diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index 699ed37..72c04c1 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -2619,6 +2619,17 @@ monitor_network_attacks() {
 # Minimum threshold of 3 to prevent false positives on busy web servers
 [ "$threshold" -lt 3 ] && threshold=3
+ # CRITICAL FIX: Adaptive threshold based on detection history
+ # An IP detected multiple times with SYN activity is more likely an attacker
+ # Lower threshold for repeat offenders to catch persistent attacks
+ if [ "${hits:-0}" -ge 3 ]; then
+ threshold=$((threshold - 2)) # Seen 3+ times: lower threshold significantly
+ [ "$threshold" -lt 1 ] && threshold=1
+ elif [ "${hits:-0}" -ge 2 ]; then
+ threshold=$((threshold - 1)) # Seen 2 times: lower threshold slightly
+ [ "$threshold" -lt 2 ] && threshold=2
+ fi
+
 if [ "$count" -gt "$threshold" ]; then
 # Only process once per detection window
 if [ -z "${ALERT_SENT[$ip]}" ]; then
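Review bot: The `hits -ge 3` branch floors the threshold at 1, which silently undoes the "minimum threshold of 3 to prevent false positives on busy web servers" rule enforced two lines earlier, so a single extra SYN from a repeat-seen address becomes an alert. Since `hits` presumably grows each time the address trips this check, a lowered threshold produces more hits, which keeps the threshold low — a legitimate high-volume client (NAT gateway, load balancer, uptime monitor) that has been seen three times could be pinned at threshold 1 with no decay visible in this hunk; I would keep the floor at the base minimum, e.g. `[ "$threshold" -lt 2 ] && threshold=2`, or express the reduction as a fraction of the busy-server floor rather than an absolute subtraction. The `elif` floor of 2 is unreachable as written because `threshold` is already at least 3 before the subtraction, so either it or the comment above it is misleading. `hits` is neither assigned nor reset within the hunk; if it is left over from a previous loop iteration it would lower the threshold for the wrong `$ip`, so a comment naming where it is set and cleared per address (`# hits: per-IP detection count from <lookup>, reset each window`) would make the adaptive logic reviewable. monitor_network_attacks begins and ends outside this hunk.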