Beyond Zscaler: Why Network Hiding Beats Application-Layer Zero Trust
Zscaler Private Access controls access at the application layer. Network hiding eliminates visibility at the network layer. For infrastructure that should be invisible, the difference is fundamental.
Zscaler Private Access is the market leader in ZTNA for a reason. It replaced the VPN model with something genuinely better: identity-verified, application-specific access through a cloud broker. For thousands of enterprises, ZPA was the catalyst for their zero trust journey.
But there's a class of infrastructure that ZPA wasn't designed to protect — infrastructure that shouldn't be visible at all.
Where Zscaler Excels
ZPA is excellent for what it does:
- Application access: Users get identity-verified access to specific applications without broad network access
- Inline security: DLP, CASB, browser isolation integrated into the access path
- Scale: Zscaler's global edge network handles massive enterprise deployments
- Ecosystem: Part of the broader Zscaler Zero Trust Exchange with internet access, digital experience monitoring, and more
If you need application-layer policy enforcement with inline data inspection, Zscaler is purpose-built for that.
Where the Gap Is
ZPA operates at Layer 7. It brokers connections between users and applications. But the infrastructure behind ZPA still has network presence:
- Connectors run on your network and maintain outbound connections to Zscaler's cloud. These connectors have network presence on your internal network.
- DNS entries exist for applications registered with ZPA. DNS enumeration can reveal service names.
- Fingerprinting is possible — security researchers have demonstrated techniques to identify services behind Zscaler's broker.
For most enterprise use cases, this is acceptable. The application layer is where access decisions should happen, and ZPA does this well.
But for infrastructure that should have zero network presence — admin panels, internal tools, cloud resources, API endpoints — application-layer brokering isn't sufficient. The infrastructure is still discoverable at the network layer, which means it can be targeted.
The Network Hiding Alternative
Network hiding operates at Layer 3/4. Protected resources have zero network presence — no open ports, no DNS records, no response to any unauthorized traffic. The resource is indistinguishable from a non-existent host.
Authentication happens through Single Packet Authorization — a cryptographic proof of identity sent in a single packet. Only after this proof is validated does the resource become visible, and only to the authenticated user for that specific session.
The full comparison is here, but the key differences:
| | Zscaler Private Access | Network Hiding (LayerV) | |---|---|---| | Protocol layer | Layer 7 (application) | Layer 3/4 (network) | | Network presence | Connectors have presence; DNS entries exist | Zero — nothing responds to scans | | Discovery | Fingerprinting and DNS enumeration possible | Impossible — no signal to detect | | Authentication timing | After network connection | Before any network visibility | | Deploy time | Days to weeks (connectors, policies) | Minutes (DNS change) | | DLP/CASB | Integrated | Not included | | Pricing | Per-user annual licensing | Free sandbox, Growth at $299/month for full cloaking |
When to Go Beyond Zscaler
Not every resource needs network hiding. But some do:
Definitely hide these:
- Admin panels for production infrastructure (Grafana, Jenkins, internal dashboards)
- Cloud API endpoints (AWS API Gateway, EKS API server)
- Staging environments that shouldn't be discoverable
- Database management interfaces
- SSH bastion hosts
ZPA is fine for these:
- Employee access to SaaS-like internal applications
- Use cases requiring inline DLP or CASB
- Environments already deeply integrated into Zscaler's ecosystem
The two approaches are complementary. You can use Zscaler for broad application access and add LayerV for infrastructure that should have zero network presence. There's no conflict — they operate at different layers of the stack.
The Cost Difference
Zscaler pricing is per-user, annual commitment, enterprise sales cycle. For a mid-size organization, this is often six figures annually.
LayerV offers a free sandbox (500 QURLs/month) for experimentation, Growth tier at $299/month with full proxy-mode cloaking, and enterprise contracts with custom SLAs. You can evaluate in the playground and sandbox before committing.
More importantly, LayerV deploys in minutes — not weeks. There are no connectors to install, no App Segments to configure, no Zscaler-specific policy language to learn. Point your DNS at LayerV, and the resource is invisible.
Try It
If you're running Zscaler and wondering whether network hiding adds value for your most sensitive infrastructure, try the QURL Playground. It takes 30 seconds, no signup required, and demonstrates exactly what it means for infrastructure to be invisible.
For the full technical comparison, see LayerV vs Zscaler Private Access.