My name is Sidharth S, known online as Zidhuxd. I am 17 years old, based in Kerala, India — and the founder of TeenSquad Cybersecurity. This is the story of how I got here.
The Beginning: A Termux Session at 14
It started with a single question: "What exactly happens when I type a URL into my browser?" I was 14. I did not have a laptop — just an Android phone and Termux installed from F-Droid. I was running nmap scans against my own home router before I even knew what a CVE was.
Within six months, I had taught myself the basics of networking, Linux, and web application fundamentals. I consumed YouTube tutorials, HackTheBox writeups, and the PortSwigger Web Security Academy — all from a phone screen.
"I did not wait for the right setup. I used what I had — an Android phone and a burning curiosity about how systems break."
Finding My First Real Bug
My first real vulnerability was a reflected XSS in a local business website. No fancy tools — I manually fuzzed input fields after reading the OWASP Testing Guide. The site's search parameter was completely unsanitized. I disclosed it to the admin via email and got a thank-you reply three days later. That reply changed everything.
I realized: this is real. Security research is not just a hobby — it is something you can actually do at 15, from Kerala, with a phone.
Building TeenSquad at 16
The idea for TeenSquad came from frustration. Every cybersecurity resource I found was either too basic or too enterprise-focused. There was nothing built for young Indian researchers who were serious about security but did not have a CS degree or a corporate budget.
TeenSquad was my answer to that gap. The name is intentional — it is a statement that teens can do serious security research. Not tutorials. Real research. Real CVEs. Real writeups.
The Initial Stack
```bash
# Tools running on an Android phone
termux-setup-storage
pkg install nmap subfinder httpx
pkg install python3 git curl wget
pip install dirsearch wafw00f

# VPS later acquired for low monthly cost
apt install amass nuclei
```
Research Output: Year One
- 4 disclosed vulnerabilities (2 SQLi, 1 IDOR, 1 stored XSS)
- 3 detailed writeups published on this blog
- Security flaws identified in 2 Indian SaaS platforms
- Custom Termux OSINT toolkit used by 200+ researchers
| Vulnerability | Target Type | Severity | Status |
|---|---|---|---|
| SQL Injection (Auth Bypass) | SMM Panel | Critical | Disclosed |
| IDOR (User Data Exposure) | E-commerce Platform | High | Patched |
| Stored XSS | Forum Software | Medium | Patched |
| Broken Access Control | SaaS Dashboard | High | Disclosed |
What I Would Tell Younger Me
- Do not wait for the right device. Termux on Android is enough to start.
- Document everything. Every scan, every finding, every dead end. Your notes are your portfolio.
- Disclose responsibly. Report bugs to vendors before publishing. Build a reputation for ethics.
- Focus on one area deeply. I went deep on web app security first.
- Build in public. This blog, TeenSquad, my GitHub — all of it compounds over time.
What is Next for TeenSquad
TeenSquad is growing. The research roadmap for 2025-2026 includes expanding into Android application security, building an open-source recon framework, and publishing a structured curriculum for young Indian security researchers. The mission has not changed: prove that age is not a barrier to serious security research.