diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh
index 462dd8a..7165486 100755
--- a/modules/security/live-attack-monitor.sh
+++ b/modules/security/live-attack-monitor.sh
@@ -1723,15 +1723,21 @@ monitor_apache_logs() {
 # Update IP intelligence with ET attack info
 update_ip_intelligence "$ip" "$url|ET:$et_attack_types|$et_signatures" "attack" "HTTP"
-# Boost IP threat score based on ET detection
+# Replace IP threat score with ET detection score
+# Note: We use ET score instead of adding it to avoid double-counting
+# (update_ip_intelligence already detected the same attack via legacy patterns)
 local current_intel=$(get_ip_intelligence "$ip")
 IFS='|' read -r curr_score curr_hits curr_bot curr_attacks curr_ban curr_rep <<< "$current_intel"
-# Add ET attack score to IP's total score
-local new_score=$((curr_score + et_attack_score))
+# Use ET score if it's higher than current score
+local new_score="$et_attack_score"
+if [ "$curr_score" -gt "$et_attack_score" ]; then
+# Keep higher score (e.g., from AbuseIPDB reputation boost)
+new_score="$curr_score"
+fi
 [ "$new_score" -gt 100 ] && new_score=100
-# Update IP data with boosted score
+# Update IP data with ET-based score
 IP_DATA[$ip]="$new_score|$curr_hits|$curr_bot|$curr_attacks|$curr_ban|$curr_rep"
 # Check rate anomaly
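Review bot: The new comparison `if [ "$curr_score" -gt "$et_attack_score" ]; then` has no guard for an empty or non-numeric operand: if the score field parsed out of `$current_intel` is blank (which looks possible for an IP with no prior intelligence record, though that depends on get_ip_intelligence, which is outside the hunk), `[` prints "integer expression expected" to stderr and the test evaluates false, so new_score silently stays at the ET score and the error lands in the monitor's output. Defaulting both operands makes the max-of-two intent explicit and removes the noise: `local new_score="${et_attack_score:-0}"` followed by `if [ "${curr_score:-0}" -gt "$new_score" ]; then`. The leading added comment says "Replace IP threat score with ET detection score" while the code keeps the larger of the two values; `# Use the higher of the current score and the ET detection score` would match the behaviour and the inner comment. monitor_apache_logs begins before this hunk and continues after it.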