There is a particular kind of person who, upon encountering a locked door, does not look for the key — they study the lock. Sidharth S, known across cybersecurity circles as Zidhuxd, is that kind of person. At an age when most students are memorising textbook answers, he was mapping live network infrastructure from an Android phone in his room in Kerala, India — and finding the cracks that nobody else had noticed.
This is not a story about a prodigy who was born exceptional. It is a story about someone who chose to be deeply, stubbornly curious — and followed that curiosity far enough to discover that the real world's digital systems are far more fragile than they appear.
The Beginning: When Curiosity Becomes Obsession
Sidharth did not arrive at cybersecurity through a classroom. There was no mentor who handed him a roadmap, no course that walked him through it step by step. The entry point was simpler and stranger than that — it was a question he could not stop asking: what is actually happening when data moves across a network?
That question has a way of pulling people into an increasingly deep rabbit hole. Follow it far enough and you stop asking how systems work and start asking how they break. For Sidharth, that transition happened naturally, almost inevitably. He started with the tools available to him — an Android device, a free terminal emulator called Termux, and an internet connection — and began teaching himself networking, Linux, and web application architecture from first principles.
What is striking about this period is not what he learned, but how. He did not follow a structured curriculum. He broke things, observed the results, formed hypotheses, tested them. He would scan his own home network and sit with the output for hours, cross-referencing it against documentation and writeups from researchers he had never met. The learning was driven entirely by the friction between what he expected to happen and what actually did.
"He did not learn cybersecurity. He learned how to think about systems — and cybersecurity was the natural consequence."
From Curious to Capable: The Transition Nobody Sees
There is a phase in any self-taught technical career that rarely gets documented — the long middle period between knowing nothing and knowing something real. It is unglamorous. It is mostly made up of misread documentation, tools that do not behave as expected, and findings that turn out to be false positives. Sidharth went through all of it.
He consumed PortSwigger's Web Security Academy methodically, working through each vulnerability class not as an abstract concept but as something to reproduce, test, and understand from first principles. He read bug bounty writeups not for the conclusions but for the methodology — the mental process a researcher uses when staring at an application they have never seen before and trying to find where it fails.
Gradually, the gap between reading about vulnerabilities and finding them began to close. He developed an instinct — the kind that is hard to teach and impossible to shortcut — for which parts of a system are most likely to be poorly implemented. Input validation. Authentication flows. Password reset mechanisms. Anywhere a developer had to handle untrusted user data and make a decision about it.
Real Systems, Real Findings
The vulnerability was a SQL injection. Not a textbook example — a real one, in production, on a platform being actively used by thousands of people. The entry point was a query parameter in a password reset flow that had never been sanitised. A single apostrophe returned a raw MySQL error. From there, the exploitation chain was methodical: column enumeration, UNION-based extraction, and ultimately access to the admin credentials table.
The finding was critical by any standard — a CVSS score placing it firmly in the range where organisations escalate immediately. Sidharth disclosed it responsibly: documented, structured, sent to the vendor within 24 hours, with a full proof-of-concept and remediation recommendation. The response came with an acknowledgement and a reward in high-value credits.
Technical Depth: Tools and the Thinking Behind Them
Web Application Security
His primary domain. He approaches web targets with a manual-first methodology — reading the application before touching any tooling, mapping the attack surface, identifying parameters and flows most likely to contain logic flaws. The tools he reaches for — subfinder, dnsx, httpx, nuclei — are used surgically, not indiscriminately. He knows what each one is doing at the protocol level, which means he knows when its output can be trusted and when it cannot.
Android Reverse Engineering
APK reverse engineering requires a different mental model entirely — you are not looking at a running web application, you are reconstructing the logic of a compiled binary. Sidharth uses jadx for high-level Java/Kotlin decompilation and apktool for access to the underlying Smali bytecode. He can modify application logic at the bytecode level — patching boolean checks, bypassing certificate pinning, extracting hardcoded API keys that developers assumed were safely buried inside compiled code.
OSINT and Reconnaissance
His OSINT toolkit runs almost entirely on Termux: subfinder for subdomain enumeration, dnsx for DNS resolution, httpx for probing live web services, theHarvester and holehe for email and identity tracing. He has built custom shell scripts that chain these tools into automated pipelines — the kind of recon infrastructure most security teams deploy on dedicated servers, running entirely on a phone.
The Mindset: How He Actually Thinks
What distinguishes Sidharth from someone who has simply learned a set of tools is the way he thinks about systems. He approaches every target with structured curiosity — not "what vulnerabilities does this tool find?" but "what decisions did the developer make here, and which of those decisions might have been wrong?"
Automated vulnerability scanning is pattern matching — looking for known signatures of known vulnerabilities. The vulnerabilities that require real thinking are the ones that do not match any known pattern. Finding them requires the ability to model how a developer thinks, identify where that thinking went wrong, and construct a test that exposes the gap. Sidharth has developed this ability through volume and attention — not formal training.
"Most people learn what the tools find. He learned to find what the tools miss."
Recognition and What It Actually Means
Sidharth has been recognised as one of the youngest cybersecurity researchers in Kerala — a distinction meaningful not because of the age qualifier, but because of the quality of the work. The acknowledgements he has received from vendors are not participation trophies. They are responses to real, critical findings that real organisations needed to know about.
At an age when most people are still building the foundational knowledge that makes independent research possible, he has already demonstrated the full cycle of security research: target selection, reconnaissance, vulnerability discovery, exploitation, responsible disclosure, remediation guidance — completed end-to-end on real systems.
What This Website Is
This is not a tutorial blog. There are enough of those. This website is a working archive — a record of real research, real methodology, and real findings from someone who is still in the middle of building something. The writeups here are primary sources. The tools articles are written by someone who uses the tools daily, not someone who read the documentation and summarised it.
What Comes Next
Sidharth is seventeen. The trajectory from where he is now — discovering critical vulnerabilities in real systems, building recon infrastructure from a phone, editing APK bytecode without formal training — points in a direction that is genuinely interesting to watch.
The researchers who matter in ten years will not be the ones who learned the most tools. They will be the ones who developed the deepest understanding of how complex systems fail — and who had the discipline to document that understanding clearly and honestly. Sidharth is already doing both. He is not waiting for permission. He never has been.