
The Boston company guarding the software layer nobody watched - the SAP and Oracle systems that quietly run payroll, supply chains and financials for the world’s largest enterprises.
In 2009, a small group of ethical hackers noticed something odd. The software that ran the Fortune 500 - the enterprise resource planning systems handling money, inventory, employees and manufacturing - was among the least examined by corporate security teams. Firewalls, endpoints and email got attention. The SAP box quietly running the whole business did not. That gap became Onapsis.
Onapsis protects business-critical applications: the ERP, CRM, PLM, HCM, SCM and BI systems from SAP, Oracle and leading SaaS providers. These are the platforms where a company’s crown jewels actually live. A single misconfigured interface or unpatched vulnerability inside them can expose an entire financial backbone or halt a factory floor. Onapsis gives security and SAP teams one place to find those weaknesses, watch for attacks in real time, and prove compliance.
The company is headquartered at 101 Federal Street in Boston, employs roughly 380 people, and is led by co-founder and CEO Mariano Nunez, who was among the first researchers to publicly present ERP cybersecurity risks at conferences including RSA, Black Hat and SANS. What began as a niche concern has, over fifteen years, become a recognized category - and in 2025, a front-page one.
Onapsis is the only SAP security and compliance platform certified as a Premium Certified SAP Endorsed App - a distinction that reflects how narrow and how deep its focus runs.
The Onapsis Platform is organized around three jobs, wrapped in threat intelligence from its own research lab.
Continuously scans the entire SAP landscape for vulnerabilities, misconfigurations, dangerous interfaces and risky user authorizations - then prioritizes what to fix first.
A real-time early-warning system that monitors SAP for unauthorized changes, zero-day exploitation and malicious activity, so teams can detect and respond as attacks happen.
Secure development and code security testing for custom SAP (ABAP) code, embedding application security directly into DevSecOps pipelines.
A dedicated threat-research team that discovers SAP and Oracle zero-day vulnerabilities, publishes intelligence, and coordinates disclosure directly with SAP and CISA - the engine that keeps the platform current.
Security assessments, penetration testing and incident response for SAP - including a joint incident-response offering with SAP for RISE with SAP customers.
Plenty of vendors sell scanners. Fewer run a research operation whose only job is to find what attackers will use next. In 2025, that distinction stopped being academic. A wave of SAP zero-days swept through manufacturing and other industries, and Onapsis Research Labs was in the middle of it.
The lab surfaced CVE-2025-31324, a critical flaw that let unauthenticated attackers upload arbitrary files and take full control of SAP systems. Threat actors used it to plant persistent webshells across hundreds of systems worldwide. CISA added it to its Known Exploited Vulnerabilities catalog in April 2025, and Onapsis released an open-source scanner so anyone could check exposure. When the lab reconstructed the attacks, its findings led SAP to issue Security Note 3604119, fixing the root cause.
— ONAPSIS, ON THE ROLE OF RESEARCH LABS
Disclosed rounds. Investors include .406 Ventures, Evolution Equity Partners, LLR Partners and NightDragon. Total raised: $115M+.
Onapsis sells to large enterprises and highly regulated organizations - the kind whose operations stop, or whose ledgers leak, when core applications fail. That spans manufacturing, financial services, healthcare, energy and utilities, retail and government. Publicly referenced customers include Colgate, Dow, Roche, Levi’s, Hudbay, IPG, OGE and Spartan Controls.
The business model is B2B SaaS: recurring platform subscriptions covering an organization’s SAP and business-application estate, complemented by professional services and an increasingly partner-led go-to-market with SAP, Deloitte and other integrators. It sits at the application layer - a slice of the security market distinct from network, endpoint or identity tooling, and one where alternatives include SAP’s own GRC tools, SecurityBridge, Layer Seven Security and Pathlock.
20+ years in cybersecurity; among the first to publicly present ERP security risks at RSA, Black Hat and SANS. Emails from mnunez@onapsis.com.
Leads Onapsis Research Labs’ work on SAP and Oracle threat research and coordinated vulnerability disclosure.
Part of the founding team that turned SAP’s security blind spot into a venture-backed company.
Mariano Nunez, Victor Montero and Juan Perez-Etchegoyen launch Onapsis to secure SAP and other business-critical applications.
Raises about $9.5M led by .406 Ventures to scale the ERP security platform.
Raises roughly $17M and expands into real-time SAP threat monitoring.
Secures $31M to accelerate ERP cybersecurity growth.
Raises $55M and deepens threat intelligence and incident-response capabilities.
Marks the anniversary with major platform innovation and an expanded SAP partnership.
Discloses CVE-2025-31324, ships an open-source scanner, and delivers deep new platform capabilities.
Expands go-to-market leadership to accelerate alliances and international growth.
Three executive appointments across partners, North America sales and international GTM to drive partner-led growth.
Broadened SAP DevSecOps coverage with deeper visibility and automated defenses across SAP landscapes.
Launched SAP Notes Command Center, Rapid Controls for Dangerous Exploits, and Alert on Anything for SAP BTP.
Disclosed the actively exploited SAP zero-day, released an open-source scanner, and helped SAP fix the root cause.
Onapsis secures business-critical applications - the SAP, Oracle and SaaS ERP systems that run large enterprises - with a platform for vulnerability management, threat detection, compliance automation and secure development, backed by its own threat-research lab.
It was founded in 2009 by Mariano Nunez (CEO), Victor Montero and Juan Perez-Etchegoyen (CTO), a team with a background in ethical hacking and ERP security research.
The Onapsis Platform is organized around Assess (vulnerability management), Defend (threat detection and response) and Control (secure custom-code development), supported by Onapsis Research Labs and professional services.
More than $115M across four rounds, most recently a $55M Series D in October 2020 led by NightDragon, with earlier backing from .406 Ventures, Evolution Equity and LLR Partners.
It focuses specifically on the application layer of ERP systems, pairs product with a dedicated SAP/Oracle threat-research lab that finds zero-days, and is the only platform certified as a Premium Certified SAP Endorsed App.