The SAP Breach No One Talks About — And How It Happens Every Day

Most SAP breaches don’t start with a hacker.

They start with trust — and end with regret.

Every organisation believes their SAP landscape is safe because it sits inside a firewall, has SOD rules configured, and the audit team visits twice a year.

But the reality is harsh:

SAP is often breached from the inside — slowly, silently, and without a single alert being triggered.

A global manufacturing giant recently lost ~$1.5M in a fraud that should have been impossible — yet every step of the attack chain was created by everyday comfort, convenience, and complacency inside their SAP landscape.

It started with a user ID that remained active for eight months after the consultant left the project.

In the QA system, the same ID still had SAP_ALL “just for testing,” and a trusted RFC connection from QA to Production made pivoting trivial.

The attacker used this forgotten identity to change a vendor’s bank account, and the nightly automatic payment run did the rest.

No one noticed.

No alert fired.

No dashboard blinked.

Why?

Because the SAP logs were never integrated into the enterprise SIEM — the organization was “compliant,” but blind.

This is the silent reality in many SAP landscapes: security doesn’t break loudly… it is compromised quietly.

Let’s keep this simple, as many clients think they are in a good posture and don’t need any additional security measures. Let’s break down the story of a breach that actually happens every day… though it never appears in the news.

Scene 1: Just give him access, it’s urgent

It starts with a common conversation:

  • A manager needs a report urgently
  • A user complains they cannot post an entry
  • An auditor is visiting next week
  • Someone senior puts pressure: “Just give temporary access.”

The role is assigned.
The request is closed.
No one checks later.
The “temporary” stays permanently.

This is the first breach.
No malware. No hacker.

Convenience is the silent killer of security.

Scene 2: The Invisible Accumulation

Over months the user collects:

  • Z-roles
  • Firefighter IDs
  • Critical t-codes “for one-time tasks”
  • Access to non-production systems
  • Download permissions via Excel/SE16N
  • A forgotten ID in a sandbox with SAP_ALL

No one notices — because:

  • SOD reports show 4000 conflicts anyway
  • The role catalog is messy
  • User access reviews have become a check-the-box exercise
  • Everyone assumes someone else is checking
  • Everyone thinks it is not their job

This is how 90% of SAP risks are created internally, without any evil intention.

Scene 3: The Perfect Storm

One day, this user:

  • Moves to another team
  • Leaves the organisation
  • Gets compromised through phishing
  • Or simply makes a mistake

Imagine this:

A user who left 6 months ago still has developer access in QA and his/her colleague uses it.
Their old laptop gets compromised.
An attacker gets in through VPN → QA → Production trusted RFC → Modify table → Change bank account → Money gone.
And your SIEM doesn’t catch it because SAP logs were never integrated.

This is EXACTLY how the famous “silent financial drain attacks” happen across industries.

No Hollywood hacking.
Just bad access hygiene.

Scene 4: The Aftermath

The finance team discovers a mismatch.
IT says logs are incomplete.
Audit asks why the user still had access.
Security says business never approved.
Business says IT never removed.
The vendor says it was out of scope.
Everyone blames everyone.

But the damage is already done.

The Hard Truth

You don’t need a hacker to breach SAP.

You just need:

  • One separated user whose ID is still active in the system
  • One developer with SE37 in production
  • One basis admin with unlimited RFC rights
  • One failed SOD mitigation that no one reviewed
  • One over-friendly manager who says “give all access”

This is the real breach — the one no one talks about.

So how do we fix it?

A practical, zero-nonsense checklist:

Treat access like money, not permissions

Ask for justification the way finance asks for budget.

Solution Recommendation: Use ToggleNow’s ReviewNow application, which helps you periodically review critical authorizations and user authorizations. It further provides various data points for better decision making. Periodic reviews are no longer a check-the-box exercise.

Enable Firefighter with alerts, not just logs

If no one reviews the logs, the system is lying to you.

Solution Recommendation: Use AGIL’s FF Trust solution, which automatically reviews the logs against pre-defined rules.

Clean your SOD ruleset

If your SOD report is 500 pages… no one will read it.

Solution Recommendation: There is no click-to-deploy solution that can do the magic. You need to look at the usage trends, identify the risks associated with the business teams and build your ruleset. Remember, a stock ruleset is a starting point and may not fit every business.

Monthly access cleanup = highest ROI

Just removing unused roles eliminates 40–60% of your SOD conflicts.

Solution Recommendation: As recommended earlier, ToggleNow’s ReviewNow solution helps automate the reviews and provides various data points to the reviewers so they can make informed decisions. Keeping authorizations right is always good, and it also optimizes your licensing costs.

Monitor table changes, not just t-codes

Fraud happens at tables, not transactions.

SAP has a table logging feature, and logging must be enabled for all critical tables that have a financial impact.
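The vendor bank account change in the story is exactly the kind of table-level event this item asks you to watch. The following SIEM-side detection is an added example, not code from the article, ToggleNow or SAP: it assumes the vendor master change documents (CDHDR/CDPOS, object class KRED, table LFBK) have been extracted into the SIEM, and it joins them against a user master snapshot and a hypothetical HR leaver feed. The field names are the real SAP change document fields; every record value is constructed, and the rule that an empty TCODE means a programmatic (RFC/BAPI) change is an assumption of this example.

```python
from datetime import date

# Constructed sample data shaped like SAP change documents (CDHDR headers, CDPOS
# items) for vendor master (object class KRED). Real field names, made-up values.
CDHDR = [
    {"CHANGENR": "1001", "OBJECTCLAS": "KRED", "OBJECTID": "0000100042",
     "USERNAME": "CONSULT01", "UDATE": date(2024, 3, 12), "TCODE": ""},
    {"CHANGENR": "1002", "OBJECTCLAS": "KRED", "OBJECTID": "0000100077",
     "USERNAME": "APCLERK", "UDATE": date(2024, 3, 12), "TCODE": "FK02"},
]
CDPOS = [
    {"CHANGENR": "1001", "TABNAME": "LFBK", "FNAME": "BANKN",
     "VALUE_OLD": "1111111111", "VALUE_NEW": "9999999999"},
    {"CHANGENR": "1002", "TABNAME": "LFBK", "FNAME": "BANKL",
     "VALUE_OLD": "10010010", "VALUE_NEW": "20020020"},
    {"CHANGENR": "1002", "TABNAME": "LFA1", "FNAME": "TELF1",
     "VALUE_OLD": "555-0100", "VALUE_NEW": "555-0199"},
]
# User master snapshot (USR02-like): account "valid to" date (field GLTGB).
USR02_VALID_TO = {"CONSULT01": date(9999, 12, 31), "APCLERK": date(9999, 12, 31)}
# Hypothetical HR leaver feed (not an SAP table): IDs that should be gone.
SEPARATED = {"CONSULT01"}
BANK_FIELDS = {("LFBK", "BANKN"), ("LFBK", "BANKL")}  # vendor bank account / key


def vendor_bank_change_alerts(cdhdr, cdpos, valid_to, separated):
    """One alert per vendor bank-detail change: "high" when an access-hygiene
    risk signal is present, otherwise "review" so a human still looks at it."""
    items = {}
    for pos in cdpos:
        items.setdefault(pos["CHANGENR"], []).append(pos)
    alerts = []
    for hdr in cdhdr:
        if hdr["OBJECTCLAS"] != "KRED":
            continue
        for pos in items.get(hdr["CHANGENR"], []):
            if (pos["TABNAME"], pos["FNAME"]) not in BANK_FIELDS:
                continue  # e.g. a phone change in LFA1 is not a bank change
            reasons = []
            if hdr["USERNAME"] in separated:
                reasons.append("user is separated in HR feed")
            if valid_to.get(hdr["USERNAME"], date.min) < hdr["UDATE"]:
                reasons.append("user unknown or expired in user master")
            if not hdr["TCODE"]:  # assumption: empty TCODE = programmatic (RFC/BAPI)
                reasons.append("no transaction code (programmatic change)")
            alerts.append({"vendor": hdr["OBJECTID"], "user": hdr["USERNAME"],
                           "field": pos["FNAME"], "old": pos["VALUE_OLD"],
                           "new": pos["VALUE_NEW"], "reasons": reasons,
                           "severity": "high" if reasons else "review"})
    return alerts
```

In the sample data the change by the separated consultant ID comes out as "high", the clerk's change through FK02 as "review", and the phone number change is not a bank alert at all.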

Don’t copy all your production data into QA/Sandbox

Lower systems are the easiest entry point for attackers.

Solution Recommendation: Once your critical business data is in lower systems, an attacker can map your processes, identify weak users, and plan the perfect fraud. Protect non-prod systems like production, or don’t move sensitive data at all. Use a selective transformation approach and data masking techniques. There are many tools available that help you with selective data refresh.

Implement RFC hardening

This is the biggest blind spot in most SAP landscapes.

Solution Recommendation: SAP has a built-in feature called UCON – Unified Connectivity. It has many capabilities to secure the remote function modules (RFMs).

Refer: UNIFIED CONNECTIVITY (UCON) – The built-in SAP Cybersecurity solution

Additionally, use ThreatSense AI SIEM+SOAR and TADS solutions to protect your business data. With these solutions, no critical data can go out.

Final Words

People don’t share articles full of tables and reports.

They share stories, warnings, and truths nobody else says.

This article speaks directly to:

  • CISOs
  • CFOs
  • SAP leaders
  • Audit teams
  • Managed service providers
  • Anyone who has ever said: “Just give access.” 😊

What is your security posture and which scenes are applicable to you?


Raghu Boddu

Meet Raghu Boddu, an expert in SAP Security and Governance, Risk, and Compliance (GRC). With over 20 years of experience in the field, Raghu has a deep understanding of the nuances and complexities of SAP systems and how to keep them secure. Raghu has worked with various clients across different industries, helping them implement effective security and GRC strategies to protect their sensitive data and meet regulatory compliance requirements. Raghu is a respected thought leader in the SAP security and GRC community, regularly sharing insights and best practices through presentations and publications. Whether you’re looking to improve the security of your SAP system or ensure compliance with relevant regulations, Raghu can provide the guidance and expertise you need to succeed.
