A method, and a corresponding apparatus, provide for real-time network-based recovery from information warfare (IW) attacks on a network that includes subnets, with each subnet including one or more nodes. The method includes executing a pre-IW attack routine to identify IW attack recovery information, in response to an IW attack, executing an IW attack response routine, and executing a real-time network-based recovery routine. The pre-IW attack routine includes monitoring conditions on the network and at each of the subnets and nodes. When an IW attack occurs at an entity in the network, a condition flags are set to indicate the specific entity or entities being attacked. A condition flag set to 0 implies full operational capability of the entity, a condition flag set to 1 implies recent IW attack or IW attack in progress at the entity, and a condition flag set to 2 implies recovery of the entity from the IW attack.