Specialist SAP® cybersecurity. Built for Australian enterprise.
Independent assessment, penetration testing and advisory — for SAP customers evaluating RISE, mid-implementation, or running live.
Fast to scope. Fixed scope after scoping call. Audit-ready evidence.
Built for regulated and business-critical SAP environments — Australian and New Zealand listed organisations, government, and critical infrastructure.
The gap no one else fills.
Your cyber team runs CrowdStrike, Sentinel and Splunk. None of them see inside SAP. Your SAP team manages roles and transports. Neither speaks ISM or Essential Eight.
sapcyberx sits at the intersection. We translate SAP risk into cyber language. We map SAP findings to the frameworks your board and auditors already use.
- —Corporate IAM to SAP IAM. We bridge both.
- —Enterprise cyber frameworks to SAP controls. We map both.
- —Independent pen testing scoped to SAP RISE, S/4HANA and BTP. Delivered to your cyber team's standard, not just SAP's.
Two core services. Two methodologies.
SAP Cyber Assessment
A 14-day structured assessment of your SAP landscape. Benchmarked against ISM, Essential Eight and NIST. Every finding mapped to the Three-Bucket Method™ — so your team knows exactly who fixes what and at whose cost.
Learn more →SAP Penetration Testing
A structured adversarial test of your SAP environment. RFC Gateway, ABAP custom code, Fiori, OData, identity federation and RISE cloud layer. Scoped independently. SAP NDA managed. Delivered to your cyber team's reporting standard.
Learn more →The Three-Bucket Method™
Every finding allocated to one of three remediation buckets. Your team knows what to do next.
SAP-free
Fixed by SAP ECS under your existing RISE contract.
SAP-billable
Requires an ECS Service Request. We benchmark cost.
Customer-owned
Yours to remediate. We provide the playbook.
Which service do I need?
| Your situation | Best starting point |
|---|---|
| Considering SAP RISE | Pre-RISE Security Review |
| 3–6 months from go-live | In Deployment support |
| Need independent testing | SAP Penetration Test |
| Already live, want to strengthen posture | 14-Day SAP Cyber Assessment |
| Identity or GRC modernisation | Talk to us about capabilities |
| Joule or BTP-AI workloads | Talk to us about capabilities |
Where you are on your SAP journey
Supporting capabilities
SAP AI Security · SAP BTP Security · SAP Identity (IAS, IAG, GRC Bridge) · Cyber Architecture
Explore capabilities →Frequently asked questions
What does SAP cybersecurity actually cover?
Application security, identity, custom code, database, BTP and Cloud Connector, AI integrations, and monitoring. It complements network and endpoint cyber rather than replacing them.
How is sapcyberx different from a general cyber consultancy?
SAP cyber is our core specialisation. Methodology, tooling and SAP engagement process are productised — which means faster delivery and more relevant findings than a general practice can offer.
Do you work with organisations not yet on RISE?
Yes. We work with organisations across all stages — evaluating cloud ERP options, mid-implementation on S/4HANA or ECC, and on-premise landscapes considering a future move to the cloud. RISE is not a prerequisite to engage us.
How does pricing work?
Most engagements are fixed scope after scoping call. Request a quote.