BREAKING Onapsis Research Labs surpasses 1,000+ disclosed ERP zero-days Mariano Nunez named EY Entrepreneur of the Year MIT Top 35 Innovator Under 35 Onapsis is the SAP-endorsed application security solution First to demo SAP attacks at RSA and Black Hat BREAKING Onapsis Research Labs surpasses 1,000+ disclosed ERP zero-days Mariano Nunez named EY Entrepreneur of the Year MIT Top 35 Innovator Under 35 Onapsis is the SAP-endorsed application security solution First to demo SAP attacks at RSA and Black Hat
Profile • Cybersecurity • Boston

Mariano Nunez

The security researcher who turned an overlooked corner of enterprise software into a global category, and now runs the company defending it: Onapsis.

Mariano Nunez, CEO and co-founder of Onapsis
Mariano Nunez • CEO & Co-Founder, Onapsis
1,000+
ERP zero-days disclosed
2009
Onapsis founded
20+
Years in cybersecurity
380
Employees at Onapsis

Guarding the machinery of business

Mariano Nunez spends his days on a problem most people never think about and most companies cannot function without. The enterprise resource planning systems sold by SAP and Oracle sit underneath payroll, supply chains, financials, and manufacturing lines for a large share of the world's biggest organizations. They are old, deeply customized, and rarely rebuilt. For two decades they were also, in security terms, a blind spot. Nunez built his career, and then his company, on closing it.

As CEO and co-founder of Onapsis, the Boston company headquartered at 101 Federal Street, Nunez leads what is now the recognized market leader in protecting business-critical applications. The pitch is straightforward: the software running the global economy deserves the same scrutiny as the laptop on your desk or the website in your browser. For years, it did not get it. Attackers eventually noticed the same gap Nunez did. His answer was to get there first, and stay ahead.

The nature of the threat has shifted, and Nunez is candid about it. Early ERP security worried mostly about who had access to what. Now, he says, attackers increasingly skip the front door entirely, going after unpatched vulnerabilities and insecure configurations that let them bypass traditional controls. That change is why Onapsis leans so heavily on its research arm. Onapsis Research Labs has discovered and responsibly disclosed more than 1,000 zero-day vulnerabilities across SAP and ERP environments, feeding fixes back to vendors before criminals can weaponize them.

“In cybersecurity, it is not about competition; it is about collective defense.”

Mariano Nunez — CEO, Onapsis

From a movie to a mission

The origin story is unusually specific. Nunez traces his obsession to watching the 1995 film Hackers as a pre-teen, then to an 800-page security book he bought from a street vendor's table in New York. He barely understood it at the time. He read it anyway, and taught himself the field. By 15 he had built a community news website and was carrying his laptop into local shops to sell advertising space. At 16 he sought out a well-known Argentine security researcher for mentorship. That researcher hired him at 18, while he was still studying computer science and already doing offensive penetration testing, breaking into client systems legally to show where they were exposed.

One of those tests changed everything. Assigned to probe an SAP application, Nunez realized that a system running an enormous share of global business transactions had almost no independent security research behind it. The systems were highly valuable, highly vulnerable, and largely undefended. Most people would file that away as an interesting observation. Nunez treated it as a market. In 2009 he co-founded Onapsis to proactively protect the world's most critical business systems.

“Being an entrepreneur is like being on an emotional rollercoaster. There are frequent highs and lows.”

Mariano Nunez

The bedroom years

Onapsis did not begin in a gleaming office. It began, by Nunez's own account, in a co-founder's bedroom with no air conditioning and no heating. He was not raising money on the strength of a category that existed; he was building the category itself. That meant standing on stage at conferences like RSA, Black Hat, and SANS as the first person to publicly present cybersecurity risks affecting SAP and ERP platforms, and how to mitigate them. It also meant giving the community tools, including the first open-source ERP penetration testing framework. Over the years his teams uncovered critical vulnerabilities not just in SAP but in Oracle, IBM, and Microsoft applications.

Publicly demonstrating how to attack the systems of some of the largest software vendors in the world took a certain nerve. The harder and slower work was building the company that helps organizations defend them, and eventually earning the trust of the vendors themselves. Onapsis today is the SAP-endorsed application security solution and runs the SAP Defenders Community, a practitioner group built around the collective-defense idea Nunez keeps returning to. The company raised a Series D in 2020, bringing total funding past $115 million, and now employs roughly 380 people.

The way he leads

Nunez has little patience for one of startup culture's favorite slogans. “Fake it till you make it,” he has said plainly, is shallow advice. In a field where faking competence gets you breached, he treats authenticity as the product, not a soft value. He is also unusually honest about luck, telling interviewers that success depends partly on circumstance and not on effort alone. That belief shapes what he says he wants to do beyond Onapsis: create opportunities for underserved people through mentorship, education, and access to jobs, on the theory that the right opening can genuinely change a life's trajectory.

To survive the rollercoaster he describes, he keeps a steadying routine. He meditates. He exercises for mental clarity. He takes real vacations with email switched off. For a founder who spends his professional life anticipating worst-case scenarios inside other companies' most important systems, the discipline of disconnecting is its own kind of security control.

The recognition has accumulated along the way: EY Entrepreneur of the Year 2018 in New England, an MIT Technology Review Top 35 Innovators Under 35 nod, a Boston Business Journal 40 Under 40, and selection as an Endeavor entrepreneur. He has completed executive programs at Harvard Business School and Stanford's Graduate School of Business, layering business training on top of the engineering foundation. But ask what the real scoreboard is, and the honest answer is not a trophy. It is the count of vulnerabilities his teams have found and quietly helped patch before anyone got hurt, a number that keeps climbing past a thousand.

Career timeline

Age ~12

Discovers cybersecurity through the film Hackers and an 800-page security book bought from a New York street vendor.

Age 15

Builds a community news website and sells ad space to local shops.

Age 18

Studies computer science while working in offensive penetration testing.

2000s

First to publicly present SAP/ERP attack risks at RSA, Black Hat and SANS; releases the first open-source ERP pen-testing framework.

2009

Co-founds Onapsis after spotting a massive security blind spot in SAP systems.

2018

Named EY Entrepreneur of the Year New England semifinalist.

2020

Onapsis raises a $55M Series D; total funding passes $115M.

2021–2025

Onapsis Research Labs passes 1,000 disclosed zero-days; becomes SAP-endorsed and launches the SAP Defenders Community.

EY Entrepreneur of the Year 2018 MIT Top 35 Innovator Under 35 BBJ 40 Under 40 Endeavor Entrepreneur RSA / Black Hat / SANS speaker

Things you might not know

01 / Origin

His entire career traces back to watching the 1995 film Hackers as a kid.

02 / Hustle

As a teenager he built a news website and carried his laptop into shops to sell ads.

03 / Name

His full name is Mariano Nunez Di Croce; conference listings sometimes use “Di Croce.”

04 / Classroom

Executive programs at both Harvard Business School and Stanford GSB.

05 / Reset

Meditates and turns email fully off on vacation to manage founder stress.

06 / Humility

Believes success depends on circumstance as much as effort, and wants to widen access for others.

Frequently asked

Who is Mariano Nunez?
He is the CEO and co-founder of Onapsis, a Boston-based cybersecurity company that protects business-critical ERP applications like SAP and Oracle. He is a former security researcher known for pioneering SAP security.
What is Onapsis?
Onapsis is a cybersecurity company founded in 2009 that secures business-critical applications such as SAP and Oracle ERP. It has discovered and helped patch more than 1,000 zero-day vulnerabilities and is an SAP-endorsed security solution.
What is Mariano Nunez known for in security research?
He was among the first to publicly present cyberattacks against SAP and ERP systems at conferences like RSA and Black Hat, and he built the first open-source ERP penetration testing framework.
What awards has he received?
He has been named EY Entrepreneur of the Year 2018 (New England), an MIT Top 35 Innovator Under 35, a Boston Business Journal 40 Under 40, and an Endeavor entrepreneur.
Where is he from and where is Onapsis based?
Nunez is originally from Argentina, where he began his security career. Onapsis is headquartered at 101 Federal Street in Boston, Massachusetts.