The Carlini & Wagner (C&W) attack is a powerful optimization-based white-box attack that generates adversarial examples by solving a constrained optimization problem. Unlike simpler gradient-based methods, C&W formulates the attack as finding the smallest perturbation, measured by an Lp-norm distance metric (typically L0, L2, or L∞), that causes the target model to misclassify the input. The objective function uses a carefully designed loss term that directly optimizes the difference between the logit of the target class and the highest logit of other classes, making it highly effective at defeating defensive distillation and other gradient-masking defenses.
Glossary
Carlini & Wagner Attack (C&W)

What is Carlini & Wagner Attack (C&W)?
The Carlini & Wagner (C&W) attack is an optimization-based adversarial attack formulated to find minimally distorted perturbations that cause misclassification by minimizing a loss function that balances the Lp-norm distance and the misclassification objective.
The attack operates by iteratively minimizing a combined loss using an optimizer like Adam, treating the perturbation as a variable transformed through a change-of-variables to satisfy box constraints naturally. The C&W L2 variant is widely considered one of the strongest benchmark attacks for evaluating adversarial robustness, as it consistently finds smaller perturbations than methods like Projected Gradient Descent (PGD). Its computational cost is higher due to the per-sample optimization loop, but its ability to produce near-minimal adversarial examples makes it the gold standard for measuring worst-case model vulnerability and establishing empirical robustness certificates.
Key Characteristics of the C&W Attack
The Carlini & Wagner attack is a powerful optimization-based method for generating minimally distorted adversarial examples. It formulates the attack as an objective function that jointly minimizes the perturbation magnitude and maximizes misclassification confidence.
Optimization-Based Formulation
Unlike single-step methods like FGSM, the C&W attack solves an iterative optimization problem to find the smallest possible perturbation. It uses a specially designed loss function f(x') where f(x') ≤ 0 if and only if the model misclassifies x' as the target class. The attack minimizes:
- Distance metric:
D(x, x')— typically L0, L2, or L∞ norm - Misclassification objective:
c · f(x')— wherecis a constant balancing the two terms
This formulation is solved using Adam optimizer or gradient descent, iteratively adjusting the perturbation until a successful adversarial example is found with minimal distortion.
Multiple Distance Metrics (L0, L2, L∞)
The C&W framework supports three distinct Lp-norm distance metrics, each producing a different style of adversarial example:
- L2 Attack: Minimizes the Euclidean distance between original and adversarial inputs. Produces small, distributed perturbations across many pixels. Most commonly used variant.
- L0 Attack: Minimizes the number of pixels that are altered. Generates sparse perturbations where only a handful of pixels change significantly.
- L∞ Attack: Minimizes the maximum change to any single pixel. Ensures no individual pixel exceeds a specified perturbation budget.
This flexibility allows security engineers to test model robustness against different threat models and perturbation constraints.
Targeted vs. Untargeted Variants
The C&W attack can operate in two distinct modes depending on the adversary's goal:
- Targeted Attack: Forces the model to classify the adversarial input as a specific, attacker-chosen class. The loss function is designed so that
f(x')is minimized when the target logit exceeds all other logits. - Untargeted Attack: Simply causes any misclassification away from the correct class. The loss function only requires that the highest logit belongs to any class other than the original.
Targeted attacks are generally harder to achieve and require larger perturbations than untargeted attacks, making them a stricter test of adversarial robustness.
Box-Constrained Optimization via Change of Variables
To ensure adversarial examples remain within valid pixel ranges (e.g., [0, 1] for normalized images), the C&W attack uses a change-of-variables technique. Instead of optimizing pixel values directly, it optimizes a new variable w where:
x' = ½(tanh(w) + 1)mapswfrom (−∞, ∞) to (0, 1)- This eliminates the need for clipping or projection during optimization
- The optimizer works in an unconstrained space while the output remains valid
This approach avoids the gradient masking problems that plague projection-based methods and ensures smooth, continuous optimization throughout the attack process.
Confidence-Adjusted Loss Function
The C&W attack introduces a confidence parameter κ (kappa) that controls how strongly the adversarial example is misclassified:
- κ = 0: The attack succeeds as soon as the target logit barely exceeds the highest non-target logit
- κ > 0: The attack requires the target logit to exceed other logits by a margin of κ, producing high-confidence adversarial examples
Higher confidence values produce more robust adversarial examples that remain effective even under slight input variations. This parameter directly trades off between perturbation magnitude and misclassification confidence, allowing precise control over attack strength.
Binary Search for Constant c
The loss function includes a constant c that balances perturbation size against misclassification success. The C&W attack uses a binary search procedure to find the optimal c:
- Start with a small initial value of
c - If the attack fails to find an adversarial example, increase
c(prioritizing misclassification) - If the attack succeeds, decrease
c(prioritizing smaller perturbations) - Repeat until the smallest successful perturbation is found
This adaptive search ensures the attack discovers the minimal-distortion adversarial example for each input, making it the gold standard for evaluating worst-case model robustness.
Frequently Asked Questions
Core questions about the optimization-based C&W attack, its formulation, and its implications for adversarial robustness.
The Carlini & Wagner attack is a powerful optimization-based adversarial attack that finds minimally distorted perturbations by formulating an objective function that jointly minimizes the Lp-norm distance to the original input while maximizing the model's misclassification error. Unlike simpler gradient-sign methods, C&W solves a constrained optimization problem using gradient descent, often employing a change-of-variables on the perturbation to eliminate box constraints. The attack iteratively adjusts the perturbation to find the smallest possible distortion that causes the target model to misclassify the input, making it one of the strongest known attacks for evaluating adversarial robustness.
C&W Attack vs. Other Adversarial Attacks
A feature-level comparison of the Carlini & Wagner (C&W) optimization-based attack against the Fast Gradient Sign Method (FGSM) and Projected Gradient Descent (PGD).
| Feature | C&W Attack | PGD | FGSM |
|---|---|---|---|
Optimization Type | Lagrangian-formulated objective | Iterative projected gradient | Single-step gradient |
Distance Metric | L0, L2, L∞ | L∞ (typically) | L∞ |
Perturbation Minimization | |||
Confidence Margin Tuning | |||
Defensive Distillation Bypass | |||
Computational Cost | High (1000s of iterations) | Medium (10-100 iterations) | Low (1 iteration) |
Attack Strength (Robustness Benchmark) | Strongest | Strong | Weak |
Gradient Masking Resistance |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
The C&W attack is a cornerstone of adversarial machine learning. Understanding its relationship to other attack methodologies, defense mechanisms, and robustness evaluation frameworks is critical for security engineers hardening ML systems.
Projected Gradient Descent (PGD)
A powerful iterative white-box attack that serves as the standard benchmark for empirical robustness. Unlike C&W's optimization-based approach, PGD takes multiple small gradient steps and projects the result back onto an epsilon-ball around the original input. While C&W directly minimizes distortion, PGD maximizes loss within a fixed perturbation budget. PGD is often used for adversarial training due to its computational efficiency.
Fast Gradient Sign Method (FGSM)
A single-step white-box attack that generates an adversarial example by adding a perturbation in the direction of the sign of the gradient. FGSM is computationally cheap but produces suboptimal perturbations compared to C&W. It is primarily used for rapid prototyping and as a baseline. C&W consistently finds smaller distortions than FGSM, making FGSM a weak standard for evaluating true model vulnerability.
Adversarial Training
A defensive technique that injects adversarial examples into the training dataset with correct labels. The model learns a smoother decision boundary. C&W attacks are frequently used to evaluate adversarially trained models because they can often find adversarial examples even when PGD fails. If a model survives a C&W attack, it demonstrates stronger empirical robustness than PGD-only evaluation suggests.
Gradient Masking
A false sense of security where a defense causes model gradients to become useless or misleading. C&W attacks are specifically designed to bypass gradient masking defenses like defensive distillation. The C&W loss function uses a margin-based objective and can substitute non-differentiable operations, making it a critical tool for security engineers to audit whether a defense provides true robustness or merely obfuscates gradients.
Robustness Certificate
A formal, verifiable guarantee that a model's prediction remains constant for any perturbation within a specified Lp-norm radius. While C&W provides empirical upper bounds on vulnerability, certificates provide provable lower bounds on robustness. Techniques like randomized smoothing offer certified defenses. C&W attacks are used to test whether certified bounds are tight by searching for adversarial examples near the certified radius.
Adversarial Example Transferability
The property where an adversarial example crafted for one model also fools independently trained models with different architectures. C&W attacks exhibit lower transferability than gradient-based methods like FGSM because they are highly optimized for a specific target model. This makes C&W ideal for white-box evaluation but less effective for black-box transfer attacks without additional techniques.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us