COTS Enterprise Platforms
Security review of commercial off-the-shelf enterprise platforms (Salesforce, SAP, Microsoft Dynamics), covering configuration, customisation, and integration risk.
Enterprise COTS platforms such as Salesforce, SAP, and Microsoft Dynamics concentrate vast amounts of organisational data and process. Their security depends almost entirely on how they are configured, what custom code has been layered on top, and how they integrate with the rest of the environment. Penetration testing against the vendor product itself is rarely the right question; testing your specific configuration is.
Our COTS engagements review the platform-specific security primitives (Salesforce sharing rules and profiles; SAP authorisation objects, including S_RFC, which gates remote function calls; Dynamics security roles and field-level security) alongside the custom Apex, ABAP, and plugin code that often quietly bypasses them. Findings map to vendor security baselines, ISO 27001:2022 access-control requirements, and any regulator requirements for the data the platform holds.
What's at stake.
COTS platforms concentrate data
A misconfigured Salesforce org, SAP system, or Dynamics tenant can expose more data than most application-layer breaches, and the controls that protect them are usually invisible to traditional penetration testing.
Custom code routinely bypasses platform controls
Apex classes declared without "with sharing", ABAP reports that never call AUTHORITY-CHECK, Dynamics plugins registered to run in a privileged user's context: every COTS platform has its own version of "the customisation that defeated the security model".
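The Salesforce case, shown as the vulnerable class beside its hardened form. This is an added illustration, not code from the original page or from Salesforce; the class and method names (AccountLookupController, AccountLookupControllerSafe, search) are hypothetical.

```apex
// Added example (not from the original page). Class names are hypothetical.

// BEFORE: no sharing declaration. A class with no sharing keyword only
// inherits sharing enforcement when called from a "with sharing" class.
// Invoked directly as an entry point (here from a Lightning component via
// @AuraEnabled) it runs in system mode: record-level sharing rules are not
// applied and field-level security is not checked, so any user who can
// reach the component can read every Account, including AnnualRevenue.
public class AccountLookupController {
    @AuraEnabled(cacheable=true)
    public static List<Account> search(String term) {
        return [SELECT Id, Name, AnnualRevenue
                FROM Account
                WHERE Name LIKE :('%' + term + '%')];
    }
}

// AFTER: "with sharing" re-applies the running user's record access.
// That alone does not enforce object or field permissions, so the SOQL
// also uses WITH USER_MODE, which makes the query honour CRUD and
// field-level security and throws if the user lacks access to a
// selected field. The search term stays a bind variable, so it cannot
// alter the query itself.
public with sharing class AccountLookupControllerSafe {
    @AuraEnabled(cacheable=true)
    public static List<Account> search(String term) {
        String pattern = '%' + term + '%';
        return [SELECT Id, Name, AnnualRevenue
                FROM Account
                WHERE Name LIKE :pattern
                WITH USER_MODE];
    }
}
```

A quick check during review: list every Apex class that exposes an entry point (@AuraEnabled, @RestResource, webservice, or a Visualforce controller) and has no sharing keyword, since those are the classes whose behaviour is not inherited from a caller and therefore default to system mode.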
A structured, intelligence-led path through every engagement.
Every engagement follows the same disciplined path through the Velocity platform, so quality, traceability, and reporting are consistent across teams.
Scoping
Define assets, environments, Rules of Engagement, and acceptance criteria with the technical and security stakeholders.
Execution
Manual and tool-assisted testing by CREST-accredited consultants, with evidence captured at each step.
Validation
Every finding is reproduced, risk-rated under CVSS, and confirmed by a second consultant before reporting.
Reporting
Cryptographically signed reports with test-case traceability, severity ratings, reproduction steps, and remediation guidance.
Debrief & Retest
Stakeholder walk-through of findings, prioritisation support, and a retest cycle on remediated issues.
Mapped to recognised baselines.
Test Your Defences Against Adversarial Expertise
Talk to a CREST-accredited consultant about your next penetration testing engagement.