LayerV is a preemptive cybersecurity platform that makes infrastructure invisible to attackers. We implement the OpenNHP (Network Hiding Protocol) standard from the Cloud Security Alliance. Instead of detecting attacks after they start, we prevent them by eliminating the attack surface entirely.

How does LayerV work?

LayerV uses a 5-step authentication flow: (1) Knock - encrypted request sent, (2) Verify - identity and policy validated, (3) Grant - temporary tunnel opened, (4) Connect - resource visible only to authenticated user, (5) Audit - access logged. Protected resources have zero network presence until authentication succeeds.

No. VPNs encrypt traffic but servers remain visible and scannable. LayerV makes servers completely invisible - they have zero network presence until authentication succeeds. This is a fundamentally different approach called Network Hiding.

LayerV is generally available. Free tier includes 500 QURLs/month for developers. Enterprise plans with custom SLAs are available. Try the interactive playground at layerv.ai/qurl/playground — no signup required.

What identity providers does LayerV support?

LayerV integrates with major identity providers including Okta, Azure AD (Entra ID), Google Workspace, Auth0, and Ping Identity. Any OIDC or SAML-compatible provider can be integrated.

QURL stands for Quantum URL. It is a cryptographic, time-limited access link that hides a server's real address behind identity verification. QURLs are single-use credentials that self-destruct after access or expiration — eliminating persistent URLs that can be scraped, shared, or replayed. Try the interactive QURL Playground at layerv.ai/qurl/playground.

Back to Blog

February 27, 20264 min read

How to Make AWS Infrastructure Invisible to Attackers

Your AWS ALBs, API Gateways, and EKS clusters are being scanned right now. Here's how to make them invisible using network hiding — with a DNS change, no agents required.

Joe OllisCOO, LayerV

AWSCloud SecurityNetwork HidingInfrastructure ProtectionAttack Surface

Right now, someone is scanning your AWS infrastructure. Shodan indexes new endpoints within hours. Censys maps the internet continuously. Automated scanners run 24/7 looking for publicly accessible ALBs, API Gateways, EC2 instances, and EKS API servers.

When they find yours, they'll fingerprint the software version, probe for known CVEs, test default credentials, and add it to a target list. All of this happens before you get a single alert.

Security groups and NACLs filter traffic, but they don't hide your infrastructure. A scanner can still see that your ALB exists at a specific IP, that it's running a specific software stack, and that it's accepting connections on specific ports.

What if they found nothing?

The Problem with Visible AWS Infrastructure

Every AWS resource with a public endpoint has attack surface:

Application Load Balancers (ALB): Public DNS name, open ports (80, 443), SSL certificate revealing domain names. Scanners identify ALBs instantly.

API Gateway: Public endpoints with discoverable paths. Even with API keys, the endpoints are visible and can be enumerated.

EKS API Server: The Kubernetes API endpoint is reachable from the internet by default. Even with RBAC, the endpoint itself is a target.

EC2 Instances: Any instance with a public IP or Elastic IP is scannable. Even with security groups, port responses reveal the instance exists.

RDS Instances: If publicly accessible (even "accidentally"), the database endpoint is discoverable and targetable.

AWS-native security (Security Groups, NACLs, WAF) operates on visible infrastructure. It filters traffic after your resources are already discovered. This is defense — not prevention.

Making AWS Resources Invisible

Network hiding removes AWS resources from the internet entirely. Protected resources have zero network presence — Shodan returns nothing, Nmap returns nothing, DNS queries return nothing.

Here's what this looks like for common AWS resources:

Protecting an ALB

Point your domain's DNS at LayerV's proxy instead of the ALB
The ALB becomes unreachable from the internet
Authorized users authenticate via Okta, receive a QURL, and access the ALB through LayerV's tunnel
The ALB is invisible to everyone else

No AWS configuration changes. No agents. No sidecars. One DNS change.

Protecting an API Gateway

Configure a custom domain pointing through LayerV
API endpoints become invisible to unauthorized traffic
Authorized consumers (users, services, AI agents) access APIs through QURLs
Scanners and bots find nothing

For machine-to-machine access, QURLs can be created programmatically via the QURL API with configurable expiration and access policies.

Protecting an EKS API Server

Route the EKS API endpoint through LayerV
The Kubernetes API becomes invisible to the internet
Authorized operators access it through time-limited QURLs after SSO authentication
kubectl and other tools work normally through the QURL tunnel

This eliminates one of the most dangerous attack vectors in cloud infrastructure: a publicly accessible Kubernetes API server.

What This Looks Like to an Attacker

Before LayerV:

$ nmap -sV your-alb.example.com
PORT    STATE SERVICE VERSION
443/tcp open  https   Amazon ALB
80/tcp  open  http    Amazon ALB (redirect)

After LayerV:

$ nmap -sV your-alb.example.com
All 1000 scanned ports on your-alb.example.com are filtered
Nmap done: 1 IP address (0 hosts up)

Not "connection refused." Not "filtered by firewall." Zero response. The host appears non-existent.

Beyond Security Groups

Security Groups and NACLs are essential — they're your baseline. But they operate after discovery:

| Control | Prevents Discovery? | Prevents Probing? | Prevents Targeting? | |---------|---------------------|-------------------|---------------------| | Security Groups | No | Partially | No | | NACLs | No | Partially | No | | WAF | No | No | Partially | | VPC Private Subnets | Yes (requires VPN) | Yes | Yes | | Network Hiding | Yes | Yes | Yes |

VPC private subnets are the closest AWS-native equivalent, but they require VPN or Direct Connect for access — which reintroduces the VPN attack surface. Network hiding provides the same isolation with per-resource, time-limited access through QURLs.

Getting Started

The fastest way to see this working:

Try the QURL Playground — 30 seconds, no signup
Sign up free — 500 QURLs/month
Point one domain at LayerV — your first resource becomes invisible in minutes

Your AWS infrastructure is being scanned right now. Make it disappear.

Joe OllisCOO, LayerV

Back to Blog

February 27, 20264 min read

How to Make AWS Infrastructure Invisible to Attackers

Your AWS ALBs, API Gateways, and EKS clusters are being scanned right now. Here's how to make them invisible using network hiding — with a DNS change, no agents required.

Joe OllisCOO, LayerV

AWSCloud SecurityNetwork HidingInfrastructure ProtectionAttack Surface

When they find yours, they'll fingerprint the software version, probe for known CVEs, test default credentials, and add it to a target list. All of this happens before you get a single alert.

What if they found nothing?

The Problem with Visible AWS Infrastructure

Every AWS resource with a public endpoint has attack surface:

Application Load Balancers (ALB): Public DNS name, open ports (80, 443), SSL certificate revealing domain names. Scanners identify ALBs instantly.

API Gateway: Public endpoints with discoverable paths. Even with API keys, the endpoints are visible and can be enumerated.

EKS API Server: The Kubernetes API endpoint is reachable from the internet by default. Even with RBAC, the endpoint itself is a target.

EC2 Instances: Any instance with a public IP or Elastic IP is scannable. Even with security groups, port responses reveal the instance exists.

RDS Instances: If publicly accessible (even "accidentally"), the database endpoint is discoverable and targetable.

AWS-native security (Security Groups, NACLs, WAF) operates on visible infrastructure. It filters traffic after your resources are already discovered. This is defense — not prevention.

Making AWS Resources Invisible

Network hiding removes AWS resources from the internet entirely. Protected resources have zero network presence — Shodan returns nothing, Nmap returns nothing, DNS queries return nothing.

Here's what this looks like for common AWS resources:

Protecting an ALB

Point your domain's DNS at LayerV's proxy instead of the ALB
The ALB becomes unreachable from the internet
Authorized users authenticate via Okta, receive a QURL, and access the ALB through LayerV's tunnel
The ALB is invisible to everyone else

No AWS configuration changes. No agents. No sidecars. One DNS change.

Protecting an API Gateway

Configure a custom domain pointing through LayerV
API endpoints become invisible to unauthorized traffic
Authorized consumers (users, services, AI agents) access APIs through QURLs
Scanners and bots find nothing

For machine-to-machine access, QURLs can be created programmatically via the QURL API with configurable expiration and access policies.

Protecting an EKS API Server

Route the EKS API endpoint through LayerV
The Kubernetes API becomes invisible to the internet
Authorized operators access it through time-limited QURLs after SSO authentication
kubectl and other tools work normally through the QURL tunnel

This eliminates one of the most dangerous attack vectors in cloud infrastructure: a publicly accessible Kubernetes API server.

What This Looks Like to an Attacker

Before LayerV:

$ nmap -sV your-alb.example.com
PORT    STATE SERVICE VERSION
443/tcp open  https   Amazon ALB
80/tcp  open  http    Amazon ALB (redirect)

After LayerV:

$ nmap -sV your-alb.example.com
All 1000 scanned ports on your-alb.example.com are filtered
Nmap done: 1 IP address (0 hosts up)

Not "connection refused." Not "filtered by firewall." Zero response. The host appears non-existent.

Beyond Security Groups

Security Groups and NACLs are essential — they're your baseline. But they operate after discovery:

Getting Started

The fastest way to see this working:

Try the QURL Playground — 30 seconds, no signup
Sign up free — 500 QURLs/month
Point one domain at LayerV — your first resource becomes invisible in minutes

Your AWS infrastructure is being scanned right now. Make it disappear.

Joe OllisCOO, LayerV

The Problem with Visible AWS Infrastructure#

Making AWS Resources Invisible#

Protecting an ALB#

Protecting an API Gateway#

Protecting an EKS API Server#

What This Looks Like to an Attacker#

Beyond Security Groups#

Getting Started#

The Problem with Visible AWS Infrastructure#

Making AWS Resources Invisible#

Protecting an ALB#

Protecting an API Gateway#

Protecting an EKS API Server#

What This Looks Like to an Attacker#

Beyond Security Groups#

Getting Started#

The Problem with Visible AWS Infrastructure

Making AWS Resources Invisible

Protecting an ALB

Protecting an API Gateway

Protecting an EKS API Server

What This Looks Like to an Attacker

Beyond Security Groups

Getting Started

The Problem with Visible AWS Infrastructure

Making AWS Resources Invisible

Protecting an ALB

Protecting an API Gateway

Protecting an EKS API Server

What This Looks Like to an Attacker

Beyond Security Groups

Getting Started