Ciphering and Integrity Enforcement: Is RRC control-plane traffic protected using EEA1/EEA2/EEA3 algorithms? Is NAS (Non-Access Stratum) signaling integrity-protected (EIA1/EIA2/EIA3)?

AS Security Context: Audit the Key Derivation Function (KDF) for KeNB generation. Is a fresh AS (Access Stratum) key set generated upon every handover?

UE Capability Integrity: Verify that UE capability exchange is protected to prevent "Bidding Down" attacks.

RRC-Connection Rejection Handling: Does the eNodeB mitigate "RRC Redirection" attacks (Fake Base Station)? Is there a mechanism to detect and block "IMSI Catchers" (False eNodeBs)?

Interference & Jamming Resilience: Audit the noise floor at the eNodeB for potential pilot signal jamming. Is there frequency monitoring to detect selective PSS/SSS (Primary/Secondary Sync Signal) jamming?

IPsec/DTLS Tunneling: Is all S1/X2 control-plane traffic encapsulated in an IPsec tunnel between the eNodeB and MME/PGW?

Handover Key Handling: Verify the "Next Hop" (NH) and Chaining Counter (NCC) forward-security mechanism during X2/S1 handovers.

Security Gateway (SeGW) Integrity: Audit the SeGW for certificate-based authentication (X.509) of the eNodeB.