Only verified users ever see protected resources.
Traditional security operates after discovery—firewalls, WAFs, and VPNs all require attackers to first find your infrastructure. LayerV flips this model: your AWS resources are cryptographically invisible until Okta authentication succeeds.
A fundamentally different approach to connection. Trust is established before packets are routed.
The NHP Agent sends a cryptographically signed UDP packet containing device identity, authentication tokens, and timestamp. This 'knock' is encrypted and unreadable to network observers.
Technical: ECC signatures with Noise Protocol key exchange. Encrypted and authenticated in a single packet.
LayerV Controller validates the cryptographic signature, checks device posture, and verifies identity against your Okta tenant in real-time.
Technical: Millisecond verification via Okta SAML 2.0 or OIDC. Device posture via Okta Device Trust.
Upon successful verification, the Controller instructs the Gateway to open a temporary, session-specific port for only that authenticated user.
Technical: Ports opened for configurable duration. Automatic cleanup on session end or timeout.
The user connects through the opened port. The resource becomes visible only to that authenticated session—invisible to everyone else.
Technical: End-to-end encrypted tunnel. Session bound to authenticated identity.
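The knock, validation, port-open and cleanup steps above, sketched from the controller's side. This is an added example, not LayerV's code or API: Ed25519 stands in for the unspecified ECC signature; the JSON fields, the class and function names and both time limits are assumptions; the Noise encryption and the Okta and device-posture checks are left out.

```javascript
// Added example. Ed25519, the JSON fields and both time limits are assumptions.
const crypto = require('crypto');
const MAX_SKEW_MS = 30000; // assumed freshness window for the knock timestamp
const RULE_TTL_MS = 60000; // assumed lifetime of a session-specific rule
// Agent side, used here only to build constructed sample knocks.
function signKnock(privateKey, deviceId, timestamp, nonce) {
  const body = Buffer.from(JSON.stringify({ deviceId, timestamp, nonce }));
  return { body, sig: crypto.sign(null, body, privateKey) };
}

class KnockController {
  constructor(devices) {
    this.devices = devices; // Map: deviceId -> enrolled public key
    this.seen = new Map();  // "deviceId:nonce" -> expiry, the replay cache
    this.rules = [];        // open rules, each bound to device and source IP
  }
  // Returns { ok, reason }; on success also the rule the gateway should open.
  verify(knock, srcIp, now) {
    let msg; try { msg = JSON.parse(knock.body.toString('utf8')); } catch { msg = null; }
    if (!msg || typeof msg.deviceId !== 'string') return { ok: false, reason: 'malformed' };
    const key = this.devices.get(msg.deviceId);
    if (!key) return { ok: false, reason: 'unknown-device' };
    // Only deviceId is read before this check, to pick the key to verify with.
    if (!crypto.verify(null, knock.body, key, knock.sig)) return { ok: false, reason: 'bad-signature' };
    if (typeof msg.timestamp !== 'number' || Math.abs(now - msg.timestamp) > MAX_SKEW_MS)
      return { ok: false, reason: 'stale' };
    const id = `${msg.deviceId}:${msg.nonce}`;
    if (this.seen.has(id)) return { ok: false, reason: 'replay' };
    this.seen.set(id, msg.timestamp + MAX_SKEW_MS);
    const rule = { deviceId: msg.deviceId, srcIp, expiresAt: now + RULE_TTL_MS };
    this.rules.push(rule);
    return { ok: true, reason: 'accepted', rule };
  }
  // Automatic cleanup: drop expired rules and replay entries, return live rules.
  sweep(now) {
    this.rules = this.rules.filter((r) => r.expiresAt > now);
    for (const [id, exp] of this.seen) if (exp < now) this.seen.delete(id);
    return this.rules;
  }
}
// Constructed run: one enrolled device, a valid knock, then a replay and a stale one.
function demo(now = 1700000000000) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const ctl = new KnockController(new Map([['laptop-01', publicKey]]));
  const knock = signKnock(privateKey, 'laptop-01', now, 'n-1');
  const old = signKnock(privateKey, 'laptop-01', now - 120000, 'n-2');
  return [knock, knock, old].map((k) => ctl.verify(k, '198.51.100.7', now).reason);
}
console.log(demo());
```

A replay-cache entry is kept for as long as its timestamp would still pass the freshness check, so a captured knock cannot be resent inside the window.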
Every connection is cryptographically bound to an authenticated identity—not just an IP address. No more 'unknown actor' incidents. Full attribution for compliance, forensics, and real-time alerting.
Technical: Identity-based connection logs. Attack attribution to verified principals. SIEM integration (Splunk, Sentinel).
Faster than VPN handshakes with enterprise-grade reliability
From signup to production protection
vs 100-300ms for typical VPN handshakes
All ports closed until authenticated
With built-in retry and automatic failover
Every existing solution operates after your infrastructure is already visible. LayerV adds the missing layer.
Encrypt traffic but still expose server IPs to the internet
Requires agents on every device; grants coarse-grained access at the app layer
Block traffic after discovery—attackers already know you exist
Protect apps that are already visible and discoverable
Works with Okta to hide your AWS infrastructure completely—nothing to scan, nothing to attack
Your IdP handles WHO gets access. LayerV handles WHO CAN SEE your infrastructure.
| Capability | VPN | ZTNA | Firewall | LayerV |
|---|---|---|---|---|
| Encrypts traffic | ||||
| Identity-based access (via IdP) | ||||
| Device posture checks | ||||
| Blocks malicious traffic | ||||
| Hides infrastructure from scans | ||||
| Prevents reconnaissance | ||||
| Zero exposed attack surface | ||||
| Full access audit trail | ||||
LayerV integrates with your existing Okta setup to add the invisibility layer.
Results from nmap scan against protected infrastructure
$ nmap -sS target.example.com
Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for target.example.com
PORT     STATE SERVICE
22/tcp   open  ssh
443/tcp  open  https
3389/tcp open  ms-wbt-server
5432/tcp open  postgresql
8080/tcp open  http-proxy
Nmap done: 1 IP address (1 host up) scanned in 2.41s
5 open ports = 5 attack vectors
$ nmap -sS -Pn -p- target.example.com
Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for target.example.com
All 65535 scanned ports are in ignored states.
Not shown: 65535 filtered tcp ports (no-response)
Nmap done: 1 IP address (1 host up) scanned in 1312.48s
0 discoverable ports = 0 attack surface
LayerV integrates with your Okta tenant to protect any AWS resource
Hide Grafana, Jenkins, Kibana, and admin dashboards from the internet. Only Okta-authenticated employees see them.
Result: Your Jenkins instance disappears from Shodan overnight
Eliminate exposed port 22 on your bastion hosts. SSH access only appears after Okta authentication.
Result: Zero brute-force attempts—port 22 doesn't exist until you authenticate
Stop exposing pre-production environments to the internet. Dev and staging invisible except to your team.
Result: staging.yourapp.com returns nothing to unauthorized scanners
Protect your Kubernetes API endpoint. kubectl access requires Okta authentication before the endpoint is reachable.
Result: EKS control plane invisible to network scans
From a DNS change to full AWS infrastructure integration—all secured by Okta
Zero code changes—route traffic through LayerV and we handle the cloaking automatically
# Point your DNS to LayerV
app.example.com CNAME proxy.layerv.ai
# Configure in LayerV dashboard:
# - Origin: your-alb-1234.us-east-1.elb.amazonaws.com
# - Auth: Okta SSO (SAML 2.0)
# - Policy: Require Okta Device Trust
# That's it. Your AWS app is now invisible.
Deep integration for applications with granular control over Okta authentication flows
import { LayerV } from '@layerv/sdk';
const client = new LayerV({
  appId: 'your-app-id',
  oktaDomain: 'your-org.okta.com'
});
// Authenticate via Okta and establish secure session
const session = await client.connect();
console.log('Access granted:', session.id);
Zero-trust networking for EKS, ECS, and EC2 workloads
# EKS deployment
helm repo add layerv https://charts.layerv.ai
helm install layerv-agent layerv/agent \
  --set appId=your-app-id \
  --set oktaDomain=your-org.okta.com \
  --set controller=ctrl.layerv.ai