The report, released Tuesday, is based on an analysis of threat activity directed at SAP environments over the past several months and going back to mid-2020. Its conclusions prompted an advisory this week from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), urging SAP customers to review the report and apply security patches as needed. "There has been historically a belief that mission-critical apps are not being attacked or that they are obscure enough that the skill to exploit them is not widespread," says Mariano Nunez, CEO and co-founder of Onapsis. What the threat analysis shows is not only are cybercriminals attacking such apps, but they are doing so with considerable skill, planning, and motivation, he says.