diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index 72c04c1..eea49f5 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -2619,14 +2619,22 @@ monitor_network_attacks() {
                         # Minimum threshold of 3 to prevent false positives on busy web servers
                         [ "$threshold" -lt 3 ] && threshold=3
 
-                        # CRITICAL FIX: Adaptive threshold based on detection history
-                        # An IP detected multiple times with SYN activity is more likely an attacker
-                        # Lower threshold for repeat offenders to catch persistent attacks
-                        if [ "${hits:-0}" -ge 3 ]; then
-                            threshold=$((threshold - 2))  # Seen 3+ times: lower threshold significantly
+                        # CRITICAL FIX: Adaptive threshold based on LIFETIME detection history
+                        # Use persistent historical tracking (total_lifetime_hits) to catch repeat attackers
+                        # An IP that attacks 5-10 times over days should be detected at lower threshold
+                        # This catches distributed/low-level probes that space out attempts
+                        local effective_hits="${total_lifetime_hits:-0}"
+                        if [ "$effective_hits" -ge 10 ]; then
+                            threshold=1  # Seen 10+ times across ALL TIME: auto-block even 1 connection
                             [ "$threshold" -lt 1 ] && threshold=1
-                        elif [ "${hits:-0}" -ge 2 ]; then
-                            threshold=$((threshold - 1))  # Seen 2 times: lower threshold slightly
+                        elif [ "$effective_hits" -ge 5 ]; then
+                            threshold=$((threshold - 2))  # 5-9 times: lower threshold by 2 (from 3 to 1)
+                            [ "$threshold" -lt 1 ] && threshold=1
+                        elif [ "$effective_hits" -ge 3 ]; then
+                            threshold=$((threshold - 1))  # 3-4 times: lower threshold by 1
+                            [ "$threshold" -lt 2 ] && threshold=2
+                        elif [ "$effective_hits" -ge 2 ]; then
+                            threshold=$((threshold - 1))  # 2 times: lower threshold slightly
                             [ "$threshold" -lt 2 ] && threshold=2
                         fi
 
@@ -2643,9 +2651,20 @@ monitor_network_attacks() {
                                 fi
                                 IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "$current_data"
 
-                                # Increment hits
+                                # Increment hits (this session)
                                 hits=$((hits + 1))
 
+                                # CRITICAL FIX: Persistent historical tracking across monitor restarts
+                                # Track total lifetime detections of each IP (not just current session)
+                                # This allows catching repeat attackers even if they space out attacks over time
+                                local history_file="$TEMP_DIR/ip_history_${ip//\./_}"
+                                local total_lifetime_hits=0
+                                if [ -f "$history_file" ]; then
+                                    total_lifetime_hits=$(cat "$history_file" 2>/dev/null || echo 0)
+                                fi
+                                total_lifetime_hits=$((total_lifetime_hits + 1))
+                                echo "$total_lifetime_hits" > "$history_file" 2>/dev/null
+
                                 # Smart whitelisting: Skip IPs with MANY successful established connections
                                 # Only whitelist if IP has 20+ established connections (highly unlikely for attacker)
                                 # CRITICAL FIX: Use -w flag to match whole word (prevent partial IP matches)