diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh
index 7fcb065..c23ac9d 100755
--- a/modules/security/live-attack-monitor.sh
+++ b/modules/security/live-attack-monitor.sh
@@ -135,6 +135,29 @@ cleanup() {
 trap cleanup EXIT INT TERM
+# Save current monitoring state to temp files (for persistence across sessions)
+save_snapshot() {
+ # Save IP_DATA associative array to file
+ local snapshot_file="$TEMP_DIR/snapshot.dat"
+
+ # Write IP data
+ {
+ for ip in "${!IP_DATA[@]}"; do
+ echo "IP_DATA[$ip]=${IP_DATA[$ip]}"
+ done
+
+ # Write attack type counters
+ for attack in "${!ATTACK_TYPE_COUNTER[@]}"; do
+ echo "ATTACK_TYPE_COUNTER[$attack]=${ATTACK_TYPE_COUNTER[$attack]}"
+ done
+
+ # Write totals
+ echo "TOTAL_THREATS=$TOTAL_THREATS"
+ echo "TOTAL_BLOCKS=$TOTAL_BLOCKS"
+ echo "START_TIME=$START_TIME"
+ } > "$snapshot_file" 2>/dev/null
+}
+
 # Statistics counters
 declare -A IP_DATA # Stores: IP -> score|hits|bot_type|attacks|ban_count|rep_score
 declare -A IP_TIMESTAMPS # Stores: IP -> comma-separated attack timestamps (last 100)
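Review bot: The records written by `save_snapshot` are raw `NAME[key]=value` shell assignments with no quoting, so the file is only safe if the restore path parses it strictly as data. That restore code is not in this hunk; if it uses `source` or `eval`, any log-derived text in an IP key or in the `bot_type`/`attacks` fields of `IP_DATA` would run with the monitor's privileges. I would write a neutral record instead, e.g. `printf 'IP_DATA\t%s\t%s\n' "$ip" "${IP_DATA[$ip]}"`, and have the loader read it back with `while IFS=$'\t' read -r kind key value`, validating the key before assigning. `ip` and `attack` should also be declared with `local ip attack` next to `snapshot_file`, since they currently leak into the script's global scope. The `2>/dev/null` on the group hides failures while writing, and the "persistence across sessions" comment looks doubtful if `cleanup` (body outside the hunk) removes `$TEMP_DIR` on exit.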