HackLab: SAP

Hands-on hacking of a live SAP system in a controlled environment

Get familiar with the most common threats, vulnerabilities and mitigating controls in a typical SAP landscape. Experience hands-on how easy it is to gain unauthorized access to an SAP system. Deloitte facilitators will guide you through the process.

Course objectives

This one-day course provides insight into the vulnerabilities of an SAP application and the associated infrastructure, focusing on hands-on experience. After a brief introduction on SAP security and penetration testing in general, we will discuss a selection of known SAP vulnerabilities, and experience (hands-on) how easy it can be to gain unauthorized access to critical functions and data. We will also discuss how you can detect these vulnerabilities and properly secure your system against them.

The training is intended for a technical audience interested in the concepts of SAP hacking and a deeper understanding of the technical concepts underlying SAP applications. We expect knowledge of the following concepts:

  • Business & functional understanding of SAP
  • Experience with SAP GUI
  • Basic understanding of network terminology (e.g. IP address, port, TCP, firewall)
  • Understanding of technical information security concepts (e.g. encryption, hacking, exploits)

Recommended preparation courses are the Deloitte Academy 5-day SAP Security foundation course, and HackLab: Hands-on Hacking (non-SAP).

Target group

  • Technical information security specialists
  • SAP security professionals (e.g. basis administrators, consultants)
  • Ethical hackers
  • IT auditors

Course outline

  1. Introduction & penetration testing methodology
  2. In-depth exploration of at least 6 high-risk technical areas of the SAP landscape
    - Tools and techniques for discovery of vulnerabilities
    - Hands-on exercises by each participant on a live SAP system
    - Demo by the facilitators
    - Discussion about remediation (preventative and detective controls)
  3. Snacks, lunch and networking breaks


The course will be given in English. The course material is also in English.

Date, location and time

Participants will be notified 4 weeks in advance of the definitive location. This course starts at 9.00 a.m. and ends at 5.00 p.m.


The costs of this course will be € 795 excl. VAT. Catering (lunch) and course materials are included in the price.

Permanent Education

Deloitte Academy is accredited by the NBA PE institution and has the NRTO label. This course qualifies for 6 PE hours. You can also register your PE-hours at the NOB or VRC.

For more information about our accreditation, we refer you to our Permanent Education page.


Until four weeks before the start of the course you may cancel your participation in writing free of charge, or you may propose to attend on another date. Should you cancel within four weeks before the start of the course you will have to pay the full registration fee. In the event of insufficient participants we reserve the right to cancel the course at any time or move the date of the event. If so, you will be informed in due time.


Vojtech Brtnik

Junior Manager

I have over ten years of experience in information security. My specialization includes technical topics such as hacking, vulnerability management and risk Advisory assessments. I have been teaching var...

Hans Peersman


I work for Deloitte Netherlands as a manager in SAP security, which is part of our Assurance services within Operational Risk. I joined Deloitte in January 2012 and I focus on SAP security advisory as...