diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index 1987292..7f8eb03 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -2498,13 +2498,15 @@ monitor_network_attacks() {
 local unique_ips=0
 
 # Multi-tier distributed DDoS detection with adaptive learning
- if [ "$total_syn" -gt 500 ]; then
+ # CRITICAL FIX: Use >= not > to include boundary values
+ # Bug: total_syn=500 was severity 0 instead of 4 (off-by-one)
+ if [ "$total_syn" -ge 500 ]; then
 attack_severity=4 # Critical DDoS (new tier)
- elif [ "$total_syn" -gt 300 ]; then
+ elif [ "$total_syn" -ge 300 ]; then
 attack_severity=3 # Severe DDoS
- elif [ "$total_syn" -gt 150 ]; then
+ elif [ "$total_syn" -ge 150 ]; then
 attack_severity=2 # Major DDoS
- elif [ "$total_syn" -gt 75 ]; then
+ elif [ "$total_syn" -ge 75 ]; then
 attack_severity=1 # Moderate DDoS
 fi
 ATTACK_SEVERITY=$attack_severity # Store for next iteration
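Review bot: The tier chain starting at `if [ "$total_syn" -ge 500 ]` still assumes `total_syn` is a decimal integer. If it is ever empty or non-numeric, each `[` test fails with status 2, every branch is skipped and `attack_severity` keeps its earlier value, so a failed count reads as "no attack". `monitor_network_attacks` starts and ends outside this hunk and the assignment of `total_syn` is not visible, so confirm it is normalised there, or add a guard before the chain such as `case "$total_syn" in ''|*[!0-9]*) total_syn=0 ;; esac` plus a logged warning. Separately, the added comment looks inaccurate: under the old `-gt` tests a value of 500 fell through to the `-gt 300` branch and got severity 3, not 0, and only 75 missed every tier. I would replace the two comment lines with `# Thresholds are inclusive: 75/150/300/500 SYNs map to severity 1/2/3/4` and keep the fix history in the commit message.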