LayerV vs Zscaler Private Access (ZPA)
Network-Layer Hiding vs Application-Layer ZTNA
Zscaler Private Access (ZPA) is the market leader in Zero Trust Network Access. It brokers connections between users and applications using an application-layer proxy model. LayerV takes a fundamentally different approach: instead of controlling access to visible infrastructure, LayerV makes infrastructure invisible at the network layer.
Architectural Difference
ZPA operates at Layer 7 (application layer). Applications must register with the Zscaler cloud, maintain DNS entries, and run Zscaler connectors. While ZPA hides applications from the public internet through its broker model, the underlying infrastructure still has network presence — port scans, DNS enumeration, and certificate transparency logs can reveal that services exist behind Zscaler.
LayerV operates at Layer 3/4 (network layer). Protected resources have zero network presence. They don't respond to pings, port scans, or any unauthorized traffic. There are no DNS records to enumerate, no ports to scan, no certificates to discover. The infrastructure is indistinguishable from non-existent until a valid QURL is presented.
This is not a marginal difference — it's a different security model entirely. ZPA assumes infrastructure will be visible and controls access to it. LayerV assumes infrastructure should be invisible and only reveals it to authenticated users.
Feature Comparison
| Feature | LayerV | Zscaler Private Access (ZPA) |
|---|---|---|
| Security model | Infrastructure invisibility (network-layer hiding) | Application-layer access brokering |
| Network presence | Zero — no ports, no DNS, no response to scans | Reduced — services hidden behind broker but connectors have network presence |
| Discovery resistance | Immune to port scanning, DNS enumeration, certificate transparency | Connectors and broker infrastructure can be fingerprinted |
| Protocol layer | Layer 3/4 (network) | Layer 7 (application) |
| Authentication model | Cryptographic single packet authorization (SPA) before any network visibility | Identity verification at application layer after network connection |
| Access credentials | Ephemeral QURLs — configurable single-use or time-limited, self-destruct on expiration | Session tokens — persist for session duration |
| Deployment complexity | DNS change (proxy mode) — minutes to deploy | Requires Zscaler connectors, App Segments, policies — days to weeks |
| DDoS protection | Inherent — invisible infrastructure can't be targeted | Requires additional Zscaler DDoS services |
| Pricing model | Free sandbox tier, Growth at $299/month with full cloaking | Per-user annual licensing, no free tier |
| Inline DLP/CASB | Not included (network-layer focus) | Available as part of Zscaler platform |
When to Choose
Choose Zscaler Private Access (ZPA)
Choose Zscaler Private Access if you need inline data loss prevention (DLP) or CASB functionality, or if you are a large enterprise with an existing Zscaler contract. ZPA is also a strong choice for organizations that need application-layer policy enforcement (URL filtering, browser isolation) as part of a broader Zscaler Zero Trust Exchange deployment.
Choose LayerV
Choose LayerV if your primary security concern is eliminating attack surface and preventing reconnaissance. LayerV is the better choice when you need true infrastructure invisibility — zero network presence, not just access control. It's ideal for protecting internal applications, APIs, admin panels, and cloud infrastructure (AWS ALB, EKS, RDS) where discovery itself is the threat. LayerV is also significantly faster to deploy (under an hour for proxy mode vs weeks) and offers a free sandbox tier for evaluation before committing to the Growth plan for full cloaking.
Frequently Asked Questions
Can I use LayerV and Zscaler together?
Yes. LayerV and Zscaler solve different problems. Zscaler provides application-layer access control, DLP, and CASB. LayerV provides network-layer infrastructure hiding. You can use Zscaler for employee web access and LayerV for hiding critical infrastructure that should have zero network presence.
Is LayerV a ZTNA replacement for Zscaler?
LayerV goes beyond ZTNA. While it can replace Zscaler for infrastructure access use cases, LayerV is fundamentally a network hiding platform, not a ZTNA solution. If you need the full Zscaler platform (DLP, CASB, browser isolation), LayerV isn't a direct replacement. If your goal is making infrastructure invisible, LayerV is purpose-built for that.
How does deployment time compare?
LayerV can protect a resource in minutes — a DNS change or iframe embed is all that's needed for proxy mode. Zscaler Private Access typically requires days to weeks for connector deployment, App Segment configuration, and policy setup.
Which has better latency?
LayerV's knock-to-access latency is under 50ms (p99). ZPA routes traffic through Zscaler's cloud, which can add latency depending on the proximity of Zscaler edge nodes to your users and applications.