News: Live SAP hacking webinar on the 4th of May, 2015: How SAP systems get hacked and what you can do to protect them.

ESNC Enterprise Security Suite

for SAP Systems and Applications

ESNC SAP Vulnerability Assessment and Penetration Testing Services

ESNC Success Story at SAP Oil Gas and Utilities Conference

Abu Dhabi National Oil Company (ADNOC) – Al Hosn chooses ESNC

Abu Dhabi National Oil Company is the world’s 4th largest oil company and UAE’s biggest company.

Al Hosn of ADNOC chose ESNC Security Suite for protecting its mission critical SAP systems.
AHG presented its success story at International SAP Conference for Oil, Gas and Utilities 2015 in Berlin, Germany.

On the left: Mr. Khan, Head of SAP Security at AHG with ESNC CEO Mr. Arsal and Head of Customer Services Mrs. Rattey

ESNC’s SAP Security Pack for Oil, Gas and Utilities Companies

The ESNC Security Suite Risk Management Module add-on for Oil, Gas and Utilities companies provides built-in risk and attack detection capabilities specialized for these industries and for national critical infrastructures.

The oil, gas and utilities industries are commonly national critical infrastructures, which have very special security requirements. Based on our continuous work with our customers in these industries, we have created the SAP security pack for oil, gas and utilities and recently updated it with even more features. ESNC Security Suite customers can use it as an add-on to their existing installations. The security package comes with the following features, in addition to the existing business risks and security signatures:
  • Industry specific business risks for Oil, Gas and Utilities sectors

  • Advanced persistent threat (APT) detection on SAP systems (new)

  • Industry specific security incident detection rules

  • Extended business risks for Utilities-Electric sector – grid transmission and distribution (new)


  • Fully customizable to integrate with existing business risk frameworks

  • Security rules focused on materials management, ERP and other components specific for Oil and Utilities (new)

  • Environmental health and safety (EHS) rules focused on SAP security

ESNC Security Suite Standard Modules

Pick and choose what is best for you

  • A01 – Audit and Assessment for SAP

    Our Audit & Assessment module allows you to focus on business risks via technical assessment of your SAP infrastructure and segregation of duties (SoD) analysis, where the focus is both on insider threats and Internet-based attack vectors.

  • P01 – SAP Penetration Testing

    Assurance testing / SAP penetration testing is an important part of the security lifecycle. We are the first to offer SAP penetration testing software for security professionals, internal audit teams, and auditing companies, where no technical background is required.

  • A02 – SAP PCI-DSS 3.0, ISO27001, SoX and Industry Specific Compliance

    Check your SAP system compliance against industry standard compliance frameworks such as ISO27001:2013, SoX, PCI-DSS 3.0 and more. Easily implement rules and checklists for your organizational compliance frameworks and baselines.

  • C01 – ABAP Code Security Assessment & Correction

    Securing self-developed ABAP programs, BSP pages, and DynPros is a difficult task for large organizations. With this module, any code that needs to go to production can be easily tested, and critical security issues such as ABAP injection or privilege escalation can be addressed before any incident takes place.

  • A03 – Remediation and Risk Management

    The Risk Management module adds enhanced SAP authorization/segregation of duties functionality and landscape-based dashboards which you can drill down into. It allows easier risk assessments with its increased analysis capability, supports you in getting the most out of SAP scan results, and simplifies SAP security review projects significantly.

  • R01 – Real-Time Monitoring & SAP Fraud Detection and Prevention

    SAP security efforts must focus on detecting hacking attempts and on prevention of any security breaches. Our module for enterprise threat detection raises alerts for hacking and fraud attempts in near real-time. The required actions can be directly triggered through SAP workflow and deadline monitoring to ensure incidents are investigated on time.

  • A04 – Security Policy Enforcement

    Real-time policy enforcement is a must to remain in a secure state. Accidental changes when adding a new application server instance to the SAP system can lead to insecure/misconfigured SAP settings becoming productive. New SAP systems can be set up without adhering to company policies. Define and set up organizational security policies and apply them automatically to any SAP system.

  • R02 – SIEM Integration

    Pre-collect and pre-correlate your SAP event information and automatically send this to any SIEM solution in its native format. ESNC’s long research and SAP background ensure that you get the right events pushed into your SIEM solution in real time.

How does it work?
  • Pick your modules – Easy and quick to install
  • Select systems for scan, no specialized SAP knowledge is required
  • Scan in minutes
  • Start automated mitigation process
  • Review results
  • Generate detailed reports
  • Automatically assign tasks
  • Repeat as required

Management Dashboards for Enhanced Visibility

ESNC Security Suite comes with 20+ built-in dashboards which are fully customizable. Separate dashboards are supplied for managers and for technical leads. You can focus on any system at any level of detail.

  • System security dashboards
  • ABAP code security overview
  • Real-time alerts and attack detection related dashboards
  • Fraud detection statistics
  • Business risks and business impact oriented data visualizations
  • Trending information
  • Patch management and missing patch information
  • User account security dashboards
  • System exposure overview
  • Remediation activity progress
  • Ability to drill-down into details of each landscape and SAP system

Many business risks can be easily eliminated by simple security measures

ESNC Security Suite “Automatic Prioritization” feature shows you which security gaps you should focus on first, based on your current business risks and systems interconnectivity.


ESNC’s SAP Security Pack for Mining and Metals Companies

The ESNC Security Suite Risk Management Module add-on for Mining and Metals companies provides built-in risk and attack detection capabilities specialized for these industries.

Mining and Metals are critical industries which have a direct effect on many other industries such as automotive, aerospace, high-tech and discrete manufacturing. Based on our research in these industries, we have created the SAP security pack for mining and metals. ESNC Security Suite customers can use it as an add-on to their existing installations. The security package comes with the following features, in addition to the existing business risks and security signatures:
  • Industry specific business risks for mining and metals sectors

  • Advanced persistent threat (APT) detection on SAP systems

  • Industry specific security incident detection rules

  • Extended business risks for the metal industry regarding on-time delivery/distribution of goods (new)


  • Fully customizable to integrate with existing business risk frameworks

  • Security rules focused on materials management, ERP and other components specific for mining and metals (new)

  • Environmental health and safety (EHS) rules focused on SAP security

Selected ESNC Customers

ESNC secures world class institutions and enterprises

Customer care

Faced a problem? No worries – our premium class customer support service is always ready to help you.


Extensive user manual




Dedicated support team

Support requests are processed on business days from 8:00 to 17:00 (Central European Time), normally within 24h, in the order they were received.

SAP Security Audits by ESNC

SAP Vulnerability Assessment by proven experts


  • SA1 – In-depth SAP Security Analysis

    We check your ABAP and Java AS systems, Hana systems, Solution Manager, SAP ERP, mobile platforms such as SAP Afaria, and all other SAP technologies in the assessment scope for vulnerabilities such as remote OS command execution, SoD authorization bypass and password theft, which can have direct business impact.

  • SA2 – ABAP Code Security Assessment

    We check your ABAP code against OWASP Top 10 vulnerabilities and ABAP-specific vulnerabilities such as ABAP injection, SQL injection, XSS and authentication bypass. We check your code for signs of ABAP backdoors and provide you with clear guidelines on how to mitigate discovered issues.

  • Focus on Your Business Risks

    With both SA1 and SA2, we analyze the security of your systems based on their business functionality and business impact. We present the root cause of the discovered issues to your management. We show you what you need to do to directly eliminate certain business risks via quick gains.

  • SAP Security Assessment Specific to Your Industry

    The requirements and security posture of an Oil and Gas company are different from those of, e.g., an enterprise in the retail sector. Similarly, a company in Utilities has a different threat landscape than a logistics provider. Our SAP security assessments are specific to your industry and business.

  • Detection of Existing Breaches and Fraud

    We analyze system logs, traces and business data via ESNC Security Suite Attack and Fraud Detection module to detect whether a breach of your system has actually happened.

    Did someone steal the customer list, download payroll information of the employees, change the bank details of a vendor and initiate a purchase? This and many other cases are covered. We also show when it was done and which person was responsible.

    Based on all the details available in the system, we show you the attack progress and whether any other SAP systems were compromised by the same attacker.

  • Answer to your question “What do we do next?”

    Prioritization of the security activities is one of the most important aspects of our SAP security review. Based on the security vulnerabilities in your SAP landscape and their interconnectivity, we tell you which SAP security issues you need to focus on the most for quick wins.

    We collaborate with your SAP and security teams and come up with an action plan to focus on the root causes to eliminate the chances that the issues will reappear even after fixing, based on the gaps in your business processes.

  • Mind-blowing Security Charts and Dashboards for Your Management

    With our multivector threat analysis feature, we analyze the inter-connectivity of your systems and present the findings to you with visualizations you have never seen before. The result is a very clear and understandable security posture of all of your SAP systems in scope, which any manager will easily understand and approve, even without any SAP background.

  • SAP Security Baselines for Sustainable Security

    On request, we work together with your SAP teams to develop SAP security hardening documents specific to your environment. The baselines cover ABAP security, SAP JAVA security, SAP BASIS security and user authorizations. They help align business requirements with proper security controls enterprise-wide, and they are the main input for security enforcement.

  • SAP Vulnerability Assessment by Proven Experts

    ESNC SAP security consultants have a proven track record, which is acknowledged by SAP. More than 101 SAP vulnerabilities have been discovered and reported by ESNC consultants. Our consultants understand the business and technical security very well and provide the best service to you. The results are astonishing and an eye opener, especially for management. Security projects in collaboration with ESNC will make you a shining star at your company.

  • Power and Speed by ESNC Security Suite

    ESNC SAP security consultants always use ESNC Security Suite during assessments. This gives them immense speed and accuracy for detecting the security issues and detecting whether the systems are already breached. The SAP security checks and automatic inventory detection done by our software can take man-months if done solely via consultancy. For critical checks such as password security analysis, it is the only tool available which can analyze the latest SAP password hashes.

ESNC Enterprise Threat Monitoring



Engineered in Germany

ESNC focuses heavily on SAP security research and innovation. To date, SAP AG has released patches for more than 101 SAP security vulnerabilities which ESNC reported. ESNC’s multivector threat analysis helps the largest corporations in the world to effectively prioritize SAP security tasks and secure their business.


ESNC ranked #89 at Cybersecurity 500


ESNC GmbH – Impressum

Nördliche Münchnerstr. 15a, 82031
Grünwald by Munich, Germany
Tel : +49 89 693 93 0 11
Geschaeftsfuehrer: Ertunga Arsal
HRB-Nr. 212274 Muenchen
USt-IdNr. DE 268107160

ESNC GmbH – Training Center

Highlight Towers
Mies-van-der-Rohe Str 4, 80807
Munich, Germany
Tel : +49 89 693 93 0 12