Gain more coverage at a lower cost than SAP RISE security solutions and services. Secure your application and data layers in SAP Cloud ERP with the industry’s most comprehensive SAP cybersecurity solution.
Adopting SAP RISE changes the security model from a fully customer-managed approach to a shared responsibility framework. SAP is responsible for securing the underlying hyperscaler, infrastructure, network, servers, and databases, while customers retain responsibility for protecting the application and data layers. SAP offers optional Cloud Application Services (CAS) to help address these responsibilities, but the services can involve multiple licenses and fragmented capabilities.
Layer Seven Security provides a unified, SAP-certified alternative that delivers stronger vulnerability management, broader custom code analysis, and more extensive threat detection within an integrated solution and a substantially lower total cost of ownership.
The transition from on-premise SAP to SAP RISE represents an important shift in security ownership. Although SAP takes on responsibility for infrastructure operations in SAP RISE, customers retain full accountability for securing their most valuable assets, including the application and data layers.
SAP RISE includes basic security support. However, more advanced functions require optional Cloud Application Services (CAS) or separate solutions. The Cybersecurity Extension for SAP from Layer Seven Security provides a unified, cost-effective alternatives to such services and solutions.
| Security Scenario | Standard RISE Service / Solution | Optional RISE Service / Solution | Layer Seven Security |
|---|---|---|---|
|
Access Risk Analysis |
|
Segregation of Duties Check |
|
|
Vulnerability & Compliance Management |
|
Application Security Monitoring |
|
|
Custom Code Security |
|
SAP Code Vulnerability Analyzer |
|
|
Security Patching |
|
Application Security Updates |
|
|
Threat Detection & Response |
|
SAP Enterprise Threat Detection Cloud Edition |
|
|
Security Dashboard |
|
SAP Analytics Cloud |
|
RISE customers are responsible for managing user permissions and ensuring access to critical roles is compliant with the principle of Segregation of Duties (SoD). While SAP offers an optional CAS to detect these risks using the standard GRC ruleset, the Cybersecurity Extension for SAP performs these checks using a ruleset benchmarked against SAP GRC, integrated directly into your S/4HANA Fiori environment.
| Access Risk Analysis | SAP RISE Standard | SAP RISE Optional CAS / Solution1 | Layer Seven Security |
|---|---|---|---|
|
Critical Access & SoD Checks for S/4HANA |
|
|
|
|
Scanning Interval |
None |
On Demand |
Daily |
|
Detailed Reporting including Risk Analysis & Recommendations |
|
|
|
|
Report Scheduling including Automatic Email Distribution |
|
|
|
|
Dashboard & Trend Analysis Integration |
|
|
|
|
Ruleset Customization |
|
|
|
|
Support for User Exclusions |
|
|
|
*1 Advanced Security & Compliance CAS (Segregation of Duties Check)
You are responsible for the secure configuration of applications in SAP RISE. SAP offers an additional CAS (not included in standard RISE) to perform security checks via SAP Solution Manager. The Cybersecurity Extension for SAP performs more extensive checks without the need for a Solution Manager installation, enabling you to detect compliance gaps with settings mandated by SAP Enterprise Cloud Services (ECS).
| Vulnerability & Compliance Management | SAP RISE Standard | SAP RISE Optional CAS / Solution1 | Layer Seven Security |
|---|---|---|---|
|
SAP Solution Manager Installation Required in Customer SAP Landscape |
|
|
|
|
Support for ABAP |
|
|
|
|
Support for HANA |
|
|
|
|
Support for Java |
|
|
|
|
Support for ASE Database |
|
|
|
|
Support for Linux OS |
|
|
|
|
Quantity of Security Checks |
None |
Low |
High2 |
|
Automated Compliance Gap Assessments for Security Frameworks including Custom Security Policies |
|
|
|
|
Report Scheduling including Automatic Email Distribution |
|
|
|
|
Dashboard & Trend Analysis Integration |
|
|
|
|
Alert Integration |
|
|
|
|
Integration with Custom Code Security Scanning |
|
|
|
|
Security Check Customization including Exclusions for Systems & Users |
|
|
|
|
Remediation Management |
|
|
|
*1 Advanced Security & Compliance CAS (Application Security Monitoring)
*2 4000+ system vulnerability checks in Cybersecurity Extension for SAP v5.1
*3. Supported frameworks include CIS, NIST, GDPR, ISO-27000, PCI-DSS, SOX, SAP S/4HANA Security Guide, SAP Security Baseline, and SAP RISE
Maintaining secure custom code—including programs migrated from ECC to S/4HANA—is a 100% customer responsibility in RISE. While you can license SAP Code Vulnerability Analyzer (CVA) as an add-on, it is restricted primarily to ABAP. Our extension includes a higher number of test cases and provides critical security scanning for SAPUI5 applications.
| Custom Code Security | SAP RISE Standard | SAP RISE Optional CAS / Solution | Layer Seven Security |
|---|---|---|---|
|
Support for ABAP Code |
|
|
|
|
Support for SAPUI5 Code |
|
|
|
|
Quantity of Security Code Checks |
None |
70+2 |
300+3 |
|
Support for Centralized Scanning |
|
|
|
|
Integration with ABAP Test Cockpit and SAP Code Inspector |
|
|
|
|
Report Scheduling including Automatic Email Distribution |
|
|
|
|
External Call Analysis for Custom Programs |
|
|
|
|
Dashboard & Trend Analysis Integration |
|
|
|
|
Support for Exclusions |
|
|
|
*1 SAP Code Vulnerability Analyzer (SAP CVA)
*2 SAP CVA for SAP Basis 757 SP02
*3 Cybersecurity Extension for SAP v5.1
Monitoring and investigating security incidents in SAP applications is a mandatory customer responsibility. SAP’s optional CAS uses ETD Cloud Edition but often excludes the monitoring of HANA logs. The Cybersecurity Extension for SAP includes 1,200+ detection patterns (compared to 100+ in CAS) and provides full visibility into your HANA database logs.
| Threat Detection & Response | SAP RISE Standard | SAP RISE Optional CAS / Solution1 | Layer Seven Security |
|---|---|---|---|
|
SAP Enterprise Threat Detection License Required |
|
|
|
|
Support for ABAP |
|
|
|
|
Support for HANA |
|
|
|
|
Support for Java |
|
|
|
|
Support for ASE Database |
|
|
|
|
Support for Linux OS |
|
|
|
|
Support for SAProuter & SAP Web Dispatcher |
|
|
|
|
Quantity of Patterns |
None |
100+ |
1000+2 |
|
Detection of Actively Exploited Vulnerabilities |
|
|
|
|
Forensic Analysis of SAP Logs |
|
|
|
|
Custom Threat Patterns and Alarms |
|
|
|
|
SIEM Integration |
|
|
|
|
Alert Tuning including Exclusions |
|
|
|
|
Incident Response |
|
|
|
|
Report Scheduling including Automatic Email Distribution |
|
|
|
|
Dashboard Integration |
|
|
|
|
Trend Analysis Integration |
|
|
|
*1 SAP Enterprise Threat Detection Cloud Edition & Advanced Security & Compliance CAS (SAP ETD)
*2 Cybersecurity Extension for SAP v5.1
*3 SAP Cloud Analytics LOB Business Content Package
Standard RISE covers the calculation of relevant notes, but customers are responsible for identifying and applying application-specific security notes. SAP offers a CAS for this, but it excludes support for manual corrections and testing. We automate the discovery of all security notes and provide full status tracking for the required patches.
| Security Patching | SAP RISE Standard | SAP RISE Optional CAS / Solution1 | Layer Seven Security |
|---|---|---|---|
|
Calculation of Relevant Security Notes |
|
|
|
|
Automatic Check for Implementation Status of Security Notes to Remove Installed Notes from Calculated Results |
|
|
|
|
Implementation of Security Notes for SAP Basis/ ABAP |
|
|
|
|
Implementation of Application-Level Security Notes |
|
|
|
|
Implementation of Security Notes with Manual Corrections |
|
|
|
|
Testing for Security Notes |
|
|
|
|
Report Scheduling including Automatic Email Distribution |
|
|
|
|
Dashboard & Trend Analysis Integration |
|
|
|
*1 Application Security Updates CAS
Standard RISE services do not include a security dashboard for KPI monitoring. While you can subscribe to an SAC-based dashboard from SAP, it requires multiple separate licenses (ETD, Focused Run, Risk Management) to function. Our extension provides an interactive dashboard, trend analysis, and threat maps as a native, all-in-one feature.
| Security Dashboard | SAP RISE Standard | SAP RISE Optional CAS / Solution1 | Layer Seven Security |
|---|---|---|---|
|
SAP Analytics Cloud Required |
|
|
|
|
SAP Enterprise Threat Detection Required |
|
|
|
|
SAP Focused Run Required |
|
|
|
|
SAP Risk Management Required |
|
|
|
|
Drilldown from Summarized Results to Detailed Risks, Alerts and Security Notes |
|
|
|
|
Interactive Stacked Cards for Viewing Critical Risks, Alerts and Security Notes |
|
|
|
|
Create and Publish Multiple Dashboards with Unique Filter Settings for Business Units and Security Domains |
|
|
|
|
Threat Map for Analyzing Results by Geographical Location |
|
|
|
|
Trend Analysis for Analyzing Changes in Security Results |
|
|
|
*1 SAP Analytics Cloud LOB Business Content Package
Layer Seven Security is the strategic choice for SAP RISE customers.
A unified alternative to multiple SAP RISE offerings.
Installs via standard SAP tools (SAINT) in hours, not weeks.
Built-in automation for mandatory security hardening required by SAP Enterprise Cloud Services (ECS).
Layer Seven Security enable organizations to secure application and data layers for solutions in SAP RISE as part of the shared model by through a unified, SAP-certified platform for access risk analysis, vulnerability and compliance management, custom code security, patch management, and threat detection. The Cybersecurity Extension for SAP supports critical access and segregation-of-duties analysis for SAP S/4HANA, automated vulnerability and compliance assessments across ABAP, HANA, and BTP, code vulnerability analysis for both custom ABAP and SAPUI5 applications, lifecycle support for identifying and managing relevant security notes, and threat detection across SAP application, HANA and cloud logs.
Yes. The solution is SAP-certified for integration with SAP S/4HANA and is fully optimized for SAP RISE and Cloud ERP environments managed by SAP Enterprise Cloud Services (ECS).
Firstly, Layer Seven Security consolidate capabilities that SAP offers separately, such as vulnerability management, compliance reporting, patch management, custom code security, access risk analysis, and threat detection, into one platform and one subscription, which provides a broader, more unified alternative to multiple SAP RISE offerings.
Secondly, the commercial model for Layer Seven Security provides a lower total cost of ownership. The Cybersecurity Extension for SAP delivers broader coverage at lower cost than equivalent SAP services and solutions in a competitively priced unified platform.
Thirdly, Layer Seven Security reduce operational complexity. Instead of managing separate SAP tools or service packages for different security functions, the Cybersecurity Extension for SAP provides a single integrated platform, which can simplify procurement, deployment, administration, and ongoing maintenance. The architecture avoids additional infrastructure to support faster rollout and easier maintenance compared to SAP offerings.
Overall, Layer Seven Security replace multiple SAP packages, services, and solutions with one SAP-certified platform that reduces cost, simplifies administration, and provides broader security coverage.
No. The Cybersecurity Extension for SAP is installed and maintained directly by SAP customers in RISE solutions. It does not require assistance from SAP ECS and there is no requirement for additional servers, connections or users.
Schedule a live demo of the Cybersecurity Extension for SAP to see how we can secure your RISE environments.
Download the free guide to the shared model of responsibility for security in SAP RISE and security-related packages and services.
3