diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh
index fcee20f..69521ad 100755
--- a/modules/security/live-attack-monitor.sh
+++ b/modules/security/live-attack-monitor.sh
@@ -690,6 +690,27 @@ calculate_context_bonus() {
 echo "${bonus}|${reasons}"
 }
+# Check if IP is currently blocked in CSF/iptables
+is_ip_blocked() {
+ local ip="$1"
+
+ # Check CSF deny list
+ if command -v csf &>/dev/null; then
+ if csf -g "$ip" 2>/dev/null | grep -q "DENY"; then
+ return 0
+ fi
+ fi
+
+ # Check iptables directly
+ if command -v iptables &>/dev/null; then
+ if iptables -L -n 2>/dev/null | grep -q "$ip"; then
+ return 0
+ fi
+ fi
+
+ return 1
+}
+
 # Get threat level from score
 get_threat_level() {
 local score="$1"
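Review bot: The iptables branch of `is_ip_blocked` passes `$ip` to `grep -q` as an unanchored regular expression over the whole ruleset listing, so `1.2.3.4` also matches `11.2.3.40` (and any character in place of the dots), and it matches ACCEPT rules as well as DROP/REJECT ones. An allowlisted or merely similar address is therefore reported as blocked. If callers use this result to skip a block action (they are outside the hunk), that is a false sense of containment. Restrict the match to deny targets and compare the address literally as a whole token, e.g. `if iptables -L -n 2>/dev/null | grep -E 'DROP|REJECT' | grep -qwF -- "$ip"; then`; the `--` also stops a log-derived value beginning with `-` from being parsed as a grep option. The CSF branch has a similar looseness: `grep -q "DENY"` accepts any output line containing that string, so it is worth confirming against real `csf -g` output that a non-blocked address never produces one.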