diff --git a/docs/FIREFROST-PROJECT-SCOPE-V2.md b/docs/FIREFROST-PROJECT-SCOPE-V2.md
index b56f8df..df8f653 100644
--- a/docs/FIREFROST-PROJECT-SCOPE-V2.md
+++ b/docs/FIREFROST-PROJECT-SCOPE-V2.md
@@ -301,6 +301,92 @@ Claude → Reads results from GitHub mirror
 
 ---
 
+
+---
+
+## 🛡️ PHASE 1: DDoS PROTECTION SYSTEM
+
+### Overview
+
+**Status:** Planning Phase  
+**Priority:** Deploy after Phase 0.5 completion, before soft launch  
+**Purpose:** Replace dismantled Phase 0 GRE system with reliable protection
+
+### Phase 0 Context (Completed)
+
+**What Was Dismantled:**
+- Complex GRE tunnel configuration
+- IP cloaking system prone to failures
+- Over-engineered solution causing more problems than it solved
+
+**Why It Was Removed:**
+- Frequent connectivity issues
+- Difficult to troubleshoot
+- Required constant maintenance
+- Prevented reliable infrastructure operations
+
+### Phase 1 Goals
+
+**Primary Objective:** Implement "good enough" DDoS protection that:
+- ✅ Protects against common attacks (Layer 3/4)
+- ✅ Doesn't break during normal operations
+- ✅ Easy to maintain and troubleshoot
+- ✅ Minimal complexity vs Phase 0
+
+**NOT trying to:**
+- ❌ Defend against state-level actors
+- ❌ Create perfect invisibility
+- ❌ Over-engineer like Phase 0
+
+### Proposed Architecture (To Be Designed)
+
+**Option A: Cloudflare Spectrum (Simplest)**
+- Pros: Managed service, no infrastructure complexity
+- Cons: Monthly cost, less control
+- Best for: Quick deployment, low maintenance
+
+**Option B: Simplified GRE + Cloudflare**
+- Pros: More control, proven technology
+- Cons: Requires careful implementation
+- Best for: Custom requirements, cost control
+
+**Option C: Hybrid Approach**
+- VPS services behind Cloudflare
+- Game servers with lightweight protection
+- Best for: Tiered protection based on risk
+
+**Decision Point:** Design session after Phase 0.5 completion
+
+### Implementation Timeline
+
+**Pre-Launch Requirements:**
+1. Assess actual threat level (public launch = attack surface)
+2. Design session: Choose architecture
+3. Document decision rationale
+4. Test implementation on non-critical service
+5. Deploy to production
+
+**Estimated Effort:** 4-8 hours (depends on approach chosen)
+
+**Target Date:** Before soft launch (late February 2026)
+
+### Success Metrics
+
+- Withstands common DDoS attacks (volumetric, SYN floods)
+- 99.9%+ uptime during normal operations
+- < 1 hour maintenance per month
+- Zero "midnight emergency" pages
+
+### Fallback Plan
+
+If Phase 1 protection proves inadequate:
+- Cloudflare Spectrum as immediate mitigation
+- Re-evaluate threat model
+- Consider managed DDoS services
+- Iterate rather than over-engineer
+
+---
+
 ## 📅 IMPLEMENTATION TIMELINE
 
 ### February 2026 (Month 1) - FOUNDATION