Three protection tools have emerged. Each solves a different problem. Most artists assume they're in competition. They're not. They're three pieces of the same defence, each targeting different parts of the neural network vulnerabilities. Understanding why matters more than picking one.
This isn't a feature comparison. It's an explanation of where each tool lives, what it protects against, and why using them together is stronger than using one alone.
Glaze and the problem of style
Ben Zhao's lab at the University of Chicago developed Glaze to address a specific threat: style capture. When you train an AI model on images, it doesn't just learn to copy literal pixels. It learns to extract and reproduce your style. The way you compose. How you handle light. Your colour sense. Your brushwork. A trained model can then generate new images "in the style of" whatever artist was in the training data.
Glaze adds adversarial perturbations. Invisible to human eyes. Visible to neural networks as noise that corrupts the style signal. When a model tries to extract your style from a Glazed image, it gets corrupted information. The style extraction fails. "In the style of [artist]" becomes unworkable.
The implementation is local. Download the tool. Run it on your images. No cloud upload. No subscription. It's free and it's open source, so you can inspect the code and verify what it does.
The limitation is focused: Glaze protects your style. If someone is trying to use AI to generate work that looks like you, Glaze makes that harder. If your concern is your specific images being copied directly, or your work being absorbed into a general training distribution, Glaze provides less protection.
Nightshade and the problem of concepts
Nightshade, also from the University of Chicago, takes a different approach entirely. Instead of defending your work, it attacks the training process. Poisoned images corrupt AI models that train on them. A model trained on poisoned data learns incorrect associations. Cats look like dogs. Bicycles contain cat features. The learned representations become useless.
Scale is the mechanism. One poisoned image in a billion-image dataset barely matters. But if 5% of the cat images on the internet are poisoned, then models training on unfiltered internet data learn corrupted cat generation. The cost-benefit of scraping unvetted data shifts. You can't be sure what you're training on.
Nightshade is also free. Local. Open source. Download and run it on images you want to poison against training.
The difference from Glaze is profound: Nightshade isn't defending your art. It's retaliating against anyone who tries to train on it. This requires scale to work. One artist poisoning images creates minimal impact. One hundred thousand artists poisoning images changes the extraction economy fundamentally.
Art Vault and the problem of proof
Art Vault approaches the problem differently. It combines three layers of adversarial perturbation with C2PA cryptographic provenance. The goal isn't just defence. It's defence plus documentation.
The first layer targets edges. These are the structural boundaries that vision models use to parse images. Corrupting edge signals makes the image harder to process. The second layer targets texture and mid-frequency style information. This is the visual language that makes your work recognisable. The third layer operates in frequency space, corrupting the mathematical representations that modern networks rely on.
Additionally, Art Vault embeds C2PA provenance. A cryptographically signed record that says: "This image was created on [date] by [artist] and protected from training use on [date]." The signature is permanent. It survives format conversion. It's auditable.
Art Vault is cloud-based. Upload. Download protected version. Subscription model. £12 per month. This means the perturbations update quarterly as new vulnerabilities emerge, without users having to re-protect old work.
The trade-off is clear: you trade local processing and free cost for automatic updates and cryptographic proof of creation and protection date.
Why these are allies, not competitors
Different models are vulnerable to different attacks. Stable Diffusion's architecture emphasises edges differently than Midjourney's. Vision transformers process images differently than convolutional networks. A perturbation that defeats one architecture might be less effective against another.
Layering tools means building redundancy. If Glaze defeats style extraction but a model architecture is less dependent on style features, Nightshade's concept poisoning provides additional friction. If that fails, Art Vault's multi-layer approach with provenance creates a third independent defence.
The ecosystem view matters more than the feature comparison. Three tools. Three different mechanisms. Three independent pressure points. Together they make extraction progressively more expensive and riskier.
The honest limitations
Glaze and Nightshade have years of research backing. They're peer-reviewed. Published. Tested in academic settings. Art Vault is newer. It doesn't have that track record. That's a fair critique.
Glaze and Nightshade are open source. You can inspect the code. Verify the implementation. Art Vault is closed source. You have to trust Expression Labs' implementation without seeing it. This is a real difference in transparency.
Glaze and Nightshade are free. Art Vault costs money. And money changes incentives. Art Vault must keep functioning because artists are paying. That's both good (steady development) and risky (what if the company fails?). The University of Chicago tools don't have that vulnerability. But they also don't have the same incentive to update as extraction techniques evolve.
These limitations are real. They're not reasons to avoid any particular tool. They're reasons to understand which trade-offs you're making with each choice.
What each protects against
Glaze protects against style extraction. Nightshade poisons concept learning. Art Vault layers multiple perturbation types and adds provenance. No single tool protects against everything. But together, they create overlapping defences that are harder to circumvent than any one alone.
The workflow that makes sense is: Glaze locally first (style protection, free). Then Nightshade locally (concept poisoning, free). Then Art Vault cloud (multi-layer plus provenance, subscription). Each layer adds friction. Each layer targets different architectural vulnerabilities. Each layer builds redundancy.
The ecosystem perspective
What matters isn't which tool wins. It's how many artists use protection tools. If 5% of artists use Glaze and Nightshade, the extraction problem barely changes. Bad actors just train on unprotected data. But if 30% of artists use layered protection, the cost-benefit calculation shifts. Training datasets become less reliable. Quality degrades. The efficiency of unlimited free training data decreases.
This is why these tools are allies. Glaze makes style theft costly. Nightshade makes concept training risky. Art Vault makes future verification possible. Each contributes to the same ecosystem pressure: making artistic training data less attractive as a free resource.
The future that matters isn't one where any single tool is perfect. It's one where enough artists are protected that institutions begin requiring C2PA verification, style integrity checks, and poisoning detection as standard. That future requires proliferation across multiple tools, not perfection in one.
Making a choice
Start with both free tools if you want zero cost and maximum transparency. Both are available locally. Both are open source. Both are proven. Together they give you two independent defences.
Add Art Vault if you want automatic quarterly updates and cryptographic provenance. The provenance layer becomes more valuable over time as institutions adopt C2PA verification. The subscription cost is reasonable if you're building a long-term practice.
Don't think of this as choosing a winner. Think of this as building a defence stack. Each tool serves a purpose. Each tool is stronger when paired with the others. The artists who will fare best in the coming years won't be those who picked the perfect single tool. They'll be those who layered multiple independent defences and established provenance before anyone thought to ask.