What’s New in the Cybersecurity Extension for SAP Version 2.0
Building upon the successful release of the initial version of the NetWeaver Edition of the Cybersecurity Extension for SAP earlier this year, Layer Seven Security is pleased to announce the upcoming availability of version 2.0. The new release includes important enhancements including support for SAP NetWeaver AS Java, anomaly detection to identify unusual or suspicious activity, the addition of more than 400 new threat detection patterns, and updates for SAP compliance frameworks including the SAP Security Baseline, S/4HANA Security Guide, and mandatory security requirements for SAP RISE / Cloud ERP. The enhancements significantly improve protection for business-critical SAP solutions against advanced cyber threats.
SAP NetWeaver AS Java
The new release of the Cybersecurity Extension for SAP provides coverage for SAP NetWeaver AS Java solutions such as the SAP Enterprise Portal, Process Orchestration (PO) / Process Integration (PI), SAP Solution Manager, and SAP Identity Management (SAP IdM). Version 2.0 supports vulnerability management for AS Java systems including components such as the Gateway Server, Message Server, and Internet Communication Manager (ICM). It also supports the automated discovery of relevant SAP Security Notes for AS Java systems. This includes SAP Java notes for Known Exploited Vulnerabilities (KEV) reported by the U.S Cybersecurity and Infrastructure Security Agency (CISA). Finally, the new release supports monitoring for AS Java logs to detect and alert for security incidents such as user and role changes, system changes, calls for vulnerable servlets including the invoker servlet, and patterns to detect the potential exploitation of AS Java vulnerabilities such as RECON, Log4J and the recent vulnerability detailed in CVE-2025-31324, impacting the SAP NetWeaver Visual Composer Metadata Uploader.
Anomaly Detection
Anomaly detection is a powerful method for detecting potential zero-day attacks without known signatures, brute force attacks, and advanced persistent threats that are difficult to detect using conventional pattern matching techniques. It can also detect insider threats such as privilege abuse or escalation, fraud, and suspicious user actions that deviate from normalized patterns of behavior. Although the Solution Manager Edition of the Cybersecurity Extension for SAP supported anomaly detection for SAP solutions, this feature was not included in the initial release of the NetWeaver Edition. Version 2.0 includes full enablement of anomaly detection in the NetWeaver Edition.
Threat Detection
Version 2.0 of the Cybersecurity Extension for SAP includes a significant increase the volume of threat detection patterns for SAP solutions. It delivers more than 400 new patterns to detect Indicators of Compromise (IOC) in various SAP logs. This includes calls to vulnerable function modules and reports, suspicious file downloads, access to critical tables, directory traversal exploits, and dangerous transaction starts. The addition strengthens the position of the Cybersecurity Extension for SAP as the leading threat detection solution for SAP solutions in terms of coverage. The most recent version of the solution includes more than 1500 threat detection patterns. In comparison, the current version of SAP Enterprise Threat Detection (ETD) includes approximately 200 patterns.
SAP Security Compliance
The Cybersecurity Extension for SAP automates compliance audits for SAP solutions. The solution discovers compliance gaps against multiple security frameworks including GDPR, NIST, SOX and PCI-DSS. It also monitors compliance with SAP security standards such as the SAP Security Baseline, the Security Guide for SAP S/4HANA, and mandatory security requirements for SAP RISE / Cloud ERP solutions defined by SAP Enterprise Cloud Services (ECS). Version 2.0 aligns compliance checks with the latest SAP benchmarks. This includes version 2.6 of the SAP Security Baseline and the Security Guide for SAP S/4HANA 2025. In addition to updating checks for ABAP solutions defined in the latest version of note 3250501, the new version extends coverage for SAP RISE / Cloud ERP checks to include SAP HANA and SAP AS Java solutions. The requirements for these areas are defined in SAP notes 3480723 and 3381209.
What to Expect in Version 3.0
Key updates for the next release of the NetWeaver Edition of the Cybersecurity Extension for SAP include:
- Support for SAP BTP and SAP Cloud Connector
- Support for SAProuter and Web Dispatcher
- Support for RHEL & SUSE OS monitoring including vulnerability scanning and log monitoring
- Email notifications for security alerts
- Report automation including scheduling and distribution
The updates will align the capabilities of the NetWeaver Edition with the Solution Manager Edition, enabling existing customers to transition smoothly to the latest platform without any loss in coverage or functionality.
Looking Ahead to 2026
Next year’s roadmap for the Cybersecurity for SAP includes planned enhancements that will improve the user experience and reinforce it’s standing as the leading cybersecurity solution for SAP systems. This includes:
- Support for SAP SuccessFactors
- Support for SAP S/4HANA Public Edition
- Data Loss Protection (DLP) including threat detection patterns and alerts for unauthorized access to sensitive data in SAP solutions
- Extended checks for critical access and segregation of duties in SAP S/4HANA including a dedicated application to support cross-application user access and role analysis
We extend our best wishes for a Happy Thanksgiving to our customers in the United States and look forward to supporting you in the months ahead.