diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh
index 1cadccd..55653bf 100755
--- a/modules/security/live-attack-monitor.sh
+++ b/modules/security/live-attack-monitor.sh
@@ -469,11 +469,14 @@ draw_quick_actions() {
 # Check for high connection counts
 if [ -f "$TEMP_DIR/recent_events" ]; then
- high_conn_count=$(grep -c "HIGH_CONN_COUNT" "$TEMP_DIR/recent_events" 2>/dev/null || echo "0")
+ high_conn_count=$(grep -c "HIGH_CONN_COUNT" "$TEMP_DIR/recent_events" 2>/dev/null)
+ else
+ high_conn_count=0
 fi
- # Ensure it's a valid number
- high_conn_count=${high_conn_count:-0}
+ # Ensure it's a valid number (strip whitespace and validate)
+ high_conn_count=$(echo "$high_conn_count" | tr -d '[:space:]')
+ [[ ! "$high_conn_count" =~ ^[0-9]+$ ]] && high_conn_count=0
 # IP Blocking Recommendations
 if [ "$blockable_count" -gt 0 ]; then
@@ -495,8 +498,12 @@ draw_quick_actions() {
 fi
 if [ "$has_ssh_bruteforce" -eq 1 ]; then
- local ssh_attacks=$(grep -c "SSH_BRUTEFORCE" "$TEMP_DIR/recent_events" 2>/dev/null || echo "0")
- ssh_attacks=${ssh_attacks:-0}
+ local ssh_attacks=0
+ if [ -f "$TEMP_DIR/recent_events" ]; then
+ ssh_attacks=$(grep -c "SSH_BRUTEFORCE" "$TEMP_DIR/recent_events" 2>/dev/null)
+ fi
+ ssh_attacks=$(echo "$ssh_attacks" | tr -d '[:space:]')
+ [[ ! "$ssh_attacks" =~ ^[0-9]+$ ]] && ssh_attacks=0
 if [ "$ssh_attacks" -gt 5 ]; then
 echo -e "${HIGH_COLOR} ⚠️ SSH Bruteforce ($ssh_attacks attempts) - Strengthen SSH Security${NC}"
 echo -e "${MEDIUM_COLOR} → Lower LF_SSHD trigger: ${BOLD}Edit /etc/csf/csf.conf → LF_SSHD=\"3\"${NC}"
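Review bot: In the new `high_conn_count=$(grep -c "HIGH_CONN_COUNT" ...)` assignment, `grep -c` exits 1 whenever it counts zero matches, and with `|| echo "0"` removed that status is now the status of the assignment itself. If this script runs under `set -e` or an ERR trap (neither is visible in the hunk), a quiet period with no matching events would abort the monitor or fire the trap. Appending `|| true` inside the substitution keeps the single printed count and neutralises the status: `high_conn_count=$(grep -c "HIGH_CONN_COUNT" "$TEMP_DIR/recent_events" 2>/dev/null || true)`. The `ssh_attacks=$(grep -c "SSH_BRUTEFORCE" ...)` assignment in the second hunk has the same shape, and is no longer shielded by `local`. draw_quick_actions starts and ends outside the hunk.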
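Review bot: The sanitising pair `ssh_attacks=$(echo "$ssh_attacks" | tr -d '[:space:]')` and `[[ ! "$ssh_attacks" =~ ^[0-9]+$ ]] && ssh_attacks=0` forks a subshell and `tr` on every redraw for something bash can do in place, and the negated test chained with `&&` is harder to read than it needs to be. A parameter expansion plus a positive guard does the same work: `ssh_attacks=${ssh_attacks//[[:space:]]/}` followed by `[[ "$ssh_attacks" =~ ^[0-9]+$ ]] || ssh_attacks=0`. The identical pair for `high_conn_count` in the first hunk can take the same form. Whichever form is used, the numeric guard should stay, since the value feeds `[ "$ssh_attacks" -gt 5 ]` and comes from a file under `$TEMP_DIR`.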