Onapsis: Offers advanced threat detection and continuous SAP defense. Pioneer in Cyber Security. Compliance Solutions.

Enterprise security conversations often start at the perimeter. However, for many CIOs, the unease begins somewhere else. It sits in the systems that run finance, payroll, procurement, and supply chains. These platforms attract less attention until something breaks. When it does, the consequences seem troublesome.

SAP and other enterprise applications occupy a peculiar position. They are mission-critical, deeply customised, and connected to almost everything else. Over time, they accumulate integrations, access rights, and business logic that few people fully map anymore. Security teams monitor the environment. However, visibility into how threats could move through application logic remains limited. This is where Onapsis built its relevance.

The company grew from a simple yet often-overlooked observation. Enterprise applications were treated as trusted systems, even though they exposed enormous attack surfaces. Traditional security tools focused on networks and endpoints. Vulnerability scanners barely understood SAP configurations. Likewise, compliance teams audited controls, but rarely tested how business processes could be manipulated. The result was a blind spot, which sat at the centre of enterprise operations.

Onapsis approached the problem from inside the application layer. Instead of looking at traffic patterns or generic vulnerabilities, it focused on how enterprise systems are actually built and run. It considered everything that accumulated in long-running SAP landscapes: custom code, misconfigurations, excessive privileges, and unpatched components.

This distinction is important. A vulnerability in an ERP system is not just a technical issue. It can affect how invoices are generated, how suppliers are paid, and how financial statements are closed. When attackers target enterprise applications, they are not looking for disruption alone. They are looking for control.

Across industries, the same pattern appears. Financial institutions worry about audit exposure and regulatory fallout. Manufacturers focus on production continuity and supply chain integrity. Life sciences organizations think about intellectual property and compliance. In each case, the application layer represents a concentration of risk that standard security tools struggle to interpret.

Onapsis operates in that space by making enterprise application risk visible in operational terms. It helps identify weaknesses specific to platforms like SAP and assess how those weaknesses could be exploited.

This approach changes internal conversations. Security teams move away from volume-driven reporting. CIOs gain clearer insight into which issues demand immediate attention and which can be managed over time. Audit discussions move from reactive explanations to structured evidence. The organization becomes less dependent on individual expertise and more reliant on repeatable controls.

Research plays a central role here. Onapsis maintains a dedicated research function focused on enterprise application threats. That work informs how risks are prioritised and how vulnerabilities are understood before they become incidents.

“Enterprise applications were never designed to operate in today’s threat environment. When the systems that run finance and supply chains are treated as black boxes from a security perspective, organizations accept risk without realising it. Our focus has always been on making that risk visible and actionable.” — Mariano Nunez, CEO

Onapsis frames security as an exercise in clarity. When organizations modernize SAP environments and adopt hybrid or cloud-based deployments, the application layer becomes more distributed. That distribution increases the need for coherence.

Onapsis’s work suggests an important point. Enterprise security does not fail because organizations ignore risk. It fails when risk lives in places no one is clearly responsible for. Making those places visible may not sound like dramatic work, but it is foundational. And in environments where a single system outage or manipulation can ripple across the entire enterprise, foundations are crucial.