diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh
index 0f80019..e733bf1 100755
--- a/modules/security/live-attack-monitor.sh
+++ b/modules/security/live-attack-monitor.sh
@@ -2256,29 +2256,31 @@ auto_mitigation_engine done ) & -# Blocked IPs cache updater (runs every 10 seconds for performance) -( - while true; do - { - # Get CSF temporary blocks - extract just the IP address - if command -v csf &>/dev/null; then - csf -t 2>/dev/null | awk '{print $1}' | grep -E '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$' - fi +# Blocked IPs cache updater (only needed in CSF mode - IPset mode appends to cache on each block) +if [ "$IPSET_AVAILABLE" -eq 0 ]; then + ( + while true; do + { + # Get CSF temporary blocks - extract just the IP address + if command -v csf &>/dev/null; then + csf -t 2>/dev/null | awk '{print $1}' | grep -E '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$' + fi - # Get CSF permanent denies - if [ -f /etc/csf/csf.deny ]; then - awk '{print $1}' /etc/csf/csf.deny 2>/dev/null | grep -E '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$' - fi + # Get CSF permanent denies + if [ -f /etc/csf/csf.deny ]; then + awk '{print $1}' /etc/csf/csf.deny 2>/dev/null | grep -E '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$' + fi - # Get iptables DROP rules - if command -v iptables &>/dev/null; then - iptables -L INPUT -n -v 2>/dev/null | grep DROP | awk '{print $8}' | grep -E '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$' - fi - } | sort -u > "$TEMP_DIR/blocked_ips_cache.tmp" 2>/dev/null - mv "$TEMP_DIR/blocked_ips_cache.tmp" "$TEMP_DIR/blocked_ips_cache" 2>/dev/null - sleep 10 - done -) & + # Get iptables DROP rules + if command -v iptables &>/dev/null; then + iptables -L INPUT -n -v 2>/dev/null | grep DROP | awk '{print $8}' | grep -E '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$' + fi + } | sort -u > "$TEMP_DIR/blocked_ips_cache.tmp" 2>/dev/null + mv "$TEMP_DIR/blocked_ips_cache.tmp" "$TEMP_DIR/blocked_ips_cache" 2>/dev/null + sleep 10 + done + ) & +fi # Periodic snapshot saving in background ( 
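Review bot: The new guard `if [ "$IPSET_AVAILABLE" -eq 0 ]; then` silently disables the cache updater when IPSET_AVAILABLE is unset, empty or non-numeric: `[` reports an error, the test counts as false, and CSF mode then runs with a blocked-IP cache that is never refreshed. Where the variable is assigned is not visible in this hunk, so either default it, `if [ "${IPSET_AVAILABLE:-0}" -eq 0 ]; then`, or confirm it always holds an integer by this point. Separately, the new comment says IPset mode only appends to the cache on each block, so expired or manually removed blocks, and denies added outside this script (csf.deny, hand-written iptables rules), would presumably no longer show up. A comment stating that limitation, or a slower periodic reconcile against the live ipset, would keep the displayed block state trustworthy.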
@@ -2304,16 +2306,20 @@ while true; do esac # Validate it's an IP file (should match pattern ip_N_N_N_N) - if ! echo "$basename_file" | grep -qE '^ip_[0-9]{1,3}_[0-9]{1,3}_[0-9]{1,3}_[0-9]{1,3}$'; then + # Using bash pattern matching instead of grep for performance + if [[ ! "$basename_file" =~ ^ip_[0-9]{1,3}_[0-9]{1,3}_[0-9]{1,3}_[0-9]{1,3}$ ]]; then continue fi # Extract IP from filename (ip_1_2_3_4 -> 1.2.3.4) - ip=$(echo "$basename_file" | sed 's/^ip_//' | tr '_' '.') + # Using bash string manipulation for performance + ip="${basename_file#ip_}" # Remove 'ip_' prefix + ip="${ip//_/.}" # Replace all underscores with dots data=$(cat "$ip_file" 2>/dev/null) # Validate data format (should be score|hits|bot_type|attacks|ban_count|rep_score) - if [ -n "$data" ] && echo "$data" | grep -q '|'; then + # Using bash pattern matching instead of grep for performance + if [ -n "$data" ] && [[ "$data" == *"|"* ]]; then # Update IP_DATA array with data from file IP_DATA[$ip]="$data" fi
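Review bot: The rewritten checks keep the old looseness: the filename pattern still accepts octets above 255 (for example `ip_999_999_999_999`), and `[[ "$data" == *"|"* ]]` accepts anything containing a single pipe even though the comment promises six fields. Because these files are loaded straight into IP_DATA, which presumably feeds scoring and blocking decisions, I would check the field count here, e.g. `re='^[^|]*(\|[^|]*){5}$'` followed by `[[ "$data" =~ $re ]]`, assuming the six-field layout in the comment is exact. If the goal is to remove per-file forks, the context line `data=$(cat "$ip_file" 2>/dev/null)` is the remaining one; `data=$(<"$ip_file")` avoids it, with the stderr redirect moved onto a surrounding group. The enclosing `while true` loop starts and ends outside this hunk.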