{
- Link: httputil.GetURL(c.Request),
- Plugins: strings.Split(os.Getenv("PLUGIN_FILTER"), " "),
- Globals: strings.Split(os.Getenv("PLUGIN_PARAMS"), " "),
+ Link: httputil.GetURL(c.Request),
+ Plugins: strings.Split(os.Getenv("PLUGIN_FILTER"), " "),
+ Globals: strings.Split(os.Getenv("PLUGIN_PARAMS"), " "),
+ Escalates: strings.Split(os.Getenv("ESCALATE_FILTER"), " "),
 },
 })
diff --git a/controller/hook.go b/controller/hook.go
index f435c326..58bc83fd 100644
--- a/controller/hook.go
+++ b/controller/hook.go
@@ -2,11 +2,12 @@ package controller
 import (
 "fmt"
- "github.com/gin-gonic/gin"
 "os"
 "path/filepath"
- "strings"
 "regexp"
+ "strings"
+
+ "github.com/gin-gonic/gin"
 log "github.com/Sirupsen/logrus"
 "github.com/drone/drone/engine"
@@ -214,9 +215,10 @@ func PostHook(c *gin.Context) {
 Config: string(raw),
 Secret: string(sec),
 System: &model.System{
- Link: httputil.GetURL(c.Request),
- Plugins: strings.Split(os.Getenv("PLUGIN_FILTER"), " "),
- Globals: strings.Split(os.Getenv("PLUGIN_PARAMS"), " "),
+ Link: httputil.GetURL(c.Request),
+ Plugins: strings.Split(os.Getenv("PLUGIN_FILTER"), " "),
+ Globals: strings.Split(os.Getenv("PLUGIN_PARAMS"), " "),
+ Escalates: strings.Split(os.Getenv("ESCALATE_FILTER"), " "),
 },
 })
diff --git a/docs/setup/plugins.md b/docs/setup/plugins.md
index 0a8d9e49..971f97bc 100644
--- a/docs/setup/plugins.md
+++ b/docs/setup/plugins.md
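Review bot: `strings.Split(os.Getenv("ESCALATE_FILTER"), " ")` in the `System` literal of PostBuild returns a one-element slice holding an empty string when the variable is unset, and extra empty entries when the value has doubled or trailing spaces. This list decides which plugin images may run privileged, and the docs added in this commit promise a default pattern when it is not customized, so the consumer presumably needs an empty list to mean "not set"; that code is not visible here, so confirm how it treats `""`. `Escalates: strings.Fields(os.Getenv("ESCALATE_FILTER")),` yields an empty slice in both cases. The same line is added in the PostHook hunk of controller/hook.go, and both function bodies extend beyond their hunks.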
@@ -19,3 +19,13 @@ Whitelist official Drone plugins and registry user `octocat`
 ```
 PLUGIN_FILTER=plugins/* octocat/*
 ```
+
+Additionally, some plugins may require to be execute as a "privileged" container.
+This mode is most common for plugins that are attempting to run docker in docker type behaviors (for example the plugins/docker requires this mode).
+Drone will ship will a default pattern that will allow selected official Drone plugins to run in an privileged mode.
+This whitelist can be customized by setting the `ESCALATE_FILTER` environment variable.
+This is a space-separated list and includes glob matching capabilities.
+
+```
+ESCALATE_FILTER=plugins/drone-docker plugins/drone-ecr plugins/drone-gcr
+```
diff --git a/model/sys.go b/model/sys.go
index ce515f1c..d66cc6ed 100644
--- a/model/sys.go
+++ b/model/sys.go
@@ -1,8 +1,9 @@
 package model
 type System struct {
- Version string `json:"version"`
- Link string `json:"link_url"`
- Plugins []string `json:"plugins"`
- Globals []string `json:"globals"`
+ Version string `json:"version"`
+ Link string `json:"link_url"`
+ Plugins []string `json:"plugins"`
+ Globals []string `json:"globals"`
+ Escalates []string `json:"privileged_plugins"`
 }
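Review bot: The new `Escalates` field in `System` has no comment, and its Go name, its JSON key (`privileged_plugins`) and its environment variable (`ESCALATE_FILTER`) all differ, which makes a privilege-granting setting hard to trace through the code. A one-line comment would tie them together: `// Escalates holds the image globs from ESCALATE_FILTER that may run as privileged containers.` If an empty list is meant to fall back to a built-in default, as docs/setup/plugins.md in this commit suggests, the comment should say so too.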