In 2024, Neal Agarwal published a single page titled "Not a Robot" — a series of escalating, deliberately ridiculous CAPTCHA-style challenges. Find the cat in the haystack. Drag the slider while it dodges. Solve a CAPTCHA inside a CAPTCHA. It went viral. By 2026 it's one of the most-cited references when designers complain about real CAPTCHA UX.
So what does the Neal Fun page actually teach us? More than "CAPTCHAs are annoying." It's a clinic in interface friction, attention, and the difference between real security theater and playful security theater.
The viral mechanic, in three points
| Element | Why it works for a joke | Why it fails in production |
|---|---|---|
| Escalating difficulty | Builds dramatic tension | Frustrates real users |
| No actual security goal | Pure entertainment | Doesn't stop bots |
| Long completion time | Funny once | Kills conversions |
The page is funny because it weaponizes the exact patterns that make real CAPTCHA painful — and then has no payoff. There's no signup at the end. No purchase. No account access at risk. The friction is the content.
What designers actually borrow from it (correctly)
- The mismatch between effort and reward. Real CAPTCHAs that take 15 seconds to gate a free newsletter signup are the bug Neal's page satirizes. If your CAPTCHA takes longer than the form does, fix one of those numbers.
- The dread of escalation. When users fail one challenge and the next one looks harder, conversion drops off a cliff. Real systems should keep retries simple, not punitive.
- The performative aspect. "Click all the traffic lights" is a ceremony — it signals "we are taking security seriously" more than it actually does so. Modern frictionless CAPTCHAs lean the other way: less ceremony, more silent device-trust signals.
What designers borrow incorrectly
The most common bad takeaway is "CAPTCHAs are pointless, remove them." Bot traffic on public forms is real and growing. The Neal Fun joke works because there's nothing on the other side of the gate. Remove the gate from your signup form and within a week your database is full of credential-stuffed accounts, scraped emails, and SEO spam.
The right takeaway is: make the ceremony invisible to legitimate users. Reserve visible challenges for risk-scored edge cases.
A sane risk-tiered flow
┌──────────────────────┐
user submit → │ device-trust check │ ──→ pass → process
└──────────┬───────────┘
│ fail
▼
┌──────────────────────┐
│ lightweight visual │ ──→ pass → process
│ challenge (1 click) │
└──────────┬───────────┘
│ fail
▼
┌──────────────────────┐
│ hard fallback │ ──→ pass / block
└──────────────────────┘90%+ of legitimate users should never see anything past step one. That's the design goal. Every visible challenge is a tax on conversion, paid by humans, in service of catching the small fraction the silent layer missed.
The psychology, briefly
Neal's page works because it inverts trust. Users expect CAPTCHAs to be slightly insulting — "prove you're not a robot, peasant" — and the joke version cranks that all the way up. Real products should do the opposite: imply the user is trusted by default, only ask when the signal is genuinely ambiguous.
This is also why CaptchaLa designs for invisibility on the happy path and only surfaces a UI when device, network, or behavioral signals push the request into a gray zone.
Implementation note
If you're building a CAPTCHA flow in 2026, three concrete defaults will keep you on the right side of the Neal Fun joke:
- Default to invisible mode; surface UI only when score is uncertain.
- Cap visible challenges to one screen, one interaction.
- Never escalate difficulty within a single session — block or pass instead.
The goal is for the joke page to feel exotic by comparison to your real product, not familiar.
Takeaways
- Neal Agarwal's CAPTCHA page is a great satire and a terrible spec.
- The lesson is "minimize ceremony," not "delete the gate."
- Risk-tier your flow so frictionless users never see a challenge.
- If your CAPTCHA looks like the joke, your users have already noticed.