SAP Cyber Assessment
A structured 14-day assessment of your SAP landscape. Pre-built test packages and accelerators mean we scope fast, test deep, and deliver an audit-ready evidence pack — without delay. Aligned to your cyber framework. Covering every SAP product layer — application, identity, infrastructure, integration and AI.
Request an assessment scope
Measurable Essential Eight uplift. No new licence costs.
A typical sapcyberx engagement surfaces misconfigured SAP RISE controls that fall under SAP ECS responsibility — meaning your team gets remediation at no additional licence or tooling cost. Customers have moved from Maturity Level 1 to Maturity Level 2 across four Essential Eight controls within a single engagement cycle.
Outcome metrics are illustrative. Uplift depends on your starting maturity position and landscape scope. We measure and report your specific progress at engagement close.
How we deliver
- 01 Discovery (Day 1-2): Scope, access, evidence request.
- 02 Evidence Collection (Day 3-7): Configuration, roles, network, custom code, database, audit.
- 03 Analysis (Day 8-10): CVSS scoring. Framework mapping. Three-Bucket Method™ allocation.
- 04 Reporting (Day 11-13): Executive summary, findings register, remediation playbook.
- 05 Readout (Day 14): Steering committee. 30-day post-delivery support.
Scope coverage
| Domain | Coverage |
|---|---|
| Mandatory parameters | SAP Note 3250501 |
| Identity & access | User store, IAS, IPS, IAG, MFA |
| Authorisation | Role design, SoD, emergency access |
| Network | RFC, Gateway, ICM, Web Dispatcher, Cloud Connector |
| Custom code | Static code analysis, ABAP review |
| HANA | Privileges, audit, encryption |
| Fiori & OData | Catalogues, OData exposure |
| Integration | BTP, IBP, SuccessFactors, Ariba |
| AI integrations | Joule, AI agents, BTP-hosted AI |
| Frameworks | ISM · Essential Eight · CPS 234 · ISO 27001 · IRAP · NIST · CIS |
What you receive
- ✓ Executive report (Word + PDF) — audit-ready evidence pack, not a certification or attestation
- ✓ Findings register (Excel), CVSS-rated, framework-mapped
- ✓ Three-Bucket Method™ remediation playbook
- ✓ SAP Service Request templates
- ✓ Board-level one-page summary
- ✓ 30 days post-delivery support
FAQ
How long?
14 days from kickoff. Larger landscapes with extended scope extend to 3 weeks.
Cost?
Fixed scope after scoping call. Request a quote.
RISE compatible?
Yes — mapped to SAP Note 3250501 and ECS shared responsibility.
What does "audit-ready" mean?
Evidence that supports your internal or external audit cycle. It is not a certification or attestation in itself.
Frameworks?
SAP Note 3250501, ISM, Essential Eight, NIST, ISO 27001, IRAP.