SAP ECC and S/4HANA penetration testing
We test authorisations, custom ABAP, RFC, IDoc, transport management, security configuration and Segregation of Duties conflicts. Scope can include whitebox, greybox or blackbox testing.
Specialist penetration testing for SAP - ECC, S/4HANA, HANA, BTP, Fiori, HCM. A report with CVSS scoring, a remediation plan and the option of a retest. Evidence of due diligence for the board and auditors.
Regular security testing of critical systems is expected by auditors, boards and regulators. An SAP penetration test allows an organisation to document that it actively identifies and mitigates risks in its SAP environment.
SAP systems support critical financial, logistics, production and HR processes. Penetration testing uncovers vulnerabilities in authorisations, integrations, ABAP code, and HANA, Fiori and BTP configuration before they become part of a real incident.
The report is not simply a list of findings. Every risk is described in terms of business impact, criticality, remediation priority and a recommended action for the SAP, Basis, Security or Development teams.
After fixes are implemented, we verify that vulnerabilities have been effectively removed. Without a retest, a penetration test easily becomes a one-off report rather than a genuine part of the security improvement process.
We check SAP HANA vulnerabilities, SQL injection scenarios, BTP service configuration, the identity provider, SAP Cloud Connector and API integrations.
We test SAP Fiori, SAP Portal and UI5 applications against the OWASP Top 10 and SAP-specific vectors. Scope includes, among other things, JWT handling, CSRF, SAP Personas and vulnerabilities in custom user interfaces.
We scan custom ABAP code for vulnerabilities such as SQL injection, command injection, path traversal, hardcoded credentials and broken access control.
We identify Segregation of Duties conflicts, excessive privileges, superuser profiles and risks associated with SAP_ALL and critical administrative transactions.
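As an added illustration of the authorisation review described above (example code, not the provider's own tooling), the script below runs a small check over a constructed user/role extract: it flags superuser profiles, a sample of critical administrative transactions and a constructed Segregation of Duties conflict matrix. The transaction codes and profile names are real SAP identifiers; the users, the conflict pairs and the severity ratings are assumptions for the example.

```python
# Added example, not from the original page: review a constructed SAP user extract
# for superuser profiles, critical transactions and Segregation of Duties conflicts.
from dataclasses import dataclass, field

# Real SAP profiles and transaction codes; which ones count as "critical" and which
# pairs conflict is a constructed sample ruleset, not an official SAP or GRC matrix.
SUPERUSER_PROFILES = {"SAP_ALL", "SAP_NEW"}
CRITICAL_TCODES = {"SU01", "PFCG", "SE16", "SE38", "SM49"}  # user/role admin, table/program/OS access
SOD_CONFLICTS = {
    ("FK01", "F110"): "create vendor master and run payment program",
    ("ME21N", "MIGO"): "create purchase order and post goods receipt",
}


@dataclass
class SapUser:
    name: str
    profiles: set = field(default_factory=set)
    tcodes: set = field(default_factory=set)  # transactions reachable via assigned roles (S_TCODE)


def review_user(user):
    """Return a list of (severity, finding) tuples for one user."""
    findings = []
    for p in sorted(user.profiles & SUPERUSER_PROFILES):
        findings.append(("high", f"{user.name}: superuser profile {p} assigned"))
    for (a, b), why in SOD_CONFLICTS.items():
        if a in user.tcodes and b in user.tcodes:
            findings.append(("high", f"{user.name}: SoD conflict {a}/{b} ({why})"))
    for t in sorted(user.tcodes & CRITICAL_TCODES):
        findings.append(("medium", f"{user.name}: critical transaction {t}"))
    return findings


def review_users(users):
    return [f for u in users for f in review_user(u)]


# Constructed sample extract (the shape you would get from SUIM or AGR_USERS/AGR_TCODES).
SAMPLE_USERS = [
    SapUser("AP_CLERK", tcodes={"FK01", "FK02", "F110"}),
    SapUser("BASIS_ADMIN", profiles={"SAP_ALL"}, tcodes={"SU01", "PFCG"}),
    SapUser("WAREHOUSE", tcodes={"MIGO", "LT01"}),
]

if __name__ == "__main__":
    for sev, msg in review_users(SAMPLE_USERS):
        print(f"[{sev}] {msg}")
```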
We deliver a report with risk assessment, CVSS scoring, vulnerability descriptions, proof of exploit, a remediation plan and recommendations for the teams responsible for SAP. After fixes are implemented, we can carry out a retest.
An SAP penetration test begins by defining the scope: the systems in scope, the test type - whitebox, greybox or blackbox - and the business and audit objectives.
We then carry out reconnaissance and map the attack surface. We analyse entry points, integrations, roles, authorisations, interfaces, code and the technical configuration of the SAP environment.
During the testing phase we verify vulnerabilities, the possibility of privilege escalation, access to test data, integration risks and the business impact of identified weaknesses.
After testing, we prepare a report containing proof of exploit, CVSS scoring, a remediation plan, remediation priorities and recommended actions. The entire engagement follows OWASP, the SAP Pentest Framework and PTES.
After fixes are implemented, we can carry out a retest to confirm that the remediation was effective.
Technology stack
Partnerships backed by our team's certifications. Full authorisation for delivery and support.
Bank in the financial sector
S/4HANA penetration test ahead of go-live, a report for the Polish Financial Supervision Authority (KNF), and a retest following remediation.
Critical infrastructure operator
ECC and HANA penetration test ahead of an NIS2 audit, concluded with a prioritised remediation plan.
Industrial manufacturer
An annual cycle of SAP penetration tests across three countries, including regular progress reviews and verification of fix effectiveness.
An SAP penetration test requires familiarity with platform specifics: transactions, SU01/PFCG authorisations, RFC, IDoc, ABAP, SAP HANA SQL, Fiori and integrations with external systems. A classic web application pentest typically does not cover these vectors.
A standard test of a single system, such as ECC or S/4HANA, typically involves 3-4 weeks of testing plus 1-2 weeks for reporting. For a full, multi-system SAP landscape, a project usually takes 6-10 weeks.
It should not disrupt business operations, provided the scope and environment are properly planned. By default we work in a QA or pre-production environment configured to mirror production. Production testing is carried out only with the client's consent and in non-disruptive mode.
Yes. SAP penetration testing can support NIS2 compliance in the area of regularly assessing the security of critical systems. A report with risk assessment, CVSS scoring, a remediation plan and a retest can serve as evidence of due diligence for the board, an internal audit or a regulator.