diff --git a/internal/transport/http/ratelimit.go b/internal/transport/http/ratelimit.go
index 39c4c5e..1f4c76e 100644
--- a/internal/transport/http/ratelimit.go
+++ b/internal/transport/http/ratelimit.go
@@ -62,6 +62,8 @@ func (rl *RateLimiter) Allow(ip string) bool {
 }
 
 // Middleware wraps an HTTP handler with rate limiting.
+// Certain paths are excluded to prevent battle/scan traffic from blocking
+// dashboard access (auth, SSE stream, event ingestion).
 func (rl *RateLimiter) Middleware(next http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 if !rl.enabled {
@@ -69,6 +71,18 @@ func (rl *RateLimiter) Middleware(next http.Handler) http.Handler {
 return
 }
 
+// Exclude critical dashboard paths from global rate limiter
+p := r.URL.Path
+switch {
+case p == "/api/auth/login",
+p == "/api/auth/refresh",
+p == "/api/soc/stream",
+p == "/api/v1/soc/events",
+p == "/api/soc/events":
+next.ServeHTTP(w, r)
+return
+}
+
 // T4-3 FIX: Use RemoteAddr directly to prevent X-Forwarded-For spoofing.
 // When behind a trusted reverse proxy, configure the proxy to set
 // X-Real-IP and strip external X-Forwarded-For headers.
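Review bot: The new `switch` in the second hunk exempts `/api/auth/login` and `/api/auth/refresh` from the limiter entirely, which removes throttling from the two endpoints where per-IP limiting matters most for password-guessing and token-refresh abuse; the same applies to the two event-ingestion paths, which become an unbounded write path. The root cause described in the doc comment is a single shared per-IP bucket, so the fix should be a second bucket rather than a bypass: keep the early `next.ServeHTTP(w, r)` only for the SSE stream if it genuinely must stay open, and route the auth and event paths through a separate `RateLimiter` instance with its own (stricter for auth, larger for events) limit, e.g. `if !authLimiter.Allow(ip) { http.Error(w, "too many requests", http.StatusTooManyRequests); return }`, using the same RemoteAddr-derived `ip` the existing code computes below the hunk. As a style point, the hard-coded path list would read better as a package-level `map[string]struct{}` (or a field populated from config) consulted with `if _, ok := exemptPaths[p]; ok`, so that adding a path does not mean editing the middleware body. The enclosing `Middleware` closure continues past the end of the hunk.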