Adversarial example transferability is the phenomenon where a perturbation computed to fool a specific source model also induces errors in a distinct target model. This occurs because different neural networks, even with varying architectures and training data, learn similar decision boundaries and feature representations. The attacker generates an adversarial example using white-box access to a local surrogate model, then deploys it against a remote black-box target.
Glossary
Adversarial Example Transferability

What is Adversarial Example Transferability?
The property by which an adversarial example crafted to fool one specific model also causes misclassification in other independently trained models with different architectures.
The underlying cause is the shared geometric structure of the loss landscape across models. High-curvature directions in the input space align between independently trained classifiers, making them vulnerable to the same adversarial directions. This property enables practical black-box attacks without querying the target, undermining the security of deployed machine learning systems and motivating research into robust defenses like adversarial training.
Key Factors Influencing Transferability
The degree to which an adversarial example transfers between models is not random. It is governed by specific architectural, data-driven, and optimization factors that security engineers must understand to diagnose systemic risk.
Model Architectural Similarity
Transferability is highest between models sharing similar architectural paradigms. An adversarial example crafted on a ResNet-50 will transfer more effectively to a ResNet-101 than to a Vision Transformer (ViT). This occurs because similar architectures learn comparable decision boundary geometries and feature hierarchies. Key factors include:
- Depth and width of the feature extractor
- Activation functions (ReLU vs. GELU)
- Presence of skip connections or attention mechanisms
- Training paradigm (supervised vs. self-supervised)
Gradient Direction Alignment
Transferability depends on the cosine similarity between the loss gradients of the source and target models. When the gradient vectors of two independently trained models point in similar directions in the input space, a perturbation computed on one model will also increase the loss of the other. Gradient alignment is often high because distinct models trained on the same data distribution converge to similar loss landscape geometries near the data manifold.
Perturbation Optimization Strategy
The attack algorithm dramatically impacts transfer rates. Iterative methods like PGD often overfit to the source model's specific loss surface, reducing transferability. In contrast, momentum-based methods (MI-FGSM) and input diversity techniques (DIM) escape poor local optima, finding perturbations that align with the broader decision boundaries shared across models. Key strategies:
- Momentum integration to stabilize update directions
- Random resizing and padding during optimization
- Translation-invariant attack formulations
- Ensemble attacks over multiple source models
Data Distribution Overlap
Models trained on identical or highly overlapping training datasets exhibit stronger adversarial transferability. This is because the learned feature representations and the induced priors are statistically correlated. Even with different architectures, training on the same data distribution creates shared blind spots in the input space. Transferability drops significantly when the target model is trained on a disjoint data domain or uses heavy data augmentation.
Ensemble-Based Attack Surfaces
Crafting adversarial examples against an ensemble of diverse source models is the most reliable method for achieving black-box transferability. By optimizing a perturbation that simultaneously fools multiple architectures, the attack converges on a universal vulnerability subspace rather than a model-specific weakness. This technique is standard in evaluating the true robustness of proprietary, black-box APIs where internal gradients are inaccessible.
Input Transformation Robustness
The transferability of an adversarial example correlates with its invariance to input transformations. Perturbations that survive common image processing operations—such as JPEG compression, resizing, or Gaussian blurring—are more likely to transfer. This property is exploited by scale-invariant attacks that optimize over a distribution of transformed inputs, forcing the perturbation to reside in a region of the input space where decision boundaries are consistently vulnerable across models.
Frequently Asked Questions
Explore the mechanisms and implications of adversarial example transferability, a critical vulnerability where attacks crafted on one model generalize to others.
Adversarial example transferability is the property by which an adversarial example generated to fool a specific source model also causes misclassification in a different, independently trained target model. This occurs because distinct models often learn similar decision boundaries and feature representations, especially when trained on comparable data distributions. The phenomenon works because adversarial perturbations exploit fundamental, shared geometric weaknesses in the high-dimensional loss landscape rather than idiosyncratic quirks of a single architecture. An attacker crafts a perturbation using white-box access to a local surrogate model, then deploys it against a remote black-box target. The attack succeeds because the gradient directions that increase the loss for the source model frequently align with those of the target model, making transferability a practical and dangerous attack vector for deployed machine learning systems.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Understanding adversarial example transferability requires familiarity with the attack methodologies, defense mechanisms, and geometric properties that govern how perturbations propagate across model boundaries.
White-Box vs. Black-Box Attack Paradigms
Transferability bridges the gap between these two threat models. In a white-box attack, the adversary has full access to the target model's architecture, parameters, and gradients, enabling precise computation of worst-case perturbations using methods like Projected Gradient Descent (PGD). In a black-box attack, the adversary has no internal access and must rely on querying outputs or transferring attacks from a surrogate model. Transferability is the property that makes black-box attacks viable: an adversary trains a local surrogate, crafts adversarial examples against it, and deploys them against the unknown target model. The higher the transferability, the more dangerous the black-box threat.
Decision Boundary Geometry
Transferability is fundamentally a consequence of shared decision boundary geometry across independently trained models. Despite different architectures and random initializations, models trained on similar data distributions learn decision boundaries that occupy overlapping regions of the input space. Adversarial examples exploit directions of high curvature where these boundaries are closely aligned. Key geometric factors include:
- Boundary proximity: Models with closer decision boundaries exhibit higher transfer rates
- Loss landscape sharpness: Sharp, non-smooth loss surfaces correlate with vulnerability to transferred perturbations
- Gradient alignment: The cosine similarity between gradients of the surrogate and target models predicts transfer success
Ensemble-Based Attacks for Enhanced Transferability
Attackers can significantly boost transferability by crafting adversarial examples against an ensemble of surrogate models simultaneously. The ensemble in logits approach averages the loss across multiple architectures—such as ResNet, DenseNet, and VGG—during perturbation generation. This forces the adversarial example to fool diverse decision boundaries, increasing the likelihood that it will also fool an unseen target model. Advanced techniques include:
- Input diversity: Applying random transformations (resizing, padding) during attack generation to avoid overfitting to surrogate-specific features
- Momentum iterative methods: Accumulating gradient directions across iterations to escape poor local optima and find more transferable perturbations
- Translation-invariant attacks: Convolving gradients with a kernel to generate perturbations robust to spatial shifts
Adversarial Training and Transferability Reduction
Adversarial training—injecting adversarial examples into the training set with correct labels—is the most effective defense against both direct and transferred attacks. Models trained with adversarial examples learn smoother decision boundaries that are less aligned with standard surrogate models. However, a critical nuance exists: adversarial training against one attack type (e.g., FGSM) may not confer robustness against transferred C&W or PGD attacks. This has led to ensemble adversarial training, where models are hardened against perturbations generated from multiple attack algorithms and surrogate architectures, explicitly targeting the transferability property.
Gradient Masking and the False Sense of Security
Gradient masking occurs when a defense causes a model's gradients to become uninformative or misleading—either through non-differentiable preprocessing, randomized transformations, or shattered gradients. While this may appear to block white-box attacks, it does not eliminate adversarial vulnerabilities. Transferred attacks from an unprotected surrogate model will still succeed, exposing the defense as security through obscurity. True robustness requires genuinely smooth decision boundaries, not obfuscated gradients. The transferability property serves as a litmus test: if a defense fails against transferred attacks, it likely relies on gradient masking rather than genuine robustness.
Feature Space Alignment and Cross-Architecture Transfer
Transferability is not uniform across all model pairs. Architectures that learn similar feature representations exhibit higher mutual transferability. Convolutional neural networks trained on ImageNet share low-level edge and texture detectors, making them highly susceptible to cross-model transfer. However, transferring attacks between fundamentally different paradigms—such as from a CNN to a Vision Transformer (ViT)—often yields lower success rates due to divergent inductive biases. ViTs rely on self-attention over patches rather than local convolutional filters, creating distinct vulnerability patterns. Understanding these feature space relationships is critical for designing defense-in-depth strategies.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us