diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index a52cb48..79283a6 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -71,23 +71,27 @@ IPSET_SUPPORTS_TIMEOUT=0
 IPSET_INIT_ERROR="" # Store initialization error message
 # Initialize IPset for fast blocking (if available)
+# PRIORITY: Always use CSF's chain_DENY if available - it's the standard CSF blocking ipset
 if command -v ipset &>/dev/null; then
- # Check if CSF's chain_DENY IPset exists AND supports timeouts
- if ipset list chain_DENY &>/dev/null 2>&1 && ipset list chain_DENY | grep -q "^Type:.*timeout"; then
- # CSF ipset exists with timeout support - use it!
+ # Check if CSF's chain_DENY IPset exists (use it regardless of timeout support)
+ if ipset list chain_DENY &>/dev/null 2>&1; then
+ # CSF ipset exists - use it for all blocking!
 IPSET_NAME="chain_DENY"
 IPSET_AVAILABLE=1
- IPSET_SUPPORTS_TIMEOUT=1
- echo "✓ Using CSF IPset: chain_DENY (with timeout support)" >> "$TEMP_DIR/debug.log" 2>/dev/null || true
- else
- # CSF ipset doesn't exist OR doesn't support timeouts - create our own
- IPSET_NAME="live_monitor_$$"
- if ipset list chain_DENY &>/dev/null 2>&1; then
- echo "→ CSF chain_DENY exists but no timeout support - creating our own ipset" >> "$TEMP_DIR/debug.log" 2>/dev/null || true
+ # Check if it supports timeouts (nice-to-have, not required)
+ if ipset list chain_DENY | grep -q "^Type:.*timeout"; then
+ IPSET_SUPPORTS_TIMEOUT=1
+ echo "✓ Using CSF IPset: chain_DENY (with timeout support)" >> "$TEMP_DIR/debug.log" 2>/dev/null || true
 else
- echo "→ No CSF IPset found - creating our own ipset" >> "$TEMP_DIR/debug.log" 2>/dev/null || true
+ IPSET_SUPPORTS_TIMEOUT=0
+ echo "✓ Using CSF IPset: chain_DENY (without timeout - CSF manages cleanup)" >> "$TEMP_DIR/debug.log" 2>/dev/null || true
 fi
+ else
+ # CSF ipset doesn't exist - only create our own as last resort
+ echo "→ CSF chain_DENY ipset not found - creating temporary monitor ipset" >> "$TEMP_DIR/debug.log" 2>/dev/null || true
+
+ IPSET_NAME="live_monitor_$$"
 # Capture detailed error output
 IPSET_CREATE_OUTPUT=$(ipset create "$IPSET_NAME" hash:ip timeout 3600 maxelem 65536 2>&1)
@@ -108,7 +112,7 @@ if command -v ipset &>/dev/null; then
 IPSET_INIT_ERROR="iptables rule creation failed: $IPTABLES_OUTPUT"
 echo "✗ IPset created but iptables rule failed: $IPTABLES_OUTPUT" >> "$TEMP_DIR/debug.log" 2>/dev/null || true
 else
- echo "✓ IPset initialized: $IPSET_NAME (fast blocking enabled)" >> "$TEMP_DIR/debug.log" 2>/dev/null || true
+ echo "✓ Temporary IPset initialized: $IPSET_NAME (fast blocking enabled)" >> "$TEMP_DIR/debug.log" 2>/dev/null || true
 fi
 else
 # IPset creation failed - capture why
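Review bot: Selecting chain_DENY even when its `Type:` line shows no timeout support means every address the monitor adds to that set has no expiry, and nothing in this hunk backs the "CSF manages cleanup" wording of the new log line — CSF normally populates that set from its own deny list rather than from entries added directly with `ipset add`, so a false positive from the monitor looks like an indefinite block unless the exit handler (outside the hunk) records and removes what the monitor inserted. Either keep the previous fallback to the script's own `timeout 3600` set when chain_DENY lacks timeouts, or track monitor-added IPs and purge them on exit, and reword the message to state what actually happens. Separately, `ipset list chain_DENY` dumps every member just to read the header, and `&>/dev/null 2>&1` is redundant because `&>` already covers stderr; the terse form is cheaper on a large deny set: `if ipset list -t chain_DENY &>/dev/null; then` and `if ipset list -t chain_DENY | grep -q "^Type:.*timeout"; then`. The enclosing `if command -v ipset` block continues past the end of the hunk.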