Open-source AI tool is available via invitation only under OWASP
INGOLSTADT, Germany--(BUSINESS WIRE)--A prominent SAP cybersecurity researcher has built an open-source AI tool that can help organizations defend against sophisticated SAP system attacks. The flipside is that the tool can also be used to infiltrate one exposed system, enabling the threat actor to control an organization’s entire SAP environment.


To exercise caution, SAPMAP is available by invitation only, according to Joris van de Vis, who built the tool during his spare time and released it under the OWASP Core Business Application Security (CBAS) project.
“It’s a tool for defenders to help them better protect themselves and raise awareness for the important topic of SAP security,” said Joris van de Vis, who has more than 25 years of experience in SAP security.
The restraint exercised in releasing SAPMAP follows a playbook from Anthropic, which announced its Claude Mythos Preview frontier model in April only to withhold it from general release, given its powerful capabilities and potential for abuse.
SAPMAP: like BloodHound for SAP environments
SAP systems, which support much of the world’s payroll, finance, manufacturing and supply chain operations, are connected by trust relationships that let one system command another. By mapping a system’s relationships and identifying weak points, attackers can grab a single foothold, yielding total control over everything a company runs.
SAPMAP shares similarities with BloodHound, an open-source penetration testing tool that also uses a mapping approach to exploit relationships in Microsoft Active Directory environments. Given the sheer scope of BloodHound’s influence, the tool permanently changing how enterprises defend themselves.
But Van de Vis, who also works as director of security research at SecurityBridge, a leading provider of SAP security solutions, said SAPMAP helps the SAP security community get rapid visibility into attack paths to give defenders a head start. He created the software to help security, operations and audit teams discover and map the attack surface of their SAP landscape, identify exposures and improve detection before an attacker does.
“SAPMAP shows what becomes possible when deep SAP expertise, open-source collaboration, and responsible security research come together,” said Waseem Ajrab and Julian Petersohn, OWASP Project Leaders. “The OWASP Core Business Application Security project is proud to sponsor this project to give defenders a clearer view of complex attack paths while treating its powerful capabilities with the caution they deserve.”
More about how SAPMAP works
SAPMAP maps an organization’s entire SAP environment. The tool automatically plots the attack from first foothold to full control, targeting 16 business impact scenarios. These include salary theft, vendor bank fraud, production sabotage and customer data breaches. Other attributes of SAPMAP include:
- 7 weaponized exploits, including CVE-2025-31324, the SAP flaw assumed to be exploited in recent real-world enterprise attacks, and a known root-level privilege escalation, CVE-2026-31431
- 72 CVEs cataloged, 1,817 automated tests, 16 business-impact scenarios
- Maps both on-premises SAP and SAP cloud (BTP), across the trust boundary, in both directions
SAPMAP is going out on a gated, invitation-only basis to SAP security experts. Enterprise security teams, vetted penetration testers and SAP security researchers can apply for access under strict terms. A public release will come later through the OWASP project.
Developers may register for early access to SAPMAP here.
About SecurityBridge
SecurityBridge is the leading provider of a comprehensive, SAP-native cybersecurity platform. Trusted by organizations worldwide to safeguard their most critical business systems. Our platform seamlessly integrates real-time threat monitoring, vulnerability management, and compliance capabilities directly into the SAP environment, empowering organizations to protect their data’s integrity, confidentiality, and availability with minimal manual effort. With a proven track record, including a stellar customer success rating and over 8,000 SAP systems secured globally. SecurityBridge stands out for its ability to accurately provide a 360° view of the SAP security posture, ease of use, rapid implementation, and transparent licensing. We are committed to innovation, transparency, and customer-centricity, ensuring businesses can confidently navigate the evolving landscape of SAP security threats.
Contacts
Media Contact:
Smriti Shakargaye
prforsecuritybridge@bospar.com





