LayerV is a preemptive cybersecurity platform that makes infrastructure invisible to attackers. We implement the OpenNHP (Network Hiding Protocol) standard from the Cloud Security Alliance. Instead of detecting attacks after they start, we prevent them by eliminating the attack surface entirely.

How does LayerV work?

LayerV uses a 5-step authentication flow: (1) Knock - encrypted request sent, (2) Verify - identity and policy validated, (3) Grant - temporary tunnel opened, (4) Connect - resource visible only to authenticated user, (5) Audit - access logged. Protected resources have zero network presence until authentication succeeds.

No. VPNs encrypt traffic but servers remain visible and scannable. LayerV makes servers completely invisible - they have zero network presence until authentication succeeds. This is a fundamentally different approach called Network Hiding.

LayerV is generally available. Free tier includes 500 QURLs/month for developers. Enterprise plans with custom SLAs are available. Try the interactive playground at layerv.ai/qurl/playground — no signup required.

What identity providers does LayerV support?

LayerV integrates with major identity providers including Okta, Azure AD (Entra ID), Google Workspace, Auth0, and Ping Identity. Any OIDC or SAML-compatible provider can be integrated.

QURL stands for Quantum URL. It is a cryptographic, time-limited access link that hides a server's real address behind identity verification. QURLs are single-use credentials that self-destruct after access or expiration — eliminating persistent URLs that can be scraped, shared, or replayed. Try the interactive QURL Playground at layerv.ai/qurl/playground.

Back to Blog

February 5, 20264 min read

Zero Trust vs Network Hiding: What Comes After ZTNA

ZTNA verifies identity at the application layer but infrastructure remains visible. Network hiding eliminates visibility at the network layer. Here's why the next evolution matters.

Ben ChenCo-Founder & CTO, LayerV

Zero TrustZTNANetwork HidingZscalerCloudflare Access

Zero Trust Network Access has been the gold standard for secure access since Forrester coined the term and Gartner validated the category. ZTNA solutions like Zscaler Private Access and Cloudflare Access have replaced VPNs at thousands of enterprises by enforcing "never trust, always verify" at the application layer.

But ZTNA has a blind spot. And it's the same blind spot that VPNs had.

The ZTNA Blind Spot

ZTNA operates at Layer 7 — the application layer. It verifies user identity, checks device posture, and grants access to specific applications. This is a massive improvement over VPNs, which grant broad network access after a single authentication.

But here's the gap: ZTNA doesn't hide infrastructure at the network layer.

With Zscaler Private Access, applications register with the Zscaler cloud and run connectors. The broker hides applications from direct internet access. But the connectors have network presence. DNS entries exist. Port scans can reveal that services exist behind Zscaler.

With Cloudflare Access, a reverse proxy authenticates users at the edge. But the origin server has a public IP. Certificate transparency logs, historical DNS records, and IP scanning can reveal the origin.

In both cases, a determined attacker can discover that infrastructure exists — even if they can't immediately access it. And discovery is the prerequisite to attack.

What Network Hiding Adds

Network hiding operates at Layer 3/4 — the network layer. It makes infrastructure invisible before any application-layer check happens.

| Aspect | ZTNA | Network Hiding | |--------|------|----------------| | Layer | Application (L7) | Network (L3/4) | | Visibility | Infrastructure discoverable at network layer | Zero network presence | | Port scan result | Connection refused or timeout | No response (host appears non-existent) | | DNS | Entries exist for broker/proxy | No DNS entries for protected resources | | Authentication timing | After network connection established | Before any network visibility | | Discovery resistance | Partial — broker fingerprinting possible | Complete — nothing to fingerprint |

The key insight: ZTNA controls access to visible infrastructure. Network hiding eliminates visibility of the infrastructure itself. These are different operations at different layers of the stack.

ZTNA + Network Hiding: The Complete Model

The strongest security posture combines both:

Network hiding eliminates the attack surface. Protected resources have zero network presence. Scanners, bots, and attackers find nothing.
ZTNA principles govern access policies. When a user authenticates, they get access based on identity, device posture, location, and time — the zero trust principles that ZTNA pioneered.

This is what NIST 800-207 actually describes when it talks about zero trust architecture — but most implementations stop at the application layer. Network hiding completes the model by extending zero trust to the network layer.

Why This Matters Now

Three trends are making network-layer hiding urgent:

1. AI-powered reconnaissance. Automated scanning tools are faster and smarter than ever. LLM-powered agents can enumerate infrastructure, identify vulnerabilities, and chain exploits with minimal human intervention. Application-layer controls can't prevent discovery.

2. Supply chain attacks. Attackers increasingly target infrastructure components (VPN concentrators, SSO gateways, ZTNA connectors) rather than applications. If the infrastructure is invisible, there's nothing to target.

3. Regulatory pressure. The White House national cyber strategy explicitly calls for denying initial access — not just controlling access, but preventing discovery. ZTNA alone doesn't meet this bar.

The Practical Difference

Consider an EKS API server on AWS:

ZTNA-only: The API server is behind a ZTNA broker. Users authenticate before accessing it. But the server has a public endpoint, the broker has fingerprints, and a determined attacker can discover it exists.

ZTNA + Network hiding: The API server has zero network presence. It doesn't respond to anything until a user presents a valid QURL after authenticating through Okta. Port scans return nothing. DNS returns nothing. The server doesn't exist to the internet.

The difference is between "access controlled" and "undiscoverable." In a world where reconnaissance is automated and fast, undiscoverable wins.

What This Means for Your Architecture

If you're already running ZTNA, you don't need to rip it out. Network hiding adds a layer beneath it — making the infrastructure invisible before ZTNA's application-layer controls kick in.

The question for security teams: for how much of your infrastructure is "access controlled" sufficient, and how much should be "undiscoverable"?

For internal applications, admin panels, APIs, and cloud infrastructure — the answer is increasingly "undiscoverable."

LayerV implements network hiding at the network layer, complementing your existing ZTNA investment. Try it in the playground — no signup required.

Ben ChenCo-Founder & CTO, LayerV

Back to Blog

February 5, 20264 min read

Zero Trust vs Network Hiding: What Comes After ZTNA

ZTNA verifies identity at the application layer but infrastructure remains visible. Network hiding eliminates visibility at the network layer. Here's why the next evolution matters.

Ben ChenCo-Founder & CTO, LayerV

Zero TrustZTNANetwork HidingZscalerCloudflare Access

But ZTNA has a blind spot. And it's the same blind spot that VPNs had.

The ZTNA Blind Spot

But here's the gap: ZTNA doesn't hide infrastructure at the network layer.

In both cases, a determined attacker can discover that infrastructure exists — even if they can't immediately access it. And discovery is the prerequisite to attack.

What Network Hiding Adds

Network hiding operates at Layer 3/4 — the network layer. It makes infrastructure invisible before any application-layer check happens.

ZTNA + Network Hiding: The Complete Model

The strongest security posture combines both:

Network hiding eliminates the attack surface. Protected resources have zero network presence. Scanners, bots, and attackers find nothing.
ZTNA principles govern access policies. When a user authenticates, they get access based on identity, device posture, location, and time — the zero trust principles that ZTNA pioneered.

Why This Matters Now

Three trends are making network-layer hiding urgent:

The Practical Difference

Consider an EKS API server on AWS:

The difference is between "access controlled" and "undiscoverable." In a world where reconnaissance is automated and fast, undiscoverable wins.

What This Means for Your Architecture

If you're already running ZTNA, you don't need to rip it out. Network hiding adds a layer beneath it — making the infrastructure invisible before ZTNA's application-layer controls kick in.

The question for security teams: for how much of your infrastructure is "access controlled" sufficient, and how much should be "undiscoverable"?

For internal applications, admin panels, APIs, and cloud infrastructure — the answer is increasingly "undiscoverable."

LayerV implements network hiding at the network layer, complementing your existing ZTNA investment. Try it in the playground — no signup required.

Ben ChenCo-Founder & CTO, LayerV

The ZTNA Blind Spot#

What Network Hiding Adds#

ZTNA + Network Hiding: The Complete Model#

Why This Matters Now#

The Practical Difference#

What This Means for Your Architecture#

The ZTNA Blind Spot#

What Network Hiding Adds#

ZTNA + Network Hiding: The Complete Model#

Why This Matters Now#

The Practical Difference#

What This Means for Your Architecture#

The ZTNA Blind Spot

What Network Hiding Adds

ZTNA + Network Hiding: The Complete Model

Why This Matters Now

The Practical Difference

What This Means for Your Architecture

The ZTNA Blind Spot

What Network Hiding Adds

ZTNA + Network Hiding: The Complete Model

Why This Matters Now

The Practical Difference

What This Means for Your Architecture