diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index a71ac67..b20bdf1 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -2901,7 +2901,12 @@ monitor_network_attacks() {
  # Cap at 100
  [ "$score" -gt 100 ] && score=100
- # Write to file for main process
+ # CRITICAL FIX: Write to centralized ip_data file (not individual ip_*.files)
+ # auto_mitigation_engine() reads from $TEMP_DIR/ip_data, not individual files
+ # Without this, SYN-detected IPs are never auto-blocked!
+ write_ip_data_to_file "$ip" "$score|$hits|$bot_type|$attacks|$ban_count|$rep_score" 2>/dev/null &
+
+ # Also write to individual file for debugging/tracking
  echo "$score|$hits|$bot_type|$attacks|$ban_count|$rep_score" > "$ip_file"
  # Store block reasons for auto-mitigation
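Review bot: The added `write_ip_data_to_file ... 2>/dev/null &` call discards stderr and runs in the background, so a failed write to the file that auto_mitigation_engine() reads goes unnoticed. That reproduces the never-blocked outcome this commit is fixing, with no trace in the logs. Each scored IP also starts its own background writer against the single `$TEMP_DIR/ip_data` file; unless write_ip_data_to_file takes a lock (its body is not visible here), concurrent writers during a flood could interleave or drop records. Consider running it in the foreground and surfacing failure, e.g. `write_ip_data_to_file "$ip" "$score|$hits|$bot_type|$attacks|$ban_count|$rep_score" || echo "ip_data write failed for $ip" >&2`. The body of monitor_network_attacks starts and ends outside this hunk.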