diff --git a/daemon/web/src/lib/components/ConfigForm.svelte b/daemon/web/src/lib/components/ConfigForm.svelte
index a1a1492..65a4635 100644
--- a/daemon/web/src/lib/components/ConfigForm.svelte
+++ b/daemon/web/src/lib/components/ConfigForm.svelte
@@ -183,6 +183,18 @@
                                 Null Cipher Heuristic
                             </label>
                         </div>
+
+                        <div class="flex items-center">
+                            <input
+                                id="nas_null_cipher"
+                                type="checkbox"
+                                bind:checked={config.analyzers.nas_null_cipher}
+                                class="h-4 w-4 text-rayhunter-blue focus:ring-rayhunter-blue border-gray-300 rounded"
+                            />
+                            <label for="nas_null_cipher" class="ml-2 block text-sm text-gray-700">
+                                NAS Null Cipher Heuristic
+                            </label>
+                        </div>
                     </div>
                 </div>
 
diff --git a/daemon/web/src/lib/utils.svelte.ts b/daemon/web/src/lib/utils.svelte.ts
index ca6f93d..0abb6a4 100644
--- a/daemon/web/src/lib/utils.svelte.ts
+++ b/daemon/web/src/lib/utils.svelte.ts
@@ -6,6 +6,7 @@ export interface AnalyzerConfig {
     connection_redirect_2g_downgrade: boolean;
     lte_sib6_and_7_downgrade: boolean;
     null_cipher: boolean;
+    nas_null_cipher: boolean;
 }
 
 export interface Config {
diff --git a/dist/config.toml.example b/dist/config.toml.example
index f4d3bb3..c0c2774 100644
--- a/dist/config.toml.example
+++ b/dist/config.toml.example
@@ -27,4 +27,5 @@ key_input_mode = 0
 imsi_requested = true
 connection_redirect_2g_downgrade = true
 lte_sib6_and_7_downgrade = true
-null_cipher = true
+null_cipher = true 
+nas_null_cipher = true
diff --git a/doc/heuristics.md b/doc/heuristics.md
index 2541f01..c4b36ba 100644
--- a/doc/heuristics.md
+++ b/doc/heuristics.md
@@ -20,3 +20,4 @@ Rayhunter includes several analyzers to detect potential IMSI catcher activity.
 - **LTE SIB6/7 Downgrade**: Tests for LTE cells broadcasting a SIB type 6 and 7
   which include 2G/3G frequencies with higher priorities
 - **Null Cipher**: Tests whether the cell suggests using a null cipher (EEA0).
+- **NAS Null Cipher**: Tests whether the security mode command at the NAS layer suggests using a null cipher (EEA0). This would usually only happen after a UE has successfully authenticated with the MME but still it shouldn't happen at all, this could be indicative of an attack though using SS7 to get key material from the HLR of the UE for a succesful authentication. It could also indicate an IMSI catcher which is connected to the mobile network MME and HLR through cooperation between government and telco. Or it could be a false positive if the telco is intending to use null ciphers (if encryption is illegal or something.)