Skip to content
aliter consulting mssp

SAP’s BloodHound Moment: SAPMAP Maps Attack Paths Across An Entire Landscape

author icon
SecurityBridge
July 15, 2026
4 min read

Chapters

Share Article

Let's Talk SAP Security

Have questions about SAP Security? We’re here to help. Contact Us

Open-source AI tool is available via invitation only under OWASP

INGOLSTADT, Germany – A prominent SAP cybersecurity researcher has built an open-source AI tool that can help organizations defend against sophisticated SAP system attacks. The flipside is that the tool can also be used to infiltrate one exposed system, enabling the threat actor to control an organization’s entire SAP environment.
To exercise caution, SAPMAP is available by invitation only, according to Joris van de Vis, who built the tool during his spare time and released it under the OWASP Core Business Application Security (CBAS) project.

To exercise caution, SAPMAP is available by invitation only, according to Joris van de Vis, who built the tool during his spare time and released it under the OWASP Core Business Application Security (CBAS) project.
“It’s a tool for defenders to help them better protect themselves and raise awareness for the important topic of SAP security,” said Joris van de Vis, who has more than 25 years of experience in SAP security.
The restraint exercised in releasing SAPMAP follows a playbook from Anthropic, which announced its Claude Mythos Preview frontier model in April only to withhold it from general release, given its powerful capabilities and potential for abuse.

“It’s a tool for defenders to help them better protect themselves and raise awareness for the important topic of SAP security,” said van de Vis, who has more than 25 years of experience in SAP security.

SAPMAP: like BloodHound for SAP environments

SAP systems, which support much of the world’s payroll, finance, manufacturing and supply chain operations, are connected by trust relationships that let one system command another. By mapping a system’s relationships and identifying weak points, attackers can grab a single foothold, yielding total control over everything a company runs.
SAPMAP shares similarities with BloodHound, an open-source penetration testing tool that also uses a mapping approach to exploit relationships in Microsoft Active Directory environments. Given the sheer scope of BloodHound’s influence, the tool permanently changing how enterprises defend themselves.
But Van de Vis, who also works as director of security research at SecurityBridge, a leading provider of SAP security solutions, said SAPMAP helps the SAP security community get rapid visibility into attack paths to give defenders a head start. He created software to help security, operations and audit teams discover and map the attack surface of their SAP landscape, identify exposures and improve detection before an attacker does.
“SAPMAP shows what becomes possible when deep SAP expertise, open-source collaboration, and responsible security research come together,” said Waseem Ajrab and Julian Petersohn, OWASP Project Leaders. “The OWASP Core Business Application Security project is proud to sponsor this project to give defenders a clearer view of complex attack paths while treating its powerful capabilities with the caution they deserve.”

More about how SAPMAP works

SAPMAP maps an organization’s entire SAP environment. The tool automatically plots the attack from first foothold to full control, targeting 16 business impact scenarios. These include salary theft, vendor bank fraud, production sabotage and customer data breaches. Other attributes of SAPMAP include:

  • 7 weaponized exploits, including CVE-2025-31324, the SAP flaw assumed to be exploited in recent real-world enterprise attacks, and a known root-level privilege escalation, CVE-2026-31431
  • 72 CVEs cataloged, 1,817 automated tests, 16 business-impact scenarios
  • Maps both on-premises SAP and SAP cloud (BTP), across the trust boundary, in both directions

SAPMAP is going out on a gated, invitation-only basis to SAP security experts. Enterprise security teams, vetted penetration testers and SAP security researchers can apply for access under strict terms. A public release will come later through the OWASP project.
Developers may register for early access to SAPMAP here.

About SecurityBridge

SecurityBridge is the leading provider of a comprehensive, SAP-native cybersecurity platform. Trusted by organizations worldwide to safeguard their most critical business systems. Our platform seamlessly integrates real-time threat monitoring, vulnerability management, and compliance capabilities directly into the SAP environment, empowering organizations to protect their data’s integrity, confidentiality, and availability with minimal manual effort. With a proven track record, including a stellar customer success rating and over 8,000 SAP systems secured globally. SecurityBridge stands out for its ability to accurately provide a 360° view of the SAP security posture, ease of use, rapid implementation, and transparent licensing. We are committed to innovation, transparency, and customer-centricity, ensuring businesses can confidently navigate the evolving landscape of SAP security threats.

Discover more

Text Base Post Tile
SAP Security Patch Day – July 2026
Stay informed with the latest updates from this July's SAP Security Patch Day - take action now to enhance your...
NIS2 and SAP 1
NIS2 and SAP: What the directive actually demands inside your ERP 
NIS2 and SAP: what the directive actually demands inside your ERP The NIS2 Directive is the European Union’s updated framework...
SAPs Updated API Policy A Security Perspective
SAP’s Updated API Policy: A Security Perspective
SAP’s Updated API Policy: A Security Perspective In April 2026, SAP released an updated version of the SAP API Policy....