
Internal Security Detection Through SafeBase Trust Centres

Using exposed SafeBase trust portals and Nuclei headless scanning to extract public-facing security controls, validate assurance claims, and automate change detection at scale.

Tags: osint, nuclei, detection, safebase, compliance

Introduction — Hunting for Assurance and OSINT

Exposed SafeBase portals serve two audiences at once:

  • Prospects who need proof of your security posture
  • Security researchers (blue and red teamers)

Each green tick reveals a control that (supposedly) exists today; every missing tick is an equally loud hint at what doesn’t.


What This Detection Method Does

The approach outlined in this post:

  • Harvests every control title directly from the HTML body using Nuclei in headless mode
  • Normalises those titles into machine-readable findings via a single regex-based template
  • Outputs JSON/CLI matches of internal security controls

Why Collect This Data?

Compliance frameworks such as:

  • ISO 27001
  • SOC 2
  • PCI-DSS
  • Regional privacy regulations

…require evidence that security controls are in place and functioning.

SafeBase simplifies this by removing the need for endless email exchanges and document requests.

Why Scrape Your Own Trust Centre?

Even if you built it, there are strong reasons:

  • Continuous assurance
    Auditors increasingly expect ongoing, real-time evidence

  • Change detection
    Control names, groupings, or policies may change after updates or acquisitions

  • Third-party mappings
    JSON output allows mapping against frameworks like NIST 800-53


Blue vs Red Team Value

Team        Benefit
Blue Team   Ensures public claims remain accurate
Red Team    Identifies gaps by comparing against internal control libraries

Detection

Manual review works, but doesn’t scale.

Instead, this approach uses ProjectDiscovery / Nuclei, a fast scanning tool powered by YAML templates.

Why Nuclei?

  • Template-driven detection
  • High-speed scanning
  • Easily customisable
  • Ideal for large-scale automation

Matchers

The template includes 70 matchers.

Example Regex Matchers

- type: regex
  name: firewall
  regex: ['(?i)Firewall(?:[\s\S]{0,600}?data-testid="enabled")?']

- type: regex
  name: incident-response-policy
  regex: ['(?i)Incident\s+Response\s+Policy(?:[\s\S]{0,600}?data-testid="enabled")?']

Regex Techniques Used

Problem                               Fix
Different capitalisation              (?i) flag
Mixed spaces/newlines                 \s+
Unknown gap between title and icon    [\s\S]{0,600}?
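The two matchers above, exercised against constructed HTML so the three regex techniques can be watched working (added example, not the template repository's code). It also shows a caveat the trailing `?` introduces: a matcher fires on the bare title even when the control is unticked, and the 600-character lazy gap can reach the next control's tick. The `scan_controls` helper and both sample bodies are constructed for this illustration.

```python
import re

# Constructed sample bodies (not real captures). In SAMPLE_OK the ticked control
# comes first; in SAMPLE_BLEED an unticked control sits just before a ticked one.
SAMPLE_OK = """
<div class="control"><h3>Firewall</h3>
  <span>Network traffic is filtered at the perimeter.</span>
  <svg data-testid="enabled"></svg></div>
<div class="control"><h3>Incident   Response
Policy</h3><svg data-testid="disabled"></svg></div>
<p>Our firewall vendor is reviewed annually.</p>
"""
SAMPLE_BLEED = """
<div class="control"><h3>Incident Response Policy</h3>
  <svg data-testid="disabled"></svg></div>
<div class="control"><h3>Firewall</h3>
  <svg data-testid="enabled"></svg></div>
"""

# Same shape as the template's matchers: (?i) for case, \s+ between words,
# a lazy bounded gap [\s\S]{0,600}? up to the tick marker, and a trailing ?
# that keeps the marker optional (exactly as on the page).
CONTROLS = {
    "firewall": r'(?i)Firewall(?:[\s\S]{0,600}?data-testid="enabled")?',
    "incident-response-policy":
        r'(?i)Incident\s+Response\s+Policy(?:[\s\S]{0,600}?data-testid="enabled")?',
}


def scan_controls(body: str) -> dict:
    """Map matcher name -> 'enabled' or 'present' for every pattern that hits.

    'present' means the title matched but the optional tick group did not,
    so a matcher hit on its own does not prove the control is ticked.
    """
    results = {}
    for name, pattern in CONTROLS.items():
        for m in re.finditer(pattern, body):
            ticked = 'data-testid="enabled"' in m.group(0)
            if ticked or name not in results:   # keep the strongest evidence seen
                results[name] = "enabled" if ticked else "present"
    return results


if __name__ == "__main__":
    print(scan_controls(SAMPLE_OK))     # firewall enabled, policy only present
    print(scan_controls(SAMPLE_BLEED))  # the gap runs into the next control's tick,
                                        # so the unticked policy reads as enabled
```

Anchoring the gap to the control's own container (or shrinking the 600-character window to the real title-to-icon distance) is what removes the bleed case.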

Eliminating False Positives

A DSL matcher ensures higher accuracy:

- type: dsl
  name: names
  dsl:
    - 'status_code == 200'
    - 'contains_any(body, "Powered by SafeBase")'
  condition: and

What This Checks

Both must be true:

  • Response status code is 200
  • HTML contains "Powered by SafeBase"

Bypassing Cloudflare WAF

Most SafeBase portals sit behind Cloudflare WAF, blocking scraping attempts.

Solution: Headless Mode

Using Nuclei’s headless Chromium execution:

  • Runs JavaScript challenges
  • Bypasses Cloudflare Managed Challenge
  • Renders dynamic content

Headless Configuration

headless:
  - steps:
      - action: navigate
        args:
          url: "{{BaseURL}}"
      - action: sleep
        args:
          duration: 1s

Breakdown

  • navigate
    Launches Chromium and loads the target URL

  • sleep (1s)
    Allows:

    • JavaScript execution
    • Cookie setting
    • Full page rendering

Increase delay if HTML appears incomplete.


Troubleshooting

If results are missing:

  • Your IP may be blocked
  • Use a proxy if necessary

Scanning at Scale

1. Build Your Target List

# domains.txt
https://trust.gitlab.com
https://security.projectdiscovery.io
https://trust.your-vendor-here.com

You can also include:

  • Subdomains
  • Crawled endpoints

2. Run Nuclei with Concurrency

# -l reads the list built in step 1; -jsonl makes -o write JSON lines rather than plain text
nuclei \
  -t safebase-checks-enabled.yaml \
  -headless \
  -l domains.txt \
  -c 50 \
  -jsonl \
  -o safebase-scan.json

Key Flags

Flag     Purpose
-l       Input file
-c 50    Parallel browsers (resource intensive)
-o       Output file

Output Options

  • JSON
  • CSV
  • Stdout

You can forward results to:

  • S3
  • Slack
  • SIEM

Template Repository

https://github.com/rxerium/internal-security-detect


3. Automate via CI/CD

GitHub Actions Example

jobs:
  safebase-scan:
    runs-on: ubuntu-latest   # image ships with Google Chrome, which headless mode uses
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: stable
      - name: Install Nuclei   # the runner does not ship with nuclei
        run: go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
      - name: Scan trust centres
        run: |
          nuclei -t safebase-checks-enabled.yaml -headless -l domains.txt -c 50 -jsonl -o results.json
      - name: Upload artefact
        uses: actions/upload-artifact@v4
        with:
          name: safebase-results
          path: results.json
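The change-detection step the post motivates (a baseline run compared with the latest one) carried through in Python, as an added example that is not the post's or the template repository's code. It assumes Nuclei's JSONL output, where each matcher hit is one line carrying `template-id`, `matcher-name` and `host`, and that the DSL portal check is reported under the matcher name `names`; the sample lines are constructed.

```python
import json

# Constructed Nuclei JSONL lines (not a real scan): one line per matcher hit.
# vendor-b appears in the baseline but is missing from the current run.
BASELINE_JSONL = """\
{"template-id":"safebase-checks-enabled","matcher-name":"names","host":"https://trust.example.com"}
{"template-id":"safebase-checks-enabled","matcher-name":"firewall","host":"https://trust.example.com"}
{"template-id":"safebase-checks-enabled","matcher-name":"incident-response-policy","host":"https://trust.example.com"}
{"template-id":"safebase-checks-enabled","matcher-name":"names","host":"https://trust.vendor-b.example"}
{"template-id":"safebase-checks-enabled","matcher-name":"firewall","host":"https://trust.vendor-b.example"}
"""
CURRENT_JSONL = """\
{"template-id":"safebase-checks-enabled","matcher-name":"names","host":"https://trust.example.com"}
{"template-id":"safebase-checks-enabled","matcher-name":"firewall","host":"https://trust.example.com"}
{"template-id":"safebase-checks-enabled","matcher-name":"mfa","host":"https://trust.example.com"}
"""

TEMPLATE_ID = "safebase-checks-enabled"
PORTAL_MARKER = "names"   # the page's DSL matcher: status 200 + "Powered by SafeBase"


def load_controls(jsonl: str) -> dict:
    """Return {host: set of matcher names} from Nuclei -jsonl output."""
    controls = {}
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("template-id") == TEMPLATE_ID:
            controls.setdefault(rec["host"], set()).add(rec["matcher-name"])
    return controls


def diff_controls(baseline: dict, current: dict) -> dict:
    """Per host: controls added/removed since the baseline, and whether the
    portal marker was seen this run. If the marker vanished, the page most
    likely failed to render (WAF block, blocked IP), so the 'removed' list is
    a scan failure rather than a real change and should not raise an alert."""
    report = {}
    for host in sorted(set(baseline) | set(current)):
        old = baseline.get(host, set()) - {PORTAL_MARKER}
        new = current.get(host, set()) - {PORTAL_MARKER}
        report[host] = {
            "added": sorted(new - old),
            "removed": sorted(old - new),
            "portal_detected": PORTAL_MARKER in current.get(host, set()),
        }
    return report
```

Store the previous run's JSONL as a CI artefact and feed both files to `diff_controls` in the next run; only hosts with `portal_detected` set should be forwarded to Slack or the SIEM as genuine changes.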

Final Thoughts

This technique is limited to organisations using SafeBase, but it demonstrates a powerful concept:

Passive OSINT can intersect with compliance, assurance, and detection.

By leveraging publicly accessible trust portals, researchers can:

  • Analyse control frameworks
  • Validate security claims
  • Detect changes automatically

…all without authentication or direct system access.