SAP security beyond patching: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter  

TL;DR: SAP remains a prime target because it holds critical business data, while attackers use public-facing exposures, identity abuse, and CVEs such as CVE-2025-31324 to reach databases and exfiltrate data, according to Acalvio. Preemptive deception, not prevention alone, is the practical control shift when patching lags and detection on SAP is incomplete.

NHIMG editorial — based on content published by Acalvio: Beyond patching, why preemptive defense is essential to secure SAP

Questions worth separating out

Q: How should security teams detect SAP compromise before data exfiltration starts?

A: Use decoys, honeytokens, and identity-aware monitoring to trigger on attacker interaction rather than waiting for log-based confirmation.

Q: Why do SAP service accounts create a governance gap for defenders?

A: SAP service accounts can become the shortest path from initial foothold to sensitive business data if they are over-trusted, poorly inventoried, or not monitored as identities.

Q: What breaks when EDR cannot be fully deployed on SAP systems?

A: When EDR coverage is limited on SAP hosts, defenders lose a major endpoint telemetry source and must rely on logs that may be incomplete or proprietary.

Practitioner guidance

  • Instrument SAP service accounts as attack-surface identities: inventory SAP-related service accounts, privileged connectors, and trusted pathways, then monitor them for unexpected use patterns and lookup activity.
  • Deploy decoys on internet-facing SAP surfaces: place realistic SAP NetWeaver decoys on exposed entry points that attackers are likely to probe, so scanning and exploitation attempts generate early alerts before production systems are touched.
  • Plant honeytokens in identity stores and endpoints: create convincing but controlled SAP service accounts in Active Directory and deceptive credentials on endpoints, then wire any usage attempt into SIEM and SOAR containment workflows.
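As an added example (not from Acalvio's post or this editorial), here is the detection logic the first and third bullets describe, run over constructed Windows Security logon events: any touch of a planted honeytoken account fires, and a real SAP service account logging on from a host outside its baseline is flagged. Account names, hostnames and the event shape are assumptions.

```python
"""Added example: honeytoken and baseline checks for SAP service accounts over
constructed Windows Security events. All names and hosts are hypothetical."""
from dataclasses import dataclass

# Honeytoken accounts planted in AD: look like real SAP service accounts but
# nothing legitimate uses them, so any authentication attempt is the signal.
HONEYTOKENS = {"svc_sap_rfc_prd", "svc_sap_basis_bak"}

# Baseline for genuine SAP service accounts: hosts they are expected to log
# on from. A logon from anywhere else is an "unexpected use pattern".
EXPECTED_SOURCES = {
    "svc_sap_hana_conn": {"sapapp01", "sapapp02"},
    "svc_sap_adcon": {"sapdc01"},
}

@dataclass(frozen=True)
class Alert:
    severity: str
    account: str
    source: str
    reason: str

def evaluate(events):
    """events: iterable of dicts with keys event_id, account, source_host.
    Honeytoken use is critical regardless of event type (a failed logon,
    4625, or a Kerberos ticket request, 4769, still means interaction);
    successful logons (4624) of real accounts are checked against baseline."""
    alerts = []
    for e in events:
        acct = e["account"].lower()
        src = e["source_host"].lower()
        if acct in HONEYTOKENS:
            alerts.append(Alert("critical", acct, src,
                                f"honeytoken used (event {e['event_id']})"))
        elif (acct in EXPECTED_SOURCES and e["event_id"] == 4624
              and src not in EXPECTED_SOURCES[acct]):
            alerts.append(Alert("high", acct, src, "logon from unexpected host"))
    return alerts

# Constructed sample events (Windows Security log event IDs)
SAMPLE_EVENTS = [
    {"event_id": 4624, "account": "svc_sap_hana_conn", "source_host": "SAPAPP01"},
    {"event_id": 4624, "account": "svc_sap_hana_conn", "source_host": "WKS-FIN-17"},
    {"event_id": 4625, "account": "svc_sap_rfc_prd", "source_host": "WKS-FIN-17"},
    {"event_id": 4769, "account": "svc_sap_basis_bak", "source_host": "sapapp02"},
    {"event_id": 4624, "account": "svc_sap_adcon", "source_host": "sapdc01"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the alert list feeds the SIEM/SOAR step the bullet mentions; here it is just returned so the logic can be checked.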

What's in the full article

Acalvio's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step deception playbook design for SAP NetWeaver and related systems.
  • Deployment patterns for SAP decoys, honeytokens, and internet-facing traps.
  • Example attack-path scenarios showing how attacker interaction triggers containment.
  • Automation details for triage, alerting, and refresh of deception assets.

👉 Read Acalvio's blog on preemptive defense for SAP security →
