The cat-and-mouse game between attackers and defenders sparked his curiosity, but it was an 800-page book, Maximum Security, found on a street vendor’s table in New York, that truly set him on his path. While barely grasping its complexities, Mariano Nunez, the CEO of Onapsis, knew he had found his calling. By 18, he was studying computer science while working in offensive penetration testing, exposing vulnerabilities in customer’s systems before real attackers could. What started as childhood fascination became a mission—one that led him to co-found Onapsis and redefine cybersecurity for business applications—safeguarding the systems that power the global economy.
The dream started with a movie—Hackers.
Nunez’s journey into ERP security began with a penetration test on an SAP application, where he discovered a massive security blind spot—business-critical ERP systems from major vendors were highly vulnerable to attacks yet were largely unprotected. Unlike traditional security approaches, like user access and segregation of duties controls, he examined these systems from a threat actor’s perspective and uncovered attack vectors that allowed unauthorized access even without credentials. As ERP systems moved to the cloud, the risks intensified, yet defenders lacked the expertise to secure them while cybercriminals were already exploiting these weaknesses. Recognizing this gap, Nunez founded Onapsis in 2009 to proactively protect the world’s most critical business systems. Today, Onapsis is a leader in ERP security, helping enterprises safeguard their most valuable assets against an evolving threat landscape.
Explore related questions
Since its founding, Onapsis has tracked a dramatic shift in threats targeting ERP systems. Traditionally, ERP security ensured employees had appropriate access to business data and functions. However, attackers have now shifted to exploit unpatched vulnerabilities, insecure configurations, and flaws in custom code. These attacks bypass traditional security controls, leaving no traces in audit logs and creating a dangerous blind spot. The consequences are severe, ranging from payroll fraud and financial theft to ransomware attacks that cripple manufacturing and supply chains. Beyond financial losses, regulatory penalties and reputational damage further compound the risks. In this environment, ERP security is about protecting the foundation of business operations. Organizations must adopt proactive, modern security strategies to stay ahead of increasingly sophisticated threats.
Traditional Security Measures Fall Short
A common misconception among ERP users is that traditional security, such as firewalls and segregation of duties controls, is sufficient. While these controls are necessary, they are not designed to detect or prevent cyberattacks targeting application layers. Many organizations that have experienced breaches had these security measures in place yet still fell victim to attacks because they lacked visibility into application-level threats.
Cybercriminals have become highly sophisticated, often targeting ERP systems directly. The transition of ERP systems to the cloud has significantly increased exposure to cyber threats, presenting a growing risk. Threat actors are acutely aware of this shift and are actively exploiting vulnerabilities in cloud-based environments. Recent findings from the Onapsis Research Labs highlight a 400% increase in ransomware attacks targeting SAP systems and data, alongside a 490% surge in discussions on criminal forums regarding SAP vulnerabilities and exploits. This sharp escalation in threat activity underscores the urgent need for organizations to strengthen their cybersecurity posture.
As organizations transition to the cloud, they must move beyond perimeter defense and adopt a more proactive security approach. One of the key priorities is application-layer security, ensuring that ERP systems are properly hardened against attacks. Equally important is continuous monitoring, which enables real-time threat detection tailored specifically for ERP systems. Organizations must also focus on custom code security, regularly assessing code for vulnerabilities that attackers could exploit.
In cybersecurity, it is not about competition; it is about collective defense.
While ERP vendors such as SAP typically secure the underlying cloud infrastructure, including the network, hypervisor, and operating system layers, customers remain accountable for securing their applications and data. Nunez emphasizes, “Early cloud transitions often led to misconceptions that SAP would handle all security aspects, leaving organizations exposed to unaddressed vulnerabilities. However, SAP has further clarified the shared security responsibility model, emphasizing that while it safeguards the cloud infrastructure, customers are responsible for their application configurations, patches, secure integrations, and custom code security. Additionally, application threat monitoring is essential—not just to track access but to proactively identify incidents.”
Rather than treating security as a one-time implementation, companies must integrate it into continuous compliance and risk management frameworks. Cloud migration enhances ERP security, but only if businesses take a proactive stance in safeguarding their most critical assets. A robust security posture requires a multi-layered approach, emphasizing application-layer defenses. Nunez asserts, “This risk is not SAP-specific, affecting all business-critical applications, including supply chain, HR, and treasury systems. Cybercriminals are exploiting these gaps, bypassing basic cloud and legacy security approaches. We’re working to expand beyond SAP, bringing the same level of security and compliance protection to other essential business applications from various vendors and manufacturers.”
Cracking the Code: How Onapsis is Redefining ERP Security
Onapsis was founded to fill a critical technology gap with protecting SAP and ERP systems. Recognizing this vulnerability, the company developed the Onapsis Platform, a purpose-built solution that integrates advanced security capabilities to safeguard these essential systems from evolving cyber threats. At its core, Onapsis provides a comprehensive, three-pronged approach to securing ERP environments.
First, organizations need visibility into vulnerabilities before they become breaches. With Onapsis Assess, businesses can identify ERP application-level risks, prioritize threats, and remediate security issues. By taking a proactive stance, companies can reduce their attack surface and strengthen overall security posture. Second, cyber threats are persistent and increasingly sophisticated. Onapsis Defend provides real-time monitoring, detection, and response capabilities, ensuring that both insider threats and external attacks are quickly identified and mitigated. With automation-driven incident response, organizations can stay ahead of potential breaches while maintaining the integrity of environments. Third, as companies expand their landscapes, customizations can introduce hidden security gaps. Onapsis Control addresses this by allowing businesses to identify and remediate vulnerabilities early in the development cycle. It also automates fixes for legacy code security risks, ensuring compliance and resilience.
Nunez emphasizes, “Onapsis serves leading enterprises where security is mission critical. Our platform is especially vital for highly regulated industries such as energy, utilities, pharmaceuticals, and manufacturing. In organizations where SAP manages critical business data and processes, and SAP underpins essential operations, Onapsis ensures they can maintain resilience, security, and compliance at scale across cloud and on-prem environments.”
Going Beyond Technology
Beyond the technology itself, Onapsis has established a robust approach to cybersecurity. Onapsis is the SAP application cybersecurity solution officially endorsed by SAP, underscoring its critical role in securing enterprise systems against evolving threats. To enhance cyber resilience, SAP and Onapsis have also recently partnered to strengthen incident preparedness and response for SAP environments. This collaboration equips organizations with advanced threat intelligence and proactive defense mechanisms, ensuring they can detect, mitigate, and recover from security incidents with greater speed and efficiency.
The company’s in-house Onapsis Research Labs also plays a crucial role in staying ahead of cyber threats. By continuously analyzing attack vectors and emerging risks, vital intelligence is provided on how ERP systems are targeted. This research is embedded directly into the platform, equipping organizations with proactive defense mechanisms. To further strengthen the security ecosystem, Onapsis launched the SAP Defenders Community, a network bringing together some of the world’s largest SAP customers. This initiative fosters a confidential environment where members can collectively enhance their defense capabilities. By facilitating knowledge-sharing, the community empowers organizations to build more resilient security programs.
Nunez reinforces, “Cybersecurity is about staying ahead of threats, and our research labs make that possible. We work with business application vendors to uncover and mitigate zero-day vulnerabilities, having discovered and mitigated over 1,000 critical issues to date. Our threat intelligence provides real-time visibility into attacker tactics, helping customers strengthen defenses before an attack occurs. Beyond technology, our SAP Defenders Community fosters collaboration among the world’s largest SAP customers—sharing intelligence, best practices, and mitigation strategies. In cybersecurity, it is not about competition; it is about collective defense.”
Nunez also recognizes that cybersecurity is about expertise and process optimization. The company, with its certified partners including many of the world’s leading system integrators, helps companies bridge the gap between traditional information security teams and ERP administrators. This support is particularly crucial during transformation projects, where different teams must work together to implement security effectively. By fostering collaboration between audit, application, and compliance teams with cybersecurity professionals, Onapsis ensures that security measures are clearly defined, operationalized, and sustainable.
The Future of ERP Security: Integrating Security from the Start
Onapsis helps organizations secure their environments, prevent financial losses, and enhance operational efficiency. Under the leadership of CEO Mariano Nunez, the company has proven that proactive security accelerates transformation as well as mitigating risk. A major retailer with $6 billion in revenue used Onapsis to integrate security controls from the start of their ERP migration, enabling them to finish six months early and under budget. In another case, a chemical manufacturer uncovered a long-hidden insider fraud where a former developer had siphoned confidential financial reports for stock trading advantages—an issue only detected thanks to Onapsis’ advanced monitoring when it was deployed years later. These success stories highlight how Onapsis goes beyond traditional cybersecurity, empowering businesses to move faster, operate securely, and protect their most valuable assets.
A critical aspect of cloud security is understanding the shared security responsibility model.
Nunez emphasizes, “In the cloud, customers are still responsible for securing their applications and data. A key part of cloud security is understanding the shared responsibility model—the distinction between what ERP vendors secure in cloud environments and what remains the customer’s responsibility. While cloud hyperscalers have long followed this model, the ERP space has historically been more ambiguous. Still, many customers only fully grasp these security gaps after experiencing an incident or audit finding. Proactively educating organizations on these responsibilities and ensuring security controls are designed with them in mind is essential to preventing costly security breaches. As cloud and AI adoption accelerate, organizations must recognize that cybersecurity is not inherently ‘baked in’ but requires a proactive strategy. Security teams must go beyond default protection, ensuring comprehensive risk management, compliance, and governance frameworks are in place to safeguard ERP environments effectively.”
In 2025 and beyond, cloud adoption continues to shape the enterprise landscape. While cloud solutions continue to drive transformation, security concerns remain a primary obstacle, particularly for large enterprises moving their ERP systems to the cloud. AI is also gaining traction, with organizations increasingly focused on leveraging it securely and ensuring critical data is not compromised. The challenge lies in balancing AI innovation with strong security measures, making confidence in AI-driven processes a key priority for businesses. Onapsis is eliminating these barriers, empowering organizations to securely accelerate and de-risk their ERP cloud and AI transformations.
