Skip to content

SAP Systems in Mid-Market: Classical Security Monitoring Does Not Capture Them

The bottom line: Classical Managed Detection & Response cannot monitor SAP systems because proprietary data formats, missing connectors, and lack of contextual knowledge form three structural barriers.

SAP applications control critical business processes in mid-market companies ranging from financial accounting to production control, yet remain undetected by standard MDR solutions. Attackers deliberately exploit this security gap, while threats remain undiscovered for months.

Managed Detection & Response (MDR) was designed for Windows, Linux, and public cloud environments. The technical approach combines endpoint telemetry, network logs, and infrastructure signals with SOC analysts – an architecture that fails in the proprietary SAP world. Security-relevant events originate deep within the SAP application: in the Security Audit Log, in Change Documents, and in permission and table access. Classical OS or endpoint agents cannot reach this layer.

Three structural hurdles prevent SAP attacks from being detected: First, security-relevant data must be extracted from the core using SAP-specific means. Second, RFC calls, ABAP reports, and audit log entries follow proprietary formats that cannot be meaningfully ingested into the SIEM without SAP-specific connectors and parsers. Third, whether a posting is legitimate or an SAP_ALL permission is being abused can only be judged in the context of permission models and business processes – IT signatures are insufficient for this.

Effective SAP threat detection requires the interplay of three components: an SAP-capable data pipeline with specialized connectors, behavior-based analysis (UEBA) to detect atypical transaction patterns, and an SOC with SAP expertise. Only when these elements work together in an integrated manner do actionable security decisions emerge.

With the NIS2 Directive and the Law on the Federal Office for Information Security (BSIG), SAP security has become a management responsibility. Section 38 BSIG establishes personal liability of company management for effective cybersecurity – including oversight of the SAP landscape. Citing an existing MDR is insufficient if that MDR cannot see SAP. SAP systems are the most valuable and simultaneously the worst-monitored target in the mid-market.


Source: www.it-daily.net · Published 6 July 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification via Lumi News Pipeline v1.7.3.

Share on: