The assessment of Nord Security and its primary subsidiary, NordVPN, necessitates a granular deconstruction of its corporate layering, jurisdictional maneuvers, and the ideological provenance of its leadership. For a defense logistics analyst, the primary challenge in auditing a cybersecurity entity lies in the inherent dual-use nature of the technology and the intentional opacity maintained by the parent conglomerate to mitigate regulatory and geopolitical risks. Established in 2012 by Eimantas Sabaliauskas and Tomas Okmanas, NordVPN originated as a Lithuanian startup supported by the Tesonet business incubator.1 Over the subsequent decade, the entity evolved into a global “privacy powerhouse,” merging with Surfshark in early 2022 to form a conglomerate valued at approximately $3 billion.2
The corporate structure of Nord Security is characterized by a deliberate bifurcation between operational reality and legal jurisdiction. NordVPN officially operates under the jurisdiction of Panama, a choice strategically marketed to emphasize the absence of mandatory data retention laws.5 However, the parent holding company, Nord Security (formerly Nordsec Ltd), is incorporated in Amsterdam, the Netherlands, while its primary operational hub, known as “Cyber City,” is located in Vilnius, Lithuania.1 This tripartite arrangement — Panamanian legal protection, Dutch corporate registration, and Lithuanian technical execution — creates a complex landscape for forensic auditing, as it allows the company to claim jurisdictional immunity in various contexts while maintaining a deep physical and economic footprint in NATO and EU-aligned territories.1
| Corporate Entity | Role | Primary Jurisdiction |
|---|---|---|
| Nord Security (Nordsec Ltd) | Parent Holding Company | Netherlands 1 |
| NordVPN s.a. | Consumer VPN Entity | Panama 1 |
| Tesonet | Incubator/Accelerator | Lithuania 2 |
| Cyberspace B.V. | Holding for Nord/Surfshark | Netherlands 8 |
| Surfshark VPN | Subsidiary Brand | Netherlands/Lithuania 9 |
The Vilnius headquarters, a state-of-the-art facility housed in a former Soviet-era sock factory, employs over 1,800 staff members as of 2026.2 This facility serves as the nerve center for product development across the entire suite, including NordLayer (B2B), NordPass (Password Management), and NordLocker (Encrypted Storage).11 The scale of this operation and its integration into the Lithuanian digital infrastructure — one of the most advanced in Europe — suggests that Nord Security is not merely a software provider but a critical component of the Baltic defense-adjacent technology sector.2 This regional positioning is significant, as the founders have explicitly referenced the “strengths of the Israeli tech community” as a blueprint for the Lithuanian ecosystem.13
A primary intelligence requirement for this audit is the identification of direct contracts between Nord Security and the Israeli Ministry of Defense (IMOD) or the Israel Defense Forces (IDF). An exhaustive review of the Israeli Defense and Homeland Defense Directory, specifically the SIBAT (International Defense Cooperation Directorate) listings, does not currently reveal “NordVPN” or “Nord Security” as a registered defense manufacturer or service provider.14 SIBAT acts as the primary bridge between the Israeli defense industry and international partners, managing G2G (Government-to-Government) and B2G (Business-to-Government) frameworks.14 The absence of Nord from these directories suggests that the company does not provide purpose-built, “mil-spec” hardware or offensive cyber capabilities directly to the Israeli state through traditional procurement channels.
However, the modern landscape of Israeli defense procurement has shifted significantly toward “agile” engagement with civilian technology startups. The Directorate of Defense Research & Development (DDR&D) has increased its contracts with security startups by 72% since the onset of intensified regional conflict in 2023.17 This shift is driven by the need for rapid solutions in cyber defense, autonomous systems, and secure communication.17 In this context, the procurement of “off-the-shelf” (OTS) cybersecurity tools like NordVPN or NordLayer often occurs through third-party resellers or via standard IT tender processes that are not captured in military-specific directories.19
The procurement mechanism for Israeli government agencies often utilizes local distributors. While NordVPN is a consumer-facing product, NordLayer is marketed as an “adaptive network access security solution” for businesses and “public administrations”.22 The presence of “physical” servers in Tel Aviv data centers implies commercial agreements with Israeli infrastructure providers, which often maintain their own relationships with the security establishment.24
| Complicity Indicator | Nord Security Status | Contextual Evidence |
|---|---|---|
| SIBAT Registered Contractor | Not Listed | Indicates lack of “prime” military status 14 |
| IMOD/DDR&D Engagement | Unconfirmed/Indirect | Procurement likely through civilian IT channels 17 |
| Tactical Software Variant | Probable (NordLayer) | ZTNA and Meshnet features used in high-stakes OPSEC 12 |
| Physical Infrastructure in IL | Confirmed | 20+ servers in Tel Aviv; locally exploited 24 |
The forensic implication for defense logistics is that while Nord Security is not a “Tier 1” military contractor in the vein of Elbit Systems or Rafael, it acts as a “Tier 3” or “Tier 4” supplier of essential digital infrastructure.30 Its products secure the peripheral networks of the defense industrial base, meaning its operational complicity is tied to the sustainment of the economic and technological ecosystem that supports the occupation, rather than the direct delivery of munitions or offensive code.22
The distinction between “off-the-shelf” civilian sales and “purpose-built” military supply is increasingly blurred in the cybersecurity domain. Nord Security produces several technologies that possess high tactical utility for military or paramilitary units. This “dual-use” profile is a critical element of the audit, as it demonstrates how civilian privacy tools can be repurposed for military operational security (OPSEC).
One of NordVPN’s most significant tactical features is “Meshnet,” launched in June 2022.1 Meshnet allows users to create an encrypted private network by linking up to 60 devices directly, bypassing the need for a centralized VPN server.1 For military logistics and field operations, Meshnet facilitates:
In 2025, NordVPN introduced “NordWhisper,” a new protocol designed specifically to mimic regular web traffic and blend into the noise of a network.1 Unlike traditional VPN protocols (OpenVPN, IKEv2) which can be identified and blocked by sophisticated deep packet inspection (DPI) systems, NordWhisper aims to be “invisible” to network filters.1 This technology is essential for “tactical” operations in environments where an adversary maintains control over the network infrastructure, such as the digital occupation of the West Bank or Gaza, where Israeli security forces manage the communications backbone.34
Nord Security’s move into post-quantum encryption in September 2024 reflects a direct response to nation-state threats.1 The “harvest now, decrypt later” strategy — where encrypted traffic is intercepted and stored by intelligence agencies (including the IDF’s Unit 8200) to be decrypted once quantum computing becomes viable — is a primary concern for modern defense organizations.1 By implementing PQE, Nord Security provides a high-level strategic defense that is typically the province of classified military communications systems.10
| Technical Feature | Tactical Utility | Strategic Implication |
|---|---|---|
| NordLynx (WireGuard) | Ultra-low latency communication | Real-time surveillance data transmission 1 |
| Meshnet | P2P Encrypted Tunnels | Decentralized unit communication/OPSEC 1 |
| NordWhisper | Traffic Mimicry/Obfuscation | Bypassing state-level network blocks 1 |
| Post-Quantum Enc. | Long-term data protection | Counter-intelligence against “Harvest Now” 1 |
The audit must determine if Nord Security provides essential services that sustain the IDF’s physical or digital presence. While there is no evidence of Nord providing physical catering, transport, or construction to IDF bases in the Negev or the West Bank, its role in “digital sustainment” is undeniable. The company maintains a consistent presence in Tel Aviv, with over 20 physical servers that facilitate high-speed, localized internet traffic.24
NordLayer, the enterprise arm, is designed to “centralize your organization’s security infrastructure”.12 It offers features such as network segmentation, identity and access management (IAM), and “device posture security”.12 In the Israeli context, where the boundary between “civilian technology” and “security infrastructure” is highly porous, NordLayer serves as a foundational tool for companies operating in sensitive sectors.
Evidence from Iranian-aligned cyber-attacks (e.g., MuddyWater and Lyceum) in early 2025 highlights the sectors where Nord Security’s products are most relevant.22 These attacks targeted Israeli entities in:
NordLayer is explicitly listed as a “directory supplier” for these types of high-value, high-risk organizations.22 By providing the “Zero Trust” infrastructure that protects these sectors from regional adversaries, Nord Security provides “logistical sustainment” to the broader Israeli economic and security apparatus. The ability of an Israeli utility company or an engineering firm (potentially a subcontractor for Elbit or IAI) to continue operations despite cyber-warfare is directly enabled by the security layers provided by Nord.12
NordVPN’s marketing in Israel encourages users to “feel safe with NordVPN” whether they are at home or at a “local hummusiya”.24 This localized engagement, combined with the provision of Israeli IP addresses, allows individuals and potentially security operatives to appear as though they are browsing from within the pre-1967 borders, even when operating in the occupied territories.25 While this is a standard feature of any VPN, the density of Nord’s infrastructure in Israel (ranking as the #1 VPN for the region in several independent tests) suggests it is a preferred tool for institutional and professional users in the country.29
The fourth requirement involves documenting the supply of components or services to known Israeli defense primes like Elbit Systems, Israel Aerospace Industries (IAI), and Rafael. As a software-as-a-service (SaaS) provider, Nord Security does not supply “optical glass” or “engine parts”.30 However, its role in the “digital supply chain” is critical.
Modern defense primes like Elbit Systems are increasingly focused on “military technology” and “defense contracting” that relies on cloud-native and AI-driven platforms.31 Elbit’s record $23.8 billion order backlog includes massive deals for “strategic equipment” and “intelligence capabilities”.32 For these companies to manage their global operations — which include subsidiaries in the UK, US, and UAE — they require secure, low-latency network access for their hybrid workforce.31
NordLayer’s “Zero Trust” and “Software-Defined Perimeter” (SDP) solutions are specifically designed for this type of distributed, high-security enterprise.12 While specific customer lists for NordLayer are often confidential, the platform is benchmarked alongside Israeli security giants like Check Point (which acquired Perimeter 81) and Cato Networks.33 The presence of NordLayer in the same market niche as these “Blue and White” consolidated platforms indicates that it is a viable and likely choice for the subcontractors and technology partners that feed into the Elbit/IAI/Rafael supply chain.40
The financial backing of Nord Security provides further evidence of its integration into the defense-industrial complex. In its recent Series C funding rounds, Nord Security raised $200 million from investors including Warburg Pincus, General Catalyst, and Novator Partners.42
General Catalyst, in particular, maintains a portfolio that is heavily weighted toward “hard-tech” and “defense applications”.44 Their investments include:
The fact that the same capital pool funding the world’s most advanced autonomous weapons systems (Anduril) is also a lead investor in Nord Security suggests a high degree of “ideological and material” synergy.11 This “nexus of defense capital” ensures that Nord Security’s development path is aligned with the requirements of the modern security state, which increasingly prioritizes AI-driven, cloud-native security platforms.40
| Funding Date | Amount | Lead Investor | Contextual Portfolio |
|---|---|---|---|
| Apr 07, 2022 | $100M | Novator Partners | Investment in Cyberspace B.V. 8 |
| Sep 28, 2023 | $100M | Warburg Pincus | Infoblox, NEOGOV (GovTech) 11 |
| Series C (Part) | — | General Catalyst | Anduril, Helsing, Varda 44 |
The leadership of Nord Security and the Tesonet group has consistently looked to the Israeli technology ecosystem as a model for success.13 Tomas Okmanas has explicitly noted that “Israeli tech community” strengths were an inspiration for building the Lithuanian startup scene.13 This ideological alignment is reflected in the company’s recruitment and marketing strategies.
While the founders are Lithuanian, the company maintains a “global community” that includes individuals with deep experience in the Israeli security market.11 For example, the use of NordLayer is championed by IT administrators at companies like SentinelOne — an Israeli-founded cybersecurity firm that is deeply integrated into the IDF’s digital defense architecture.41 This personnel cross-pollination ensures that Nord’s product development remains responsive to the needs of the Israeli market.
Furthermore, Nord Security’s public stance on regional conflicts demonstrates a selective “corporate conscience.” In 2022, the company’s subsidiary CyberCare opened an office in Ukraine and donated money to “help arm Ukraine”.7 This precedent for “material support” in a military conflict indicates that Nord Security does not maintain a strict policy of “incidental association.” Its silence on the human rights implications of its infrastructure in Israel, contrasted with its vocal support for Ukrainian defense, suggests a geopolitical alignment that favors the security interests of its primary investors and host nations.7
A forensic audit of NordVPN is incomplete without a comparison to its primary competitor, Kape Technologies. Kape, the owner of ExpressVPN, CyberGhost, and Private Internet Access, represents a “Tier 1” complicity profile in the Israeli context.9 Kape is owned by Israeli billionaire Teddy Sagi, a former member of the Israeli military who has significant real estate and shipping holdings.9
Kape’s history is rooted in “Crossrider,” a company that was associated with the distribution of adware before rebranding and acquiring a string of VPN companies.9 The acquisition of ExpressVPN for $936 million in 2021 remains the largest deal in the industry.9 In contrast to Nord’s “Blue and White” Lithuanian identity, Kape is an explicitly Israeli-owned enterprise that has integrated Israeli “spyware” narratives into its corporate evolution.47
| Feature | Nord Security | Kape Technologies |
|---|---|---|
| Ownership | Lithuanian Founders (Okmanas/Sabaliauskas) 43 | Israeli Billionaire (Teddy Sagi) 9 |
| Defense Ties | Indirect/Supply Chain 22 | Direct/Leadership 9 |
| Key Product | NordVPN / NordLayer 1 | ExpressVPN / CyberGhost 10 |
| Valuation | $3 Billion (2023) 43 | $1.58 Billion (Private, 2023) 9 |
While Nord Security attempts to distance itself from the “Pegasus” and “NSO Group” controversies by marketing its tools as “anti-spyware,” the underlying reality is that both Nord and Kape provide the encryption and obfuscation tools required for modern “grey zone” operations.47 Nord’s “meaningful complicity” is less overt than Kape’s but perhaps more systemic, as it provides the “Zero Trust” framework that is becoming the global standard for securing military-industrial networks.33
As the cybersecurity industry moves toward “Agentic Cyber” — where AI agents autonomously make decisions and execute remediation tasks — Nord Security is positioning itself as a “Foundational Pillar”.40 The “Wiz Effect” has proven that Israeli startups can achieve massive global scale by centralizing the fragmented security stack.40 Nord Security’s strategy to “centralize your organization’s security infrastructure” through NordLayer is a direct application of this model.12
For the IDF and the Israeli defense establishment, this “platformization” is vital. CISOs (Chief Information Security Officers) in the defense sector face “alert fatigue” from disconnected tools.40 NordLayer’s “single pane of glass” for network access, combined with its “AI-powered” threat detection, makes it a critical tool for maintaining the “IDF’s technological edge” in a landscape of automated, AI-driven attacks.40
The 2025 launch of “NordStellar” (a threat exposure management tool) and “Nexos.ai” (an AI governance platform founded by Okmanas and Sabaliauskas) indicates a move into the high-end strategic consulting and management space.11 These products are designed for “enterprises” and “public administrations” to manage the risks of AI integration — a top priority for the Israeli Ministry of Defense as it seeks to integrate AI into every aspect of its battlefield operations.17
The forensic audit of Nord Security (NordVPN) identifies several markers of military complicity, categorized by the core intelligence requirements.
There is no evidence of “Tier 1” direct contracting. However, the company’s products are widely available in the Israeli market through civilian procurement channels that serve the security establishment.14
Nord Security produces high-utility tactical tools (Meshnet, NordWhisper, PQE) that are standard requirements for military OPSEC and clandestine communication.1 These are “off-the-shelf” but possess the technical specs of purpose-built military gear.
The company provides “digital sustainment” by maintaining significant physical infrastructure in Tel Aviv and securing the networks of critical Israeli infrastructure and engineering firms.22
Nord Security is a “Tier 3/4” supplier in the digital supply chain of Israeli defense primes.22 Its financial backing comes from capital pools that are deeply integrated into the US and Israeli “hard-tech” and autonomous defense sectors.11
For the Defense Logistics Analyst, Nord Security represents a “Neutral-Adjacent” entity whose operations materially support the Israeli state’s digital resilience. While it avoids the “meaningful complicity” of direct weapons manufacturing, it provides the “Zero Trust” framework that secures the economic and technological foundations of the occupation and its related military systems. The company’s ideological alignment with the “Israeli tech model” and its selective support for military conflicts (Ukraine) suggest that it is a strategic actor in the global “cybersecurity decacorn” race, where the interests of the security state and the private sector are inextricably linked.13
| Complicity Level | Marker | Forensic Implication |
|---|---|---|
| Material Support | Infrastructure in Tel Aviv | Sustains local security operations 24 |
| Ideological Support | Emulation of Israeli Model | Aligns corporate strategy with security state goals 13 |
| Operational Support | NordLayer in Utilities/Tech | Secures the defense industrial base 22 |
| Financial Support | Defense Venture Capital | Links corporate growth to military AI outcomes 11 |
