
A veteran SAP security researcher released SAPMAP, an open-source AI tool that maps attack paths across an entire environment.
SAP cybersecurity researcher Joris van de Vis has built and released SAPMAP, an open-source AI tool designed to help organisations defend against sophisticated SAP system attacks.
Released under the OWASP Core Business Application Security (CBAS) project, the tool maps how one exposed SAP system can be used to gain control over an organisation’s entire SAP landscape, and it is being distributed on an invitation-only basis.
The release addresses a structural risk in SAP environments, which underpin much of the world’s payroll, finance, manufacturing, and supply chain operations, and are connected by trust relationships that let one system command another.
SAPMAP’s approach draws comparisons to BloodHound, the open-source penetration testing tool that maps relationships in Microsoft Active Directory environments and has materially changed how enterprises defend those systems. Van de Vis, who also serves as director of security research at SecurityBridge, built SAPMAP to give SAP security, operations, and audit teams rapid visibility into attack paths, aiming to help defenders discover and close exposures before attackers can exploit them.
SAPMAP automatically plots attack paths from an initial foothold to full system control, targeting 16 business-impact scenarios such as salary theft, vendor bank fraud, production sabotage, and customer data breaches. The tool catalogues 72 CVEs, runs 1,817 automated tests, and includes seven weaponised exploits, among them CVE-2025-31324, a flaw believed to have been exploited in real-world enterprise attacks, and CVE-2026-31431, a root-level privilege escalation vulnerability.
SAPMAP maps both on-premises SAP systems and SAP’s cloud platform (BTP) across trust boundaries in both directions, and it is being made available to vetted SAP security experts, enterprise security teams, and penetration testers under strict application terms ahead of a planned public release through OWASP.
Joris van de Vis said: “It’s a tool for defenders to help them better protect themselves and raise awareness for the important topic of SAP security.”
Waseem Ajrab and Julian Petersohn, OWASP Project Leaders, said: “SAPMAP shows what becomes possible when deep SAP expertise, open-source collaboration, and responsible security research come together.”
Stay updated on crypto and AI by following our socials.


