diff --git a/tests/hwsim/test_ap_pmf.py b/tests/hwsim/test_ap_pmf.py
index 3913c5ce7..7feb173b6 100644
--- a/tests/hwsim/test_ap_pmf.py
+++ b/tests/hwsim/test_ap_pmf.py
@@ -927,58 +927,11 @@ def mac80211_read_key(keydir):
 pass
 return vals
-def test_ap_pmf_beacon_protection_bip(dev, apdev):
- """WPA2-PSK Beacon protection (BIP)"""
- """WPA2-PSK AP with PMF required and Beacon protection enabled (BIP)"""
- run_ap_pmf_beacon_protection(dev, apdev, "AES-128-CMAC")
-
-def test_ap_pmf_beacon_protection_bip_cmac_256(dev, apdev):
- """WPA2-PSK Beacon protection (BIP-CMAC-256)"""
- run_ap_pmf_beacon_protection(dev, apdev, "BIP-CMAC-256")
-
-def test_ap_pmf_beacon_protection_bip_gmac_128(dev, apdev):
- """WPA2-PSK Beacon protection (BIP-GMAC-128)"""
- run_ap_pmf_beacon_protection(dev, apdev, "BIP-GMAC-128")
-
-def test_ap_pmf_beacon_protection_bip_gmac_256(dev, apdev):
- """WPA2-PSK Beacon protection (BIP-GMAC-256)"""
- run_ap_pmf_beacon_protection(dev, apdev, "BIP-GMAC-256")
-
-def run_ap_pmf_beacon_protection(dev, apdev, cipher):
- ssid = "test-beacon-prot"
- params = hostapd.wpa2_params(ssid=ssid, passphrase="12345678")
- params["wpa_key_mgmt"] = "WPA-PSK-SHA256"
- params["ieee80211w"] = "2"
- params["beacon_prot"] = "1"
- params["group_mgmt_cipher"] = cipher
- try:
- hapd = hostapd.add_ap(apdev[0], params)
- except Exception as e:
- if "Failed to enable hostapd interface" in str(e):
- raise HwsimSkip("Beacon protection not supported")
- raise
-
- bssid = hapd.own_addr()
-
- Wlantest.setup(hapd)
- wt = Wlantest()
- wt.flush()
- wt.add_passphrase("12345678")
-
- # STA with Beacon protection enabled
- dev[0].connect(ssid, psk="12345678", ieee80211w="2", beacon_prot="1",
- key_mgmt="WPA-PSK-SHA256", proto="WPA2", scan_freq="2412")
-
- # STA with Beacon protection disabled
- dev[1].connect(ssid, psk="12345678", ieee80211w="2",
- key_mgmt="WPA-PSK-SHA256", proto="WPA2", scan_freq="2412")
-
- time.sleep(1)
-
+def check_mac80211_bigtk(dev, hapd):
 sta_key = None
 ap_key = None
- phy = dev[0].get_driver_status_field("phyname")
+ phy = dev.get_driver_status_field("phyname")
 keys = "/sys/kernel/debug/ieee80211/%s/keys" % phy
 try:
 for key in os.listdir(keys):
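Review bot: The extracted helper `check_mac80211_bigtk(dev, hapd)` has no docstring, and its `dev` parameter is a single station while the callers in both files use `dev` for the station list (`dev[0]`, `dev[1]`). Now that test_sigma_dut.py imports it, a short docstring should state what it verifies; from the visible lines it lists `/sys/kernel/debug/ieee80211/<phy>/keys` and, per the context at the end of the function, raises when the AP has not advanced its BIGTK BIPN. The `try:` around `os.listdir(keys)` continues outside the hunk, so it is not visible whether an unreadable debugfs ends in a skip or lets the check pass silently; the docstring should say which, since a silent pass would report beacon protection as verified when nothing was inspected.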
@@ -1034,6 +987,55 @@ def run_ap_pmf_beacon_protection(dev, apdev, cipher):
 if tx_spec < 3:
 raise Exception("AP did not update BIGTK BIPN sufficiently")
+def test_ap_pmf_beacon_protection_bip(dev, apdev):
+ """WPA2-PSK Beacon protection (BIP)"""
+ """WPA2-PSK AP with PMF required and Beacon protection enabled (BIP)"""
+ run_ap_pmf_beacon_protection(dev, apdev, "AES-128-CMAC")
+
+def test_ap_pmf_beacon_protection_bip_cmac_256(dev, apdev):
+ """WPA2-PSK Beacon protection (BIP-CMAC-256)"""
+ run_ap_pmf_beacon_protection(dev, apdev, "BIP-CMAC-256")
+
+def test_ap_pmf_beacon_protection_bip_gmac_128(dev, apdev):
+ """WPA2-PSK Beacon protection (BIP-GMAC-128)"""
+ run_ap_pmf_beacon_protection(dev, apdev, "BIP-GMAC-128")
+
+def test_ap_pmf_beacon_protection_bip_gmac_256(dev, apdev):
+ """WPA2-PSK Beacon protection (BIP-GMAC-256)"""
+ run_ap_pmf_beacon_protection(dev, apdev, "BIP-GMAC-256")
+
+def run_ap_pmf_beacon_protection(dev, apdev, cipher):
+ ssid = "test-beacon-prot"
+ params = hostapd.wpa2_params(ssid=ssid, passphrase="12345678")
+ params["wpa_key_mgmt"] = "WPA-PSK-SHA256"
+ params["ieee80211w"] = "2"
+ params["beacon_prot"] = "1"
+ params["group_mgmt_cipher"] = cipher
+ try:
+ hapd = hostapd.add_ap(apdev[0], params)
+ except Exception as e:
+ if "Failed to enable hostapd interface" in str(e):
+ raise HwsimSkip("Beacon protection not supported")
+ raise
+
+ bssid = hapd.own_addr()
+
+ Wlantest.setup(hapd)
+ wt = Wlantest()
+ wt.flush()
+ wt.add_passphrase("12345678")
+
+ # STA with Beacon protection enabled
+ dev[0].connect(ssid, psk="12345678", ieee80211w="2", beacon_prot="1",
+ key_mgmt="WPA-PSK-SHA256", proto="WPA2", scan_freq="2412")
+
+ # STA with Beacon protection disabled
+ dev[1].connect(ssid, psk="12345678", ieee80211w="2",
+ key_mgmt="WPA-PSK-SHA256", proto="WPA2", scan_freq="2412")
+
+ time.sleep(1)
+ check_mac80211_bigtk(dev[0], hapd)
+
 valid_bip = wt.get_bss_counter('valid_bip_mmie', bssid)
 invalid_bip = wt.get_bss_counter('invalid_bip_mmie', bssid)
 missing_bip = wt.get_bss_counter('missing_bip_mmie', bssid)
diff --git a/tests/hwsim/test_sigma_dut.py b/tests/hwsim/test_sigma_dut.py
index eb3bf0821..69e48aed6 100644
--- a/tests/hwsim/test_sigma_dut.py
+++ b/tests/hwsim/test_sigma_dut.py
@@ -26,6 +26,7 @@ from test_dpp import check_dpp_capab, update_hapd_config, wait_auth_success
 from test_suite_b import check_suite_b_192_capa, suite_b_as_params, suite_b_192_rsa_ap_params
 from test_ap_eap import check_eap_capa, int_eap_server_params, check_domain_match, check_domain_suffix_match
 from test_ap_hs20 import hs20_ap_params
+from test_ap_pmf import check_mac80211_bigtk
 def check_sigma_dut():
 if not os.path.exists("./sigma_dut"):
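Review bot: In tests/hwsim/test_ap_pmf.py, the re-added `test_ap_pmf_beacon_protection_bip` carries two consecutive string literals; only the first is the docstring and the second is a no-op expression statement. Since the function is being moved anyway, drop the second line so it matches its siblings, keeping `"""WPA2-PSK Beacon protection (BIP)"""`. The re-added `run_ap_pmf_beacon_protection` also has no docstring; a one-line summary such as `"""Bring up a PMF-required AP with beacon_prot=1 and the given group management cipher, then check BIGTK state and the wlantest BIP counters"""` would help, though its body continues past the end of this hunk.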
@@ -4048,3 +4049,36 @@ def run_sigma_dut_ap_channel(dev, apdev, params, channel, mode, scan_freq,
 stop_sigma_dut(sigma)
 subprocess.call(['iw', 'reg', 'set', '00'])
 dev[0].flush_scan_cache()
+
+def test_sigma_dut_beacon_prot(dev, apdev):
+ """sigma_dut controlled STA and beacon protection"""
+ ssid = "test-pmf-required"
+ params = hostapd.wpa2_params(ssid=ssid, passphrase="12345678")
+ params["wpa_key_mgmt"] = "WPA-PSK-SHA256"
+ params["ieee80211w"] = "2"
+ params["beacon_prot"] = "1"
+ try:
+ hapd = hostapd.add_ap(apdev[0], params)
+ except Exception as e:
+ if "Failed to enable hostapd interface" in str(e):
+ raise HwsimSkip("Beacon protection not supported")
+ raise
+
+ ifname = dev[0].ifname
+ sigma = start_sigma_dut(ifname)
+
+ try:
+ sigma_dut_cmd_check("sta_reset_default,interface,%s,prog,PMF" % ifname)
+ sigma_dut_cmd_check("sta_set_ip_config,interface,%s,dhcp,0,ip,127.0.0.11,mask,255.255.255.0" % ifname)
+ sigma_dut_cmd_check("sta_set_security,interface,%s,ssid,%s,type,PSK,passphrase,%s,encpType,aes-ccmp,keymgmttype,wpa2,PMF,Required,BeaconProtection,1" % (ifname, "test-pmf-required", "12345678"))
+ sigma_dut_cmd_check("sta_associate,interface,%s,ssid,%s,channel,1" % (ifname, "test-pmf-required"),
+ timeout=10)
+ sigma_dut_wait_connected(ifname)
+
+ time.sleep(1)
+ check_mac80211_bigtk(dev[0], hapd)
+
+ sigma_dut_cmd_check("sta_reset_default,interface," + ifname)
+ finally:
+ stop_sigma_dut(sigma)
+ dev[0].set("ignore_old_scan_res", "0")
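Review bot: `test_sigma_dut_beacon_prot` assigns `ssid = "test-pmf-required"` for the AP but the `sta_set_security` and `sta_associate` commands repeat the SSID as a literal, so the AP and STA sides can drift apart when one is edited; pass the variable instead, `% (ifname, ssid, "12345678")` and `% (ifname, ssid)`. The cleanup also calls `dev[0].set("ignore_old_scan_res", "0")` although nothing visible in this test changes that setting, which looks like a leftover from a copied test (indentation is lost on this page, so whether it sits inside `finally` cannot be confirmed). The AP parameters leave `group_mgmt_cipher` unset, so this test exercises a single cipher, unlike the four variants in test_ap_pmf.py; say so in the docstring or parameterise it.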