diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index e73bcfe..af6466d 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -2816,13 +2816,14 @@ monitor_network_attacks() {
 
                                     # 4. Spoofed source detection (high SYN, low other traffic)
                                     # Check if IP has ANY other traffic (HTTP requests, DNS, etc)
+                                    # CRITICAL FIX: Use already-loaded $attacks variable from ip_data (line 2597)
+                                    # Bug: was trying to read from individual ip_* file which may not exist
+                                    # If this is first SYN detection of an IP with prior HTTP attacks, file won't exist
+                                    # Result: has_other_traffic stays 0, missing indicator of multi-attack IP
                                     local has_other_traffic=0
-                                    if [ -f "$TEMP_DIR/ip_${ip//\./_}" ]; then
-                                        local ip_attacks=$(cut -d'|' -f4 "$TEMP_DIR/ip_${ip//\./_}" 2>/dev/null || echo "")
-                                        # If has HTTP attacks, not spoofed
-                                        if [[ "$ip_attacks" =~ (SQLI|XSS|BRUTE|SCAN) ]]; then
-                                            has_other_traffic=1
-                                        fi
+                                    # If has HTTP attacks in history, not spoofed
+                                    if [[ "$attacks" =~ (SQLI|XSS|BRUTE|SCAN) ]]; then
+                                        has_other_traffic=1
                                     fi
 
                                     # High SYN but no other traffic = likely spoofed source
@@ -2843,17 +2844,14 @@ monitor_network_attacks() {
 
                                     # Multi-vector attack detection: Check if IP also has HTTP attacks
                                     # This indicates sophisticated attacker (SYN flood + application layer)
+                                    # CRITICAL FIX: Use already-loaded $attacks variable from ip_data (line 2597)
+                                    # Bug: was trying to read from individual ip_* file which may not exist
+                                    # If this is first SYN detection of an IP with prior HTTP attacks, file won't exist
+                                    # Result: multi_vector stays 0, missing the sophisticated attacker indicator
                                     local multi_vector=0
-                                    if [ -f "$TEMP_DIR/ip_${ip//\./_}" ]; then
-                                        # CRITICAL FIX: Parse pipe-delimited format correctly
-                                        # File format: score|hits|bot_type|attacks|ban_count|rep_score
-                                        # Bug: was trying to parse 'attacks=' key which doesn't exist
-                                        # Fixed: Use cut to extract 4th field (attacks)
-                                        local existing_attacks=$(cut -d'|' -f4 "$TEMP_DIR/ip_${ip//\./_}" 2>/dev/null || echo "")
-                                        if [[ "$existing_attacks" =~ (SQLI|XSS|RCE|LFI|RFI|WEBSHELL) ]]; then
-                                            multi_vector=1
-                                            conn_bonus=$((conn_bonus + 30))  # Multi-vector = very dangerous
-                                        fi
+                                    if [[ "$attacks" =~ (SQLI|XSS|RCE|LFI|RFI|WEBSHELL) ]]; then
+                                        multi_vector=1
+                                        conn_bonus=$((conn_bonus + 30))  # Multi-vector = very dangerous
                                     fi
 
                                     # Connection persistence bonus (repeated detections of same IP)