diff --git a/lib/attack-patterns.sh b/lib/attack-patterns.sh
index 05000d8..388a62c 100644
--- a/lib/attack-patterns.sh
+++ b/lib/attack-patterns.sh
@@ -689,8 +689,8 @@ calculate_attack_score() {
 [[ "$attacks" =~ (^|,)NOSQL_INJECTION(,|$) ]] && score=$((score + 15))
 [[ "$attacks" =~ (^|,)TEMPLATE_INJECTION(,|$) ]] && score=$((score + 20))
 [[ "$attacks" =~ (^|,)ENCODING_BYPASS(,|$) ]] && score=$((score + 12))
- [[ "$attacks" =~ (^|,)SUSPICIOUS_UA(,|$) ]] && score=$((score + 10))
- [[ "$attacks" =~ (^|,)BOT_FINGERPRINT(,|$) ]] && score=$((score + 8))
+ [[ "$attacks" =~ (^|,)SUSPICIOUS_UA(,|$) ]] && score=$((score + 15))
+ [[ "$attacks" =~ (^|,)BOT_FINGERPRINT(,|$) ]] && score=$((score + 15))
 [[ "$attacks" =~ (^|,)ANONYMIZER(,|$) ]] && score=$((score + 15))
 [[ "$attacks" =~ (^|,)CREDENTIAL_STUFFING(,|$) ]] && score=$((score + 18))
 [[ "$attacks" =~ (^|,)API_ABUSE(,|$) ]] && score=$((score + 12))
diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index 6b9f1a6..cb12c3b 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -450,13 +450,16 @@ update_ip_intelligence() {
 # Adjust score based on bot type
 case "$bot_type" in
 legit|ai|monitor)
- # Legitimate bots - reduce score
- score=$((score - 5))
- [ "${score:-0}" -lt 0 ] && score=0
+ # Legitimate bots - reduce score ONLY if no attacks detected
+ # (prevents spoofed user agents from avoiding blocks)
+ if [ -z "$attacks" ]; then
+ score=$((score - 5))
+ [ "${score:-0}" -lt 0 ] && score=0
+ fi
 ;;
 suspicious)
 # Suspicious bots - increase score
- score=$((score + 15))
+ score=$((score + 15))
 ;;
 esac
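Review bot: The raised weights on the SUSPICIOUS_UA and BOT_FINGERPRINT lines now give a bare User-Agent match — the cheapest signal an attacker controls outright — the same weight as ANONYMIZER, and nothing in calculate_attack_score records why 15 was chosen or what the block threshold is that these increments are measured against. A short comment above the table would keep the next tuning honest, e.g. `# Weights are relative to the block threshold used by the caller; UA-derived tags (SUSPICIOUS_UA, BOT_FINGERPRINT) are client-controlled and should not on their own reach it`. If update_ip_intelligence in live-attack-monitor-v2.sh (second hunk of this commit) also adds +15 for a "suspicious" bot type derived from the same UA, the two increments may stack for one request; that is inferred, not visible here, but worth confirming against the caller. calculate_attack_score starts and ends outside the hunk.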
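Review bot: The new `if [ -z "$attacks" ]; then` gate in the legit|ai|monitor arm reads `$attacks`, but the hunk does not show where that variable is populated for this code path; if it is unset on some branch (for example a request with no parsed attack list) the test silently passes as "no attacks" and the discount is applied, and under `set -u` it would abort instead. Consider `if [ -z "${attacks:-}" ]; then` together with a comment stating the contract, e.g. `# $attacks is the comma-separated tag list from calculate_attack_score; must be set (possibly empty) before this case`. The suspicious arm's bump to +15 also mirrors the +15 SUSPICIOUS_UA weight changed in lib/attack-patterns.sh in this same commit, so a single UA signal may now count twice if both feed the same score — hedged, since the data flow is outside the hunk. update_ip_intelligence starts and ends outside the hunk.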