360° Risk Analysis

Status Quo

The SAP 360° security analysis by SERPENTEQ is a comprehensive technical security review of your SAP system landscape with a clear focus on penetration testing, offensive attack simulations, and code-level security. We think like attackers — and find what automated scanners miss.

Our team of aggressive SAP security specialists actively and manually analyses your systems. The focus is not on compliance checklists, but on the question: How far can a real attacker get in your SAP environment?

Full overview

Offensive approach

  • Network-based attack vectors — Active enumeration of SAP services (message server, dispatcher, ICM, RFC gateway), exploitation of known SAP-specific CVEs
  • RFC gateway attacks — Exploitation of misconfigured gateway ACLs, registration of external RFC servers, command injection via external programs
  • SAP router & reverse proxy analysis — Identification of tunneling options and unsecured router string configurations
  • Privilege Escalation — Systematic exploitation of SoD conflicts, permission gaps and misuse of debug permissions (S_DEVELOP) for escalation of rights in production
  • Lateral Movement — Analysis of trusted RFC connections and system trust for movement between SAP clients and systems

Code Security & ABAP Security Review

  • Static Code Analysis (SAST) — Manual and tool-based testing of ABAP code for critical vulnerabilities:
    • SQL injection via Open SQL & Native SQL
    • Directory Traversal & Path Manipulation
    • OS command injection via CALL 'SYSTEM'
    • Unsafe file operations (OPEN DATASET)
    • Hardcoded credentials & keys in source code
  • Dynamic Code Analysis (DAST) — Runtime analysis of critical in-house developments and user exits under attack conditions
  • BSP/Fiori/UI5 Security — Review of web applications for XSS, CSRF and insecure authorization checks in the backend (OData services, BAPIs)
  • RFC-enabled function modules — Identification of unsafely exposed RFC-enabled function modules without authorization verification (AUTHORITY-CHECK)
  • Backdoor & Manipulation Detection — Search for hidden, damaged, or manipulated code in productive systems
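Two of the checks listed above, a missing AUTHORITY-CHECK in an RFC-enabled function module and SQL injection through a dynamic Open SQL WHERE clause, can be illustrated with a constructed ABAP example. This is an added example for readers of this page, not code from SERPENTEQ or from any customer system; the function module names, the table type ZTT_VENDORS and the use of vendor master table LFA1 with authorization object F_LFA1_GEN are assumptions chosen for illustration.

```abap
*&---------------------------------------------------------------------*
*& Constructed example: an RFC-enabled function module that exposes
*& vendor master data. First the weak form, then the hardened form.
*& ZTT_VENDORS is assumed to be a table type over LFA1.
*&---------------------------------------------------------------------*

FUNCTION z_get_vendor_data_weak.
*"----------------------------------------------------------------------
*"*"Local Interface (remote-enabled):
*"  IMPORTING
*"     VALUE(IV_NAME_FILTER) TYPE STRING
*"  EXPORTING
*"     VALUE(ET_VENDORS) TYPE ZTT_VENDORS
*"----------------------------------------------------------------------
  DATA lv_where TYPE string.

  " Weakness 1: no AUTHORITY-CHECK, so any RFC user who can call the
  " module (S_RFC on the function group) reads vendor master data.
  " Weakness 2: the caller-controlled filter is concatenated into the
  " dynamic WHERE clause. A value such as  x' OR name1 LIKE '%  changes
  " the query instead of being treated as data.
  lv_where = |name1 LIKE '{ iv_name_filter }'|.

  SELECT * FROM lfa1
    INTO TABLE @et_vendors
    WHERE (lv_where).
ENDFUNCTION.


FUNCTION z_get_vendor_data.
*"----------------------------------------------------------------------
*"*"Local Interface (remote-enabled):
*"  IMPORTING
*"     VALUE(IV_NAME_FILTER) TYPE STRING
*"  EXPORTING
*"     VALUE(ET_VENDORS) TYPE ZTT_VENDORS
*"  EXCEPTIONS
*"      NOT_AUTHORIZED
*"----------------------------------------------------------------------
  " Fix 1: explicit authorization check inside the module. S_RFC only
  " gates the call itself; it says nothing about the data returned.
  " F_LFA1_GEN / ACTVT 03 (display) is the standard object for vendor
  " master general data (assumed appropriate for this example).
  AUTHORITY-CHECK OBJECT 'F_LFA1_GEN'
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    RAISE not_authorized.
  ENDIF.

  " Fix 2: pass caller input as a host variable. Open SQL then binds it
  " as a value, so quotes and keywords in the filter cannot alter the
  " statement. This is the preferred form whenever the column is fixed.
  SELECT * FROM lfa1
    INTO TABLE @et_vendors
    WHERE name1 LIKE @iv_name_filter.
ENDFUNCTION.


FUNCTION z_get_vendor_data_dyn.
*"----------------------------------------------------------------------
*"*"Local Interface (remote-enabled):
*"  IMPORTING
*"     VALUE(IV_NAME_FILTER) TYPE STRING
*"  EXPORTING
*"     VALUE(ET_VENDORS) TYPE ZTT_VENDORS
*"  EXCEPTIONS
*"      NOT_AUTHORIZED
*"----------------------------------------------------------------------
  " Variant for cases where a dynamic WHERE clause is genuinely needed:
  " cl_abap_dyn_prg=>quote( ) wraps the value in single quotes and
  " doubles any embedded quote, so the input stays a literal.
  AUTHORITY-CHECK OBJECT 'F_LFA1_GEN'
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    RAISE not_authorized.
  ENDIF.

  DATA(lv_where) = |name1 LIKE { cl_abap_dyn_prg=>quote( iv_name_filter ) }|.

  SELECT * FROM lfa1
    INTO TABLE @et_vendors
    WHERE (lv_where).
ENDFUNCTION.
```

When reviewing RFC-enabled modules, the two questions the example raises are the ones a SAST rule or a manual reviewer asks first: is there an AUTHORITY-CHECK on the data actually returned (not just S_RFC on the call), and does any caller-controlled value reach a dynamic token of a SELECT, OPEN DATASET or CALL 'SYSTEM' statement without going through a host variable or the cl_abap_dyn_prg escaping methods.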

Outcome & Deliverables

  • Technical Findings Report — Complete documentation of all vulnerabilities
  • Attack Path visualization — Graphical presentation of real attack chains from initial access to complete system compromise
  • Prioritized Remediation Plan — Specific fixes at code and configuration levels, not abstract recommendations
  • Executive Summary — Compact risk assessment for management and CISO

Find out more

C-Level Awareness

Dive into SAP cybersecurity with us as a C-level manager.

Managed Service

Automated, continuous 360° monitoring of the cybersecurity of entire SAP system landscapes.

Penetration Testing

Evaluate existing vulnerabilities in SAP systems using black or gray box pentests.

From individual SAP applications to complex SAP landscapes — our solutions are scalable, powerful and take your security to the next level.

An overview of our solutions
50+ Companies rely on our expertise
We DO SAP Cybersecurity

Maximize the security of your SAP systems with us.