Shane Brown

Sebastian “Gehaxelt” Neef: From Teenage Hacker to Security Researcher

The best security researchers don’t start with a plan. They start with curiosity. Sebastian Neef, known online as “Gehaxelt,” turned teenage fascination into a career exposing critical infrastructure vulnerabilities and building tools used by thousands of security professionals.

How It Started: Gaming Bots and Web Security

Sebastian got his first computer at age eight. He played games like most kids. But at fourteen, his father showed him how to build simple websites with HTML and CSS. Something clicked.

He started writing automation bots for the games he played. Not to cheat. To understand how systems work beneath the surface. “One might not consider this to be hacking, but it helped me begin to think outside the box,” Sebastian said.

Around 2010, Anonymous hacks dominated the news. Sebastian, now sixteen, asked himself a question: Is hacking websites really easy, or are these hackers skilled?

He spent evenings learning web security techniques. The answer surprised him. Back then, many frameworks and system administrators weren’t security-conscious. SQL injection and cross-site scripting vulnerabilities were everywhere.

Bug Bounties and Early Success

Sebastian discovered bug bounty programs around 2011-2012. These programs let him legally test his skills against real targets instead of simulated challenges.

Results came fast. During his final years of high school, he reached the Top 10 on Bugcrowd’s global leaderboard. His findings earned him spots in halls of fame at Google, PayPal, Twitter, Adobe, and Apple.

Some programs paid him. Others sent merchandise. The money helped as a soon-to-be university student. But Sebastian describes a different motivation: “I often imagined a ‘challenge’ between the website’s developers and myself. In other words, who writes better code? Many times, the answer was yes, and the resulting rush of adrenaline did the rest.”

Deutsche Telekom acknowledged him for reporting XSS vulnerabilities to their security team.

Internetwache.org: Making Ethical Hacking Clear

In 2012, Sebastian co-founded Internetwache.org with Tim Philipp Schäfers. Germany’s strict hacking laws prohibit security testing without authorization. Not all websites had formal bug bounty programs.

“I assumed sending emails from ‘1337-h4xx0r@gmail.com’ would quickly land me in jail. I needed to be more clear about my intentions,” Sebastian explained.

The website conveyed his ethical approach. Most recipients responded with thanks. Some offered rewards. The worst responses were silence or dismissal.

Exposed Critical Infrastructure: The Big Discovery

The most impactful research from Internetwache.org exposed alarming vulnerabilities in European critical infrastructure. Sebastian and Tim found over 100 exposed industrial control systems accessible via the public internet. This included four hydroelectric dams.

Their research revealed unprotected access to:

  • Waterworks in Germany and Italy (one near Munich served 80,000 people)
  • Mobile traffic lights in Germany
  • Clinic systems in Switzerland
  • Smart buildings and home automation systems

Half required no authentication. Anyone who found them had administrator access.

In 2017, they presented findings to the European Parliament. German media outlets ARD and RBB covered the story. Sebastian told Threatpost: “You don’t need to know a special configuration. The web applications controlling these processes are accessible.”

Tools That Changed Security Testing

Sebastian built tools now used daily by security professionals. GitTools provides three utilities for discovering and exploiting exposed .git repositories on web servers. The toolkit appears in countless penetration testing guides.

He also developed a .DS_Store scanner for identifying sensitive files exposed through Apple’s metadata format. His latest tool, PHUZZ, is a coverage-guided fuzzer for PHP web applications. It won first place at the CSAW 2024 Applied Research Competition.

His research on exposed .git directories in the Alexa Top 1M websites became a foundational study. It demonstrated how development artifacts leak sensitive source code and credentials.

Academic Path and PhD Work

Sebastian completed his Bachelor’s and Master’s degrees in Computer Science at the Technical University of Berlin. He’s currently pursuing his PhD at the Chair for Security in Telecommunications.

His research focuses on network and software security with emphasis on web security. He teaches students, supervises theses, and leads the university’s Computer Security Working Group. The student club competes internationally in Capture The Flag competitions under the team name ENOFLAG.

In 2019, he co-authored an IT security book with Tim Philipp Schäfers.

Recognition From Detectify

Sebastian joined the Detectify Crowdsource community, where elite security researchers submit vulnerability modules that are run against customer assets. His contributions generated over 8,071 hits across Detectify’s customer base.

In 2022, Detectify awarded him the “Fabulous Feedbacker” award for his willingness to help, attitude, and proactive activity in internal channels.

When asked about working with Detectify, Sebastian highlighted the value: “What I like about Detectify’s Crowdsource system is they do the work and I do the research. It’s a win/win for everyone.”

Lessons for Aspiring Researchers

Sebastian’s journey offers practical insights for those interested in ethical hacking:

Start with curiosity, not credentials. Sebastian never set out to become a security professional. His path emerged from questioning how systems work.

Know the boundaries. “If one respects the scope of a program, tries not to break things when performing tests, and doesn’t attempt to extort anything, chances are good it will be a win-win situation.”

Collaborate and share. Bug bounty communities on Twitter and chat groups let Sebastian exchange writeups, techniques, and ideas. “Although it was tough competition, it had a positive feedback loop, and collaborating was fun, too.”

Stay current through practice. Sebastian recommends CTF competitions as learning resources. “Well organized CTFs usually feature the latest vulnerabilities and hacking techniques.”

Still Going

Today, Sebastian balances academic research with freelance security work and CTF competitions. He maintains multiple blogs, gives talks at conferences including Chaos Communication Congress, and remains active in the security community.

His story shows ethical hacking careers emerge from simple beginnings. A curious teenager with a computer. A willingness to learn. The integrity to use discovered knowledge responsibly.

Sebastian Neef didn’t plan to become a security researcher. He followed his questions until the answers led him to a career protecting systems we all depend on.
