People have been asking me how or when this war might actually end?
After years in cybersecurity and critical infrastructure, I tend to look at this through the lens of DoD (or DoW). Wars don’t end when the fighting stops. They end when the system that caused the conflict is replaced by something stable enough that it doesn’t restart.
In incident response, removing the attacker is only half the job. If the architecture that allowed the breach is still there, weak trust boundaries, the same access paths, the threat comes back. Maybe not immediately, maybe not in the same way, but it comes back. The same logic applies at a much larger scale. Destruction can dismantle a system. It doesn’t replace it.
If we shut down malware, remove compromised admins, rebuild some servers, but keep the same weak architecture, the breach returns.
War behaves the same way. If the underlying conditions remain, power structures, grievance drivers, economic failures, security gaps, then insurgencies form, proxy conflicts emerge, coups happen, civil wars restart, external actors step in. It doesn’t end. It just changes form.
We’ve seen this play out repeatedly. Some wars have ended decisively because a new system became stable. Post-WWII Western Europe stabilized after deep reconstruction and a new security architecture. Japan transformed politically, economically, and institutionally.
Other wars never really ended because no stable replacement system emerged. Iraq after 2003 entered prolonged instability. Libya after 2011 fragmented into competing power centers. Syria’s conflict evolved through multiple phases without ever truly resolving. The real end state of war is often institutional, not military.
In serious cyber incidents, you don’t just react. You move from disruption, to containment, to systematic degradation, then recovery. Eventually everything comes down to one question: can the system regenerate?
Once a component’s role in sustaining that regeneration becomes clear, decisive removal follows. Targeted assassinations of key planners (like Larijani and Khatib), elimination of hardened command facilities, disruption of specialized weapons teams, these resemble physically pulling critical blade servers out of a data center rack. The system doesn’t collapse immediately, but decision-making slows down, trust weakens, and coordination breaks down.
Financial pressure works the same way. Take the attack on Bank Sepah. You don’t need to destroy it completely. You introduce instability into the system that pays the salaries of military personnel, supplies, and sustains operations, and that instability spreads.
Another part people often miss is that not everything gets shut down all at once. In cybersecurity, we sometimes deliberately leave compromised systems running so we can observe them. Visibility reveals architecture, fallback paths, hidden dependencies, how the system actually holds together. The same applies here.
Eventually, the critical pieces do get removed, not just to reduce capability, but to make recovery slower and more difficult. That’s why this phase always looks messy from the outside. Some targets are hit repeatedly, others are left alone as priorities shift. But internally, it’s not random. It’s dependency mapping.
The focus isn’t just eradication. It’s regeneration.
And this is where the biggest misconception shows up. In both cybersecurity and geopolitics, people assume recovery means going back to how things were. It almost never does. Real recovery means building a new architecture, new governance, new trust boundaries, and new economic structures.
If that part isn’t done well, the conflict isn’t over. It’s just paused.
