🤖 AI Summary
To address insufficient end-device–centric security threat detection in complex heterogeneous cellular networks (e.g., O-RAN), this paper proposes the first UE-centric, declarative RAN security testing paradigm. Our platform is built on commercial hardware and open-source 5G protocol stacks (srsRAN/UHD), integrating state-machine–driven orchestration, P4-programmable data-plane monitoring, and lightweight signaling injection to enable adaptive test-case generation and cross-vendor interoperability validation. Unlike conventional black-box or protocol-level testing, our approach achieves fine-grained UE behavioral modeling and end-to-end active security verification. Evaluated on real 5G software–hardware environments, it successfully automates reproduction and detection of 12 representative vulnerabilities—including authentication bypass and NAS message tampering—with 100% reproducibility and a 63% average reduction in test-case execution time.
📝 Abstract
Cellular networks require strict security procedures and measures across various network components, from core to radio access network (RAN) and end-user devices. As networks become increasingly complex and interconnected, as in O-RAN deployments, they are exposed to numerous security threats. Therefore, ensuring robust security is critical for O-RAN to protect network integrity and safeguard user data. This requires rigorous testing methodologies to mitigate threats. This paper introduces an automated, adaptive, and scalable user equipment (UE) based RAN security testing framework designed to address the shortcomings of existing RAN testing solutions. Experimental results on a 5G software radio testbed built with commercial off-the-shelf hardware and open-source software validate the efficiency and reproducibility of sample security test procedures developed on the RAN Tester UE framework.