diff --git a/modules/security/suspicious-login-monitor.sh b/modules/security/suspicious-login-monitor.sh
index 252e5fd..f5657e3 100755
--- a/modules/security/suspicious-login-monitor.sh
+++ b/modules/security/suspicious-login-monitor.sh
@@ -503,7 +503,7 @@ correlate_with_access_logs() {
 fi
 # Check if this IP appears in bot analyzer results
- local ip_data=$(grep -F "$ip" "$latest_report" 2>/dev/null || echo "")
+ local ip_data=$(grep -w "$ip" "$latest_report" 2>/dev/null || echo "")
 if [ -z "$ip_data" ]; then
 echo "0|No access log activity"
@@ -515,7 +515,7 @@ correlate_with_access_logs() {
 local additional_risk=0
 # Look for attack patterns in the report around this IP
- local context=$(grep -A 5 -B 5 "$ip" "$latest_report" 2>/dev/null)
+ local context=$(grep -w -A 5 -B 5 "$ip" "$latest_report" 2>/dev/null)
 # Check for specific attack types
 if echo "$context" | grep -qi "RCE/Upload"; then
@@ -760,7 +760,7 @@ generate_report() {
 echo " │ IP: $ip"
 echo " │ Successful logins: ${successful:-0}"
 echo " │ Failed attempts: ${failed:-0}"
- echo " │ Root logins: ${root_count:-0}"
+ echo " │ Root logins: ${root:-0}"
 echo " │ Users: $users"
 echo " │ Services: $services"
 echo " │ Initial Risk Factors: $reasons"
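Review bot: Dropping `-F` in the `ip_data` lookup makes grep read `$ip` as a regular expression, so every dot matches any character and a search for `10.1.2.3` also hits a report line for `10.112.3`; a different address can then be credited with this IP's access-log activity and risk score. Keeping both flags avoids that: `grep -wF -- "$ip" "$latest_report"`, where `--` also stops a value beginning with `-` from being parsed as an option. The `context` lookup in the second hunk has the same problem (it never had `-F`) and would take `grep -wF -A 5 -B 5 -- "$ip" "$latest_report"`. Where `$ip` is populated is outside these hunks; if it is parsed from log lines, it is presumably worth validating as an address before it reaches grep. correlate_with_access_logs starts and ends outside both hunks.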