Layer Seven Security Announces Cybersecurity Extension for SAP Version 2.0 with Major Advancements in Threat Detection and Compliance
Key Takeaways
Version 2.0 of the Cybersecurity Extension for SAP expands platform coverage, enhancing protection for SAP NetWeaver AS Java systems and introducing advanced log monitoring and vulnerability management.
The update features AI-driven anomaly detection and over 400 new Indicators of Compromise, enabling early identification of zero-day attacks and increasing the overall threat coverage across various SAP environments.
The release strengthens automated compliance auditing for multiple frameworks, offering organizations improved monitoring and reduced audit preparation efforts, while also setting new evaluation criteria for SAP security tools.
Layer Seven Security is preparing to release Version 2.0 of the Cybersecurity Extension for SAP, building on the initial NetWeaver Edition launched earlier this year. The new release introduces expanded platform coverage, deeper threat detection capabilities, anomaly detection for zero-day and insider threats, and updated controls aligned with the latest SAP security standards. Together, these enhancements are designed to strengthen the defense posture of organizations running SAP NetWeaver, SAP S/4HANA, and SAP RISE / Cloud ERP environments.
Expanded Coverage for SAP NetWeaver AS Java
A key addition in Version 2.0 is full support for SAP NetWeaver Application Server (AS) Java, extending protection to systems such as SAP Enterprise Portal, SAP Process Orchestration/Process Integration, SAP Solution Manager, and SAP Identity Management. The solution now provides vulnerability management for critical Java stack components including the Gateway Server, Message Server, and Internet Communication Manager (ICM), as well as automated discovery of relevant SAP Security Notes.
The release also includes advanced log monitoring to detect malicious or anomalous actions within AS Java. This includes alerts for user and role changes, system configuration changes, calls to vulnerable servlets such as the invoker servlet, and detection patterns for major exploitation paths including RECON, Log4j, and CVE-2025-31324 affecting the SAP NetWeaver Visual Composer Metadata Uploader. Collectively, these capabilities close long-standing monitoring gaps for Java-based SAP systems that historically required separate tools or manual analysis.
AI-Driven Anomaly Detection and Expanded Threat Coverage
Version 2.0 reintroduces anomaly detection for the NetWeaver Edition, a feature previously available only for the Solution Manager Edition. This capability uses behavioral baselining to detect unusual or suspicious activity without relying solely on known signatures. According to Layer Seven Security, it enables early identification of zero-day attacks, brute-force attempts, insider threats, privilege escalation, and fraud by highlighting deviations from normal user or system behavior.
The release also significantly expands rule-based detection with more than 400 new Indicators of Compromise (IOC) patterns across SAP logs, bringing the total library to more than 1,500 patterns. These extend coverage to vulnerable function module calls, dangerous transaction starts, directory traversal behavior, access to critical tables, and suspicious file downloads.
Updated Compliance Frameworks for SAP S/4HANA and SAP RISE / Cloud ERP
The Cybersecurity Extension for SAP also strengthens automated compliance auditing across GDPR, NIST, SOX, PCI-DSS, and multiple SAP security frameworks. Version 2.0 aligns with SAP Security Baseline Version 2.6, the SAP S/4HANA 2025 Security Guide, and updated requirements for SAP RISE / Cloud ERP defined by SAP Enterprise Cloud Services. The update also incorporates SAP Notes 3250501, 3480723, and 3381209, extending compliance checks to SAP HANA and SAP AS Java systems in addition to ABAP-based landscapes.
Looking ahead, planned Version 3.0 enhancements include support for SAP BTP, SAProuter, Web Dispatcher, and OS-level vulnerability scanning, aligning the NetWeaver Edition more closely with the Solution Manager Edition. The 2026 roadmap adds coverage for SAP SuccessFactors, SAP S/4HANA Public Edition, Data Loss Protection (DLP), and expanded segregation-of-duties analysis, further broadening the solution's applicability to cloud-forward SAP customers.
What This Means for SAPinsiders
Expands your defensive visibility. Technology leaders can expect materially improved monitoring across SAP ABAP, Java, and cloud-hosted environments, reducing blind spots that previously required manual correlation. Customers in sectors such as retail and manufacturing that have adopted behavioral analytics in adjacent security tooling report faster incident detection cycles and reduced time-to-resolution, benefits SAP teams can now replicate within core ERP landscapes.
Accelerates compliance readiness. The alignment with the latest SAP Security Baseline, SAP S/4HANA 2025 Security Guide, and SAP RISE requirements gives compliance owners stronger automated controls tied directly to SAP’s evolving standards. Organizations that implemented earlier versions of the Cybersecurity Extension have documented significant reductions in audit preparation effort by centralizing checks across GDPR, SOX, and PCI-DSS—efficiencies that Version 2.0 extends into Java and HANA systems.
Reframes evaluation criteria for SAP security tools. Day-to-day operations teams should now prioritize breadth of threat-detection patterns, native support for both ABAP and Java stacks, anomaly detection maturity, and alignment with SAP cloud services when selecting providers. Enterprises that overcame early adoption challenges did so by standardizing data collection and integrating outputs with SOC workflows, demonstrating best-practice approaches SAP customers can emulate as they modernize their security programs.