Glaze vs Nightshade: which protects your art?

By The Poisoning.ai team

Glaze and Nightshade do two different jobs. Glaze cloaks your own art so a model that trains on it learns the wrong style. Nightshade poisons an image so a scraper corrupts its own model. Glaze is personal defence you apply to everything you post; Nightshade is collective pressure that grows stronger as more artists use it. They are not rivals, and most artists who care run both. Both are peer-reviewed tools, but independent testing has since stripped the protection from first-generation versions of each, so treat them as deterrents, not guarantees.

Cloaking vs poisoning: two different jobs

Glaze is a cloak and Nightshade is a poison, and that distinction is the whole comparison. Glaze (Shan, Cryan, Wenger, Zheng, Hanocka, Zhao, USENIX Security 2023) protects one artist’s style, image by image. Its authors describe it as adding “barely perceptible perturbations to images, and when used as training data, mislead generative models that try to mimic a specific artist.” Nightshade (Shan, Ding, Passananti, Wu, Zheng, Zhao, IEEE S&P 2024) works at the level of a concept rather than a single artist. Its authors call it “a prompt-specific poisoning attack optimized for potency” that can control what a model generates for a chosen prompt with fewer than 100 poisoned samples. Both come from the same University of Chicago team. Glaze defends; Nightshade attacks.

How each one works

| Property | Glaze | Nightshade |
|---|---|---|
| Job | Cloak (defensive) | Poison (offensive) |
| Scope | Per image, per artist | Per concept, at scale |
| Perceptual budget | LPIPS p = 0.05 | LPIPS p = 0.07 |
| Venue | USENIX Security 2023 | IEEE S&P 2024 |

Glaze works per image: it shifts the picture’s style representation in a model’s feature space, so a fine-tune learns a style that is not yours. Nightshade works per concept: with about 50 optimized samples it can make a poisoned model render a cow for every prompt that mentions a car (Shan et al., IEEE S&P 2024), and the effect “bleed[s] through” to related concepts. The two carry slightly different perceptual budgets, an LPIPS bound of p = 0.05 for Glaze and a looser p = 0.07 for Nightshade, because poisoning happens upstream of the artist’s own viewing and tolerates a touch more visible change. Nightshade also needs no access to the target model: it is pure data poisoning that activates only when the image is scraped.
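To make the per-image cloak concrete, here is a toy sketch added for this explainer; it is not code from Glaze or from the Chicago team. It assumes a small fixed linear map in place of a real model's feature extractor and a per-pixel bound in place of LPIPS (the 0.05 is reused only as a number), and all data is constructed.

```python
import random

def features(W, x):
    """Toy style encoder: a fixed linear map standing in for a model's feature extractor."""
    return [sum(w * v for w, v in zip(row, x)) for row in W]

def sq_dist(a, b):
    return sum((u - v) ** 2 for u, v in zip(a, b))

def cloak(W, x, target_feat, p, steps=300, lr=0.005):
    """Projected gradient descent on ||W(x+d) - target||^2,
    keeping every pixel change within +/- p and every pixel in [0, 1]."""
    d = [0.0] * len(x)
    for _ in range(steps):
        cur = features(W, [xi + di for xi, di in zip(x, d)])
        resid = [c - t for c, t in zip(cur, target_feat)]
        # Gradient of the squared feature distance with respect to d: 2 * W^T * resid
        grad = [2 * sum(W[k][i] * resid[k] for k in range(len(W)))
                for i in range(len(x))]
        for i in range(len(x)):
            lo = max(-p, -x[i])        # budget and valid pixel range, lower side
            hi = min(p, 1.0 - x[i])    # budget and valid pixel range, upper side
            d[i] = min(hi, max(lo, d[i] - lr * grad[i]))
    return d

def demo():
    rng = random.Random(0)             # constructed data, deterministic
    n, k, p = 16, 4, 0.05              # 16 "pixels", 4 feature dimensions
    W = [[rng.uniform(-1, 1) for _ in range(n)] for _ in range(k)]
    x = [rng.uniform(0.2, 0.8) for _ in range(n)]       # the artist's image
    styled = [rng.uniform(0.2, 0.8) for _ in range(n)]  # stand-in for a different style
    target = features(W, styled)
    d = cloak(W, x, target, p)
    cloaked = [xi + di for xi, di in zip(x, d)]
    return {
        "max_pixel_change": max(abs(v) for v in d),
        "feat_dist_before": sq_dist(features(W, x), target),
        "feat_dist_after": sq_dist(features(W, cloaked), target),
    }

if __name__ == "__main__":
    print(demo())
```

The pixel change never exceeds the budget, yet the cloaked image sits measurably closer to the other style in feature space, which is the gap between what a viewer sees and what a fine-tune learns.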

When to use which

Use Glaze on your own work, always. It is the right tool whenever your goal is to stop an AI learning your style from your posts, and one artist can cloak one image before posting it, with no campaign required. Use Nightshade when your goal is to impose a cost on indiscriminate scraping. Nightshade is a deterrent at scale: its strength grows with the number of participating artists, not with how many images you personally shade.

Most artists who care about this run both: Glaze as the shield on each upload, Nightshade as the collective counter-pressure. They operate on different parts of the pipeline, so applying one does not undo the other.

Do either hold up?

Both raise the cost of copying, but neither is a guarantee. Hönig, Rando, Carlini and Tramèr (ICLR 2025) found that “all existing protective tools create a false sense of security and leave artists vulnerable to style mimicry.” Using a best-of-four set of cheap removal steps, reviewers preferred the copy of Glaze-protected art 56.6% of the time, and Mist (Liang and Wu, 2023) fared worse at 62.0%, where 50% marks the point at which the copy is indistinguishable from copying unprotected work. IMPRESS (Cao, Li, Wang, Jia, Li, Chen, NeurIPS 2023) had already restored a style classifier on Glaze-protected art from 42.5% to 87.0% accuracy.

Nightshade was long treated as the less-tested of the two, but that has changed. LightShed (Foerster et al., USENIX Security 2025) is “a generalizable depoisoning attack that effectively identifies poisoned images and removes adversarial perturbations,” reporting a 99.98% detection rate on Nightshade and demonstrated against Glaze as well. A second generation of tools such as BlurGuard (Kim et al., NeurIPS 2025) is built to survive these removal steps, but those claims are not yet independently confirmed.

The short recommendation: Glaze everything, add Nightshade to push back, and do not assume either is permanent. For the full effectiveness picture see "Does Glaze actually work?" and the tools scorecard; for the layered routine see "How to protect your art from AI training". Both tools are free from the University of Chicago team.

Sources

  • Shan, Cryan, Wenger, Zheng, Hanocka, Zhao (2023). GLAZE: Protecting Artists from Style Mimicry by Text-to-Image Models. USENIX Security 2023.
  • Shan, Ding, Passananti, Wu, Zheng, Zhao (2024). Nightshade: Prompt-Specific Poisoning Attacks on Text-to-Image Generative Models. IEEE S&P 2024.
  • Hönig, Rando, Carlini, Tramèr (2025). Adversarial Perturbations Cannot Reliably Protect Artists From Generative AI. ICLR 2025.
  • Cao, Li, Wang, Jia, Li, Chen (2023). IMPRESS: Evaluating the Resilience of Imperceptible Perturbations Against Unauthorized Data Usage in Diffusion-Based Generative AI. NeurIPS 2023.
  • Liang, Wu (2023). Mist: Towards Improved Adversarial Examples for Diffusion Models.
  • Foerster, Behrouzi, Rieger, Jadliwala, Sadeghi (2025). LightShed: Defeating Perturbation-based Image Copyright Protections. USENIX Security 2025.
  • Kim, Nam, Kim, Kim, Jeong (2025). BlurGuard: A Simple Approach for Robustifying Image Protection Against AI-Powered Editing. NeurIPS 2025.