SAP security assessment

Research-led SAP pentest, NetWeaver to HANA, end to end.

CREST-accredited researchers test SAP NetWeaver, S/4HANA, ABAP custom code, SAP Gateway, and HANA databases. RFC abuse, SAPRouter exposure, ICM exploitation, and the bugs procurement teams want before signing.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

Why this matters

Most SAP pentests are network scans with an SAP cover sheet.

  • Generic pentest firms run nmap against SAP ports and call it 'SAP testing.' RFC, ICM, and ABAP custom-code bugs stay hidden.

  • Standard pentest tooling does not speak DIAG, RFC, or SOAP-RFC. The bugs that actually compromise SAP live in those protocols.

  • Procurement and SAP security RFPs explicitly ask for SAP-specific testing methodology. Generic reports get rejected at vendor stage.

Here is what we ship.

Why teams pick us

SAP-specific testing, not nmap with a logo.

  • Protocol-aware testing

    DIAG, RFC, SOAP-RFC, Gateway, ICM, Message Server. The protocols where SAP bugs actually live.

  • ABAP custom-code review

    Custom Z* and Y* code, RFC-enabled function modules, user exits, and CDS view authorisations.

  • HANA and Fiori coverage

    HANA SQL injection, XS Advanced services, Fiori app authorisations, and the S/4HANA front-end.

How it works

From intro to report in two to three weeks.

  1. Scope SAP landscape

    Tell us your NetWeaver and S/4HANA versions, custom ABAP footprint, Gateway exposure, and HANA topology.

  2. Researchers test the protocols

    DIAG, RFC, SOAP-RFC, ICM, Message Server, HANA SQL. ABAP custom code reviewed.

  3. Report procurement accepts

    Findings tagged to SAP-specific notes and controls. RFP-ready format.

Research ledger

Coordinated disclosures published by SL7 research.

The same researchers run your engagement.

What founders say

Thank you for being our pentest partners. Our user base is safer because of y'all.
Vinay Hiremath

Co-founder, Loom

Common questions

What buyers ask before they sign.

Which SAP versions?
NetWeaver 7.0 through 7.5, S/4HANA 1909 through 2022, HANA 1.0 and 2.0, BTP, Fiori, GRC.
Do you cover ABAP custom code?
Yes. Z* and Y* code review, RFC-enabled FMs, user exits, BAdIs, and CDS view authorisations.
Will you find RFC abuse?
Yes. SAPRouter exposure, Gateway monitor bypass, RFC callback chains, trusted-RFC abuse.
Is it safe on production?
Yes. Read-only and recon by default. Destructive actions require explicit per-finding approval.
Do procurement teams accept the report?
Yes. RFP-ready, mapped to SAP security notes and ISO 27001 Annex A controls.

Ready to test SAP the way SAP attackers do?

20-minute scoping call with the lead SAP pentester. NetWeaver, HANA, ABAP, and the procurement-ready report.

CREST · CERT-In · SOC 2 · ISO 27001