diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh
index 8077204..4e56b27 100755
--- a/modules/security/live-attack-monitor.sh
+++ b/modules/security/live-attack-monitor.sh
@@ -650,6 +650,46 @@ apply_reputation_decay() {
 done
 }
 
+# Context-aware scoring (geo, ISP, time-of-day)
+# Returns: context_bonus|reason
+calculate_context_bonus() {
+ local ip="$1"
+ local now=$(date +%s)
+
+ local bonus=0
+ local reasons=""
+
+ # Time-of-day analysis (attacks at odd hours = suspicious)
+ local hour=$(date +%H)
+ if [ "$hour" -ge 2 ] && [ "$hour" -le 5 ]; then
+ # Attacks between 2am-5am (server timezone) = suspicious
+ bonus=$((bonus + 8))
+ reasons="NIGHT_ATTACK:${hour}h"
+ fi
+
+ # Check geolocation if available (from threat intelligence)
+ if [ -f "$TEMP_DIR/threat_enrich_${ip//\./_}" ]; then
+ local threat_data=$(cat "$TEMP_DIR/threat_enrich_${ip//\./_}")
+ IFS='|' read -r abuse_conf abuse_rpts country isp geo timing whitelisted <<< "$threat_data"
+
+ # High-risk country already detected
+ if is_high_risk_country "${geo:-XX}" 2>/dev/null; then
+ bonus=$((bonus + 5))
+ [ -n "$reasons" ] && reasons="${reasons}+" || reasons=""
+ reasons="${reasons}HIGH_RISK_GEO:${geo}"
+ fi
+
+ # Residential ISP (suspicious for server attacks)
+ if echo "$isp" | grep -qiE "(comcast|verizon|att|residential|cable|dsl|fiber|broadband)"; then
+ bonus=$((bonus + 10))
+ [ -n "$reasons" ] && reasons="${reasons}+" || reasons=""
+ reasons="${reasons}RESIDENTIAL_ISP"
+ fi
+ fi
+
+ echo "${bonus}|${reasons}"
+}
+
 # Get threat level from score
 get_threat_level() {
 local score="$1"
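Review bot: The residential-ISP test in `calculate_context_bonus` is a case-insensitive, unanchored substring match, so `att`, `cable`, `dsl` and `fiber` will also hit unrelated hosting and business ISP names (any name containing "Matt", "Cablevision", a "fiber backbone" provider, and so on) and quietly add +10 toward a block; matching whole words only, `grep -qiwE "(comcast|verizon|att|residential|cable|dsl|fiber|broadband)"`, removes the worst of that, and since the `isp` string is third-party enrichment data the rule should remain a bonus rather than ever block on its own. The enrichment record is split into seven fields including `whitelisted`, but that flag is read and then ignored, so an IP the threat-intel layer marked as allowlisted still collects up to +23 here — unless an earlier stage already short-circuits allowlisted IPs (not visible in this hunk), guard with something like `[ "${whitelisted:-0}" = "0" ] || { echo "0|"; return 0; }` using whatever encoding the enrichment file actually writes for that field. The same record carries both a `country` and a `geo` field and only `geo` is passed to `is_high_risk_country`; it is worth confirming that the fifth field is the country code that helper expects rather than the third. `local now=$(date +%s)` is never used and can be dropped, and `local threat_data=$(cat ...)` hides a failed read behind `local`'s own exit status — declare first, then `threat_data=$(cat ...) || return 0`.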
@@ -1182,6 +1222,15 @@ monitor_ssh_attacks() {
 block_reasons="${block_reasons}${subnet_reason}"
 fi
+ # 5. Context-aware bonus (geo, ISP, time)
+ local context_data=$(calculate_context_bonus "$ip")
+ IFS='|' read -r context_bonus context_reason <<< "$context_data"
+ if [ "$context_bonus" -gt 0 ]; then
+ score=$((score + context_bonus))
+ [ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons=""
+ block_reasons="${block_reasons}${context_reason}"
+ fi
+
 # Cap at 100
 [ $score -gt 100 ] && score=100