diff --git a/lib/attack-patterns.sh b/lib/attack-patterns.sh
index 8e8911a..0d63c57 100644
--- a/lib/attack-patterns.sh
+++ b/lib/attack-patterns.sh
@@ -7,6 +7,9 @@
 # Features: SQL injection, XSS, Path traversal, RCE, Info disclosure, Bruteforce
 ################################################################################
+# Cache hostname to avoid subprocess on every open redirect check
+CACHED_HOSTNAME="${HOSTNAME:-$(hostname 2>/dev/null || echo "unknown")}"
+
 # SQL Injection Detection
 # Returns: 0 (true) if SQL injection detected, 1 (false) if not
 detect_sql_injection() {
@@ -475,7 +478,7 @@ detect_open_redirect() {
 [[ "$url_lower" =~ (continue=http|view=http|return_to=http|redirect_uri=http) ]]; then
 # Exclude same-domain redirects (basic check)
- if [[ ! "$url_lower" =~ (redirect=https?://(www\.)?$(hostname)|localhost) ]]; then
+ if [[ ! "$url_lower" =~ (redirect=https?://(www\.)?${CACHED_HOSTNAME}|localhost) ]]; then
 return 0
 fi
 fi
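Review bot: `CACHED_HOSTNAME` is stored raw, but detect_open_redirect later expands it unquoted inside an `=~` pattern matched against `url_lower`, so it should be normalised once at this assignment. A hostname with upper-case letters will never match the (presumably lower-cased) URL, and each `.` in it acts as a regex wildcard. `$HOSTNAME` may also be inherited from the caller's environment rather than set by the shell, so it is not guaranteed to equal what `hostname` printed before this change. Assuming bash 4+, I would follow the assignment with `CACHED_HOSTNAME="${CACHED_HOSTNAME,,}"`, `CACHED_HOSTNAME="${CACHED_HOSTNAME//./\\.}"` and `readonly CACHED_HOSTNAME`. The `"unknown"` fallback makes any redirect target beginning with `unknown` count as same-domain; an empty value that skips the hostname comparison would be safer, or at least add the comment `# fallback "unknown" is matched literally by detect_open_redirect`.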
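Review bot: The same-domain exclusion on the changed `if` line is looser than its comment suggests, and this produces missed detections. The `|localhost` alternative sits at the top level of the group, so any URL containing `localhost` anywhere suppresses the alert. The hostname branch has no terminator, so an external host whose name only begins with the local hostname is also classed as same-domain. Grouping the hosts and ending at a host boundary fixes both: `if [[ ! "$url_lower" =~ redirect=https?://((www\.)?${CACHED_HOSTNAME}|localhost)([/:?#]|$) ]]; then`. The exclusion also inspects only `redirect=`, while the outer test visible here matches `continue=`, `view=`, `return_to=` and `redirect_uri=`, which deserves a comment if intentional; detect_open_redirect starts before and ends after this hunk, so the other parameter names are not visible.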