SAP systems in the crosshairs: How SAP penetration tests ensure security in the defence industry

Inhalt:

At a time when state and non-state actors are targeting critical infrastructure and its supply chains, proactive and specialized protection is essential. Meeting strict compliance requirements such as VS conformity or NATO standards is just one of many challenges. So how can companies in the defence industry ensure that their most sensitive data and processes are effectively protected without compromising operational efficiency? 

This blog post highlights the unique cybersecurity challenges facing the defence industry and shows why a specialized SAP penetration test is more than just a technical measure – it is a strategic imperative.

Learn how to uncover hidden vulnerabilities in your SAP landscape by simulating authentic attack vectors, harden your RFC interfaces, and develop a holistic security strategy that meets the specific requirements of your industry. In modern defence, cyber resilience is not an option, but the foundation for operational capability and sovereignty.

The myth of the secure "black box": Why SAP systems are the new battlefield

The threat situation in cyberspace has escalated dramatically. State and non-state actors are operating with increasing professionalism and specifically targeting companies in the defence industry. Their goal is no longer just to steal know-how, but to actively sabotage and prepare hybrid attacks. The hacker attack on the Rheinmetall defence contractor in 2025, in which sensitive data was stolen, is just the tip of the iceberg. It clearly shows that the digital front has long been a reality and that national security depends directly on the cyber resilience of industry. In this scenario, the focus shifts to a component that was long considered secure and often neglected: the SAP system landscape.

In many companies, SAP systems are treated as a kind of isolated "black box." They are the backbone of finance, logistics, human resources, and production, but are often only marginally supported by general IT security teams. The complexity of the SAP architecture and the lack of specialist knowledge mean that these systems are left out of traditional security checks. This is a fatal mistake, because attackers have long recognized this blind spot: Data exfiltration has become the biggest threat to SAP systems, and the number of attacks is steadily increasing. Attackers know that this is where they will find a company's crown jewels, from design plans and personnel data to critical supply chain information.

SAP systems: More vulnerable than you think

possible vulnerabilities:

  • Insecure RFC interfaces
  • Unpatched systems
  • Misconfigurations
  • Cloud connections

possible attack vectors:

  • External attackers (state/criminal)
  • Internal threats (compromised accounts)
  • Supply chain attacks

The dual challenge: Hybrid threats meet complex compliance

This danger is magnified for the defence industry. It is not just a matter of economic damage, but of the integrity of national and alliance-wide security architectures. The industry faces a double challenge: it must defend itself against highly professional attackers while complying with an extremely dense network of regulatory requirements. The mere existence of a firewall is no longer sufficient.

The regulatory squeeze: From NIS2 to VS-NfD

Legal requirements for cybersecurity are becoming increasingly stringent. The EU's  NIS2 Directive expands the obligations for operators of critical infrastructures and "essential facilities," which include a large part of the defence industry. It requires active risk management, supply chain security, and strict reporting requirements for security incidents. The Cyber Resilience Act (CRA) also places obligations on manufacturers of products with digital elements and requires comprehensive vulnerability management throughout the entire product lifecycle. 

    Specific requirements apply to the defence industry:

    • VS compliance: The processing of classified information (VS) requires special hardening and accreditation of IT systems in accordance with the specifications of the Federal Office for Information Security (BSI).
    • NATO standards: Cooperation within the alliance requires compliance with specific NATO requirements for IT security and interoperability.
    • War Weapons Control Act (KWKG) and export control: The handling of sensitive goods and data is subject to the strictest legal controls, compliance with which must also be reflected and verified in IT systems.

    The technical Achilles' heel: unpatched systems and open interfaces

    These regulatory requirements are met with a technical reality that is often characterized by undiscovered vulnerabilities. One of the biggest challenges here is the timely installation of security patches. The complexity of the systems and the fear of operational failures lead to dangerous patching backlogs. Attackers can often exploit newly discovered vulnerabilities within a few hours. RFC (Remote Function Call) interfaces are particularly critical in this regard. They are the central nerve pathways of the SAP landscape, connecting systems with each other. If they are not correctly configured and hardened, they offer attackers an open gateway to move laterally within the network and access critical systems.

    From blind spot to hardened fortress: The strategic necessity of SAP penetration testing

    How can companies in the defence industry meet these complex challenges? The answer lies in a proactive and specialized approach: SAP penetration testing. Such testing is much more than an automated vulnerability scan. It simulates a targeted attack by a real human expert who is familiar with the methods and mindsets of cybercriminals. The key advantage: it combines in-depth SAP know-how with proven cybersecurity expertise. In view of stricter regulatory requirements, such as those imposed by the  NIS2 Directive, which requires appropriate, proportionate, and effective technical and organizational measures to ensure high cyber resilience, companies in the defence industry are under additional compliance pressure. In this context, a specialized SAP penetration test is not only a security best practice, but also a traceable and verifiable measure for meeting these requirements.

    A standard penetration test that focuses only on the network and operating system level falls short with SAP. It cannot uncover the specific vulnerabilities in the SAP application layer, in the configurations, or in the countless interfaces. A specialized SAP penetration test, on the other hand, goes into depth precisely in these areas. It not only checks from the outside (black box approach), but also simulates an attack from the inside (gray box approach) to assess the risks posed by compromised user accounts or insider threats, for example. It analyzes the security of RFC communication, checks for incorrect configurations, and searches for vulnerabilities in in-house developments (ABAP-Code).

    More than just an audit: How a real attack simulation strengthens your line of defence

    An SAP penetration test is not a theoretical audit that works through checklists. It provides "proof by exploitation" and shows in black and white how an attacker could compromise your system. This shift in perspective from a purely defensive stance to an active attacker simulation is essential for a robust security strategy. It helps you understand the actual risks and set the right priorities for remediation.

    The results of such a test are more than just a list of technical vulnerabilities. They form the basis for a holistic security strategy:
     

    • Risk-based prioritization: You learn which vulnerabilities pose the greatest risk to your company secrets and can deploy your resources where they are most urgently needed.
    • Hardening of systems: You receive concrete, actionable recommendations for remedying the gaps found – from configuration adjustments to secure development.
    • Proof of compliance: A penetration test report serves as important evidence to auditors and authorities that you are fulfilling your duty of care and taking proactive measures to secure your systems.
    • Strengthening security awareness: Concrete attack scenarios raise awareness among developers, administrators, and management of the real threats.

    Your path to cyber resilience: A proven approach to SAP security

    Securing a complex SAP landscape in the defence industry requires a structured and experienced partner. At abat, we combine decades of SAP expertise with specialized cybersecurity knowledge. In addition to SAP-specific security audits, we also offer comprehensive cybersecurity assessments for non-SAP systems.

    To specifically secure your SAP solutions, we perform specialized SAP penetration tests that are individually tailored to your system landscape and regulatory requirements.

    • Preliminary discussion and scoping: Together, we define the scope of the test, analyze your system landscape, and determine the attack scenarios.
    • Conducting the penetration test: Our experts simulate realistic attacks on your systems without jeopardizing ongoing operations.
    • Analysis and reporting: You will receive a detailed report that clearly and comprehensively describes the vulnerabilities found, assesses their risk, and outlines specific measures for remediation.
    • Final workshop: We present the results to you, discuss the recommended actions, and support you in prioritizing them.
    • Re-test and continuous improvement: After the measures have been implemented, we check their effectiveness in a re-test and accompany you on the path to sustainably strengthened cyber resilience.

    At a time when digital sovereignty is becoming the foundation of national security, securing your SAP systems is not an option, but a strategic imperative. Don't wait until attackers find your vulnerabilities. Act proactively now.

    Contact our experts and let us work together to fortify your SAP fortress. Because your security is our mission.

    To our cybersecurity services

     

    Or go directly to our SMARTsolutions:

     

    Contact us ! 

    SAP security in the defence industry

    1. Are our general IT security measures not sufficient to protect SAP?

    No. SAP systems have a highly complex architecture with their own protocols (e.g., RFC), authorization concepts, and configurations. General security tools and audits often lack insight into this and overlook critical SAP-specific vulnerabilities. Only a specialized test can close this gap.

    2. Our SAP system is not directly connected to the internet. Are we still at risk?

    Yes. Many attacks today take place indirectly, for example through compromised user accounts, phishing attacks on employees, or attacks on connected systems in the supply chain. Once an attacker is inside the internal network, they can often move undetected to the SAP systems without specialized SAP security measures.

    3. What is the difference between a vulnerability scan and a penetration test?

    An automated scan finds known, pattern-based vulnerabilities. A penetration test, on the other hand, is performed by a human expert who takes a creative and context-sensitive approach. They combine different vulnerabilities to simulate complex attack chains and demonstrate the actual exploitability of a risk.

    4. How complex is an SAP penetration test and will it disrupt our operations?

    A professionally conducted penetration test is planned in close consultation with you and usually takes place on test or quality assurance systems so as not to jeopardize productive operations. The effort involved depends on the scope of the systems to be tested, but is a small investment compared to the potential damage caused by a successful attack.

    5. How does abat support us in maintaining VS compliance and other industry standards?

    Our experts are familiar with the specific requirements of the defence industry. We check your SAP systems specifically for compliance with these standards, identify deviations, and provide concrete recommendations on how you can achieve and demonstrate compliance. Our many years of experience in the industry, including projects such as the S/4HANA implementation at HIL GmbH, ensure that we speak your language.

    You may also be interested in

    Modern data center with security icon symbolizes abat's cyber security.

    cybersecurity consulting

    get advice now 

    cybersecurity assessments

    putting IT security to the test 

    SAP penetration test

    minimise risks now 

    Contact our expert