SecurityBrief Ireland - Technology news for CISOs & cybersecurity decision-makers
Ireland
SecurityBridge launches SAPMAP to map attack paths

SecurityBridge launches SAPMAP to map attack paths

Thu, 16th Jul 2026 (Today)
Joseph Gabriel Lagonsin
JOSEPH GABRIEL LAGONSIN News Editor

SecurityBridge Director of Security Research Joris van de Vis has launched SAPMAP, an open-source AI tool designed to map attack paths across SAP environments. It is being made available on an invitation-only basis through the OWASP Core Business Application Security project.

SAPMAP is designed to show how a weakness in one SAP system could provide a route into other connected systems across the same landscape. It maps relationships between systems and identifies possible paths from an initial compromise to broader control of business processes.

SAP environments sit at the centre of many companies' finance, payroll, manufacturing and supply chain operations. SAP customers account for 84% of global commerce, or about USD $46 trillion, according to SAP figures cited by SecurityBridge, helping explain why a security issue in one connected system can have wider consequences.

How it works

The software maps an organisation's SAP environment and automatically plots attack routes tied to 16 business impact scenarios, including salary theft, vendor bank fraud, production sabotage and customer data breaches.

It also catalogues 72 CVEs and runs 1,817 automated tests, according to details released with the launch. The tool covers both on-premises SAP systems and SAP cloud environments on SAP BTP, tracing relationships across the trust boundary in both directions.

The release includes seven exploits, including CVE-2025-31324 and CVE-2026-31431. The first was described as a flaw assumed to have been exploited in recent enterprise attacks, while the second was identified as a root-level privilege escalation issue.

Controlled access

Access to SAPMAP is restricted because the same mapping and testing approach that could help defenders assess weak points could also be used by attackers. Enterprise security teams, vetted penetration testers and SAP security researchers can apply for access under strict terms, with a broader public release planned later through the OWASP project.

Van de Vis built the tool in his spare time and released it under the OWASP Core Business Application Security project. He has more than 25 years of experience in SAP security and leads security research at SecurityBridge.

"It's a tool for defenders to help them better protect themselves and raise awareness for the important topic of SAP security," said Joris van de Vis, Director of Security Research at SecurityBridge.

The launch has been compared with BloodHound, the open-source tool used to map attack paths through Microsoft Active Directory environments. In that model, defenders use the same visibility into trust relationships that attackers might exploit, allowing security teams to identify high-risk paths before they are abused.

For SAP users, the issue is similar in principle but tied to business application estates rather than directory services. Trust relationships between ERP systems, cloud services and connected business applications can allow one compromised system to issue commands or gain access elsewhere.

Open-source backing

OWASP's Core Business Application Security project is sponsoring the release. Its involvement places SAPMAP within a broader open-source security community focused on business applications rather than the more commonly scrutinised operating systems, browsers or network tools.

In a joint comment, the OWASP project leaders underlined both the software's defensive purpose and the need to limit distribution. "SAPMAP shows what becomes possible when deep SAP expertise, open-source collaboration, and responsible security research come together," said Waseem Ajrab and Julian Petersohn, OWASP Project Leaders.

"The OWASP Core Business Application Security project is proud to sponsor this project to give defenders a clearer view of complex attack paths while treating its powerful capabilities with the caution they deserve," Ajrab and Petersohn said.

The launch reflects a broader shift in cyber security towards tools that model relationships across complex technology estates rather than flag isolated vulnerabilities. In large SAP environments, where core applications often span cloud and on-premises systems, the key question is not only whether a flaw exists, but whether it opens a path to critical finance, payroll or operational systems.

That is the problem SAPMAP is intended to surface before an intruder does, combining system mapping, known vulnerabilities and business impact scenarios into a single view.