What is Network Hiding? The Security Model That Eliminates Attack Surface
Network hiding makes infrastructure invisible at the network layer. Learn how it works, why it's different from firewalls and ZTNA, and how the OpenNHP protocol standardizes infrastructure invisibility.
Every security tool you use today assumes your infrastructure is visible. Firewalls filter traffic to visible servers. WAFs protect visible web applications. ZTNA solutions broker access to visible endpoints. Even "zero trust" architectures start with the premise that attackers can see your infrastructure — and then try to stop them from getting in.
Network hiding inverts this assumption entirely.
What Network Hiding Actually Means
Network hiding is a security technique that makes infrastructure invisible at the network layer. Hidden resources have zero network presence — they don't respond to pings, port scans, DNS queries, or any form of unauthorized traffic. To an attacker running Nmap, Shodan, or any scanning tool, the protected resource doesn't exist.
This isn't obscurity through misconfiguration. It's a deliberate, cryptographic enforcement of invisibility. Protected resources only become visible after a user proves their identity through a cryptographic handshake called Single Packet Authorization (SPA).
The sequence is:
- Default state: Resource is invisible. Zero network presence. No open ports, no DNS, no response.
- Authentication: User sends a cryptographic proof of identity (SPA packet).
- Verification: Controller validates identity against your IdP (Okta, Azure AD).
- Visibility: Resource becomes visible only to that authenticated user, only for that session.
- Reversion: When the session ends, the resource returns to invisible state.
Why This Is Different From Everything Else
Firewalls block traffic to servers that are visible. Attackers know the server exists — they just can't reach certain ports. They can still fingerprint the server, probe for misconfigurations, and wait for a zero-day.
ZTNA (Zscaler, Cloudflare Access) verifies identity before granting application access. Better than firewalls, but the infrastructure still has network presence. Port scans, DNS enumeration, and certificate transparency logs can reveal that services exist behind the broker.
Network hiding removes the information attackers need to plan an attack. You can't exploit a server you can't find. You can't brute-force a login page that doesn't exist. You can't aim a zero-day at infrastructure that returns no response.
This is the difference between defense (protecting visible infrastructure) and prevention (eliminating the conditions that make attacks possible).
The OpenNHP Standard
Network hiding has been standardized through the OpenNHP (Network Hiding Protocol) specification, developed by the Cloud Security Alliance and published as an IETF Internet-Draft in January 2026.
OpenNHP defines:
- The cryptographic handshake for proving identity before visibility
- Single Packet Authorization format and validation
- Session management and automatic revocation
- Resistance to replay attacks, MITM, and DDoS
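The five-step sequence above (silent by default, authenticate, verify, visible for one session, revert) and the replay resistance in this list are easier to reason about in code. The following is an added, deliberately simplified illustration written for this article; it is not OpenNHP's wire format, reference implementation, or LayerV code. It assumes a per-user shared secret in place of the IdP lookup, an HMAC-SHA256 tag over a small JSON body as the "cryptographic proof", a 30-second freshness window, a 60-second session, and binding of the packet to the sender's source address; all names, constants and sample values are constructed.

```python
"""Toy single-packet-authorization (SPA) gate, constructed for this article.

Not OpenNHP's wire format or code: it shows the five-step sequence (silent by
default, authenticate, verify, visible for one session, revert) with replay
and tamper checks, using a per-user shared secret in place of an IdP lookup.
"""
import hashlib
import hmac
import json
import os
import time

SESSION_TTL = 60   # seconds a granted session stays visible (assumed policy)
TIME_WINDOW = 30   # seconds of packet age / clock skew the controller accepts


def build_spa_packet(user: str, key: bytes, src_ip: str, ts: float, nonce: bytes) -> bytes:
    """Client side: one self-contained, MAC'd knock. No reply is expected."""
    body = json.dumps({"user": user, "src": src_ip, "ts": int(ts),
                       "nonce": nonce.hex()}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class Controller:
    """Gatekeeper in front of a hidden resource. Never answers an unauthenticated peer."""

    def __init__(self, keys: dict, ttl: int = SESSION_TTL,
                 window: int = TIME_WINDOW, clock=time.time):
        self.keys = keys          # user -> shared secret (stand-in for the IdP)
        self.ttl = ttl
        self.window = window
        self.clock = clock
        self.seen = {}            # nonce -> ts of accepted packets (replay defence)
        self.sessions = {}        # (user, src_ip) -> expiry time

    def handle_packet(self, packet: bytes, src_ip: str) -> bool:
        """Returns True if a session was opened. On any failure nothing is sent
        back, so a scanner cannot tell 'rejected' from 'nothing here'."""
        body, sep, tag = packet.rpartition(b"|")
        try:
            msg = json.loads(body)
            user, src, ts, nonce = msg["user"], msg["src"], msg["ts"], msg["nonce"]
        except (ValueError, KeyError, TypeError):
            return False                                 # malformed: silent drop
        key = self.keys.get(user) if isinstance(user, str) else None
        if not sep or key is None or not isinstance(ts, int) or not isinstance(nonce, str):
            return False
        expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):       # forged or tampered
            return False
        now = self.clock()
        if abs(now - ts) > self.window:                  # stale or future-dated
            return False
        if src != src_ip:                                # bound to another source
            return False
        self._prune(now)
        if nonce in self.seen:                           # replay of a valid packet
            return False
        self.seen[nonce] = ts
        self.sessions[(user, src_ip)] = now + self.ttl   # visible for one session
        return True

    def _prune(self, now: float) -> None:
        # Nonces older than the window can be forgotten: such packets fail the
        # freshness check anyway, so the replay set stays bounded.
        for n, ts in list(self.seen.items()):
            if now - ts > self.window:
                del self.seen[n]

    def is_visible(self, user: str, src_ip: str) -> bool:
        """Would the resource answer this (user, source)? False means silence."""
        expiry = self.sessions.get((user, src_ip))
        if expiry is None:
            return False
        if self.clock() >= expiry:
            del self.sessions[(user, src_ip)]            # revert to invisible
            return False
        return True


def demo() -> dict:
    """Constructed walk-through of the sequence; each value is a step's outcome."""
    clock = [1_700_000_000.0]                            # controllable fake clock
    secret = b"alice-shared-secret"                      # constructed sample key
    ctl = Controller({"alice": secret}, clock=lambda: clock[0])
    alice, scanner = "203.0.113.5", "198.51.100.9"       # documentation IPs
    pkt = build_spa_packet("alice", secret, alice, clock[0], os.urandom(12))
    tampered = pkt[:-1] + (b"0" if pkt[-1:] != b"0" else b"1")
    out = {"before": ctl.is_visible("alice", alice)}     # default: invisible
    out["tampered"] = ctl.handle_packet(tampered, alice)
    out["opened"] = ctl.handle_packet(pkt, alice)        # authenticate + verify
    out["during"] = ctl.is_visible("alice", alice)       # visible to that user
    out["other_src"] = ctl.is_visible("alice", scanner)  # not to anyone else
    out["replay"] = ctl.handle_packet(pkt, alice)        # same packet again
    clock[0] += 45
    out["stale"] = ctl.handle_packet(
        build_spa_packet("alice", secret, alice, clock[0] - 40, os.urandom(12)), alice)
    clock[0] += SESSION_TTL
    out["after"] = ctl.is_visible("alice", alice)        # reverted
    return out


if __name__ == "__main__":
    for step, value in demo().items():
        print(f"{step:>10}: {value}")
```

Two design points carry over to any real deployment: the controller returns nothing on failure, because a distinguishable rejection is itself a network presence, and the nonce store is pruned by the same freshness window that rejects old packets, so replay protection does not become an unbounded memory cost under a flood of knocks.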
The reference implementation is open source on GitHub with over 14,000 stars and 200+ contributors worldwide.
What Network Hiding Protects
Network hiding is most valuable for infrastructure that should never be publicly discoverable:
- Admin panels: Grafana, Jenkins, Kibana, internal dashboards
- Cloud infrastructure: AWS ALB, API Gateway, EKS API servers, RDS
- Remote access: Replace VPNs with invisible infrastructure
- APIs: Backend services, partner integrations, AI/ML endpoints
- Staging environments: Development and testing resources
For public-facing websites that need to be discoverable by everyone, network hiding isn't the right fit. But for everything behind a login — which is most of your infrastructure — network hiding eliminates the attack surface that every other security tool assumes exists.
The Shift to Preemptive Security
Gartner predicts that by 2030, 50% of enterprise security spending will shift toward preemptive approaches. Network hiding is at the center of this shift because it eliminates attacks rather than detecting and responding to them.
The question isn't whether your infrastructure will be scanned — it already is. The question is whether there's anything to find.
LayerV is the commercial implementation of OpenNHP, making network hiding deployable in minutes for any organization. Try the QURL Playground to see infrastructure invisibility in action — no signup required.