diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index 5f91889..1987292 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -2652,6 +2652,9 @@ monitor_network_attacks() {
 if [ -z "${ALERT_SENT[$ip]}" ]; then
 ALERT_SENT[$ip]=1
+ # Define ip_file for this IP's individual tracking file
+ local ip_file="$TEMP_DIR/ip_${ip//\./_}"
+
 # Smart whitelisting: Skip SCORING for IPs with MANY successful established connections
 # But still track them - don't skip the write!
 # Only whitelist if IP has 20+ established connections (highly unlikely for attacker)
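Review bot: The added `local ip_file="$TEMP_DIR/ip_${ip//\./_}"` builds a file path from `$ip` with only dots replaced, so a `/` or any other unexpected character in `$ip` passes straight into the path under `$TEMP_DIR`. Where `$ip` is populated is outside this hunk; if it is parsed from log or socket-tool output, it should be checked against an address pattern before it names a file, or the expansion should map every non-address character, e.g. `local ip_file="$TEMP_DIR/ip_${ip//[^0-9A-Fa-f]/_}"` (identical result for IPv4, but it has to match however other code derives the same filename). Separately, `local` is function-scoped in bash, so any use of `ip_file` after the `if [ -z "${ALERT_SENT[$ip]}" ]` branch would see the value left by an earlier IP whenever the branch is skipped; the rest of monitor_network_attacks lies outside the hunk, so confirm every use sits inside this branch.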