LayerV is a preemptive cybersecurity platform that makes infrastructure invisible to attackers. We implement the OpenNHP (Network Hiding Protocol) standard from the Cloud Security Alliance. Instead of detecting attacks after they start, we prevent them by eliminating the attack surface entirely.

How does LayerV work?

LayerV uses a 5-step authentication flow: (1) Knock - encrypted request sent, (2) Verify - identity and policy validated, (3) Grant - temporary tunnel opened, (4) Connect - resource visible only to authenticated user, (5) Audit - access logged. Protected resources have zero network presence until authentication succeeds.

No. VPNs encrypt traffic but servers remain visible and scannable. LayerV makes servers completely invisible - they have zero network presence until authentication succeeds. This is a fundamentally different approach called Network Hiding.

LayerV is generally available. Free tier includes 500 qURLs/month for developers. Enterprise plans with custom SLAs are available. Try the interactive playground at layerv.ai/qurl/playground — no signup required.

What identity providers does LayerV support?

LayerV integrates with major identity providers including Okta, Azure AD (Entra ID), Google Workspace, Auth0, and Ping Identity. Any OIDC or SAML-compatible provider can be integrated.

A qURL is an identity-bound, single-use, expiring access object — the primitive replacing the URL for the agent era. It is minted by LayerV on the OpenNHP (Network Hiding Protocol) standard, and the resource it points to does not respond on the network until the qURL is presented and identity is proven. Try the interactive qURL Playground at layerv.ai/qurl/playground.

The team behind qURL

Built on the OpenNHP standard we wrote.

qURL is LayerV’s product. OpenNHP is the network-hiding standard underneath it — published by the Cloud Security Alliance, progressing through the IETF, and co-authored by LayerV’s founding team. This page is the receipts.

Cloud Security Alliance

Published as a CSA Zero Trust standard.

The Cloud Security Alliance — the body that governs cloud security standards for 500+ enterprise members including AWS, Google, Microsoft, and Alibaba — has published the NHP specification as “Stealth Mode SDP for Zero Trust Network Infrastructure.”

OrganizationCloud Security Alliance (CSA)

Working GroupZT5 — Pillar: Networks

Lead authorsBenfeng Chen, Justin Posey, Yuanyuan Liu

ReleasedFebruary 3, 2026

What the specification covers

NHP architecture: NHP-Agent, NHP-Server, NHP-AC components
Cryptographic framework using the Noise Protocol
Integration guidance for SDP, DNS, and FIDO
Logging and compliance auditing requirements
Default-deny posture aligned with Zero Trust

“Transitioning core networking technologies to a default-deny stance — one that aligns with emerging Zero Trust concepts.”

Read the CSA specification

IETF Internet-Draft

Progressing through the body that runs the Internet.

The Internet Engineering Task Force is the body that defined TCP/IP, HTTP, TLS, and DNS — virtually every protocol the Internet runs on. NHP is currently in the IETF standards track as draft-opennhp-ztcpp-nhp.

What the draft defines

Protocol architecture: NHP-Agent, NHP-Server, NHP-AC, ASP
Cryptographic framework: Noise Protocol, Curve25519, ChaCha20-Poly1305, HKDF
Message formats: NHP-KNK, NHP-ACK, NHP-AOP, NHP-ACC
Integration patterns: SDP, DNS, FIDO, Zero Trust policy engine

Read the IETF draft

The protocol, in three beats

What we standardized.

The spec defines a single ritual: default deny, then cryptographic knock, then micro-authorized access. Every qURL LayerV mints is one execution of this ritual.

Default deny

All ports closed. No banner, no response to any probe. The host is invisible to scanners and reconnaissance tools.

Cryptographic knock

Authenticated identities send a single encrypted packet proving who they are before any connection is attempted.

Micro-authorized access

A port opens only for that identity, only to that resource, only for that session. When the session ends, the host disappears again.

From spec to product

The standard is a document. LayerV is the system.

Production-hardened

The spec is a document. LayerV is the running system — battle-tested, monitored, with SLAs and compliance mapping.

Managed infrastructure

Global edge network, automated deployments, identity broker, audit engine. The platform that turns the standard into one API call.

Direct from the authors

We don't just implement the spec — we wrote it. Support and roadmap come from the people who define what the protocol does next.

The team that wrote the standard ships qURL.

Try qURL free — 500 qURLs/month, no credit card.

Try the demo Read the API docs

OpenNHP is open source under the Apache 2.0 license. View the reference implementation at github.com/OpenNHP/opennhp.