diff --git a/data/suspicious-login-monitor/baseline.dat b/data/suspicious-login-monitor/baseline.dat
new file mode 100644
index 0000000..bb32d52
--- /dev/null
+++ b/data/suspicious-login-monitor/baseline.dat
@@ -0,0 +1,8 @@
+# Baseline data for suspicious login monitor
+# Last updated: Tue Feb 3 04:04:53 PM EST 2026
+BASELINE_SSH_KEY_COUNT=1
+BASELINE_USER_COUNT=3
+BASELINE_TYPICAL_LOGIN_HOURS="16"
+BASELINE_PASSWORD_CHANGES_PER_WEEK=0
+BASELINE_NEW_USERS_PER_WEEK=0
+BASELINE_LAST_UPDATE=1770152693
diff --git a/modules/security/suspicious-login-monitor.sh b/modules/security/suspicious-login-monitor.sh
index bfef8c4..a280efb 100755
--- a/modules/security/suspicious-login-monitor.sh
+++ b/modules/security/suspicious-login-monitor.sh
@@ -49,8 +49,8 @@ PANEL_EVENTS="$TMP_DIR/panel_events_$$.txt"
 SUDO_EVENTS="$TMP_DIR/sudo_events_$$.txt"
 SUSPICIOUS_IPS="$TMP_DIR/suspicious_ips_$$.txt"
-# Baseline storage (persistent across runs)
-BASELINE_DIR="/var/lib/suspicious-login-monitor"
+# Baseline storage (persistent across runs, within toolkit directory)
+BASELINE_DIR="$TOOLKIT_ROOT/data/suspicious-login-monitor"
 BASELINE_FILE="$BASELINE_DIR/baseline.dat"
 mkdir -p "$BASELINE_DIR" 2>/dev/null
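Review bot: The baseline may now be writable by anyone who can write to the toolkit checkout, because `BASELINE_DIR="$TOOLKIT_ROOT/data/suspicious-login-monitor"` puts the monitor's reference data in the working tree instead of `/var/lib`; whoever can edit it can shift the counts the monitor compares against. The file is in shell `KEY=value` form, so if it is loaded with `source` (the loader is outside this hunk) write access would also mean code execution as the monitor's user; the loader should parse the expected keys explicitly, and the directory should be created with restrictive permissions, e.g. `install -d -m 700 "$BASELINE_DIR"`. `TOOLKIT_ROOT` is not assigned within the hunk, and if it is empty the path becomes `/data/suspicious-login-monitor` while `mkdir -p "$BASELINE_DIR" 2>/dev/null` hides any failure; a guard such as `: "${TOOLKIT_ROOT:?TOOLKIT_ROOT must be set}"` before the assignment would fail loudly instead. The same commit also checks in one host's `baseline.dat`, which every clone will start from and a later pull can overwrite, so that path probably belongs in `.gitignore`.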