Version 2.0 of the Cybersecurity Extension for SAP is now available, introducing major enhancements to protect business-critical SAP solutions. Key updates include support for SAP NetWeaver AS Java, powerful anomaly detection capabilities, over 400 new threat detection patterns, and updated compliance checks for the latest SAP security benchmarks.
Executive Summary
Layer Seven Security’s release of the Cybersecurity Extension for SAP version 2.0 significantly expands its protection capabilities for complex SAP landscapes. A primary enhancement is the introduction of full support for SAP NetWeaver AS Java systems, including vulnerability management and log monitoring for solutions like SAP Enterprise Portal, PO/PI, and SAP IdM. The NetWeaver Edition now incorporates anomaly detection, a feature previously exclusive to the Solution Manager Edition, to identify zero-day attacks, insider threats, and suspicious behavior that evades traditional signature-based methods. Furthermore, the update adds over 400 new threat detection patterns, bringing the total to more than 1500, which strengthens its ability to find Indicators of Compromise (IOCs) across various SAP logs. Finally, version 2.0 aligns its automated compliance audits with the latest standards, including the SAP Security Baseline 2.6, the S/4HANA 2025 Security Guide, and mandatory requirements for SAP RISE, now with extended coverage for HANA and AS Java systems.
Key Takeaways
- Expanded AS Java Support: Full coverage for SAP NetWeaver AS Java solutions, including vulnerability management and security note discovery.
- Anomaly Detection Enabled: The NetWeaver Edition now detects zero-day attacks, brute force attempts, and insider threats using behavioral analysis.
- 400+ New Threat Patterns: Total threat detection patterns now exceed 1500, detecting a wide range of Indicators of Compromise (IOCs).
- Updated Compliance Frameworks: Aligned with the latest SAP Security Baseline (v2.6), S/4HANA Security Guide (2025), and SAP RISE requirements.
- Broader RISE/Cloud ERP Checks: Compliance coverage for SAP RISE is now extended to include SAP HANA and AS Java solutions.
What New Coverage is Available for SAP NetWeaver AS Java?
Version 2.0 of the Cybersecurity Extension for SAP now provides comprehensive coverage for SAP NetWeaver AS Java solutions such as SAP Enterprise Portal, Process Orchestration (PO) / Process Integration (PI), SAP Solution Manager, and SAP Identity Management (IdM). This includes vulnerability management for core components such as the Gateway Server, Message Server, and Internet Communication Manager (ICM). The release also adds automated discovery of relevant SAP Security Notes for AS Java, including Known Exploited Vulnerabilities (KEV) reported by CISA. Crucially, it supports deep log monitoring to detect security incidents such as user/role changes, system modifications, and exploitation attempts against vulnerabilities such as RECON, Log4j, and CVE-2025-31324.
What Anomaly Detection Capabilities Are Included?
Anomaly detection is now fully enabled in the NetWeaver Edition of the Cybersecurity Extension for SAP. This feature, previously only in the Solution Manager Edition, is a powerful method for identifying potential zero-day attacks that lack known signatures. It is also highly effective at detecting brute force attacks, advanced persistent threats (APTs), and insider threats such as privilege abuse, fraud, or suspicious user actions that deviate from established normal behavior.
How Has Threat Detection Been Improved?
Version 2.0 delivers a major increase in threat detection coverage, adding over 400 new patterns to identify Indicators of Compromise (IOCs) in SAP logs. These new patterns detect suspicious activities such as calls to vulnerable function modules, unauthorized file downloads, access to critical tables, directory traversal exploits, and the start of dangerous transactions.
This addition solidifies the Cybersecurity Extension for SAP’s position as the market leader in threat detection coverage.
Threat Detection Pattern Comparison
The table below compares the number of threat detection patterns available in the Cybersecurity Extension for SAP versus SAP Enterprise Threat Detection (ETD).
| Solution | Threat Detection Patterns |
|---|---|
| Cybersecurity Extension for SAP | 1500+ |
| SAP Enterprise Threat Detection (ETD) | ~200 |
Which SAP Compliance Frameworks Are Updated?
The Cybersecurity Extension for SAP automates compliance audits against numerous security frameworks, including GDPR, NIST, SOX, and PCI-DSS. Version 2.0 updates these checks to align with the latest SAP benchmarks, including version 2.6 of the SAP Security Baseline and the Security Guide for SAP S/4HANA 2025. In addition to updating checks for ABAP solutions from note 3250501, the new version extends compliance coverage for SAP RISE / Cloud ERP to include SAP HANA and AS Java, as defined in notes 3480723 and 3381209.
What’s Coming in Future Releases?
Layer Seven Security has outlined a roadmap for continued enhancements to align the NetWeaver Edition with the Solution Manager Edition and introduce new capabilities.
Planned for Version 3.0
- Support for SAP BTP and SAP Cloud Connector
- Support for SAProuter and Web Dispatcher
- OS monitoring for RHEL & SUSE, including vulnerability scanning
- Email notifications for security alerts
- Report automation, scheduling, and distribution
Planned for 2026
- Support for SAP SuccessFactors and SAP S/4HANA Public Edition
- Data Loss Protection (DLP) capabilities
- Extended checks for critical access and Segregation of Duties (SoD) in SAP S/4HANA
Frequently Asked Questions (FAQ)
What is the main benefit of anomaly detection?
Anomaly detection helps detect potential zero-day attacks, insider threats, and advanced persistent threats that don’t have known signatures, which conventional pattern-matching techniques would miss.
How many threat detection patterns does version 2.0 have?
Version 2.0 includes over 1500 threat detection patterns, with more than 400 new patterns added in this release. This is significantly more than the approximately 200 patterns in SAP Enterprise Threat Detection.
Which SAP solutions are now covered for SAP RISE compliance?
Version 2.0 extends the mandatory security requirement checks for SAP RISE / Cloud ERP to include not only ABAP systems but also SAP HANA and SAP AS Java solutions.
What is planned for the next release (version 3.0)?
Version 3.0 is planned to add support for SAP BTP, SAP Cloud Connector, SAProuter, and Web Dispatcher, as well as OS-level monitoring, email alerts, and report automation.