Product Overview & Competitive Analysis
The smarter way to detect
SAP access risk
Zero-install, upload-based SOD analysis for SAP. 410 pre-built rules covering S/4HANA base & 4 industry-specific solutions (including ECC legacy) — instantly deployable, no consultants required.
410
Pre-Built Rules
398
SAP TCodes Mapped
129
Auth Objects Covered
24
S/4HANA Modules
12
Industry Risk Profiles
124
Critical Risk Rules
Why SODPulse
Built different. Deployed in minutes.
No SAP system access needed. No professional services. No annual license negotiation.
Zero-Install Analysis
Upload your SAP authorization export via browser. No agents, no connectors, no SAP system access required. Analysis runs in seconds — not days.
410 Pre-Built Rules
Every rule hand-engineered against real SAP S/4HANA auth objects and field values. Not generic policy templates — precise tCode + auth object + field + value combinations. Industry-specific rules are packaged as separate IS Solution packs applied per org. Oil & Gas (25), IS Retail (30), Fiori/S4 (31) and ECC Classic (24) packs are live. Utilities, Pharma, and more are in development.
PREMIUMAudit Workbench
Six-pillar deep audit module: SOD Violations Summary, Sensitive Access Review, Privileged Access Review, Direct Profile Assignment Detection, Composite Role Escalation, and ITGC Workpaper with sign-off workflows. Downloadable PDF reports for management letters and audit files.
Multi-Tenant SaaS
Serve multiple client organisations from a single platform. Tenant isolation, tiered subscriptions, custom branding per organisation — ready for reseller models.
Auth-Object Precision
Checks not just tCodes but 129 distinct SAP authorization objects, specific fields (ACTVT, BWART, BEWTP, RLTYP, INFTY…), and risky value combinations — eliminating false positives.
Instant Executive Reports
One-click reports for Board, CISO, and Audit Committee. Risk heat maps, user violation summaries, process-level breakdowns — all formatted for non-technical stakeholders.
Market Comparison
SODPulse vs. the alternatives
How we compare against leading GRC, advisory, and identity governance solutions.
| Feature / Criterion |
SODPulse
SODPulse
|
ERP Vendor
Native GRC Module
|
Big 4 Firm
Advisory Tool
|
GRC Vendor A
Cloud Platform
|
GRC Vendor B
GRC Automation
|
IGA Vendor
IGA Platform
|
|---|---|---|---|---|---|---|
| Deployment & Setup | ||||||
| Time to First ResultsFrom procurement to live analysis | Minutes | 6–18 months | Weeks (engagement) | 2–6 months | Weeks–months | 6–12 months |
| SAP System Connectivity RequiredLive RFC / API connection to SAP | Not Required | Mandatory | Required for live | Mandatory | Required | Mandatory |
| Professional Services RequiredImplementation / consulting fees | None | $200K–$800K+ | Engagement-based | $50K–$200K | Moderate | $150K–$500K+ |
| On-Premise FootprintServer / agent installation | Zero | Heavy on-prem | Client-side | Cloud hybrid | Cloud | Cloud |
| SOD Ruleset Quality | ||||||
| Pre-Built SOD RulesOut-of-box, no customisation needed | 410 Rules | ~180 (generic) | Varies by engagement | Large library (generic) | ~150+ | Policy-based |
| Auth Object + Field PrecisionRules check specific SAP auth fields & values | ✓129 objects | ✓ | Partial | ✓ | Partial | Role-based |
| Custom Z/Y-TCode MappingMap org-specific Z/Y transaction codes to standard SAP equivalents | ✓ | Config-heavy | ✗ | Limited | ✗ | ✗ |
| S/4HANA-Specific RulesNot ECC rules reused for S/4HANA | S/4HANA Native | Mixed ECC+S4 | Client-defined | Mixed | Mixed | IGA-focused |
| Industry-Specific RulesO&G (25 rules) & IS Retail (30 rules) live · Utilities, Pharma in development | 4 Live Industry Packs | Generic + IS add-ons | Engagement scope | Add-on packs | Limited | Limited |
| EHS / PS / Kanban / EDI CoverageNon-core modules often missed | ✓ | Partial | ✗ | Partial | ✗ | ✗ |
| Platform Capabilities | ||||||
| Multi-Tenant ArchitectureServe multiple clients from one platform | ✓ | ✗ | ✗ | ✓ | Limited | ✓ |
| Subscription Tier ManagementDemo / Full / Expired tiers per tenant | ✓ | ✗ | ✗ | Enterprise-only | ✗ | Enterprise-only |
| Executive / Board ReportsNon-technical stakeholder output | ✓ | Configurable | ✓ | ✓ | Basic | ✓ |
| User-Level Violation Drill-DownPer-user, per-rule, per-transaction detail | ✓ | ✓ | Report-based | ✓ | ✓ | ✓ |
| Data Isolation & Tenant PrivacyEach client's data is fully isolated — no cross-tenant visibility, no third-party data sharing | ✓ Full isolation | Depends on config | Advisory model | Shared cloud | Shared cloud | Shared cloud |
| Role-Based Access Control (RBAC)Admin, org admin, user tiers | ✓ | ✓ | ✗ | ✓ | ✓ | ✓ |
| Commercial Model | ||||||
| Total Cost of Ownership (3-year)License + implementation + services | Low | $500K–$2M+ | Engagement-based | $150K–$500K | $80K–$250K | $300K–$1M+ |
| SaaS / Subscription ModelPredictable recurring pricing | ✓ | Perpetual + maint. | Project fees | ✓ | ✓ | ✓ |
| SME / Mid-Market AccessibleUnder $50K total cost realistic | ✓ | ✗ | ✗ | ✗ | Emerging | ✗ |
* Competitor data based on publicly available information, analyst reports, and vendor documentation as of Q1 2026. Pricing and features subject to change.
SAP Module Coverage
24 modules. Deep process coverage.
410 rules across base pack plus 4 industry packs (Oil & Gas, IS Retail, Fiori/S4, ECC Classic) — spanning 15+ SAP process areas with vertical-specific compliance controls.
Financial Accounting (FI)
GL · AP · AR · Bank · Period Close
32
Controlling (CO)
CCA · IO · CO-PC · CO-PA
25
Project Systems (PS)
WBS · Budgets · Settlement · Networks
5
Treasury (TR)
Cash · Deals · Money Markets
15
Asset Accounting (FI-AA)
Acquisition · Depreciation · Retirement
15
Procure-to-Pay (P2P)
PR · PO · GR · Invoice · Payment
19
Materials Management (MM)
Inventory · Valuation · Batch · EDI
15
Logistics Execution (LE / WM)
Outbound Delivery · WM · Shipping
12
Production Planning (PP)
Discrete · Repetitive · Process · Kanban
24
Process Industries (PP-PI)
Process Orders · COGI · Backflush
5
Quality Management (QM)
Inspection · Usage Decision · Notification
11
Plant Maintenance (PM)
Work Orders · Equipment · Costs
10
Sales & Distribution (SD)
Orders · Billing · Rebates · Warranty
17
Order-to-Cash (O2C)
Revenue · Contracts · Collections
12
Human Capital Mgmt (HCM)
Payroll · HR Master · Leave · Benefits
20
Basis / Security (BC)
User Admin · Transport · Debug · HANA
21
EHS (Environment Health & Safety)
Incidents · Dangerous Goods
2
IS-Auto (Automotive)
JIT · Kanban · Recall · Warranty · EDI
Roadmap
IS-OG (Oil & Gas) INDUSTRY PACK
IS-OIL · JVA · Excise · HSE · Pipeline
25
IS Retail INDUSTRY PACK
POS · MM/Retail · Inventory · Pricing · Loyalty
30
Variant Configuration (VC)
Characteristics · Classes · BOM · Config Profile
Roadmap
RE-FX (Real Estate)
Lease contracts · Property management
3
Transportation Mgmt (TM)
Freight orders · Carrier selection
Roadmap
Global Trade Services (GTS)
Export compliance · Sanctions screening
Roadmap
Service Management (SM)
Service orders · Contracts · Billing
Roadmap
🔴 Roadmap modules: scheduled for v2.0 release. All currently covered modules are production-ready and validated.
Industry Applicability
Built for your client portfolio
SODPulse includes two live IS Solution packs: Oil & Gas (25 rules, covering IS-OIL, JVA, Excise, HSE, Pipeline) and IS Retail (30 rules, covering POS, MM/Retail, inventory, pricing). Utilities, Pharma, and more are in development.
Discrete Manufacturing
Full Coverage
FIPPMMQM
PMSDCOPSVC
Key risks: production order fraud, BOM cost manipulation, QC bypass, phantom GR
Oil & Gas / Refining
Full Coverage
FIPP-PIMMPS
PMCOEHSIS-OGQM
Key risks: process order yield fraud, excise duty evasion, CAPEX project inflation, batch reclassification
Automotive
Full Coverage
PPSDMMLE
QMSDEDIPP
Key risks: JIT call fraud, warranty claim inflation, recall settlement abuse, scheduling agreement manipulation
Pharmaceuticals
IS Pack: Roadmap
FIPP-PIQMMM
SDEHSCO
Key risks: batch release bypass, inspection plan manipulation, usage decision fraud, GDP non-compliance
Utilities & Energy
IS Pack: Roadmap
FIPMMMPS
COEHSTR
Key risks: CAPEX project fraud, maintenance order manipulation, EHS incident suppression, asset retirement
Construction / EPC
Core Rules Apply
FIPSMMPM
COHCM
Key risks: WBS cost inflation, project budget manipulation, phantom contractor payments, subcontractor PO fraud
Retail / Consumer Goods
IS Pack: Roadmap
FIMMSDLE
WMCO
Key risks: vendor invoice fraud, pricing manipulation, delivery-billing bypass, markdown abuse
Financial Services
Core Rules Apply
FITRCOHCM
BC
Key risks: payment fraud, treasury deal manipulation, intercompany posting abuse, payroll ghost employees
Public Sector / Government
Core Rules Apply
FIMMHCMBC
PSCO
Key risks: procurement fraud, ghost employee payroll, budget manipulation, vendor bank account changes
Chemicals
Core Rules Apply
FIPP-PIQMMM
EHSCOIS-OG
Key risks: dangerous goods classification fraud, batch characteristic manipulation, REACH compliance bypass
Healthcare
Core Rules Apply
FIMMHCMQM
COBC
Key risks: procurement fraud, medical supply diversion, payroll fraud, patient data access (BC)
Professional Services
Core Rules Apply
FIPSCOHCM
SDBC
Key risks: project cost padding, revenue recognition fraud, timesheet manipulation, billing rate override
Rule Breakdown
300 base rules (410 total across 5 packs)
Mapped to SAP process areas for structured audit reporting.
Financial Accounting (FI)
32
Production Planning (PP)
20
Human Capital Mgmt (HCM)
20
Procure-to-Pay (P2P)
19
Controlling (CO)
16
Materials Mgmt (MM)
15
Order-to-Cash (O2C)
12
Basis / Security (BC)
12
Sales & Distribution (SD)
12
Plant Maintenance (PM)
10
Logistics Execution (LE)
8
Quality Management (QM)
8
Project Systems (PS)
5
Asset Accounting (FI-AA)
5
Treasury (TR)
5
Risk Distribution
124 Critical. 130 High. 46 Medium.
Every rule classified by financial and compliance impact.
Critical
124
41%
High
130
43%
Medium
46
15%
Compliance Framework Alignment
SODPulse rule classifications incorporate principles from SOX Section 302 & 404, COSO Internal Controls Framework, SECP Listed Companies regulations, NBFI guidelines, and ISO 27001 access control requirements — The application is not independently certified against these standards.
Technical Precision: What Others Miss
SODPulse checks 12 distinct authorization fields beyond just ACTVT — including BWART (movement type), BEWTP (valuation), RLTYP (BP role type), INFTY (HR infotype), AUART (order type), and more. Most tools only check activity codes, missing 38+ rule conditions that require field-level specificity.
Premium Audit Module
PREMIUMSix-Pillar Workbench for Deep SOD Analysis
Beyond standard SOD detection — comprehensive audit module with ITGC workpaper and sign-off workflows.
SOD Summary Dashboard
Executive overview with risk heat maps, process-level breakdown, user risk profiles. Creator/Reviewer/Approver sign-off blocks for audit trail.
Sensitive Data Access Review
Detects read-level access to HR Payroll (P_ORGIN, P_PERNR), Compensation (C_STUE_BER), Pricing (M_EINF_EKG), Table Maintenance (S_TABU_DIS), and Development Objects (S_DEVELOP). Wildcard detection (ACTVT=*) with user-by-user findings.
Privileged Access Control
Flags SAP_ALL, SAP_NEW, S_TCODE:*, Basis roles (S_A.*, SAP_BASIS_*), and critical write-level authorizations across FI/MM/PP/SD/HR modules.
Direct Assignment Analysis
Detects direct auth-object assignments bypassing role-based controls. Proxy pattern identification for shadow authorization structures.
Composite Role Detection
Cross-role SOD analysis. Flags toxic role combinations (harmless alone, conflicting together). Root-cause attribution for remediation planning.
ITGC Workpaper Generator
16 controls across 4 COBIT domains (Access Controls, Security Design, Change Management, Monitoring & Logging). Auto-populated from analysis data. Manual fields for auditor notes. Firestore-backed persistence. Print-to-PDF with SODPulse + org logos.
💡
Premium Extract Required
Sensitive Access and Direct Assignment pillars require Premium ABAP Extract which retains display-only (ACTVT=03) rows for sensitive authorization objects. Standard extract filters these at source. Use the ABAP Generator Generator 1 (sensitive access mode) for premium extraction code.
Industry Packs — Live & Ready to Deploy
410 Rules Across 5 Specialized Packs
Base generic rules + vertical-specific controls for SAP IS solutions and compliance frameworks.
Base Pack (LIVE)
300 rules covering FI, MM, SD, PP, HR, Basis, CO, PM, QM, LE, PS, TR, FI-AA across S/4HANA and ECC. Prefix: SOD-001 to SOD-305. Risk-classified: 124 Critical, 130 High, 46 Medium.
Oil & Gas IS-OIL (LIVE)
25 rules for IS-OIL module conflicts. Joint interest billing, volumetric pricing, royalty accounting, product allocations. Prefix: OG-001 to OG-025.
IS Retail (LIVE)
30 rules for Retail-specific transactions. Article master creation/pricing, store replenishment, markdown/promotion conflicts. Prefix: IR-001 to IR-030.
Fiori / S/4HANA Apps (LIVE)
31 rules for Fiori Launchpad apps and S/4HANA-specific T-codes not in ECC. Universal Journal, Central Finance, embedded analytics conflicts. Prefix: FI-001 to FI-031.
ECC Classic (LIVE)
24 rules for ECC-only T-codes deprecated in S/4HANA. Legacy FI posting paths, classic WM transactions. Prefix: EC-001 to EC-024.
Roadmap Packs
Pharma/Life Sciences (GxP compliance, batch release, QM) · Financial Services (Basel III, IFRS 9, Treasury) · Utilities (IS-U billing, CCS) · FMCG/CPG (Trade Promotions, Rebates) · Construction/EPC (PS-focused, project accounting).
Free Tools
ABAP Code Generator — Public, No Login Required
Production-ready ABAP extraction reports. Copy. Paste into SE38. Execute. Download CSV.
Generator 1 — Comprehensive Extract
Canonical extraction report
ZBS_USER_ROLE_AUTH v4.2. Combines standard SOD and sensitive access extraction in a single report. Public access for standard mode; full-client access for sensitive access mode.Generator 2 — Z-TCode Audit
Two-column extract: custom T-code (TCODE) + child T-code (CCODE). Maps Z/Y-prefix codes to underlying standard transactions via TSTCA. Demo-approved access and above.
Generator 3 — Delta / Incremental
Same as Gen1 with AGR_USERS.FROM_DAT and TO_DAT date filters. For periodic re-audits tracking authorization changes since last review. Demo-approved access and above.
🔗
Public URL: sodpulse.com/abap-generator.html — Syntax-highlighted ABAP output. Split-by-row-count mode with user-boundary-aware splitting. Timestamped filenames. No authentication required for Gen1.
Security & Privacy
68-Point Security Checklist — Public Disclosure
Detailed security controls documentation for enterprise due diligence and FSI compliance reviews.
☁️
Infrastructure
Firebase/GCP SOC 2 Type II. Multi-region replication. 99.95% SLA. DDoS protection.
🔐
Encryption
TLS 1.3 in-transit. AES-256 at-rest. HSTS enforced. SHA-256 hashing. Key rotation automated.
👥
Access Control
Role-based auth. MFA available. Admin SDK provisioning. Firestore security rules per org. Session timeout enforced.
📄
Full Checklist: sodpulse.com/security.html — 12 control domains including Data Handling, Sub-Processors, Compliance Certifications, Incident Response, Business Continuity, and Vulnerability Management. Updated quarterly.
Technical Architecture
Built on Firebase. Deployed globally.
Enterprise-grade infrastructure with zero on-premise footprint.
Firebase / GCP Infrastructure
Hosted on Firebase Hosting + Firestore + Cloud Functions. Built on SOC 2 compliant GCP/Firebase infrastructure. 99.95% SLA. Globally distributed CDN with sub-100ms load times.
Data Security Model
Authorization data is processed in the browser. Optional file retention available for audit trail (opt-in per organization). Tenant isolation enforced at Firestore security rule level. Admin SDK-controlled user provisioning.
Input Format Flexibility
Accepts CSV exports from SAP SE16N or any AGR_1251-based extract. Handles UTF-8 BOM, missing columns, and non-standard field orders gracefully. Custom Z/Y-TCode mapping is supported at the org level — administrators map organisation-specific transaction codes (e.g.
ZMM01 → MM01) so custom T-Codes are correctly evaluated against the full rule set. Exact-match substitution; wildcard matching not supported.Multi-Tenant Management
Separate organisations per client. Admin portal for user management, subscription tiers, custom branding, org settings. Org registration supports flagging of SAP IS Solutions (Oil & Gas, Automotive, etc.) to apply relevant rule packs. Demo, Full, and Expired access tiers with configurable durations.
Report Outputs
Executive summary, user violation detail, process-level breakdown, risk heat map. Print-to-PDF for audit trail and management letters. All reports printable to PDF. Embeddable charts for board packs.
Roadmap — v2.0
Planned: Multi-Regional Data Residency (GCC, EU, US regions) · Supreme Analytics Module (5 advanced views) · Collaborative Remediation Tracker · IS Packs for Utilities, Pharma, FMCG, Financial Services · Scale Architecture (Firestore process-and-store for 10,000+ users) · Additional SAP modules (TM, GTS, SM) · Compliance tagging.