Static demoNo API billClient-side only

Find the exploit hiding in the file.

FileFormat.Fail is an OrbitCurve-style binary security lab: inspect synthetic PNG, PDF, ZIP, PE, ELF, and polyglot artifacts, make a defender call, then reveal the analyst read.

Start with the PNG case

CASE 00Parser confusion

PNG preview says image.ZIP parser says archive.

0uploaded bytes leave your browser

6safe challenge files

4defender verdict choices

1tweetable DevDay demo

Current evidence

The harmless screenshot

A user uploads a normal-looking PNG. The preview renders fine, but the byte trail keeps going after the image ends.

60risk

Filenameharmless-screenshot.png

Primary typePNG

Size235 bytes

Markers1

Make the callWhat should a defender label this file?

Mission

Find the second file format hidden after the image data.

A user uploads a normal-looking PNG. The preview renders fine, but the byte trail keeps going after the image ends.

Primary parserPNG

2 signature hits

Risk pressureelevated

1 suspicious marker

How to play

Inspect the byte map, strings, and hex view. Make a verdict before opening the analyst reveal. The samples are synthetic, safe, and intentionally tiny.

Submission framing

GPT-5.5 designed the cases. Image Gen shaped the visual system. The deployed lab stays free.

Use this as the DevDay note: “I built a browser-only binary file security lab. GPT-5.5 helped design the file-format attack scenarios, detection heuristics, and analyst explanations. Image Gen helped craft the visual byte-map/case-file direction. No live API calls; uploaded files never leave the browser.”

#OpenAIDevDay2026