Open Training Sessions
Creating an SAP Pentest Playbook based on BSI Guidelines and the Current SAP Threat Situation

Gain an overview of how the current threat situation in SAP systems is developing and learn how to check your SAP system for typical security vulnerabilities. This four-hour training begins by bringing you up-to-date  on the most current attack vectors being implemented in the business world and IT landscapes. Following this overview, you will learn how to gain a comprehensive assessment of the current security status of your SAP system without performing an elaborate pentest or audit. Finally, you will learn to set up a playbook for your SAP system and its security needs. The playbook is focused primarily on determining security checks in SAP system landscapes and is based on the BSI guideline APP 4.3 SAP ERP from the German Federal Office for Information Security. These contain the minimum requirements for a hardened and protected SAP system.  

€ 400
per learner

Live instructor

Marco Hammel


Maximum 14 Learners


4 hours


 Certificate Upon Completion

Start Date

18 November 2024

Who’s a Good Fit

  Application Security Experts
 Blue Teamers
 SAP Basis Administrators
 SAP Security Administrators
 SAP System Owners
 SAP IT Auditors

A Taste of What You Will Learn:

  • Gain an overview of the current SAP threat situation and identify the most important components for the protection of SAP systems
  • Gain insight into critical SAP security topics and learn general SAP security measures
  • Learn how to quickly check SAP systems for basic security and mitigate the most critical SAP security vulnerabilities  
  • Learn how to test all important components of an SAP system with test guidelines in accordance with BSI

Course Information

Who's a Good Fit
Practice Environment Tools

Information Security Line of Defense 

  • Application Security Experts
  • Blue Teamers

SAP Operations Line of Defense

  • SAP Basis Administrators
  • SAP Security Administrators
  • SAP System Owners

Audit Line of Defense

  • SAP IT Auditors

Who Else Might Be a Good Fit

The target group is all users who need to carry out a formal evaluation of SAP systems without having to go through the effort of a revision or an extensive pen test. Essential methods are described here using the example of the minimum requirements of the BSI guideline and translated into an action guideline.

NIST/NICE Cybersecurity Workforce Framework Work Roles

Work Role Title Work Role ID
SAP Security Control Assessor SP-RSK-002
(SAP) Secure Software Assessor SP-DEV-002
SAP Security Architect SP-ARC-002
SAP System Administrator OM-ADM-001
SAP IT Program Auditor OV-PMA-005


  • General understanding about SAP S/4HANA technology
  • General understanding about information system security measures such as authentication, access control, and encryption


  • Fundamental understanding about SAP system configuration and security settings

  • Basic understanding how to use the SAP Logon Pad


  • Basic understanding of the German BSI "Grundschutz" aka baseline security recommendation structure 
  • Basic knowledge about the "Dark Web"
  • Gerneral understanding about penetration testing and IT security audits


For this course you will use a lab environment hosted by us to practice.  The lab provides access to an SAP S/4HANA© landscape consisting of two  stages. You can access to environment by a virtual desktop system via  your browser with all necessary tools preinstalled

In Addition You Will Need:

  • A HTML5 ready browser preferably Edge, Chrome, Firefox
  • (optional) Zoom

SAP Security Training Overview

Number of Modules: 4
Duration: 1 half-day, 4 hours total, (9:00 – 13:00 CET)
Class size: 7-14 participants per class
Investment: €400 per person (excluding taxes excluded)
Software Version: Unrestricted
Instructor: Marco Hammel
Modules Covered in Training:
  • Current threat situation and general SAP security measures
  • Testing of all important components of an SAP system in accordance with BSI guidelines
  • Quick check of SAP systems for basic security
  • Mitigation of the most important SAP security vulnerabilities
*NO MONKEY SAP Security training content is referenced to existing standards for application security such as OWASP, NIST , and SAP recommendations.