diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index cb12c3b..676acb0 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -3532,11 +3532,35 @@ while true; do
     draw_quick_actions
 
     # Write IP_DATA to ip_data file for auto-mitigation engine
+    # NOTE: Subprocesses use write_ip_data_to_file() for real-time updates
+    # This merges parent process data without overwriting subprocess updates
     {
+        flock -w 2 200 || exit 1
+
+        # Read existing file (contains subprocess updates)
+        declare -A existing_ips
+        if [ -f "$TEMP_DIR/ip_data" ]; then
+            while IFS='=' read -r ip data; do
+                [ -n "$ip" ] && existing_ips[$ip]="$data"
+            done < "$TEMP_DIR/ip_data"
+        fi
+
+        # Merge parent's IP_DATA with existing (subprocess updates take priority)
         for ip in "${!IP_DATA[@]}"; do
-            echo "$ip=${IP_DATA[$ip]}"
+            # Only write if not already in file (subprocess updates are fresher)
+            if [ -z "${existing_ips[$ip]}" ]; then
+                echo "$ip=${IP_DATA[$ip]}"
+            fi
         done
-    } > "$TEMP_DIR/ip_data" 2>/dev/null
+
+        # Write back existing entries (from subprocesses)
+        for ip in "${!existing_ips[@]}"; do
+            echo "$ip=${existing_ips[$ip]}"
+        done
+
+    } > "$TEMP_DIR/ip_data.new" 2>/dev/null 200>"$TEMP_DIR/ip_data.lock"
+
+    mv "$TEMP_DIR/ip_data.new" "$TEMP_DIR/ip_data" 2>/dev/null
 
     # Update total blocks from file
     if [ -f "$TEMP_DIR/total_blocks" ]; then