diff --git a/api/frequent_ips.php b/api/frequent_ips.php
index 59136c1..82ed7aa 100644
--- a/api/frequent_ips.php
+++ b/api/frequent_ips.php
@@ -11,7 +11,9 @@
  *   - ?token=<TRIGGER_TOKEN>
  *
  * Optional query parameters:
- *   threshold  int  Override the configured minimum connection count
+ *   threshold  int     Override the configured minimum connection count
+ *   since      string  YYYYMMDDHHmmss (e.g. "20260315000000"); only IPs
+ *                      with a last_seen >= this value are returned
  */
 
 require_once __DIR__ . '/../includes/auth.php';
@@ -55,11 +57,23 @@ $threshold = isset($_GET['threshold'])
     ? max(1, (int)$_GET['threshold'])
     : $configured_threshold;
 
-$rows = frequent_ips($threshold);
+$since = null;
+if (isset($_GET['since']) && $_GET['since'] !== '') {
+    $dt = DateTime::createFromFormat('YmdHis', $_GET['since']);
+    if ($dt === false) {
+        http_response_code(400);
+        echo json_encode(['error' => 'Invalid since parameter; expected YYYYMMDDHHmmss e.g. 20260315000000']);
+        exit;
+    }
+    $since = $dt->format('Y-m-d H:i:s');
+}
+
+$rows = frequent_ips($threshold, $since);
 
 echo json_encode([
     'threshold'            => $threshold,
     'configured_threshold' => $configured_threshold,
+    'since'                => $since,
     'count'                => count($rows),
     'ips'                  => array_map(fn($r) => [
         'src_ip'             => $r['src_ip'],
diff --git a/includes/functions.php b/includes/functions.php
index b8cf553..c44c5fd 100644
--- a/includes/functions.php
+++ b/includes/functions.php
@@ -203,19 +203,32 @@ function set_setting(string $key, string $value): void {
 /**
  * Return all IPs with a total connection count >= $min_connections, sorted
  * highest-count first. Includes first and last seen timestamps.
+ *
+ * @param int         $min_connections  Minimum number of connections to include.
+ * @param string|null $since            Optional ISO datetime; only IPs whose
+ *                                      most-recent connection is >= this value
+ *                                      are returned.
  */
-function frequent_ips(int $min_connections): array {
+function frequent_ips(int $min_connections, ?string $since = null): array {
+    $having = 'total_connections >= ?';
+    $params = [$min_connections];
+
+    if ($since !== null) {
+        $having .= ' AND last_seen >= ?';
+        $params[] = $since;
+    }
+
     $s = db()->prepare(
         'SELECT src_ip,
-                COUNT(*)     AS total_connections,
+                COUNT(*)         AS total_connections,
                 MIN(occurred_at) AS first_seen,
                 MAX(occurred_at) AS last_seen
          FROM connections
          GROUP BY src_ip
-         HAVING total_connections >= ?
+         HAVING ' . $having . '
          ORDER BY total_connections DESC'
     );
-    $s->execute([$min_connections]);
+    $s->execute($params);
     return $s->fetchAll();
 }
 
diff --git a/version.php b/version.php
index bf64781..31b36a6 100644
--- a/version.php
+++ b/version.php
@@ -1,2 +1,2 @@
 <?php
-define('APP_VERSION', '2603.15');
+define('APP_VERSION', '2603.18');