
SAP penetration testing and security audits

Specialist penetration testing for SAP - ECC, S/4HANA, HANA, BTP, Fiori, HCM. A report with CVSS scoring, a remediation plan and the option of a retest. Evidence of due diligence for the board and auditors.

What your organisation gains

Evidence of due diligence

Regular security testing of critical systems is expected by auditors, boards and regulators. An SAP penetration test allows an organisation to document that it actively identifies and mitigates risks in its SAP environment.

Finding weaknesses before an attacker does

SAP systems support critical financial, logistics, production and HR processes. Penetration testing uncovers vulnerabilities in authorisations, integrations, ABAP code, and HANA, Fiori and BTP configuration before they become part of a real incident.

A concrete, prioritised remediation plan

The report is not simply a list of findings. Every risk is described in terms of business impact, criticality, remediation priority and a recommended action for the SAP, Basis, Security or Development teams.

Retesting after remediation

After fixes are implemented, we verify that vulnerabilities have been effectively removed. Without a retest, a penetration test easily becomes a one-off report rather than a genuine part of the security improvement process.

What we deliver on this project

SAP ECC and S/4HANA penetration testing

We test authorisations, custom ABAP, RFC, IDoc, transport management, security configuration and Segregation of Duties conflicts. Scope can include whitebox, greybox or blackbox testing.

SAP HANA and BTP penetration testing

We check SAP HANA vulnerabilities, SQL injection scenarios, BTP service configuration, the identity provider, SAP Cloud Connector and API integrations.

SAP Fiori and Portal penetration testing

We test SAP Fiori, SAP Portal and UI5 applications against the OWASP Top 10 and SAP-specific vectors. Scope includes JWT, CSRF, SAP Personas and vulnerabilities in custom user interfaces, among others.

SAP Code Vulnerability Analyzer

We scan custom ABAP code for vulnerabilities such as SQL injection, command injection, path traversal, hardcoded credentials and broken access control.

SoD and authorisation audit

We identify Segregation of Duties conflicts, excessive privileges, superuser profiles and risks associated with SAP_ALL and critical administrative transactions.

Report, remediation and retest

We deliver a report with risk assessment, CVSS scoring, vulnerability descriptions, proof of exploit, a remediation plan and recommendations for the teams responsible for SAP. After fixes are implemented, we can carry out a retest.

How we deliver projects in this area

An SAP penetration test begins by defining the scope: the systems in scope, the test type - whitebox, greybox or blackbox - and the business and audit objectives.

We then carry out reconnaissance and map the attack surface. We analyse entry points, integrations, roles, authorisations, interfaces, code and the technical configuration of the SAP environment.

During the testing phase we verify vulnerabilities, the possibility of privilege escalation, access to test data, integration risks and the business impact of identified weaknesses.

After testing, we prepare a report containing proof of exploit, CVSS scoring, a remediation plan, remediation priorities and recommended actions. The entire engagement follows OWASP, the SAP Pentest Framework and PTES.

After fixes are implemented, we can carry out a retest to confirm that the remediation was effective.

Technology stack

SAP ECC, SAP S/4HANA, SAP HANA, SAP NetWeaver, SAP BTP, SAP Fiori / UI5, SAP Cloud Connector, SAP Code Vulnerability Analyzer, Burp Suite, OWASP ZAP, Metasploit, PowerSAP, PySAP

Partnerships backed by our team's certifications. Full authorisation for delivery and support.

Where we have delivered similar solutions

Bank in the financial sector

S/4HANA penetration test ahead of go-live, a report for the Polish Financial Supervision Authority (KNF), and a retest following remediation.

Critical infrastructure operator

ECC and HANA penetration test ahead of an NIS2 audit, concluded with a prioritised remediation plan.

Industrial manufacturer

An annual cycle of SAP penetration tests across three countries, including regular progress reviews and verification of fix effectiveness.

FAQ - SAP Penetration Testing

How does an SAP penetration test differ from a classic application pentest?

An SAP penetration test requires familiarity with platform specifics: transactions, SU01/PFCG authorisations, RFC, IDoc, ABAP, SAP HANA SQL, Fiori and integrations with external systems. A classic web application pentest typically does not cover these vectors.

How long does an SAP penetration test take?

A standard test of a single system, such as ECC or S/4HANA, typically involves 3-4 weeks of testing plus 1-2 weeks for reporting. For a full, multi-system SAP landscape, a project usually takes 6-10 weeks.

Can an SAP penetration test disrupt production?

It should not, if the scope and environment are properly planned. By default we work in a QA or Pre-Production environment configured to mirror production. Production testing is carried out only with the client's consent and in non-disruptive mode.

Does penetration testing support NIS2 compliance?

Yes. SAP penetration testing can support NIS2 compliance in the area of regularly assessing the security of critical systems. A report with risk assessment, CVSS scoring, a remediation plan and a retest can serve as evidence of due diligence for the board, an internal audit or a regulator.
