SAP Security Platform & Services
One platform. Full SAP security coverage.
RedRays secures your SAP landscape end to end - from continuous automated scanning to hands-on penetration testing, ABAP code security, threat modeling and incident response - so the systems that run your business stay secure, compliant and ready to grow. On-premise, cloud or hybrid: S/4HANA, NetWeaver, AS Java, SAP BTP and HANA, covered by one specialist team.
Trusted by the companies that run on SAP
What we do
End-to-end SAP security - automated detection and expert offensive testing, on-premise and in the cloud. Every service is delivered by SAP security specialists, not generalists with a checklist.
SAP Penetration Testing
Black, grey and white-box testing by researchers who have found 150+ SAP zero-days - real attack paths, proof of exploitability and a clear remediation plan.
SAP Vulnerability Assessment
A complete picture of weaknesses across your SAP landscape - missing SAP Security Notes, insecure configurations and exposed services, prioritized by business risk.
SAP BTP & Cloud Pentest
Offensive testing for S/4HANA Cloud, SAP BTP, IAS, Build Work Zone and Cloud Connector - including lateral movement between cloud and on-premise zones.
Hybrid SAP Pentest
For consultancies and internal red teams: our platform runs the automated discovery, your team drives the manual exploitation - one combined engagement.
ABAP Code Scan
Static analysis of custom ABAP code for injections, missing authority checks, backdoors and hardcoded credentials - before they reach production.
SAP Threat Modeling
Map the connections, trust relationships and data flows between your SAP systems to see how an attacker could move through the landscape.
RedRays Security Platform
Continuous SAP vulnerability management - scan, assess and monitor every system in your landscape from one SAP-certified console.
SAP Security Training
Hands-on, instructor-led SAP security training that teaches your team to think like an attacker - and to defend like one.
Under Attack? Incident Response
Suspect a breach in SAP? Immediate triage, containment and hardening from a team that knows exactly where attackers hide in SAP.
ABAP Code Scan is also available as an SAP BTP app and an Eclipse plugin.
How it works
Every engagement follows the same simple loop - whether you run one SAP system or three hundred.
Assess
We map your SAP landscape and scan every system for missing SAP Security Notes, dangerous configurations and vulnerable custom code - a full picture of each system in under one hour.
Test
Our researchers validate what matters. Penetration testing proves which findings are actually exploitable in your environment, so you fix real risk instead of chasing noise.
Fix
You receive a prioritized remediation plan in business language - what to patch, what to reconfigure and what to escalate, with guidance your BASIS and security teams can act on immediately.
Monitor
The RedRays Security Platform keeps watch continuously, catching new vulnerabilities, drifting configurations and risky changes as your landscape grows and evolves.
RedRays Security Platform
An SAP-certified platform that continuously scans, assesses and monitors your SAP landscape - detecting configuration issues, missing SAP Security Notes, vulnerabilities and custom-code flaws before attackers do.
Why RedRays
Most security vendors treat SAP as just another system on the network. We do the opposite: SAP security is all we do, and we have done it for more than 15 years. That focus matters, because SAP has its own protocols, its own authorization model, its own programming language and its own attack surface - and generic scanners and generalist pentesters simply do not see most of it.
We build our own technology instead of reselling someone else's. The RedRays Security Platform is SAP-certified for vulnerability assessment and detects more than 1,000 configuration issues and 4,000 vulnerabilities across S/4HANA, NetWeaver, AS Java, BTP and HANA - with a full analysis of a system in under one hour. The same checks our consultants rely on in penetration tests run continuously for our platform customers.
Everything is grounded in original research. RedRays researchers have discovered more than 150 zero-day vulnerabilities in SAP products, identified 99% of the vulnerabilities SAP has fixed since 2010, and present that work at international security conferences. When a new SAP threat appears, we are usually among the first to understand it - and our customers benefit the same week, not the next release cycle.
And we give back to the community that defends SAP. RedRays maintains the official OWASP ABAP Code Security Scanner, partners with Checkmarx on SAP code security and publishes real attack research openly on GitHub and YouTube. You can verify our expertise before you ever sign a contract.
Recognized, certified, community-trusted
RedRays doesn't just sell SAP security - we help define it.
We maintain the OWASP ABAP scanner
RedRays builds and maintains the official OWASP ABAP Code Security Scanner project.
Checkmarx partner
End-to-end security for your critical SAP code, together with Checkmarx.
SAP-certified platform
The RedRays Security Platform is SAP-certified for SAP vulnerability assessment.
Research-led SAP security
We don't just run tools - we find the vulnerabilities. RedRays researchers have discovered 150+ zero-day vulnerabilities and identified 99% of the vulnerabilities SAP has fixed since 2010, and present regularly at international security conferences.
Case study: six zero-days, one low-privileged user
In November 2023, RedRays presented a public SAP penetration testing example that shows what a determined attacker can really achieve. Starting from a single low-privileged user on the network, our researchers chained six zero-day vulnerabilities to compromise both the SAP Cloud and the SAP on-premise landscape. The full technical walkthrough is public - read it, replay it, and then ask whether your own landscape would hold.
Securing SAP across industries
The systems that run the enterprise - protected in every sector that depends on SAP, from regulated banking environments to 24/7 manufacturing lines where downtime is not an option.
Start your free 3-month trial
See how the RedRays Security Platform secures your SAP landscape - free for three months, no strings attached.
SAP security FAQ
What does RedRays do?
RedRays secures SAP systems end to end. We combine the SAP-certified RedRays Security Platform for continuous vulnerability management with expert services: SAP penetration testing, vulnerability assessment, ABAP code scanning, threat modeling, cloud and BTP testing, security training and incident response. One specialist partner covers the full lifecycle, from the first assessment to ongoing monitoring.
What is the RedRays Security Platform?
An SAP-certified platform that continuously scans, assesses and monitors your SAP landscape. It detects 1,000+ configuration issues and 4,000+ vulnerabilities across SAP platforms, checks for missing SAP Security Notes and analyses a full SAP system in under one hour. Editions are available for enterprises, consultants and penetration testers, and a free 3-month trial is included.
Which SAP systems does RedRays secure?
S/4HANA, SAP ABAP / NetWeaver, SAP AS Java, SAP BTP, SAP Cloud services (IAS, Build Work Zone, Cloud Connector) and HANA - on-premise, in the cloud and in hybrid landscapes. If it is part of your SAP estate, we can assess it.
What makes RedRays different?
Deep, exclusive SAP focus backed by original research. RedRays researchers have discovered 150+ zero-day vulnerabilities and identified 99% of the vulnerabilities SAP has fixed since 2010. We build our own SAP-certified platform, maintain the official OWASP ABAP Code Security Scanner and publish real attack research, including a public case study chaining six zero-days across SAP cloud and on-premise systems.
Does RedRays cover SAP cloud and BTP?
Yes. RedRays tests and secures S/4HANA Cloud, SAP BTP, IAS / CIS, Build Work Zone and Cloud Connector, including cross-zone lateral movement (BTP to Cloud Connector to S/4HANA). Our November 2023 public research demonstrated a full compromise of both SAP cloud and on-premise landscapes starting from a single low-privileged user.
Is there a free trial of the RedRays Security Platform?
Yes. You can evaluate the full RedRays Security Platform free for three months - scan your own systems, review real findings and see the reporting before you commit. Start from the platform page or book a demo and we will set it up with you.
How do I get started with RedRays?
Send us a short note through the contact form describing your SAP landscape - number of systems, on-premise or cloud, and what worries you most. Our SAP security experts will respond with a suggested scope, whether that is a platform trial, a vulnerability assessment or a full penetration test.
Ready to secure your SAP?
Tell us about your SAP landscape - our SAP security experts will get back to you.
