
Authentication Before Visibility.

Only verified users ever see protected resources.

Traditional security operates after discovery—firewalls, WAFs, and VPNs all require attackers to first find your infrastructure. LayerV.ai flips this model: your AWS resources are cryptographically invisible until Okta authentication succeeds.

Process

How Invisibility Works

A fundamentally different approach to connection. Trust is established before packets are routed.


1

Knock

Cryptographic Handshake

The NHP Agent sends a cryptographically signed UDP packet containing device identity, authentication tokens, and timestamp. This 'knock' is encrypted and unreadable to network observers.

Technical: ECC signatures with Noise Protocol key exchange. Encrypted and authenticated in a single packet.

2

Verify

Identity & Policy Check

LayerV Controller validates the cryptographic signature, checks device posture, and verifies identity against your Okta tenant in real-time.

Technical: Millisecond verification via Okta SAML 2.0 or OIDC. Device posture via Okta Device Trust.

3

Grant

Dynamic Port Opening

Upon successful verification, the Controller instructs the Gateway to open a temporary, session-specific port for only that authenticated user.

Technical: Ports opened for configurable duration. Automatic cleanup on session end or timeout.

4

Connect

Encrypted Session

The user connects through the opened port. The resource becomes visible only to that authenticated session—invisible to everyone else.

Technical: End-to-end encrypted tunnel. Session bound to authenticated identity.

5

Audit

Identity at the Network Layer

Every connection is cryptographically bound to an authenticated identity—not just an IP address. No more 'unknown actor' incidents. Full attribution for compliance, forensics, and real-time alerting.

Technical: Identity-based connection logs. Attack attribution to verified principals. SIEM integration (Splunk, Sentinel).
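
Added example (not LayerV's or the NHP project's code): a minimal gateway-side model of steps 1 to 5, showing signature verification, timestamp freshness, replay rejection, a time-limited per-source grant, and an identity-bound audit trail. The message layout, constants, and all names are assumptions made for illustration; the Noise encryption and the Okta identity and posture checks described above are left out.

```javascript
// Added illustration only: not LayerV's or NHP's wire format; every name is hypothetical.
const crypto = require('node:crypto');

const MAX_SKEW_MS = 30_000;  // assumed freshness window for a knock
const GRANT_TTL_MS = 60_000; // assumed lifetime of an opened port

// Agent side: sign device identity, timestamp and nonce as one datagram payload.
function buildKnock(deviceId, privateKey, now = Date.now()) {
  const nonce = crypto.randomBytes(12).toString('hex');
  const body = Buffer.from(JSON.stringify({ deviceId, ts: now, nonce }));
  return { body, sig: crypto.sign(null, body, privateKey) }; // Ed25519
}

// Controller + gateway side, collapsed into one object for brevity.
class Gateway {
  constructor(enrolledKeys) {
    this.keys = enrolledKeys; // deviceId -> enrolled public key
    this.seen = new Map();    // nonce -> time after which it can be forgotten
    this.grants = new Map();  // source IP -> { deviceId, expires }
    this.audit = [];          // identity-bound decision log
  }
  handleKnock({ body, sig }, srcIp, now = Date.now()) {
    let msg;
    try { msg = JSON.parse(body.toString()); } catch { return this.deny(srcIp, 'malformed', now); }
    const key = this.keys.get(msg?.deviceId);
    // Verify before trusting any field; a failed knock gets no reply at all.
    if (!key || !crypto.verify(null, body, key, sig)) return this.deny(srcIp, 'bad-signature', now);
    if (!(Math.abs(now - msg.ts) <= MAX_SKEW_MS)) return this.deny(srcIp, 'stale', now);
    for (const [n, exp] of this.seen) if (exp < now) this.seen.delete(n);
    if (this.seen.has(msg.nonce)) return this.deny(srcIp, 'replay', now);
    this.seen.set(msg.nonce, msg.ts + MAX_SKEW_MS);
    this.grants.set(srcIp, { deviceId: msg.deviceId, expires: now + GRANT_TTL_MS });
    this.audit.push({ ts: now, srcIp, deviceId: msg.deviceId, event: 'grant' });
    return true;
  }
  deny(srcIp, reason, now) {
    this.audit.push({ ts: now, srcIp, event: 'deny', reason });
    return false;
  }
  // Default closed: a source passes only while it holds an unexpired grant.
  isAllowed(srcIp, now = Date.now()) {
    const g = this.grants.get(srcIp);
    if (g && g.expires > now) return true;
    this.grants.delete(srcIp); // cleanup on timeout
    return false;
  }
}
```

The replay cache only has to remember a nonce until its knock would fail the freshness check anyway, so its size is bounded by the knock rate times the skew window.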

Performance

Invisible Doesn't Mean Slow

Faster than VPN handshakes with enterprise-grade reliability

≤ 24 hrs

Time to First Protected Connection

From signup to production protection

< 50ms

Knock-to-Access Latency (p99)

vs 100-300ms for typical VPN handshakes

0

Discoverable Endpoints

All ports closed until authenticated

99.99%

Handshake Success Rate

With built-in retry and automatic failover

Why NHP Instead of VPN, ZTNA, or Firewall?

Every existing solution operates after your infrastructure is already visible. LayerV.ai adds the missing layer.

VPNs

Encrypt traffic but still expose server IPs to the internet

ZTNA

Requires agents on every device; grants coarse-grained access at the app layer

Firewalls

Block traffic after discovery—attackers already know you exist

WAFs

Protect apps that are already visible and discoverable

LayerV.ai

Works with Okta to hide your AWS infrastructure completely—nothing to scan, nothing to attack

Attack Surface

What Attackers See: Before vs. After

Results from nmap scan against protected infrastructure

Before LayerV

$ nmap -sS target.example.com

Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for target.example.com
PORT      STATE  SERVICE
22/tcp    open  ssh
443/tcp   open  https
3389/tcp  open  ms-wbt-server
5432/tcp  open  postgresql
8080/tcp  open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 2.41s

5 open ports = 5 attack vectors

After LayerV

$ nmap -sS -Pn -p- target.example.com

Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for target.example.com
All 65535 scanned ports are in ignored states.
Not shown: 65535 filtered tcp ports (no-response)

Nmap done: 1 IP address (1 host up) scanned in 1312.48s

0 discoverable ports = 0 attack surface

Use Cases

What Can You Protect on AWS?

LayerV.ai integrates with your Okta tenant to protect any AWS resource

Internal Tools & Admin Panels

Hide Grafana, Jenkins, Kibana, and admin dashboards from the internet. Only Okta-authenticated employees see them.

Result: Your Jenkins instance disappears from Shodan overnight

SSH Bastion Hosts

Eliminate exposed port 22 on your bastion hosts. SSH access only appears after Okta authentication.

Result: Zero brute-force attempts—port 22 doesn't exist until you authenticate

Staging & Dev Environments

Stop exposing pre-production environments to the internet. Dev and staging invisible except to your team.

Result: staging.yourapp.com returns nothing to unauthorized scanners

EKS API Server Access

Protect your Kubernetes API endpoint. kubectl access requires Okta authentication before the endpoint is reachable.

Result: EKS control plane invisible to network scans

Integration

Choose Your Deployment Path

From a DNS change to full AWS infrastructure integration—all secured by Okta

Proxy Mode

Available Now

Zero code changes—route traffic through LayerV and we handle the cloaking automatically

Platforms: ALB/NLB endpoints, API Gateway, Any AWS service
Integration: DNS change + Okta app
Ideal for: Web applications, admin panels, internal tools on AWS
# Point your DNS to LayerV
app.example.com  CNAME  proxy.layerv.ai

# Configure in LayerV dashboard:
# - Origin: your-alb-1234.us-east-1.elb.amazonaws.com
# - Auth: Okta SSO (SAML 2.0)
# - Policy: Require Okta Device Trust

# That's it. Your AWS app is now invisible.

JavaScript SDK

Available Now

Deep integration for applications with granular control over Okta authentication flows

Platforms: Node.js, TypeScript, Browser, React Native
Integration: npm install @layerv/sdk
Ideal for: Custom apps, Lambda functions, API integrations
import { LayerV } from '@layerv/sdk';

const client = new LayerV({
  appId: 'your-app-id',
  oktaDomain: 'your-org.okta.com'
});

// Authenticate via Okta and establish secure session
const session = await client.connect();
console.log('Access granted:', session.id);

Sidecar Agent

Coming Soon

Zero-trust networking for EKS, ECS, and EC2 workloads

Platforms: Amazon EKS, Amazon ECS, EC2 instances
Integration: Helm chart or ECS task definition
Ideal for: Microservices, RDS access, EC2 bastion hosts
# EKS deployment
helm repo add layerv https://charts.layerv.ai
helm install layerv-agent layerv/agent \
  --set appId=your-app-id \
  --set oktaDomain=your-org.okta.com \
  --set controller=ctrl.layerv.ai

Protect what matters before it's seen.

Deploy invisibility from day one.