Perturb turns breaking AI vision models into paid work: a Bittensor where get rewarded for finding the tiny image tweaks that make a classifier confidently wrong.
//What is Perturb
Perturb (subnet 26) is a network that stress-tests AI image classifiers by attacking them. It pays people to discover "adversarial examples": images changed so slightly a human sees nothing different, yet the model flips from "cat" to "guacamole." The network turns those attacks into two products, a dataset of verified failures a model owner can train against, and a robustness score for a given model.
The simple version: It's like a bug bounty program, but the bugs are pictures that fool an AI, and the whole thing runs continuously instead of once.
Centralized equivalent: Commercial AI-security tools like HiddenLayer, Robust Intelligence, and Protect AI. Perturb's pitch is that a live, incentivized network keeps finding new attacks, where a bought tool tests once and goes stale.
How it works:
Miners receive an attack challenge, run a PGD-style attack against the target classifier, and return the single perturbed image that breaks it.
Validators pull challenge images from the ImageNet-100 training split, run the reference classifier, hand challenges to miners, then check each response: did the prediction flip, and how small was the change? They score miners on that and set weights.
//Why This Matters
The problem it solves: Modern classifiers score high on clean test data and stay, in the project's own words, "catastrophically brittle" to tiny perturbations. Existing adversarial testing is fragmented, expensive, and static, a report you buy once. Perturb makes it a continuous service where the attacks get stronger over time.
The opportunity: As AI moves into places where a wrong label carries real cost, from content moderation to medical imaging, "how does this model behave under attack" stops being academic. A standing supply of fresh adversarial examples and a way to certify robustness is a real gap.
The Bittensor advantage: Adversarial attack is an arms race, and a decentralized field of independent miners searches the attack space more broadly than any single vendor's fixed toolset. It also fits Bittensor's economics cleanly: finding an adversarial example is computationally hard, but checking one is trivially cheap. Run the model, compare the prediction, measure how much the image moved. That verification asymmetry is exactly the kind of work a validator can police at scale.
Traction signals: Public development is active, the repository shows 92 commits with the most recent on 2026-07-01. The team posts regularly as @perturbaix and ships from a public codebase. and pool depth are still small, so this is early.
//Full Analysis
Category: Other (AI Security and Adversarial Robustness) | Centralized Competitor: HiddenLayer, Robust Intelligence, Protect AI
Adversarial robustness has been a known weakness of neural networks for a decade, and a small industry of tools has grown up around testing for it. Almost all of it is centralized and point-in-time: you send a model, you get a report. Perturb's bet is that turning the attack side into an open, paid, always-on network produces better coverage than any static tool, because the incentive is to keep finding new failures rather than to rerun a fixed battery.
Mechanism:
The loop is a challenge-response game, described in the subnet's own repository. Validators sample challenge images from the roughly 126k-image ImageNet-100 training split and run them through a reference classifier (EfficientNetV2-L) to establish the correct label. They broadcast an attack challenge to selected miners over Bittensor's Axon transport. A miner runs a baseline PGD-style attack, a standard gradient method for nudging an image toward a wrong prediction, and returns only the perturbed image, encoded in base64. The validator then does the cheap half of the work: it runs the model on the returned image, checks whether the prediction flipped, and measures the size of the perturbation. Smaller changes that still fool the model score higher. Validators keep rolling histories and periodically write weights on-chain.
That split is the point. The subnet is built around what the repository calls verification asymmetry: attacking is expensive, verifying is cheap. It is the same shape that makes a lot of Bittensor subnets work, and it is a natural fit here rather than a forced one.
On the output side, Perturb frames two commercial products: verified adversarial training datasets, the confirmed failures packaged so a model owner can harden against them, and on-chain robustness certificates aimed at regulatory or compliance use. The project website adds vulnerability heatmaps and robustness scores, and describes coverage beyond image classifiers toward multimodal systems over time. Those broader claims live on the marketing site rather than in the shipped code, so treat the running network today as the ImageNet-100 image-classification loop, with the wider roadmap as stated intent.
The team is named publicly on perturbai.io: Koyuki Nakamori (co-founder and CEO), Jeffrey Lamb (co-founder and CTO), Vadym Shakuro (co-founder and AI advisor), and Vidusha Sanidu (engineer). Nakamori's public account describes a background at Ava Labs and the Opentensor Foundation, which is worth noting given the Opentensor connection is to Bittensor's own founding team.
A word on the token economics, because they look unusual at a glance. Perturb's share of network emissions currently rounds to about 0%. Under Bittensor's current model, a subnet's share scales with , its moving-average price, and a (1 minus miner burn) term. Perturb is running a miner burn near 95%, meaning almost all miner-side emission is withheld and routed to the owner or burn key rather than paid out, and that term alone pushes the subnet's network emission share down toward zero right now. This is a lever, recomputed every , not a permanent setting. Alpha trades around 0.00772 TAO with a near 7,700 TAO, the pool holds roughly 2,900 TAO of depth, and about 19 miners are currently active. The price is down around 20% over the past 30 days, with a modest net inflow over the past week.
//Risk Factors
These factors move fast; captured at publishing date
Emission share near zero, with a clock: At roughly 0% network emission, there is little protocol-funded growth flowing in, largely a consequence of the near-95% miner burn the subnet is running. Perturb registered on 2026-05-06, so it sits inside Bittensor's four-month new-subnet immunity for now. Once that window closes, around September 2026, a persistently low moving-average price would expose it to automatic deregistration, which removes the lowest-priced non-immune subnet roughly every two days. The high burn is reversible in a single tempo, but the emission and price picture is the thing to watch.
Concentration and thin : Ownership and stake are concentrated (a Gini coefficient around 0.81 across the top positions), and the pool depth of roughly 2,900 TAO is shallow. A large entry or exit could move the price meaningfully.
A crowded, well-funded centralized field: AI-security incumbents like HiddenLayer and Robust Intelligence are established and enterprise-facing. Perturb's decentralized datasets and robustness certificates have to prove they are more useful than a mature commercial report, and the commercial-output side is still more roadmap than shipped product.
Early stage: The subnet is about two months old and its public codebase runs from a single primary repository. Execution risk is normal for a project at this stage.
Into the next one.
Keep exploring
Other research from the same neighborhood of the network.