diff --git a/envoy/extensions/filters/listener/tls_inspector/v3/tls_inspector.proto b/envoy/extensions/filters/listener/tls_inspector/v3/tls_inspector.proto
index 8e5350cc..db2d07c8 100644
--- a/envoy/extensions/filters/listener/tls_inspector/v3/tls_inspector.proto
+++ b/envoy/extensions/filters/listener/tls_inspector/v3/tls_inspector.proto
@@ -6,6 +6,7 @@ import "google/protobuf/wrappers.proto";
 
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
 
 option java_package = "io.envoyproxy.envoy.extensions.filters.listener.tls_inspector.v3";
 option java_outer_classname = "TlsInspectorProto";
@@ -23,4 +24,12 @@ message TlsInspector {
 
   // Populate ``JA3`` fingerprint hash using data from the TLS Client Hello packet. Default is false.
   google.protobuf.BoolValue enable_ja3_fingerprinting = 1;
+
+  // The size in bytes of the initial buffer requested by the tls_inspector.
+  // If the filter needs to read additional bytes from the socket, the
+  // filter will double the buffer up to it's default maximum of 64KiB.
+  // If this size is not defined, defaults to maximum 64KiB that the
+  // tls inspector will consume.
+  google.protobuf.UInt32Value initial_read_buffer_size = 2
+      [(validate.rules).uint32 = {lt: 65537 gt: 255}];
 }