diff --git a/modules/security/bot-analyzer.sh b/modules/security/bot-analyzer.sh
index 6838a12..da4f4b2 100755
--- a/modules/security/bot-analyzer.sh
+++ b/modules/security/bot-analyzer.sh
@@ -1608,11 +1608,9 @@ is_excluded_ip() {
 return 0 # True - should be excluded
 fi

- # Check if it's the server's own IP
- if [ -f "$TEMP_DIR/server_ips.txt" ]; then
- if grep -qFx "$ip" "$TEMP_DIR/server_ips.txt" 2>/dev/null; then
- return 0 # True - should be excluded
- fi
+ # Check if it's the server's own IP (using pre-loaded array for speed)
+ if [ -n "${server_ips_array[$ip]}" ]; then
+ return 0 # True - should be excluded
 fi

 return 1 # False - should not be excluded
@@ -1656,6 +1654,14 @@ analyze_time_series() {
 calculate_threat_scores() {
 print_info "Calculating threat scores..."

+ # Pre-load server IPs for fast exclusion checking (avoids grep in loop)
+ declare -A server_ips_array
+ if [ -f "$TEMP_DIR/server_ips.txt" ]; then
+ while read -r ip; do
+ [ -n "$ip" ] && server_ips_array["$ip"]=1
+ done < "$TEMP_DIR/server_ips.txt"
+ fi
+
 # Pre-count requests per IP (MUCH faster than grepping for each IP)
 declare -A ip_request_counts
 while IFS='|' read -r ip rest; do
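Review bot: `server_ips_array` is read in is_excluded_ip but only created by `declare -A` inside calculate_threat_scores, which makes it local to that function and the functions it calls. If is_excluded_ip is reached from any other path (none is visible in this hunk), bash treats the name as an indexed array and evaluates the log-derived `$ip` subscript as arithmetic, so the lookup errors and the server's own addresses are no longer excluded, where the removed file test and `grep -qFx` simply returned no match. Populate the array once with `declare -gA server_ips_array` before any caller runs, and guard the lookup against an empty key: `if [ -n "$ip" ] && [ -n "${server_ips_array[$ip]:-}" ]; then`. is_excluded_ip starts above the hunk, so any earlier validation of `$ip` is not visible here.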
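Review bot: The loader loop `while read -r ip; do` skips a final line that has no trailing newline, which the removed `grep -qFx` still matched, so the last address in server_ips.txt can silently lose its exclusion and be scored as a threat. Use `while read -r ip || [ -n "$ip" ]; do` so the last record is always loaded. If the file can carry CRLF line endings, the keys also keep a trailing carriage return and never match; stripping it with `ip=${ip%$'\r'}` before the assignment would cover that. `ip` is not declared `local` here, and calculate_threat_scores continues below the hunk.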