Deep SAP® security expertise. Four specialist domains.
Beyond assessment and pen testing, sapcyberx delivers specialist design, architecture and deployment across four SAP security domains. Engaged as a fixed-scope package, advisory hours, or embedded alongside your team.
SAP AI Security
Joule, BTP-hosted AI workloads and AI agents introduce a new attack surface that most SAP security teams have no existing controls for. The risk is real — prompt injection, unauthorised data access via AI agents, audit traceability gaps, and admin policy misconfigurations that expose sensitive business data. Most SAP customers don't yet have a governance picture for it. We build one.
What we assess and govern
- Joule access controls and admin policy configuration
- AI agent authorisation scope and runtime controls
- BTP-hosted AI model exposure and API access
- Prompt injection attack surface mapping
- Data access boundary validation for AI workloads
- AI-specific identity and federation controls
- Audit traceability and logging for AI interactions
- BTP AI service subaccount structure review
- AI workload monitoring integration (SIEM)
- Governance policy design and enforcement
- SAP evolving AI security guidance alignment
- ISO 42001 (AI management system) mapping
Engagement options
Targeted review of your Joule and BTP AI footprint. Covers access controls, admin policy, agent scope and data exposure. Output: risk register, control gaps, prioritised action plan.
End-to-end governance design covering admin policies, runtime controls, audit traceability, data boundary enforcement and SIEM monitoring integration for AI workloads.
Extends a standard SAP penetration test to include AI surface — prompt injection testing, agent access abuse, BTP-hosted model exposure and authorisation bypass scenarios.
SAP BTP Security
BTP security incidents consistently trace back to a small set of repeatable misconfigurations — subaccount structure, destination trust, Cloud Connector allowlisting, principal propagation and key management. They are knowable in advance. We assess BTP fast, identify the gaps, and configure it correctly before those gaps become incidents.
Coverage across the BTP stack
- Subaccount structure and authorisation design
- Identity federation — IAS integration and SAML trust
- Destination service configuration and trust chain
- Cloud Connector version, principal propagation and allowlist scoping
- API and connectivity security — OAuth, mTLS, token handling
- BTP Role Collection design and privilege review
- Key Management Service (KMS) configuration
- Certificate management and automation posture
- Application vulnerability review — BTP-hosted apps
- SIEM and audit log integration
- Third-party integration trust and token scope
- Joule and AI workload subaccount isolation
Engagement options
Configuration review of one or more BTP subaccounts. Covers identity, destinations, Cloud Connector, connectivity and key management. Output: prioritised findings and remediation playbook.
Target-state BTP security architecture covering subaccount design, identity federation, connectivity security, Cloud Connector hardening, key management and SIEM integration.
Version uplift, principal propagation configuration, allowlist scoping, certificate automation and end-to-end connectivity trust chain validation. Includes retest.
SAP Identity — IAS, IAG & GRC
SAP IDM is approaching end-of-maintenance. Most large enterprises will run SAP GRC on-premise and IAG in the cloud — connected via the IAG Bridge — for years before full migration. The identity architecture decisions made now determine the remediation cost later. We advise, design and deploy across IAS, IPS, IAG, Bridge and GRC — and we bridge the gap to your corporate IDAM.
What we cover
- IAS configuration — SAML, OIDC, social and corporate IdP federation
- IPS provisioning — source and target system design, transformation rules
- IAG Standard and Premium edition configuration
- IAG Access Request, Access Analysis and Role Management
- IAG Bridge to GRC Access Control coexistence architecture
- GRC Access Control — ruleset design, risk analysis, emergency access
- SAP IDM current-state assessment and migration position
- Corporate IDAM bridge — Entra ID, Active Directory, LDAP integration
- MFA enforcement design across IAS and federated systems
- SoD ruleset design — business-role aligned, process-mapped
- Provisioning workflow design and approval governance
- Role architecture — 300 best-practice roles, SoD-free, available as accelerator
Engagement options
Current-state assessment across IAS, IPS, IAG and GRC. Target-state recommendation. SAP IDM migration position. Corporate IDAM alignment gap analysis.
End-to-end target-state design across IAS, IAG, Bridge and GRC. Includes role architecture, SoD ruleset design, provisioning workflow and corporate IDAM integration design.
Fixed-scope deployment packages for IAS and IdP federation, IPS provisioning configuration, IAG Standard or Premium edition, IAG Bridge to GRC coexistence, and GRC Access Control deployment or uplift.
300 SoD-free SAP best-practice business roles, pre-mapped to S/4HANA and cloud products, Signavio-aligned, with Fiori Spaces, Pages and Sections configured. Ready before your functional workshops start.
SAP Cyber Architecture
Standard enterprise cyber controls — Zero Trust frameworks, SIEM playbooks, endpoint detection — don't map cleanly to SAP reality. RFC Gateway doesn't appear in your EDR. ABAP injection won't trigger your WAF. HANA privilege escalation looks like normal database activity to a generic SIEM. SAP cyber architecture requires someone who understands both disciplines. We are that resource.
Architecture domains we cover
- RISE shared-responsibility architecture and control mapping
- Identity architecture — corporate IDAM to SAP IAS/IPS/IAG
- BTP and Cloud Connector security architecture
- RFC Gateway, ICM and Web Dispatcher security design
- Fiori and OData security architecture
- Custom code governance — ABAP static and dynamic analysis programme
- Logging and SIEM integration — SAP log sources, normalisation, alert design
- Network security architecture — WAF, FW, DNS, TLS posture
- AI workload governance architecture — Joule, BTP AI, agent controls
- GRC architecture — Access Control, Process Control, Risk Management
- Security operations model — incident response, escalation, hypercare
- Framework mapping — ISM, Essential Eight, NIST, CIS, ISO 27001, IRAP
Engagement options
Pre-built SAP cyber architecture document customised to your RISE landscape. Every security domain covered — application, identity, network, infrastructure, integration and AI — with SAP best-practice controls and cyber framework alignment baked in. Delivered as a living document your teams own post go-live.
SAP cyber architect embedded alongside your programme or internal security team. Part-time or full-time. Advisory-led or delivery-led. Covers architecture decisions, vendor scope guidance, framework alignment and security sign-off across the programme lifecycle.