5 Things ZTNA Can't Do That Network Hiding Can
Zero Trust Network Access controls application access but can't prevent infrastructure discovery. Here are five security gaps that only network-layer hiding can close.
Zero Trust Network Access is one of the most important security advances of the last decade. ZTNA replaced VPNs' "trust everything inside the perimeter" model with identity-verified, application-specific access. Products like Zscaler Private Access, Cloudflare Access, and Palo Alto Prisma Access have genuinely improved enterprise security.
But ZTNA has limits. Here are five things that application-layer ZTNA fundamentally cannot do — and that network hiding can.
1. Prevent Infrastructure Discovery
ZTNA controls access at the application layer. But infrastructure exists at the network layer — and ZTNA doesn't hide it.
With ZTNA, an attacker running a port scan against your IP range will still get responses. Maybe a "connection refused." Maybe a timeout. But the response itself reveals information: something exists at that address. DNS enumeration can reveal service names. Certificate transparency logs can reveal domains. Network fingerprinting can identify the ZTNA vendor.
With network hiding, the same scan returns nothing. Not "connection refused" — literally nothing. The infrastructure is indistinguishable from a non-existent host. There's no information for an attacker to act on.
Why it matters: 94% of breaches begin with reconnaissance. If there's nothing to discover, the attack chain breaks at step one.
2. Stop Zero-Day Exploitation of Access Infrastructure
ZTNA solutions are software. Software has vulnerabilities. When a zero-day drops for Zscaler, Cloudflare, or any ZTNA vendor, every customer using that product is potentially exposed — because the ZTNA infrastructure is visible and reachable on the internet.
Network hiding doesn't have access infrastructure that's visible to the internet. The authentication mechanism (Single Packet Authorization) operates on a server that doesn't respond to unauthorized traffic. You can't exploit what you can't reach.
Why it matters: ZTNA vendors are high-value targets. A single ZTNA zero-day can compromise thousands of organizations simultaneously.
3. Eliminate DDoS Against Protected Resources
ZTNA proxies or brokers traffic to your applications. The proxy itself has a public presence and can be targeted. More critically, if an attacker discovers your origin IP (behind the proxy), they can DDoS it directly.
Network-hidden infrastructure can't be DDoSed because it has no network presence. You can't flood a server that doesn't respond to anything. The DDoS traffic goes nowhere — there's no endpoint to receive it.
Why it matters: DDoS attacks continue to grow in volume and sophistication. Hiding the target is more effective than absorbing the flood.
4. Prevent Lateral Movement After Compromise
ZTNA grants application-specific access, which is better than VPN's broad network access. But within a ZTNA session, users are on the application — and applications often have trust relationships with other systems. A compromised ZTNA session can be leveraged for lateral movement through application-layer connections.
Network hiding isolates each access session to a single resource. There is no concept of "being on the network." Each QURL connects to exactly one resource for a limited time. Compromising one session reveals nothing about other resources — they don't exist from the perspective of that session.
Why it matters: Lateral movement is how breaches escalate from a single compromised account to full infrastructure access.
5. Provide Authentication Before Visibility
ZTNA authenticates users before granting application access. But the ZTNA infrastructure itself — brokers, connectors, proxies — is visible before authentication. The authentication flow happens after a network connection is established.
Network hiding authenticates before any network visibility. Single Packet Authorization proves identity in a single cryptographic packet. Only after this proof is validated does the resource become visible. The order of operations is fundamentally different:
ZTNA: Connect → Authenticate → Access
Network Hiding: Authenticate → Visibility → Access
This means an unauthenticated attacker interacting with ZTNA can at least establish a network connection and potentially probe the authentication layer. An unauthenticated attacker interacting with network hiding gets nothing — no connection, no probe, no information.
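The ordering described in sections 2, 4 and 5 (one authenticated packet, silence toward everything else, and a time-limited window that exposes exactly one resource) as an added Python example; this is not LayerV or OpenNHP code, and the packet layout, the HMAC-SHA256 tag, the per-client key table and the timing constants are assumptions of this illustration.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed SPA gate, illustration only (not the OpenNHP wire format or LayerV code).
# Assumed packet layout: client_id | unix_ts | nonce | resource | hmac_sha256_hex
SKEW = 30       # seconds of clock drift tolerated on the knock timestamp
OPEN_FOR = 60   # seconds the resource stays visible to a client after a valid knock

@dataclass
class Grant:
    client_id: str
    resource: str
    expires_at: int

def build_knock(key: bytes, client_id: str, resource: str, ts: int, nonce: str) -> str:
    """Client side: one authenticated packet, sent before any other traffic."""
    body = f"{client_id}|{ts}|{nonce}|{resource}"
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"

class SpaGate:
    def __init__(self, keys):
        self.keys = keys     # client_id -> shared secret (assumed provisioning model)
        self.seen = set()    # (client_id, nonce) pairs already accepted: replay guard
        self.open = {}       # (client_id, resource) -> expiry of the visibility window

    def knock(self, packet: str, now: int) -> Optional[Grant]:
        """Server side. None means drop with no reply: a scanner sees no host, not a refusal."""
        parts = packet.split("|")
        if len(parts) != 5:
            return None
        client_id, ts, nonce, resource, tag = parts
        key = self.keys.get(client_id)
        if key is None or not ts.isdigit():
            return None
        expected = hmac.new(key, "|".join(parts[:4]).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):                          # forged tag
            return None
        if abs(int(ts) - now) > SKEW or (client_id, nonce) in self.seen:  # stale or replayed
            return None
        self.seen.add((client_id, nonce))
        grant = Grant(client_id, resource, now + OPEN_FOR)
        self.open[(client_id, resource)] = grant.expires_at   # one client, one resource
        return grant

    def is_visible(self, client_id: str, resource: str, now: int) -> bool:
        """Default deny: a resource answers only inside a granted window."""
        return self.open.get((client_id, resource), 0) > now
```

Every rejection path returns the same `None`, so a malformed packet, a wrong key and a replayed knock are indistinguishable from each other and from an empty address.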
The Bottom Line
ZTNA solved the VPN problem by adding identity-based access control. Network hiding solves the ZTNA problem by eliminating infrastructure visibility. They're complementary — not competing — approaches.
For infrastructure that needs to be invisible (and most internal infrastructure does), network hiding closes the gaps that ZTNA can't:
- Prevents discovery (network-layer invisibility)
- Eliminates access infrastructure as a target (no visible broker)
- Makes DDoS impossible (no endpoint to flood)
- Prevents lateral movement (per-resource isolation)
- Authenticates before visibility (SPA before connection)
LayerV implements network hiding through the OpenNHP protocol, adding infrastructure invisibility to your existing security architecture. See it in action — no signup required.
