diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index 064304a..9e4540c 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -2749,12 +2749,15 @@ monitor_network_attacks() {
     fi
 
     # CRITICAL FIX: Declare variables before skip_scoring block
-    # Bug: multi_vector, geo_bonus, and ratio were declared inside skip_scoring but used outside
-    # When skip_scoring=1, local vars never initialized, causing undefined variable in intel_tags logic
+    # Bug: multi_vector, geo_bonus, ratio, target_ports, and has_other_traffic
+    # were declared inside skip_scoring but used outside in intel_tags logic
+    # When skip_scoring=1, local vars never initialized, causing undefined variable errors
     # Fix: Move declarations outside skip_scoring so they're always available
     local multi_vector=0
     local geo_bonus=0
     local ratio=0
+    local target_ports=0
+    local has_other_traffic=0
 
     # Only do scoring/tracking if not whitelisted
     if [ "$skip_scoring" -eq 0 ]; then
@@ -2833,7 +2836,7 @@ monitor_network_attacks() {
         # Bug: was trying to read from individual ip_* file which may not exist
         # If this is first SYN detection of an IP with prior HTTP attacks, file won't exist
         # Result: has_other_traffic stays 0, missing indicator of multi-attack IP
-        local has_other_traffic=0
+        # Note: has_other_traffic declared outside skip_scoring block (line ~2760) for scope
         # If has HTTP attacks in history, not spoofed
         if [[ "$attacks" =~ (SQLI|XSS|BRUTE|SCAN) ]]; then
             has_other_traffic=1
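Review bot: The comment block above the new `local target_ports=0` / `local has_other_traffic=0` lines reads as a change log ("CRITICAL FIX", "Bug:", "Fix:") rather than telling the next maintainer why the declarations live here, and it will go stale the next time a variable is added. A single why-comment carries the same information and does not need updating per variable: `# Declared unconditionally: the intel_tags logic after the skip_scoring block reads these even when scoring is skipped (skip_scoring=1)`. Whether the old behaviour was an "undefined variable error" or a silent empty expansion depends on whether the script runs under `set -u`, which this hunk does not show, so I would drop that claim from the comment rather than assert it. The `if [ "$skip_scoring" -eq 0 ]; then` block opened at the end of this hunk closes outside it.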
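Review bot: Replacing `local has_other_traffic=0` with a comment also removes the reset to 0 at this point, and only the declaration near line 2760 now initializes it. If this code runs once per IP inside a loop and that declaration sits outside the loop (I cannot tell from the hunk), a previous IP's `has_other_traffic=1` carries over and the next source is wrongly treated as "not spoofed"; if so, keep a plain `has_other_traffic=0` here, just without `local`. The `(line ~2760)` reference in the new comment will drift with the next edit; prefer `# Note: has_other_traffic is declared above the skip_scoring block so intel_tags can read it`. The enclosing `if` block begins and ends outside this hunk.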
@@ -2851,7 +2854,8 @@ monitor_network_attacks() {
         # Bug: Unquoted 'src "$ip"' was treated as separate arguments, not a filter expression
         # Result: ss silently ignores the filter and returns ALL syn-recv (giving wrong port count)
         # Fix: Quote the expression so ss parses it correctly: 'src IP'
-        local target_ports=$(ss -tn "state syn-recv src $ip" 2>/dev/null | grep -oP ':\d+\s+' | sort -u | wc -l)
+        # Note: target_ports declared outside skip_scoring block (line ~2760) for scope
+        target_ports=$(ss -tn "state syn-recv src $ip" 2>/dev/null | grep -oP ':\d+\s+' | sort -u | wc -l)
         [ -z "$target_ports" ] && target_ports=0
         if [ "$target_ports" -eq 1 ] && [ "$count" -ge 8 ]; then
             conn_bonus=$((conn_bonus + 10))  # Single port = targeted attack
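Review bot: The re-added `target_ports=$(ss -tn "state syn-recv src $ip" ...)` line passes the whole filter as one argument, and I do not believe ss accepts the `state` keyword that way: ss consumes `state STATE` as separate argv words before handing the rest to its expression parser, so a single quoted string is likely rejected, its error goes to the discarded stderr, and `wc -l` yields 0 every time, which silently disables the single-port "targeted attack" bonus. Please verify on a live host against the documented form `ss -tn state syn-recv src "$ip"`, and consider not discarding stderr so a parse failure is visible in the log rather than masked. Because `$ip` is interpolated into a filter expression, it should be validated against an IPv4/IPv6 pattern before use if it originates from parsed log text (I cannot see its source here). The `(line ~2760)` reference in the new comment will drift; naming the location ("declared above the skip_scoring block") is more durable. The enclosing `if [ "$skip_scoring" -eq 0 ]` block and the function both continue outside this hunk.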