diff --git a/tools/run_real_vm_demo.py b/tools/run_real_vm_demo.py
index 0a6904f..8c10dab 100644
--- a/tools/run_real_vm_demo.py
+++ b/tools/run_real_vm_demo.py
@@ -217,6 +217,17 @@ def main() -> int:
             qmp_socket=qmp_sock if qmp_sock.exists() else None,
             guest_agent_socket=agent_sock if agent_sock.exists() else None,
             bridge_iface=os.environ.get("BRIDGE") or None,
+            # Source 3 (oracle): perf-stat sampling of the qemu PID.
+            # Now that the stdout/stderr + event-name parser bugs are
+            # fixed, perf produces real rows. Per PIPELINE.md §4.4
+            # collectors that emit zero rows shouldn't be in the active
+            # set silently — keeping it default-off was effectively
+            # silencing the source. On x86_64 lab hosts with
+            # perf_event_paranoid <= 2 (cis490 user owns qemu PID), the
+            # collector reads cycles/instructions/page-faults; on hosts
+            # without perf the collector logs a warning and returns 0
+            # rows (visible, not silent).
+            enable_perf=True,
             sample=sample,
         )
 
diff --git a/tools/run_tier3_demo.py b/tools/run_tier3_demo.py
index 1747705..cc2f51a 100644
--- a/tools/run_tier3_demo.py
+++ b/tools/run_tier3_demo.py
@@ -308,6 +308,10 @@ def main() -> int:
             qmp_socket=qmp_sock if qmp_sock.exists() else None,
             guest_agent_socket=agent_sock if agent_sock.exists() else None,
             bridge_iface=os.environ.get("BRIDGE") or None,
+            # Source 3 (oracle): see equivalent in run_real_vm_demo.py.
+            # Now that the perf collector parser is fixed, turn it on
+            # in production rather than leave it silently disabled.
+            enable_perf=True,
             sample=sample,
             exploit_meta={
                 "framework": "metasploit",