5G security is often discussed as if modern architecture automatically means stronger security. In reality, that assumption does not survive contact with real operator environments. Production networks are shaped by legacy systems, vendor defaults, operational constraints, partial visibility, and security tradeoffs made in the name of availability. That is exactly why red team exercises matter. They show how compromise really happens across domains that are supposed to be separate.
In a recent P1 Security webinar, Philippe Langlois shared lessons from red team engagements focused on mobile critical infrastructure, including 5G standalone and non standalone environments, radio access networks, OAM exposure, and propagation toward the core. The conclusion was direct. Operators still face realistic compromise paths from the field to central infrastructure, and those paths are often created not by one catastrophic flaw, but by the accumulation of physical weakness, network exposure, insecure defaults, and complexity.
Why red teaming matters in telecom security
Telecom security is not just a product security problem. It is an end to end infrastructure problem. APT groups do not care about ownership boundaries, team silos, or internal diagrams. They move across domains, pivot through overlooked systems, and use whatever gives them a route toward subscriber data, lawful intercept environments, management systems, and core services.
That is what makes red teaming valuable. It does not just identify isolated weaknesses. It shows how those weaknesses chain together in the real world. It also helps operators prioritize security work by identifying the pivot points that matter most. If one control can break an entire kill chain, fixing that point first buys time and reduces overall exposure.
5G looks cleaner in architecture diagrams than it does in production
On paper, 5G standalone environments look structured, standardized, and modern. In production, they accumulate legacy dependencies, proprietary behavior, operational shortcuts, and poorly understood interfaces.
That gap between theory and reality is one of the most important lessons from the webinar. Operators do not secure a clean specification. They secure a real environment made up of old and new technologies living side by side. DNS, lawful intercept, OAM, lifecycle orchestration, virtualization, transport, and management layers all shape the attack surface. Looking only at the formal 5G core model creates a false sense of security.
This is why red team work is so useful in telecom. It reveals the architecture that actually exists, not the one people assume exists.
The real attack surface is horizontal
Attackers do not think in silos. They do not care whether a problem belongs to RAN, transport, OSS, core, or IT. They look for routes.
That is why mobile network compromise is often horizontal. A foothold in one area can become a pivot into another if segmentation is weak, credentials are reused, trust boundaries are loose, or management paths are too open. This is one of the biggest differences between normal point in time testing and a broader red team exercise. A normal assessment may show that one system is vulnerable. A red team shows that the vulnerability is reachable from somewhere defenders assumed was unrelated.
That distinction matters because many telecom incidents are not caused by one dramatic weakness. They are caused by several ordinary weaknesses that connect.
RAN to core compromise is not a theoretical scenario
One of the strongest takeaways from the webinar was that compromise from radio access environments into core infrastructure is not a hypothetical edge case. It is a realistic attack path.
A typical chain starts with weak physical security at a radio site. That may mean a remote location, poor CCTV coverage, weak fences, weak locks, or cabinets that are easier to access than many teams assume. From there, an attacker may reach debug ports, network ports, or management paths on the site equipment. If defaults, weak credentials, poor filtering, or management exposure are still present, that foothold can become lateral movement toward EMS, OSS, lawful intercept, subscriber related systems, and other critical assets.
That is the real issue. The problem is not just a weak cabinet lock or one bad configuration. The problem is that those small failures often connect to much larger operational consequences.
Physical security still matters
Too many discussions about 5G security begin in software and end in software. That misses part of the real attack model.
Physical access still matters in telecom. Radio sites, transport locations, and other field infrastructure remain operationally relevant. Weak physical protections can give attackers access to ports, devices, and local paths that make later stages of compromise much easier. In some cases, even temporary access is enough to establish persistence or create a route for later exploitation.
The webinar also highlighted another uncomfortable reality. Drop devices can be hard to detect, and once a foothold exists, data exfiltration can be fast. In mobile infrastructure, physical compromise and network compromise are not separate topics. They are often part of the same chain.
Weak segmentation is still one of the biggest problems
The most damaging issue is often not the first exploit. It is what the attacker can reach afterwards.
That is why weak segmentation and weak filtering remain so dangerous. If a compromised site, device, or management host can reach systems that should be isolated, then the architecture has already failed from a defensive point of view.
IPsec is a good example. In many cases, the problem is not the protocol itself. The problem is how it is used. Shared trust, overly broad reachability, weak filtering, or poor separation between management and operational paths can turn a protected tunnel into a pivot path. The same logic applies to network classes, internal routing, management exposure, and service reachability.
Once lateral movement becomes possible, isolated vulnerabilities stop being isolated.
Cloud native 5G improves some things and worsens others
Cloud native deployment brings benefits, but it also introduces a new security burden. Kubernetes and related technologies can improve standardization and operational flexibility, yet they also create a very large attack surface and break a number of traditional security assumptions.
In modern 5G environments, microsegmentation is often weak or incomplete, internal address pools may be reachable by default, management and orchestration layers may be too open, and telecom specific workloads may rely on deployment patterns that security teams are not fully comfortable with yet. On top of that, many traditional IT security approaches do not transfer cleanly into containerized telecom environments. Static assumptions around IP based identity and simple network boundaries are no longer enough.
This becomes even more difficult at the edge, where orchestration, Linux exposure, custom interfaces, and telecom specific services all combine in harder to monitor environments.
Compliance does not equal security
A recurring problem in telecom is that security is too often treated as a checklist exercise. Controls exist on paper, but fail in practice.
Mutual TLS may be enabled, but with poor identity handling. A backup process may exist, but with excessive internal access. A management control may be documented, but reachable from places it should never be reachable from. Vendors and operators may both say the same technology is in use, yet the resulting security posture can differ dramatically depending on how the environment is actually deployed.
This is why red teaming matters. It tests reality, not declarations.
The biggest risk may be the areas nobody is testing
One of the most important lessons from the webinar is that identified vulnerabilities are not the whole problem. Unknown or untested domains may be even more dangerous.
Telecom environments still contain too many partial audits, too many blind spots, and too many assumptions that some areas are out of scope or low risk. Legacy systems, lawful intercept, support infrastructure, orchestration layers, obscure perimeters, and crossover points between IT and OT are often where the real surprises are found.
The danger is not just that these areas contain weaknesses. It is that nobody has measured how exposed they are in the first place.
What operators should do next
Operators need periodic red team exercises that reflect the real breadth of the environment, not just narrow technical slices. They need continuous scanning and monitoring, but they also need depth through red teaming, pentesting, vulnerability research, and threat hunting.
They need to reduce blind spots across RAN, core, OAM, lawful intercept, orchestration, roaming, and adjacent infrastructure. They need to break kill chains at their pivot points instead of chasing isolated findings one by one. And they need stronger executive ownership of telecom security, because low urgency and fragmented ownership keep the same structural weaknesses alive.
The path forward is not complicated conceptually. Improve visibility. Harden the basics. Segment aggressively. Test the real environment. Fix the pivots first. Repeat continuously.
Final thoughts
The main lesson from this webinar is simple. Telecom compromise does not begin and end inside one clean perimeter. Real attacks move across physical exposure, radio access, management systems, orchestration layers, legacy systems, and core services.
5G does not erase that reality. In some cases, it makes it easier to miss.
That is why RAN to core compromise should be treated as a real defensive model, not as an extreme scenario. Operators need realistic testing, stronger segmentation, better hardening, and faster action on the paths attackers actually use. Otherwise the architecture may look modern while the compromise path remains very old fashioned.




