Skip to content

SAP breach: First aid & what to do after

SAP breach

We know. You are reading this because you have been either recently breached or wondering what to do in such cases. Well, if that is the case, then you are in the right place. This article will talk about first aid after an SAP breach, how to mitigate its impact, and how to strengthen your SAP security posture in the future. As SAP systems are at the core of business processes in most corporations, they have become an “interesting” target for cyberattacks aiming for critical business data. So, protecting those systems will usually pay out within the first blocked attack.  

What is an SAP breach?

Before understanding what to do after a breach, we need to understand what a breach is and what can cause it. Any unauthorized access or exploitation of vulnerabilities within an SAP system classifies as an SAP breach. Usually, these breaches lead to data loss that may result in financial losses and reputational damage. A breach in SAP can be caused by different attack vectors like:  

  1. Unapplied SAP security patches can expose vulnerabilities for attackers to use for breaching systems.  
  2. Insiders, either an employee or more probably an external with a highjacked user account, can gain unauthorized access to your SAP systems and cause a security breach from within your organization.  
  3. Code vulnerabilities within your SAP custom applications can be used by any user with system access to perform a cyber-attack.  
  4. One or multiple system misconfigurations can also create an attack vector for hackers to initiate one of the abovementioned or to perform a dedicated SAP breach.  

What to do after an SAP breach?

Now that we’ve covered the various attack vectors of an SAP breach, we can look at a first aid plan in such cases. Whenever you encounter an SAP breach, you need to focus on limiting the damage and restoring your security posture. With the following 10 steps, you ensure that you are responding to an attack in the right way:

  1. As soon as you identified the breach, lock identified user accounts involved in the attack or isolate identified clients from the network. If not possible isolate the entire system, e.g., by cutting off the internet connection of the system, to prevent more unauthorized access.
  2. Immediately assemble a threat response team consisting of SAP administrators, experts, and stakeholders.
  3. Save all security-related SAP logs, like the Security Audit Log, HANA audit log, and JAVA audit log and initiate a forensic analysis and correlate them on a time scale.
  4. Identify critical events or activity patterns and gather additional events within the same period to understand the attack vector and impact of the breach.
  5. In parallel to the forensic activities make sure you comply with legal and regulatory requirements. Notify all relevant parties and be transparent so all affected parties can take the necessary precautions. This can also aid you in supporting a potential legal investigation.
  6. Patch all vulnerabilities, update security configurations, and remediate as much as possible what can compromise the security of your systems, at least the issues related to the breach.
  7. Reactivate normal SAP operations step by step and monitor closely all SAP security logs for some time to ensure secure operations.
  8. To avoid future breaches, make sure you improve your overall security posture. Strengthen your security controls by extending the scope of the activities from item 6 following common SAP security frameworks like NIST or the SAP Security Recommendations.
  9. Consider setting up a process for SAP users to be informed when their credentials are used from a new device and a simple feedback channel, e.g., email, to the SAP security team in case they detect a misuse. You find a good example of such Identity Protection here.
  10. Consider implementing comprehensive SAP Thread Detection solutions with Zero Day threat coverage and anomaly detection features like the one from SecurityBridge. Also, include automation capabilities for efficient SAP security operations.


Experiencing an SAP breach is a challenging event, but by following an attack response plan and acting quickly you can minimize the impact and consequences of the breach. Leveraging third-party security solutions and platforms for SAP can help you improve your thread response performance, the efficiency of your SAP security posture and finally harden your SAP system. SecurityBridge provides all necessary tools for your landscape. We help you all the way from incident forensics to threat intelligence and system hardening. With our guided approach to SAP security excellence, you reduce your overall SAP security risk and can act quickly even in case of a zeroday vulnerability. Have we caught your eye? Learn more and book a free demo here! 

Posted by 

Ivan Mans

Find recent Security Advisories for SAP©

Looking into securing your SAP landscape? This white-paper tells you the “Top Mistakes to Avoid in SAP Security“. Download it now.