diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index 9c0cc49..699ed37 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -2587,17 +2587,16 @@ monitor_network_attacks() {
                         CONNECTION_COUNT[$ip]=$count
 
                         # Dynamic threshold based on attack severity + momentum:
-                        # CRITICAL FIX: Changed Tier 0 threshold from 20 to 5
+                        # CRITICAL FIX: Changed Tier 0 threshold from 20 to 3
                         # Bug: Tier 0 (< 75 total SYN) had threshold=20, preventing detection of distributed attacks
                         # With 8-41 total connections spread across IPs, no single IP reaches 20, so ZERO detection
-                        # Fix: Lower Tier 0 to 5 to detect suspicious activity even in small-scale attacks
-                        # This matches Tier 4 minimum of 3 connections for true attacks
-                        # Tier 0: >5 connections (low-level activity, may be distributed)
+                        # Fix: Lower Tier 0 to 3 to detect any suspicious SYN activity
+                        # Tier 0: >3 connections (low-level activity, may be distributed)
                         # Tier 1: >10 connections (75-150 total, moderate DDoS)
                         # Tier 2: >6 connections (150-300 total, major DDoS)
                         # Tier 3: >4 connections (300-500 total, severe DDoS)
                         # Tier 4: >3 connections (500+ total, CRITICAL DDoS)
-                        local threshold=5
+                        local threshold=3
                         case "$attack_severity" in
                             4) threshold=3 ;;  # Critical: Very aggressive (safe for production)
                             3) threshold=4 ;;  # Severe: Aggressive