The time-proven adage, “Follow the money,” illustrates why SAP applications have emerged as a top target for cyber attacks: The SAP Business Network is linked to $4.9 trillion in multi-industry activity, with more than 2 million active users. All told, SAP customers generate 84% of total global commerce.
This means any compromise of SAP could constitute a material business crisis, and 2025 is shaping up as a most dangerous year for these enterprise resource planning (ERP) tools.
They are now, in fact, a core component of the organizational attack surface — but one which does not currently command the same attention from security leaders as other, more traditional components.
Recent Onapsis research reveals that the past year has been the most volatile since 2017, signaling why chief information security officers (CISOs) must rethink how SAP fits into their programs to protect their companies’ business-critical applications:
- Even though the year isn’t over yet, there has been a 39% increase in SAP vulnerabilities, with a 12% spike in critical issues.
- Ransomware attacks on SAP applications have grown 400% since 2021.
- It only takes 72 hours for cyber criminals to exploit newly released SAP security notes, and the market price for SAP code exploits has risen by 400% since 2020. Indeed, a single SAP exploit chain now goes for at least $250,000.
As we head into 2026, we must confront the grim reality that these threats will likely only increase, which is why CISOs need to bring SAP into the mainstream of enterprise security.
While satisfying compliance requirements remains a significant motivator, the severe consequences of exploits — network and system compromises, data theft, ransomware payments, financial losses and brand reputational damage — should serve as the primary drivers for prioritizing visibility and controls to strengthen SAP resiliency.
A diagram of SAP attackers
So who is behind these threats? They are state-sponsored groups, ransomware operators and highly financially motivated criminal organizations or individuals selling credentials, exploits and data for huge profits.
Even more troubling, they know SAP quite well — to the point of customizing threats so they can commoditize and reuse zero-day exploits within just days. This speaks to a logical progression that occurs when considerable financial motivation converges with familiarity and experience: As adversaries grow more SAP-savvy, they get better and faster at launching increasingly sophisticated, effective and profitable attacks.
A lack of adequate security controls only further advances their schemes: SAP arrives in the form of highly distributed integrations and architectures, which makes it difficult for CISOs and their teams to understand how to effectively defend it all.
What’s more, their controls are siloed, with the safeguarding of these tools too often pegged somewhere outside of enterprise vulnerability management initiatives. In other words, organizational ownership is fragmented. The bad guys know it. And they are eager to take advantage of it.
New strategies for today’s threat landscape
To respond, CISOs and their teams must undergo a mindset change in prioritizing their SAP environment as a top enterprise vulnerability — and a too-easily exploitable one at that.
Here are three steps to take to get to this essential state of awareness, visibility and defense strategies.
Embed SAP into core enterprise security planning
Teams should establish SAP-specific threat monitoring while integrating SAP logs into security information and event management (SIEM) and security orchestration, automation and response (SOAR) resources. They need to conduct SAP breach simulation exercises, focusing on real-life data exfiltration scenarios.
All of this requires teams to identify and understand their entire SAP landscape — the applications, technologies and modules that are now expanding the attack surface. Which parts are running on-premises, and which are in public and/or private clouds? How do these components interconnect with the rest? What happens when just a single part gets compromised?
Build a threat-driven SAP security program
It’s key here to monitor for threat indicators, not just vulnerabilities. Teams need to detect privilege abuse and additional activities that routinely occur during an adversary’s dwell time. They must enable automated SAP note checks so that application code corrections are instantly made to protect against the latest attacks. They cannot allow for patching-cycle backlogs. Teams must also monitor for SAP-specific common vulnerabilities and exposures (CVEs) and exploit activity while pen-testing SAP business-critical applications.
Harden the SAP landscape throughout all layers
This includes applying the latest SAP Security Notes, reviewing potential external exposure of SAP services, validating SAP backups, testing SAP disaster recovery scenarios, confirming workflow-level resilience, fortifying the SAP DevSecOps pipeline, documenting SAP incident playbooks and training IT and security teams on SAP-specific threats.
To be clear — and possibly comforting — this isn’t about creating more silos and processes. It’s about integrating existing SAP applications into the processes and strategies teams are already committed to, rather than treating them as an afterthought.
When CISOs educate senior-level business leaders about the severe ramifications of SAP exploitation and downtime, they are more likely to gain needed buy-in. With this, they can implement a comprehensive strategy that incorporates SAP into the entire security planning picture, builds a threat-driven program and hardens the SAP landscape wherever it exists throughout the enterprise.
As a result, cyber adversaries who “follow the money” by targeting SAP environments will discover that this particular revenue source is now shut off from them — for 2026 and the indefinite future.
