Guide
What Is Network-Layer Exam Security?
The 2026 AI-cheating tools — invisible overlays, on-device LLMs, remote-access proxies — run below the browser and outside the webcam's view. Network-layer exam security enforces integrity where they actually operate: the candidate's network path and operating system.
The short answer
Network-layer exam security enforces exam integrity at the network path and operating system of the candidate's device, rather than inside a single browser window or through a webcam. A per-session encrypted tunnel routes the device's traffic through a gateway that applies a default-deny policy: only assessment-approved destinations are reachable, and AI APIs, remote-access protocols, and unauthorized cloud storage are blocked before any connection completes. It controls what the device can reach — regardless of which application makes the request, what that application is named, or whether it is visible on screen.
It is also known as network-layer proctoring or zero-trust exam security.
Why the browser and webcam layers fail in 2026
Every lockdown browser and webcam proctor was architected for a threat model where cheating was visible: a second tab, a phone in frame, a person off-camera. Between 2023 and 2025 the cheating tool moved below that line.
- Invisible AI overlays like Cluely set an OS screen-capture-exclusion flag, so they don't appear in the screen a proctor or lockdown browser inspects. The technique is invisible by design.
- On-device LLMs running on Ollama or LM Studio answer questions from local memory — no screen artifact, no webcam-visible behavior, and no network traffic to intercept.
- Proxy rings and remote-access tools hand control to a third party over the network — beneath a single locked window entirely.
Name-matching the latest tool closes one binary and goes blind the moment the name changes. The layer where these tools live — the OS and the network — is the only place to catch the technique instead of the appearance.
How network-layer enforcement works
Four layers run together for the length of one exam session and leave nothing behind.
Per-session encrypted tunnel
A user-space WireGuard tunnel deploys on the candidate's own device in about 30 seconds — no kernel driver, no admin install, no persistent footprint. It auto-destructs after the session.
Default-deny network policy
All traffic routes through a per-session gateway that blocks everything except assessment-approved destinations. AI API endpoints, remote-access protocols, and unauthorized cloud storage never resolve.
OS-level firewall + DNS filtering
Per-session DNS filtering and OS firewall rules enforce the policy at the device, so a request can't slip out through a different application or a renamed process.
Client-side technique signals
The agent flags the cheating technique directly: the screen-capture-exclusion flag overlays must set, GPU VRAM deltas from a loaded model, and on-disk model-file and process signatures — independent of process name.
Network layer vs. browser lockdown vs. webcam proctoring
| Capability | Network layer (Aiseptor) | Lockdown browser | Webcam proctoring |
|---|---|---|---|
| What it controls | OS network path + device signals | One browser window | The candidate on camera |
| Invisible AI overlays (Cluely, forks) | Detected | No | No |
| On-device LLMs (Ollama, LM Studio) | Detected | No | No |
| Blocks AI API endpoints | Yes (default-deny) | No | No |
| Remote-access / proxy tools | Blocked at gateway | No | Sometimes (visual) |
| Requires a webcam | No | No | Yes |
| Data collected | Network access signals only | Browser activity | Webcam + screen video |
| Deployment | 30s, no driver, ephemeral | Install / extension | Webcam + agent |
The layers are complementary, not mutually exclusive — Aiseptor is built to sit beneath a lockdown browser or proctoring service, covering the device and network surface they cannot reach.
What network-layer enforcement catches
Because detection targets the technique rather than the name, the same mechanism catches the known tools and the ones that don't exist yet: Cluely and renamed overlay forks, on-device LLMs on Ollama or LM Studio, remote-access and proxy-ring services, and any application reaching for a blocked AI endpoint. See the live threat index for the current tool landscape.
What it is not
Network-layer exam security covers the device and network surface. It does not verify identity, watch the room, or catch a phone, a paper note, or an in-person accomplice off-camera. It is designed to sit beneath a lockdown browser or proctoring service and cover the AI surface they cannot reach — not to replace physical or identity proctoring. Pair it with a live proctor or identity check for that.
Compare against the tools you may already use: Respondus · ExamSoft · Safe Exam Browser · all comparisons
Frequently Asked Questions
What is network-layer exam security?
Network-layer exam security enforces exam integrity at the network path and operating system of the candidate's device, instead of inside a single browser window or through a webcam. A per-session encrypted tunnel routes the device's traffic through a gateway that applies a default-deny policy: only assessment-approved destinations are reachable, and AI APIs, remote-access protocols, and unauthorized cloud storage are blocked before any connection completes. It controls what the device can reach, regardless of which application makes the request.
How is network-layer enforcement different from a lockdown browser?
A lockdown browser controls one browser window. It cannot see the rest of the operating system, a second device, or a process running beside it. Network-layer enforcement controls what the whole device can reach on the network and inspects OS-level signals. An invisible AI overlay or an on-device LLM runs outside the browser sandbox — so it is invisible to a lockdown browser but visible to network-and-OS-layer detection.
Does network-layer exam security need a webcam?
No. Network-layer enforcement uses no webcam, no microphone, no screen recording, and no keystroke logging. The audit record is metadata about what the device could and could not reach during the session — not a recording of the candidate. This makes it suitable for institutions with strict candidate-privacy requirements such as GDPR and FERPA.
Can network-layer detection catch Cluely and other invisible overlays?
Yes. An invisible overlay like Cluely hides from screen capture by setting an OS-level screen-capture-exclusion flag — the same flag a lockdown browser or proctor cannot see. Network-layer detection looks for the technique rather than the process name: the exclusion flag itself, GPU VRAM deltas, and DNS/SNI requests to AI endpoints. Renamed builds and never-before-seen forks are caught the same way the known ones are.
Does it replace proctoring or identity verification?
No. Network-layer exam security covers the device and network surface — invisible overlays, on-device LLMs, remote-access tools, and AI API traffic. It does not verify identity, watch the room, or catch a phone, a paper note, or an in-person accomplice. It is designed to sit beneath a lockdown browser or proctoring service and cover the layer they cannot reach, not to replace physical or identity proctoring.
Enforce at the layer where the cheating actually happens.
No webcam, no screen recording, no keystrokes. Deploys in 30 seconds on any candidate device and leaves nothing behind.