diff --git a/modules/security/bot-analyzer.sh b/modules/security/bot-analyzer.sh
index c7fa79d..82f6f43 100755
--- a/modules/security/bot-analyzer.sh
+++ b/modules/security/bot-analyzer.sh
@@ -27,6 +27,7 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 source "$SCRIPT_DIR/lib/common-functions.sh"
 source "$SCRIPT_DIR/lib/system-detect.sh"
 source "$SCRIPT_DIR/lib/user-manager.sh"
+source "$SCRIPT_DIR/lib/ip-reputation.sh"
 
 # Default configuration (auto-detected from system)
 LOG_DIR="${SYS_LOG_DIR:-/var/log/apache2/domlogs}"
@@ -925,9 +926,29 @@ calculate_threat_scores() {
 
 # Only output IPs with score > 0
 [ $score -gt 0 ] && echo "$score|$ip|$req_count"
+
+ # Track in centralized IP reputation database (background process)
+ if [ $score -gt 0 ]; then
+ (
+ # Update IP with hit count
+ increment_ip_hits "$ip" "$req_count" >/dev/null 2>&1
+
+ # Tag with specific attack types found
+ [ -n "${threat_ips_sqli[$ip]}" ] && flag_ip_attack "$ip" "SQL_INJECTION" 0 "Bot analyzer: SQL injection attempts" >/dev/null 2>&1
+ [ -n "${threat_ips_xss[$ip]}" ] && flag_ip_attack "$ip" "XSS" 0 "Bot analyzer: XSS attempts" >/dev/null 2>&1
+ [ -n "${threat_ips_path[$ip]}" ] && flag_ip_attack "$ip" "PATH_TRAVERSAL" 0 "Bot analyzer: Path traversal" >/dev/null 2>&1
+ [ -n "${threat_ips_rce[$ip]}" ] && flag_ip_attack "$ip" "RCE" 0 "Bot analyzer: RCE/shell upload attempts" >/dev/null 2>&1
+ [ -n "${threat_ips_login[$ip]}" ] && flag_ip_attack "$ip" "BRUTEFORCE" 0 "Bot analyzer: Login bruteforce" >/dev/null 2>&1
+ [ -n "${threat_ips_ddos[$ip]}" ] && flag_ip_attack "$ip" "DDOS" 0 "Bot analyzer: Rapid-fire requests" >/dev/null 2>&1
+ [ -n "${threat_ips_suspicious[$ip]}" ] && flag_ip_attack "$ip" "SCANNER" 0 "Bot analyzer: Suspicious user-agent" >/dev/null 2>&1
+ ) &
+ fi
 done | sort -t'|' -k1 -rn > "$TEMP_DIR/threat_scores.txt"
 
-print_success "Threat scores calculated"
+ # Wait for background IP reputation updates to complete
+ wait
+
+ print_success "Threat scores calculated and IP reputation updated"
 }
 
 #############################################################################
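Review bot: The `wait` added after the `done | sort` pipeline does not cover the `( … ) &` jobs spawned inside the loop, because the loop body runs in the pipeline's subshell and those jobs are that subshell's children, not the main shell's; the function still blocks today only because each background subshell inherits sort's input pipe and keeps it open until it exits, which is an accidental synchronisation that a later `>/dev/null` on the subshell would silently remove, letting the updates outlive the function and its success message. Moving the reputation updates out of the pipeline — reading `$TEMP_DIR/threat_scores.txt` after sort has finished and forking from the main shell, as sketched below — makes `wait` do what its comment promises, assuming the `threat_ips_*` arrays are populated before the pipeline (the loop head and the rest of calculate_threat_scores are outside this hunk, so that cannot be confirmed here). Two smaller points in the same block: under `set -u` the `${threat_ips_sqli[$ip]}` lookups abort the subshell with an unbound-variable error whenever the key is absent, so write them as `${threat_ips_sqli[$ip]:-}` (same for the other six); and every call is silenced with `>/dev/null 2>&1`, so a missing `lib/ip-reputation.sh` (added in the first hunk) or a failing database update is never reported — at minimum log failures to stderr. Forking one process per scoring IP is also unbounded, and if ip-reputation.sh writes to a shared file without locking the concurrent updates may race, which is worth confirming against that library.
```shell
    done | sort -t'|' -k1 -rn > "$TEMP_DIR/threat_scores.txt"

    # Update the IP reputation database from the sorted results, forking from
    # the main shell so that the `wait` below actually covers these jobs.
    while IFS='|' read -r score ip req_count; do
        (
            increment_ip_hits "$ip" "$req_count" >/dev/null 2>&1 \
                || printf 'bot-analyzer: increment_ip_hits failed for %s\n' "$ip" >&2
            [ -n "${threat_ips_sqli[$ip]:-}" ] && flag_ip_attack "$ip" "SQL_INJECTION" 0 "Bot analyzer: SQL injection attempts" >/dev/null 2>&1
            # … unchanged: remaining flag_ip_attack calls (XSS, PATH_TRAVERSAL, RCE, BRUTEFORCE, DDOS, SCANNER), each with the `:-` default …
        ) &
    done < "$TEMP_DIR/threat_scores.txt"

    # Wait for background IP reputation updates to complete
    wait
```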