The complete engineer's guide

5G Security Based on 3GPP

Architecture · Authentication · Key Management · Privacy · Roaming · SBA · Network Slicing · RAN Security · Core Security · Cloud-Native Security · Operational Protection — grounded in TS 33.501 v18.11.0 and the full 33-series family.

35CHAPTERS

5LABS

8PARTS

115Q&A

Every chapter: learning objectives · standards reference box · deep procedure walkthroughs · operator view · misconfigurations · threat tables · real network example · troubleshooting checklist · review questions · mini lab.

Part 1 — Foundations of 5G Security

CHAPTER 1Why 5G Security Matters2G→5G evolution, attack surface, six objectives, trust triangle CHAPTER 23GPP Security StandardizationSA3, the spec triangle, Rel-15→19, how to read TS 33.501, SCAS CHAPTER 35G Architecture — Security ViewEvery NF's security job, key placement, interfaces, SBA concept

Part 2 — Authentication and Access Security

CHAPTER 45G Identity & Subscription SecuritySUPI, SUCI, ECIES, SIDF, 5G-GUTI, USIM root of trust CHAPTER 5The 5G Authentication Framework5G-AKA vs EAP-AKA′, AVs, mutual auth, home control, AKMA CHAPTER 65G-AKA — Complete Message FlowRAND/AUTN/RES*/HXRES*, K_AUSF & K_SEAF, failure cases CHAPTER 7Key Hierarchy & Key ManagementThe full tree K→AS keys, KDF mechanics, NH/NCC, refresh CHAPTER 8NAS SecurityNAS SMC, NEA/NIA, NAS COUNT, replay & bidding-down defense CHAPTER 9AS, RRC & User-Plane SecurityAS SMC, PDCP crypto, UP integrity, UP security policy

Part 3 — Core Network and SBA Security

CHAPTER 10Service-Based Architecture SecuritymTLS, NRF, OAuth tokens, SCP models, certificate lifecycle CHAPTER 11Network Function SecurityPer-NF hardening: AMF, SMF, UPF, AUSF, UDM, NRF, NEF, SCAS CHAPTER 12NEF and API SecurityCAPIF, AF onboarding, API threats, rate limiting, privacy CHAPTER 13SEPP and 5G Roaming SecurityN32-c/f, TLS vs PRINS, IPX, topology hiding, filtering CHAPTER 14Network Domain SecurityNDS/IP, IPsec/IKEv2, SEGs, Za/Zb, backhaul, CMPv2

Part 4 — RAN, Mobility and Roaming Security

CHAPTER 15NG-RAN SecurityCU/DU split, F1/E1/Xn/NG protection, secure boot, site threats CHAPTER 16Handover SecurityKey chaining, NH/NCC, Xn & N2 handover, forward security CHAPTER 17Interworking with LTE/EPSN26, context mapping, key conversion, downgrade risks CHAPTER 18NSA and SA SecurityEN-DC, S-K_gNB, LTE anchor risks, migration security

Part 5 — Privacy, Slicing, Edge and Special Networks

CHAPTER 19User Privacy in 5GSUCI limits, GUTI discipline, paging & location privacy CHAPTER 20Network Slicing SecurityS-NSSAI, NSSF, NSSAA, isolation layers, tenant protection CHAPTER 21Non-Public Network SecuritySNPN, PNI-NPN/CAG, onboarding, credentials holder, OT CHAPTER 22MEC and Edge SecurityEdge UPF, local breakout, EDGEAPP, latency vs security CHAPTER 23IoT, RedCap & Massive Device SecurityBotnet economics, RedCap posture, URLLC integrity, fleets

Part 6 — Threats, Attacks and Operator Protection

CHAPTER 24The 5G Threat ModelFull-surface threat map, actors, MITRE FiGHT, risk matrix CHAPTER 25Common MisconfigurationsNEA0/NIA0, UP-IP off, cert sins, NRF gaps, SEPP bypasses CHAPTER 26Security Monitoring and KPIsTelemetry sources, auth funnel, SBA logs, KPI dashboard CHAPTER 27SOC/NOC ProceduresPlaybooks: auth anomaly, storms, DDoS, rogue gNB, API abuse CHAPTER 285G Security Audit ChecklistRAN/core/SBA/roaming/slice/cloud/cert/device audits

Part 7 — Advanced and Future Security

CHAPTER 29Cloud-Native 5G SecurityCNFs, K8s hardening, service mesh, secrets, CI/CD, NFVI CHAPTER 30Zero Trust Architecture for 5GZTA principles, least privilege, micro-segmentation, gaps CHAPTER 31AI/ML for 5G SecurityAnomaly detection, NWDAF, adversarial ML, governance CHAPTER 325G-Advanced and the Road to 6GRel-18/19, post-quantum, crypto agility, 6G trust preview

Part 8 — Practical Labs and Training Material

CHAPTER 33Practical 5G Security Lab DesignOpen5GS + UERANSIM, Wireshark NAS, SBA token lab, TLS lab CHAPTER 34Interview Questions & Trainer Notes115 questions beginner→advanced, scenarios, course maps CHAPTER 35The Final Master ChecklistEnd-to-end, deployment, design review, IR, compliance END MATTERGlossary · Spec Map · ReferencesFull acronym glossary, 3GPP spec map, prompt library

5G Security Based on 3GPP · verified against TS 33.501 v18.11.0 (Rel-18, 2026-04) · always verify against the latest 3GPP version
Markdown manuscript for KDP conversion: book.html