SAP security assessment

Find what an SoD matrix can't see.

NetWeaver · ABAP · HANA · Fiori · SAProuter, tested by hand for RFC gateway abuse, authority-object chaining, segregation-of-duties violations that move money, ICMAD-class memory corruption, RECON-class unauthenticated user creation, and custom-ABAP injection. Every finding lands with a working proof-of-exploit, code-level fix guidance, and a re-test.

See the SAP attack paths
Four SAP surfaces, NetWeaver/ABAP, HANA, Fiori, SAProuter, converging on one central proof-of-exploit; the NetWeaver tile is highlighted as the exploited finding.

Four SAP surfaces

NetWeaver/ABAP · HANA · Fiori · SAProuter, one method, four control points.

Evidence

Working proof-of-exploit and ABAP-level fix guidance on every finding.

Re-test included

We verify your fixes at no extra cost. One engagement, closed loop.

Why now

The window from vulnerability discovery to exploitation has gone from weeks to hours.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

On record

Accredited testers, audited handling.

CREST is the standard for offensive security execution. CERT-In, SOC 2 Type II, and ISO/IEC 27001 cover how SecureLayer7 handles your SAP landscape, your transport requests, and your engagement record.

  • CERT-In empanelled auditor: Empanelled VAPT auditor · India CERT
  • RBI CSF: Banking sector cybersecurity framework
  • SEBI CSCRF: Capital-market cyber resilience framework
  • CREST accredited: Tester accreditation
  • ISO/IEC 27001: Information security management

Why a role review isn't a pentest

An SoD matrix that passes is not a chain that holds.

GRC tooling and SoD matrices report what your SAP landscape looks like on paper: which authorization objects each user holds, which transactions sit inside which role. A pentest reports what an attacker can actually do with that landscape. SecureLayer7's operators chain those individually passing rows (S_TCODE for MM02, S_TCODE for FB01, an open RFC trust to the production system) into the proof-of-exploit your basis team can fix and your auditor will accept.

Two columns side by side, what an SAP role / SoD audit reports on the left, and the chained authorization-object exploit each becomes in a manual pentest on the right, terminating in one orange node.

IN SCOPE.

Where we look inside your SAP estate.

ROLES + SOD
Chained authorisations

SAP_ALL leakage, transaction-code combinations the SoD matrix passes, S_RFC + S_TCODE chains.

RFC + GATEWAY
External interfaces

Gateway ACL gaps, registered RFC servers, ABAP-to-Java trust, SOAP / OData endpoints exposed.

CUSTOM ABAP
Code-injection paths

Open SQL injection, directory traversal in custom Z* programs, OS-command via CALL SYSTEM.

BTP + INTEGRATIONS
Cloud + middleware

BTP destinations, Cloud Connector trust, S/4HANA Cloud APIs, IDP federation across landscapes.

What we test.

Six SAP surfaces. One engagement.

Every layer of the SAP landscape gets a manual, threat-modelled review against its real attack surface — kernel, database, presentation, transport, custom code, and authorization. Intensity tunes per scope.

NetWeaver / ABAP kernel

RECON-class unauth user creation (CVE-2020-6287 family), ICMAD memory corruption (CVE-2022-22536 family), authority-object bypass against S_TCODE / S_DEVELOP / S_RFC, ABAP code injection in dynamic CALL TRANSACTION and EXECUTE IMMEDIATELY, transport-request abuse, message server unauthenticated registration.

SAP HANA

SQL injection in custom procedures, SYSTEM privilege escalation, cross-schema access via shared CDS views, _SYS_REPO mis-grants, encryption-at-rest verification, audit-policy gaps, XSA tenant boundary bypass, replication-route abuse on system replication.

S/4HANA & ECC business logic

Segregation-of-duties chains that move money — vendor master maintenance + invoice posting + payment release in one user; F110 payment program abuse via spoofed bank master; MIRO three-way-match bypass; goods-receipt reversal-and-repost flows that paper over inventory shrink.
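One way to make a chain like this visible, covering both the "passing rows" point above and the money-moving SoD chain just described: resolve each user's effective T-codes through derived-role inheritance and test the whole chain (vendor master maintenance, invoice posting, payment release) rather than each role row on its own. This is an added example, not SecureLayer7's tooling or an SAP API; every role name, user and assignment below is constructed sample data.

```python
# Added example (not SecureLayer7's tooling): effective-authorisation check that
# resolves users -> roles -> T-codes (following derived-role inheritance) and
# flags segregation-of-duties chains a per-role SoD matrix passes row by row.
# All role, user and T-code assignments here are constructed sample data.

# Constructed role catalog: role -> set of S_TCODE values it grants.
ROLES = {
    "Z_AP_CLERK": {"FB60", "MIRO"},        # invoice posting
    "Z_VENDOR_MASTER": {"XK01", "XK02"},   # vendor master create / change
    "Z_TREASURY": {"F110"},                # payment program
    "Z_MM_BUYER": {"ME21N", "MM02"},       # purchasing
}

# Constructed derived-role inheritance: child role inherits the parent's T-codes.
DERIVED_FROM = {"Z_AP_CLERK_IN": "Z_AP_CLERK"}

# Constructed user -> roles assignment.
USERS = {
    "alice": {"Z_AP_CLERK_IN", "Z_VENDOR_MASTER", "Z_TREASURY"},
    "bob": {"Z_MM_BUYER"},
    "carol": {"Z_VENDOR_MASTER", "Z_TREASURY"},
}

# A chain fires only when the user holds at least one T-code from every
# function in it. The three-function chain is the "moves money" case.
SOD_CHAINS = {
    "vendor-master + invoice + payment": [
        {"XK01", "XK02", "MK01", "MK02"}, {"FB60", "MIRO", "FB01"}, {"F110"},
    ],
    "vendor-master + payment": [{"XK01", "XK02", "MK01", "MK02"}, {"F110"}],
}


def effective_tcodes(role):
    """T-codes a role grants, including everything inherited from parent roles."""
    tcodes = set(ROLES.get(role, set()))
    parent = DERIVED_FROM.get(role)
    while parent:
        tcodes |= ROLES.get(parent, set())
        parent = DERIVED_FROM.get(parent)
    return tcodes


def user_tcodes(user):
    """Union of effective T-codes across every role assigned to the user."""
    return set().union(*(effective_tcodes(r) for r in USERS[user]))


def sod_violations(user):
    """Names of every SoD chain this single user can execute end to end."""
    held = user_tcodes(user)
    return sorted(name for name, chain in SOD_CHAINS.items()
                  if all(held & function for function in chain))
```

Note that "alice" holds no invoice T-code directly; it arrives through Z_AP_CLERK_IN's parent role, which is exactly the inheritance a role-level review misses.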

Fiori / UI5 frontend

OData service authorisation gaps, CSRF token reuse across sessions, UI5 mock-data leakage, Launchpad role-hiding bypass, Gateway service /sap/opu/odata/ exposure, web-dispatcher header-rewrite abuse, BSP application chained-XSS to ABAP RFC.

SAProuter & RFC Gateway

Gateway ACL bypass (reginfo / secinfo gaps), unauthenticated RFC server registration, message-server SXM access, SAProuter route-permission leakage, DIAG / RFC protocol replay where TLS isn't terminated, exposure of internal load-balancer behind public listener.

Custom Z* code & roles

Z-program authority-check omissions, hardcoded SAP* / DDIC credentials in customer transports, ABAP open-SQL injection in customer namespaces, role/profile drift between DEV and PROD landscapes, derived-role inheritance abuse, GRC mitigations that whitelist the chain rather than break it.

SAP METHODOLOGY.

Eight phases. Landscape to transaction.

Threat-modelled to your SAP landscape (clients, RFC trust, custom Z* footprint, GRC mitigations). Not a generic SAP checklist we run against every customer.

  1. Scope & threat-model

     Landscape topology, client boundaries, RFC trust graph, GRC and SoD-ruleset baseline mapped before any traffic.

  2. Recon & enumeration

     External exposure of SAProuter, Web Dispatcher, Fiori Launchpad, ICM ports. Internal enumeration of message servers, gateway listeners, attached HANA tenants, RFC destinations.

  3. Authorization review

     GRC, SoD, and authority-object snapshots collected as leads to chase, not findings to ship. Drift between role design and effective authorisation highlighted.

  4. Authority exploitation

     Authority-object chaining across S_TCODE, S_DEVELOP, S_RFC; derived-role inheritance abuse; GRC mitigation bypass; default SAP*, DDIC, and EARLYWATCH paths exercised to credential or transaction takeover.

  5. Kernel & RFC exploitation

     RECON-class auth bypass, ICMAD-class memory corruption, RFC gateway ACL bypass, message-server registration abuse, HANA SYSTEM-privilege escalation, cross-schema CDS pivots, XSA tenant boundary tests.

  6. Vulnerability analysis

     Findings correlated, chained into business-impact paths (vendor payout, payroll spoof, inventory shrink, SoX bypass) and scored with SAP-aware blast radius rather than CVSS in isolation.

  7. Remediation guidance

     ABAP patch notes, SAP Note IDs, role-redesign diffs, GRC ruleset corrections, transport-request templates, SAProuter and gateway ACL deltas. Written for basis and security architects, not auditors.

  8. Patch verification

     Every finding re-tested after your team ships the SAP Note or role change, at no extra cost. Written confirmation each path is closed.

Meet our expert


Nivedita Singh

Security Advisor & Engagement Lead

10+

Years in offensive security

300+

Engagements led

99.7%

On-time delivery rate

Nivedita scopes SAP-pentest engagements against your landscape topology, RFC trust graph, custom Z* footprint, and GRC ruleset. She guides the pod from kick-off through final report and remediation review with your basis and audit teams.

  • Scopes NetWeaver, S/4HANA, ECC, and HANA engagements against your real risk model.
  • Owns kick-off, mid-engagement check-ins, and live walkthrough with basis and audit.
  • Drives remediation review and re-test until every chained authorization path is closed.
SL7 Lab. Published CVE research.

Ready to scope an SAP pentest? Book 30 minutes with Nivedita to walk through your landscape, RFC trust, and timeline.

Tested by industry.

The bug classes named below come from real engagements in each sector. Pick the closest fit.

FinTech

SAP for banking treasury, S/4HANA financial close, custody adjacency.

Retail

SAP retail merchandising, vendor master, store-replenishment data flows.

Tech SaaS

SAP for SaaS finance & ops, BTP integrations, identity sync to AD/Entra.

Built for India engagements

What changes when we deliver here.

  • Compliance scoping

    SoD conflict matrix built against your role catalog

  • Regulatory framework

    RBI ERP clauses and SEBI CSCRF Identify-2 cited per finding

  • Local engagements

    S/4HANA review for Indian manufacturing and BFSI clients

  • Local pricing

    INR per-system-tier pricing with GST

  • Compliance scoping

    SAP Security Note ID referenced per gateway and ICM finding

SAP security questions Indian CISOs raise.

  • Do you cover SoD across S/4HANA roles?

    Yes. The conflict matrix is built per your role catalog. Each conflict cites the affected T-codes and the RBI ERP control violated.

  • RFC destination abuse paths reviewed?

    Yes. Trusted RFC, RFC callback and SM59 destinations are mapped. The report shows the chain and the system boundary crossed.

  • ICM, gateway and Solman in scope?

    Yes. ICM ACL, gateway secinfo/reginfo and Solman privileged paths reviewed. Findings tag the SAP Security Note ID and the RBI clause.

  • How is SEBI CSCRF Identify-2 evidence built?

    Asset inventory, role inventory and SoD conflict registry ship as annexures. Each maps to the SEBI v2 workbook line.

Delivery in India

SAP SoD and RFC review. RBI ERP-aligned.

Roles, SoD conflicts, RFC destinations, ICM and Solman paths reviewed. RBI Master Direction ERP clauses and SEBI CSCRF Identify-2 cited per finding.

Direct line: +91-20-71600505
Office: Pune, Maharashtra, India

Frameworks scoped: CERT-In · DPDP Act · RBI CSF · SEBI CSCRF · ISO/IEC 27001 · PCI DSS.

Sample SAP pentest report, kill-chain · evidence · remediation

Sample engagement report

See what arrives in your inbox.

A pre-vetted sample report: full vulnerability narrative, working PoC against an SAP authority-object chain, ABAP-level fix guidance, and SAP Note references. Sent on request after a 5-minute scoping call.