SAP Security · Platform & Services

One platform. Full SAP security coverage.

RedRays secures your SAP landscape end to end - from continuous automated scanning to hands-on penetration testing, ABAP code security, threat modeling and incident response - so the systems that run your business stay secure, compliant and ready to grow. On-premise, cloud or hybrid: S/4HANA, NetWeaver, AS Java, SAP BTP and HANA, covered by one specialist team.

[Diagram: Your SAP landscape (S/4HANA BTP ABAP Cloud) → RedRays Security Platform (continuous scan · assess · monitor) → Secured & compliant. Services shown: Vulnerability Assessment, Penetration Testing, Cloud & BTP Pentest, ABAP Code Scan, Threat Modeling, Incident Response.]

Trusted by the companies that run on SAP

IBM SAP Partner AGT Cenobe RedRays client Protiviti LRQA
15+ yrs specialized in SAP security
150+ 0-day vulnerabilities discovered
4,000+ vulnerabilities detected across SAP
99% of SAP-fixed vulns identified since 2010
Services

What we do

End-to-end SAP security - automated detection and expert offensive testing, on-premise and in the cloud. Every service is delivered by SAP security specialists, not generalists with a checklist.

Offensive

SAP Penetration Testing

Black, grey and white-box testing by researchers who have found 150+ SAP zero-days - real attack paths, proof of exploitability and a clear remediation plan.

Assess

SAP Vulnerability Assessment

A complete picture of weaknesses across your SAP landscape - missing SAP Security Notes, insecure configurations and exposed services, prioritized by business risk.

Cloud

SAP BTP & Cloud Pentest

Offensive testing for S/4HANA Cloud, SAP BTP, IAS, Build Work Zone and Cloud Connector - including lateral movement between cloud and on-premise zones.

For partners

Hybrid SAP Pentest

For consultancies and internal red teams: our platform runs the automated discovery, your team drives the manual exploitation - one combined engagement.

Code

ABAP Code Scan

Static analysis of custom ABAP code for injections, missing authority checks, backdoors and hardcoded credentials - before they reach production.

Design

SAP Threat Modeling

Map the connections, trust relationships and data flows between your SAP systems to see how an attacker could move through the landscape.

Platform

RedRays Security Platform

Continuous SAP vulnerability management - scan, assess and monitor every system in your landscape from one SAP-certified console.

Learn

SAP Security Training

Hands-on, instructor-led SAP security training that teaches your team to think like an attacker - and to defend like one.

Emergency

Under Attack? Incident Response

Suspect a breach in SAP? Immediate triage, containment and hardening from a team that knows exactly where attackers hide in SAP.


ABAP Code Scan is also available as an SAP BTP app and an Eclipse plugin.

Process

How it works

Every engagement follows the same simple loop - whether you run one SAP system or three hundred.

1. Assess

We map your SAP landscape and scan every system for missing SAP Security Notes, dangerous configurations and vulnerable custom code - a full picture of each system in under one hour.

2. Test

Our researchers validate what matters. Penetration testing proves which findings are actually exploitable in your environment, so you fix real risk instead of chasing noise.

3. Fix

You receive a prioritized remediation plan in business language - what to patch, what to reconfigure and what to escalate, with guidance your BASIS and security teams can act on immediately.

4. Monitor

The RedRays Security Platform keeps watch continuously, catching new vulnerabilities, drifting configurations and risky changes as your landscape grows and evolves.

RedRays Security Platform

An SAP-certified platform that continuously scans, assesses and monitors your SAP landscape - detecting configuration issues, missing SAP Security Notes, vulnerabilities and custom-code flaws before attackers do.

1,000+ configuration issues detected
4,000+ vulnerabilities across SAP platforms
< 1 hour to analyse an SAP system
Why us

Why RedRays

Most security vendors treat SAP as just another system on the network. We do the opposite: SAP security is all we do, and we have done it for more than 15 years. That focus matters, because SAP has its own protocols, its own authorization model, its own programming language and its own attack surface - and generic scanners and generalist pentesters simply do not see most of it.

We build our own technology instead of reselling someone else's. The RedRays Security Platform is SAP-certified for vulnerability assessment and detects more than 1,000 configuration issues and 4,000 vulnerabilities across S/4HANA, NetWeaver, AS Java, BTP and HANA - with a full analysis of a system in under one hour. The same checks our consultants rely on in penetration tests run continuously for our platform customers.

Everything is grounded in original research. RedRays researchers have discovered more than 150 zero-day vulnerabilities in SAP products, identified 99% of the vulnerabilities SAP has fixed since 2010, and present that work at international security conferences. When a new SAP threat appears, we are usually among the first to understand it - and our customers benefit the same week, not the next release cycle.

And we give back to the community that defends SAP. RedRays maintains the official OWASP ABAP Code Security Scanner, partners with Checkmarx on SAP code security and publishes real attack research openly on GitHub and YouTube. You can verify our expertise before you ever sign a contract.

Credentials

Recognized, certified, community-trusted

RedRays doesn't just sell SAP security - we help define it.

Research

Research-led SAP security

We don't just run tools - we find the vulnerabilities. RedRays researchers have discovered 150+ zero-day vulnerabilities and identified 99% of the vulnerabilities SAP has fixed since 2010, and present regularly at international security conferences.

150+ zero-day SAP vulnerabilities discovered by the RedRays team

Real-world proof

Case study: six zero-days, one low-privileged user

In November 2023, RedRays presented a public SAP penetration testing example that shows what a determined attacker can really achieve. Starting from a single low-privileged user on the network, our researchers chained six zero-day vulnerabilities to compromise both the SAP Cloud and the SAP on-premise landscape. The full technical walkthrough is public - read it, replay it, and then ask whether your own landscape would hold.

6 zero-day vulnerabilities chained
Cloud + on-prem: both SAP landscapes compromised
1 low-priv user: the only starting foothold
Industries

Securing SAP across industries

The systems that run the enterprise - protected in every sector that depends on SAP, from regulated banking environments to 24/7 manufacturing lines where downtime is not an option.

Banking & Finance, Energy & Utilities, Manufacturing, Oil & Gas, Retail, Pharma & Healthcare, Public Sector, Telecom

Start your free 3-month trial

See how the RedRays Security Platform secures your SAP landscape - free for three months, no strings attached.

FAQ

SAP security FAQ

What does RedRays do?

RedRays secures SAP systems end to end. We combine the SAP-certified RedRays Security Platform for continuous vulnerability management with expert services: SAP penetration testing, vulnerability assessment, ABAP code scanning, threat modeling, cloud and BTP testing, security training and incident response. One specialist partner covers the full lifecycle, from the first assessment to ongoing monitoring.

What is the RedRays Security Platform?

An SAP-certified platform that continuously scans, assesses and monitors your SAP landscape. It detects 1,000+ configuration issues and 4,000+ vulnerabilities across SAP platforms, checks for missing SAP Security Notes and analyses a full SAP system in under one hour. Editions are available for enterprises, consultants and penetration testers, and a free 3-month trial is included.

Which SAP systems does RedRays secure?

S/4HANA, SAP ABAP / NetWeaver, SAP AS Java, SAP BTP, SAP Cloud services (IAS, Build Work Zone, Cloud Connector) and HANA - on-premise, in the cloud and in hybrid landscapes. If it is part of your SAP estate, we can assess it.

What makes RedRays different?

Deep, exclusive SAP focus backed by original research. RedRays researchers have discovered 150+ zero-day vulnerabilities and identified 99% of the vulnerabilities SAP has fixed since 2010. We build our own SAP-certified platform, maintain the official OWASP ABAP Code Security Scanner and publish real attack research, including a public case study chaining six zero-days across SAP cloud and on-premise systems.

Does RedRays cover SAP cloud and BTP?

Yes. RedRays tests and secures S/4HANA Cloud, SAP BTP, IAS / CIS, Build Work Zone and Cloud Connector, including cross-zone lateral movement (BTP to Cloud Connector to S/4HANA). Our November 2023 public research demonstrated a full compromise of both SAP cloud and on-premise landscapes starting from a single low-privileged user.

Is there a free trial of the RedRays Security Platform?

Yes. You can evaluate the full RedRays Security Platform free for three months - scan your own systems, review real findings and see the reporting before you commit. Start from the platform page or book a demo and we will set it up with you.

How do I get started with RedRays?

Send us a short note through the contact form describing your SAP landscape - number of systems, on-premise or cloud, and what worries you most. Our SAP security experts will respond with a suggested scope, whether that is a platform trial, a vulnerability assessment or a full penetration test.

Ready to secure your SAP?

Tell us about your SAP landscape - our SAP security experts will get back to you.