AI SOC for SAP · An Xiting product

Your SIEM sees logs.
Falcora sees business risk.

Falcora is the AI SOC for SAP — a Human-in-the-Loop Security Operations Center and SOAR platform built specifically for SAP. It translates technical SAP events into business impact, triages alerts with AI, maps every finding to SAP MITRE ATT&CK, and orchestrates remediation across your SAP estate — so your analysts spend their time on the threats that actually matter.

Request a demo → Explore features

Built by Xiting — SAP security specialists since 2008 · Hosted on Microsoft Azure · EU data residency · global availability

70%

reduction in SAP investigation effort

100%

AI alert classification rate

MTTD ↓

massively faster threat detection

MTTR ↓

dramatically faster incident response

Plays nicely with

Specialized SOC & SOAR intelligence for SAP

Falcora is not a SIEM. It's the layer that finally makes SAP make sense to your SOC.

SAP systems are the backbone of business-critical operations — yet they're invisible to generic SIEMs, where SAP signals get lost in millions of log lines. Falcora adds the business context, the SAP know-how and the AI triage that turn noisy events into prioritized, actionable risk.

Request a demo →

Capabilities

Built for SAP. Trusted by SOC.

Six capabilities working together to turn SAP noise into business-aligned action — without taking the human out of the loop.

01 — HUMAN-CENTERED AI

AI does the heavy lifting. Analysts stay in control.

Artificial intelligence plays a central role across Falcora — always as a supporting capability, never an autonomous decision-maker. Our Human-in-the-Loop model ensures analysts validate every consequential step, so AI accelerates the work without replacing the judgment.

AI-supported investigation guidance, not black-box verdicts
Every prompt, decision and action is logged and reproducible
Standardized, auditable workflows your auditors will recognize

02 — SAP SECURITY OPERATIONS DASHBOARD

One pane of glass — for SAP-aware SOC.

The Falcora dashboard visualizes active alerts with prioritization, SLA tracking, AI-generated insights and operational KPIs in a single interface. Risk heatmaps highlight business-critical areas, so you spend your time where exposure is highest — not where logs are loudest.

Risk-based prioritization aligned with business impact
SLA tracking + AI insights for every active case
Operational KPIs your CISO can actually read

03 — AI-ASSISTED ALERT PROCESSING

End-to-end triage that filters noise before your team ever sees it.

Falcora analyzes and filters alerts for false positives using AI-assisted evaluation, then enriches the real ones with contextual information before they ever reach an investigator. The result: massive reductions in MTTD and MTTR, and an analyst experience that scales beyond the supply of SAP experts.

Up to 70% reduction in SAP investigation effort
Improved detection accuracy with fewer false positives
Reduced dependency on scarce SAP security specialists

04 — SAP MITRE ATT&CK MAPPING

SAP attack patterns, mapped to the framework your team already speaks.

Falcora maps SAP-specific attack patterns to the MITRE ATT&CK framework, correlating SAP transactions and behavioral indicators with tactics and techniques. Coverage is transparent, growing, and finally puts SAP signals on the same map as the rest of your enterprise security telemetry.

SAP-specific detections mapped to MITRE ATT&CK — coverage grows continuously
SAP activities, transactions & behavioral indicators correlated to tactics and techniques
Transparent coverage map — know exactly what's covered and where the gaps are

05 — FALCORA RESPOND · SOAR

Orchestrate response across your entire SAP estate.

Run security-response playbooks natively against your enterprise applications — GRC, IAM, IGA and more — or in combination with your existing SOAR like FortiSOAR. AI agents propose the next action; humans approve it; every step is queued, audited, and reversible.

Native connectors into GRC, IAM, IGA & enterprise apps
Or orchestrate through your existing SOAR (FortiSOAR & others)
AI agents with immutable, role-gated prompt versioning
Per-tenant kill switch & full execution audit log

Playbook · Suspicious privileged access Running

✓
Identify user & recent activityFalcora · SAP ETD
✓
Lookup role assignmentsSAP GRC
⟳
Trigger access reviewIGA · SailPoint
·
Suspend in IAM if confirmedEntra ID
·
Create incident & notify SOCJIRA · MS Teams

06 — SAP SECURITY NOTES

Every SAP Note. Every system. One source of truth.

Falcora pulls every SAP Security Note into one place, enriches each with CVE / CWE / CVSS context, and connects to your SAP landscape to show live per-system implementation status — so you finally know what's patched, where, and what isn't.

Continuously synced SAP Security Note catalog
CVE enrichment with CWE, CVSS breakdown & references
Live per System × Client implementation status — workbench & customizing
Audit log of every status change & implementation event

SAP Security Note · 3001234 High · CVSS 8.7

RFC code injection vulnerability in SAP NetWeaver AS ABAP

CVE: CVE-2025-12847 CWE: CWE-94 Component: SAP_BASIS 7.50+

Implementation across landscape

12 of 15 systems · 28 of 32 clients

PRD-100 ✓ PRD-200 ✓ QAS-100 ! DEV-100 ✓ QAS-200 ! + 10 more

Model Context Protocol

Bring your favorite AI into the SOC.

Falcora ships with a production-grade MCP server over Streamable HTTP. Authorization, tenant scoping, audit logging and PII masking all run through the same services as the HTTP API — MCP is just a new transport, not a back-door.

Microsoft Copilot SAP Joule Claude (claude.ai & Claude Code) Cursor mcp-inspector Your own agent

✓ Ask, act, decide — query cases, kick off AI analysis, add notes, submit feedback and finalize verdicts, all in natural language
✓ Same security model as the rest of Falcora — every call is role-gated, PII-masked and audit-logged. MCP is a transport, not a back-door.
✓ Tied to a real identity — your analyst signs in with Entra; rate-limited per user and never anonymous
✓ No vendor lock-in — works with any MCP-compatible agent, today and tomorrow

SOC analyst · in Microsoft Copilot

Hey Joule, what's the status on case FAL-2487?

Joule · via Falcora MCP

Here's case FAL-2487:

Case · falcora://case/…

Suspicious privileged RFC access on PRD-100

Priority: High Status: Investigating MITRE: T1078.004

Owner: alice@… 3 alerts · last update 2h ago

SOP P-014 was applied automatically. Awaiting system-owner feedback before triggering deeper analysis.

Also try "Trigger AI analysis on FAL-2487" "Find the SOP for SAP RFC callback abuse" "List my open cases"

Architecture

From SAP event to closed case — in one auditable pipeline.

Azure Function Apps with strict privilege separation, hardened for the realities of SAP estates. Every step is logged, every LLM prompt is reproducible, every action is role-gated.

Ingest

SIEM connector POSTs alerts to a dedicated endpoint. OAuth or Basic Auth.

Triage

Worker masks PII, retrieves the matching SOP, asks the LLM for a verdict.

Case

Real threats become cases; false positives are closed and learned from.

Respond

JIRA incident + Teams notification + playbook actions, fully role-gated.

Audit

Every prompt, decision and action lands in the tenant audit log.

Security & compliance

Built for the people who get audited.

Falcora was designed by SAP security specialists for SAP security teams — and it shows in every default.

SAP IAS federation via Workforce Entra. Customers don't configure Falcora in their own Entra. We broker the trust.
GDPR Article 4(5) pseudonymization. PII is salted and hashed per-tenant before any LLM call.
36 granular RBAC roles. No umbrella "admin" — every capability is granted per resource.
Per-tenant Cosmos DB + Key Vault. Data isolation is physical, not just logical.
EU data residency, global availability. Defaults to Azure Switzerland-North / West-Europe; Falcora can run in any Azure region on request.
Full audit trail. Every prompt, verdict and action is logged at tenant scope.
Fail-early startup. Misconfigured environments refuse to boot — silent drift can't happen.
Reproducible LLM reasoning. SOP + prompt + model version + output are stored together.

ISO/IEC 27001 certified

Information security management aligned with ISO 27001 — 93 controls across organizational, technological, physical and personnel security. Certified at the Xiting organization level.

View full Trust Center →

An Xiting product

Made by the team that has secured SAP for two decades.

Xiting is a global specialist in SAP authorization, identity and security, headquartered in Switzerland and trusted by 850+ international customers worldwide. Our consultants have shipped authorization and security concepts, IAM integrations and security automation for some of the largest SAP estates in the world. Falcora is what happens when that operational expertise meets modern AI — productized, multi-tenant, and built to scale.

Visit xiting.com → Talk to the team

Request a demo

Ready to elevate your SAP security operations?

30-minute demo with the team that built Falcora. We'll bring sample SAP alerts and the dashboard live — you bring your hardest false-positive backlog.

See Falcora triage real SAP alerts in real time
Walk through the MITRE ATT&CK mapping for your stack
Try the MCP server from Microsoft Copilot or Claude
Get a tailored rollout estimate for your environment

Prefer email? falcora@xiting.com Falcora is a product of Xiting · EU data residency · global availability

JavaScript is required to display the form. Please email us at falcora@xiting.com.

Your SIEM sees logs. Falcora sees business risk.