Skip links
SAP Security · Cloud & BTP

SAP BTP and Cloud Penetration Testing

SAP Cloud Penetration Testing is a targeted security assessment of your SAP cloud footprint - S/4HANA (Public / Private Cloud or HANA Enterprise Cloud), SAP Business Technology Platform (BTP), SAP Build Work Zone, SAP Cloud Identity Services (IAS / CIS) and SAP Cloud Connector - delivered by senior SAP security consultants using a grey-box methodology.

Request a cloud pentest See our methodology
Your SAP Cloud S/4HANA BTP IAS Cloud Conn. 1 Discovery &reconnaissance 2 S/4HANA coreGateway · MS · ICM 3 BTP & IASXSUAA · trust · IdP 4 Cloud ConnectorSSFS · OS-layer 5 PrivilegeBTP→CC→S/4HANA Prioritized report

Join the companies trusting us

IBM SAP Partner AGT Cenobe Client logo Protiviti LRQA

What is SAP Cloud Penetration Testing?

SAP Cloud Penetration Testing is a targeted security assessment of an organization's SAP cloud footprint - S/4HANA, SAP BTP, SAP Build Work Zone, SAP Cloud Identity Services (IAS / CIS) and SAP Cloud Connector - that finds and safely proves exploitable weaknesses before an attacker does.

Unlike on-premise SAP environments, SAP Cloud landscapes mix multiple trust zones: a cloud control plane (BTP), an identity provider (IAS) federated with the corporate IdP, an externally exposed launchpad (Build Work Zone) and a bridge back to on-premise systems (Cloud Connector). A misconfiguration in any one of them can open a path across the whole landscape.

RedRays' grey-box methodology covers all four attacker models (external without credentials, external with credentials, internal without credentials, internal with credentials) and every privilege level - from anonymous to administrator.

Cloud systems we test

End-to-end coverage across the SAP cloud stack - control plane, identity, launchpad, integration and the bridge to on-premise.

S/4HANA (Cloud)

SAP S/4HANA

ABAP stack, Gateway, Message Server, ICM, Web Dispatcher, HANA 2.0 database security and the authorization model - including FFID and debug-access populations.

Control plane

SAP BTP

Global account, subaccounts, Entitlements, Destinations, Role Collections, XSUAA, trust setup with IAS, and Cloud Foundry / Kyma / ABAP environment.

Launchpad

SAP Build Work Zone

External Fiori Launchpad: sites, roles, content providers, tile visibility, trust with the S/4HANA content provider, and custom extensions.

Identity

SAP IAS / CIS

Identity Authentication Service: authentication policies, SAML / OIDC trust, shadow users, JIT provisioning, token validation and session lifecycle.

Bridge to on-prem

SAP Cloud Connector

OS-layer host pentest, Secure Storage (SSFS), system mappings, resource rules, trust store, Admin UI exposure, and LPE / NTLM-relay scenarios.

Integration

SAP CPI & Integrations

Per-iFlow review, sender / receiver adapters, Security Material, principal propagation, RFC / REST / SOAP / OData interfaces, and SAP Router.

Our SAP penetration testing example

In November 2023 we presented a public SAP penetration testing example: compromising SAP Cloud and SAP on-premise landscapes from a low-privileged user on the network by chaining six zero-day vulnerabilities.

6zero-day vulnerabilities chained
Cloud + on-premlandscape compromised
Low-priv userstarting foothold
RedRays SAP penetration testing example - compromising SAP cloud and on-premise from a low-privileged user
SAP penetration testing example - full write-up and PoCs on github.com/redrays-io/SAP-Penetration-Testing. Click to enlarge.

Our SAP cloud pentest methodology

A structured engagement across eleven technical phases, executed by senior SAP security consultants.

1

Discovery & reconnaissance

Environment mapping across S/4HANA servers, all BTP subaccounts, BWZ and IAS tenants, and Cloud Connector - service / version detection, profile parameters, ICM services, destination and entitlement enumeration, client discovery.

2

S/4HANA core services

Web Dispatcher, Gateway (RFC execution, fake RFC registration, reginfo / version disclosure), Message Server (fake application server registration), and ICM / ICF (public-service brute-forcing, SOAPRFC and dangerous-service abuse).

3

Supporting services

SAP Router (SAP Support connectivity), IGS, SAPHostControl and Enqueue service vulnerabilities and misconfigurations.

4

Application & integration testing

API & RFC security on all integration points, DAST across application components, OWASP Top 10 and SAP-specific frameworks, REST / SOAP / OData security, and EOL / vulnerable-component identification.

5

SAP CPI deep iFlow review

Tenant-level config audit (roles, Role Collections, IdP trust, API exposure), per-iFlow review, Security Material (User Credentials, OAuth2, JKS), and Cloud Connector integration / principal-propagation correctness.

6

Standard Fiori authorization review

Fiori app catalog and group review, tile-level and target-mapping authorization checks, Launchpad role assignments, and OData service exposure (mass assignment, function-import abuse, broken object-level authorization, $expand chains).

7

SAP BTP - config & lateral movement

Global-account audit, per-subaccount review (roles, Role Collections, Destination auth methods and ProxyType, space privileges), XSUAA scopes and JWT signature validation, IdP trust, and subaccount-takeover / BTP-to-on-premise lateral movement.

8

SAP CIS / IAS identity provider

Authentication policies and conditional access, SAML / OIDC trust with S/4HANA, BTP and BWZ, token validation (signature algorithms, audience binding, replay protection), session lifecycle, and principal-propagation certificate / key handling.

9

SAP Cloud Connector deep test (OS-layer)

Local OS / installation hardening, LPE, NTLM relay (Windows), Host Control interaction, Secure Storage (SSFS) config and key extraction, system mappings, resource rules, trust store / CA validation, Admin UI access control, and version-specific CVEs.

10

Build Work Zone & HANA + OS-layer

BWZ tenant audit (sites, roles, content providers, external exposure, custom-tile security), HANA 2.0 instance security and role review, SQL trace / audit logs, and OS-layer SAP-specific hardening.

11

Privilege escalation

User → DB, User → OS, cross-system escalation via trusted RFC, password / key decryption, DB → OS and trusted-link pivots, and cross-stack escalation (BTP → Cloud Connector → S/4HANA) - with focus on FFID and debug-access populations.

What you get

Reporting for every audience - engineers, risk owners and the board - plus verified remediation.

Technical report

  • Executive summary with key findings
  • Per-system findings (Critical / High / Medium / Low)
  • PoCs and step-by-step exploitation
  • CVSS scoring & business impact
  • Remediation with SAP Notes, T-Codes, profile parameters
  • Cross-system attack-path analysis (BTP → CC → S/4HANA)

Business report

  • Technical findings translated to business risk
  • Espionage, sabotage and fraud attack scenarios
  • Strategic recommendations

Executive presentation

  • Board-level deck
  • Security-posture overview per system
  • Prioritized action plan
  • Investment justification for remediation

Free retest

  • Unlimited retest cycles within 6 months
  • All findings re-verified (Fixed / Partial / Not Fixed)
  • Automatic trigger after go-live
  • Retest report addendum included

Penetration testing vs. vulnerability assessment

They answer different questions. A penetration test proves what an attacker could actually do; a vulnerability assessment gives you breadth - every weakness, prioritized.

Penetration testing
  • Determines the scope of a real attack
  • Tests sensitive-data collection
  • Gathers targeted intel and inspects the system
  • Exploits and escalates, then cleans up and reports
  • Proves impact on critical, real-time systems
Vulnerability assessment
  • Inventories assets and resources in the system
  • Discovers potential threats to each resource
  • Assigns value and significance to resources
  • Prioritizes and mitigates weaknesses - safe, non-intrusive
  • Comprehensive, recurring coverage

On-premise SAP pentest →
SAP vulnerability assessment →

SAP cloud penetration testing FAQ

What is SAP BTP penetration testing?

SAP BTP penetration testing is a hands-on security assessment of the SAP Business Technology Platform - global account and subaccounts, Entitlements, Destinations, Role Collections, XSUAA scopes and JWT validation, and IAS trust - that safely proves exploitable misconfigurations, including subaccount takeover and BTP-to-on-premise lateral movement.

Which SAP cloud systems do you test?

S/4HANA (Public / Private Cloud and HANA Enterprise Cloud), SAP BTP, SAP Build Work Zone, SAP Cloud Identity Services (IAS / CIS), SAP Cloud Connector, and SAP CPI / integrations - the full cloud stack from control plane and identity to launchpad and the bridge back to on-premise.

Is SAP cloud penetration testing safe for production?

Yes. RedRays uses a controlled grey-box methodology agreed with you in advance, with defined scope, rules of engagement and change windows, so testing proves real attack paths without disrupting production systems.

How is cloud pentesting different from on-premise SAP pentesting?

Cloud landscapes mix multiple trust zones - a BTP control plane, an IAS identity provider federated with your corporate IdP, an externally exposed Build Work Zone launchpad, and a Cloud Connector bridge to on-premise. The key risk is cross-zone lateral movement (BTP → Cloud Connector → S/4HANA), which on-premise-only testing does not cover.

Do you provide a free retest?

Yes. Every engagement includes unlimited retest cycles within six months: all findings are re-verified as Fixed, Partial or Not Fixed, with a retest report addendum - so you can confirm remediation actually closed the gaps.

Request a SAP cloud pentest

Tell us about your SAP cloud landscape - we'll get back to you with a scope and plan.