Projected Gradient Descent (PGD) is a multi-step variant of the Fast Gradient Sign Method (FGSM) that finds stronger adversarial examples through iterative optimization. Rather than taking a single large gradient step, PGD applies k smaller steps of size α, each time computing the gradient of the loss with respect to the current perturbed input. After every step, the perturbed input is projected back onto the L-infinity epsilon-ball of radius ε centered at the original input, ensuring the perturbation magnitude never exceeds the specified perturbation budget. This projection step is what distinguishes PGD from simpler iterative methods and guarantees the attack remains within the defined threat model.
Glossary
Projected Gradient Descent (PGD)

What is Projected Gradient Descent (PGD)?
Projected Gradient Descent (PGD) is a powerful iterative white-box attack that generates adversarial examples by repeatedly applying the Fast Gradient Sign Method (FGSM) with a small step size and projecting the perturbed input back onto an epsilon-ball around the original data point.
PGD is widely considered a first-order universal adversary and serves as the standard benchmark for evaluating adversarial robustness. The attack initializes from a random starting point within the epsilon-ball to avoid gradient masking defenses, then performs projected gradient ascent on the maximization objective. Adversarial training with PGD-generated examples remains one of the most effective empirical defenses, forcing the model to learn a smoother decision boundary. The computational cost scales linearly with the number of iterations, making PGD more expensive than single-step attacks but significantly more reliable for identifying worst-case vulnerabilities in neural networks.
Key Characteristics of PGD
Projected Gradient Descent (PGD) is the gold-standard iterative attack for evaluating adversarial robustness. It refines the single-step FGSM by repeatedly applying small perturbations and projecting the result back onto an epsilon-ball, finding the strongest possible adversary within a defined threat model.
Iterative Multi-Step Optimization
Unlike the single-step Fast Gradient Sign Method (FGSM), PGD applies the gradient update multiple times with a small step size α. Starting from a random initialization within the epsilon-ball, each iteration computes the gradient of the loss with respect to the input and takes a step in that direction. This iterative process allows PGD to escape shallow local maxima and find a much stronger adversarial perturbation than FGSM.
Projection onto the Epsilon-Ball
After each gradient step, the perturbed input is projected back onto the L-p norm ball of radius ε centered at the original input. This enforces the perturbation budget constraint, ensuring the adversarial example remains within the allowed threat model. The projection operator clips the perturbation magnitude, preventing the attack from drifting outside the imperceptibility threshold.
Random Initialization Strategy
PGD begins from a random starting point within the epsilon-ball rather than the original input. This prevents the attack from getting stuck in poor local maxima near the starting point. By exploring the perturbation space from multiple random restarts, PGD provides a more reliable estimate of the model's worst-case robustness.
Universal First-Order Adversary
PGD is considered a universal first-order adversary—it is the strongest attack possible using only first-order gradient information. If a model is robust against PGD, it is empirically robust against all other gradient-based attacks. This makes PGD the de facto standard for adversarial training and robustness benchmarking.
Threat Model Parameterization
PGD is highly configurable through key hyperparameters:
- ε (epsilon): Maximum perturbation magnitude
- α (alpha): Step size per iteration
- Number of steps: Iteration count
- Norm type: L∞, L2, or L1 constraint
This flexibility allows security engineers to simulate different attacker capabilities and evaluate robustness under varying threat models.
Role in Adversarial Training
PGD is the core attack used in adversarial training, the most effective empirical defense. During training, PGD generates adversarial examples on-the-fly, and the model is trained to classify them correctly. This min-max optimization—minimizing loss against maximally perturbed inputs—forces the model to learn smooth decision boundaries resistant to adversarial manipulation.
PGD vs. FGSM vs. C&W Attack Comparison
A technical comparison of three foundational white-box adversarial attack algorithms used to evaluate model robustness.
| Feature | FGSM | PGD | C&W Attack |
|---|---|---|---|
Attack Type | Single-step gradient | Iterative gradient | Optimization-based |
Computational Cost | Low | Medium | High |
Perturbation Norm Constraint | L-infinity | L-infinity (typically) | L0, L2, L-infinity |
Perturbation Magnitude | Fixed epsilon step | Cumulative epsilon-ball projection | Minimal distortion objective |
Attack Strength | Weak to Moderate | Strong | Very Strong |
Defense Evasion | Often fails against robust models | Benchmark for evaluating defenses | Breaks many gradient-masked defenses |
Gradient Masking Resistance | |||
Optimization Objective | Maximize loss | Maximize loss | Minimize Lp distance + misclassification |
Typical Use Case | Baseline vulnerability test | Standard robustness benchmark | Generating minimally perturbed examples |
Frequently Asked Questions
Clear, technically precise answers to the most common questions about the PGD attack algorithm, its mechanisms, and its role in adversarial robustness.
Projected Gradient Descent (PGD) is a powerful iterative white-box adversarial attack that generates adversarial examples by repeatedly applying the Fast Gradient Sign Method (FGSM) in small steps and projecting the perturbed input back onto an epsilon-ball around the original data point. Unlike the single-step FGSM, PGD initializes the perturbation randomly within the allowed perturbation budget and then performs multiple gradient ascent steps, each followed by a projection operation that clips the result to stay within the L-infinity norm constraint. This iterative refinement allows PGD to find significantly stronger adversarial examples that lie near the boundary of the allowed perturbation set. The algorithm is widely considered a universal first-order adversary—meaning it is the strongest attack possible using only first-order gradient information—and serves as the standard benchmark for evaluating adversarial robustness in both academic research and security engineering contexts.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Core concepts surrounding Projected Gradient Descent, forming the iterative attack and defense loop for hardening neural networks against worst-case perturbations.
Fast Gradient Sign Method (FGSM)
The single-step precursor to PGD. FGSM generates an adversarial example by computing the sign of the gradient of the loss with respect to the input and taking one step of magnitude epsilon. While computationally cheap, it often underestimates model vulnerability. PGD is essentially a multi-step variant of FGSM with a projection step, making it a strictly stronger attack for evaluating true robustness.
Adversarial Training
The primary defensive technique that uses PGD as its engine. During training, PGD is run on each batch to generate the strongest possible adversarial examples, which are then fed back into the model with correct labels. This min-max optimization forces the model to learn a smoother decision boundary. PGD-based adversarial training remains one of the few empirically robust defenses against L-infinity attacks.
Perturbation Budget (Epsilon-Ball)
Defines the maximum allowed distortion in an adversarial attack, typically constrained by an L-infinity norm for PGD. The epsilon-ball is a hypercube around the original input where every pixel can change by at most epsilon. PGD's projection step ensures the perturbed image never leaves this ball. Common values for CIFAR-10 are 8/255; for ImageNet, 4/255.
Gradient Masking
A brittle defense phenomenon where a model's gradients become non-informative or zero, causing PGD to stall. This creates a false sense of security—the model appears robust to gradient-based attacks but remains vulnerable to black-box or transfer attacks. True robustness requires PGD to converge to a high-loss region, not fail due to shattered or obfuscated gradients.
Carlini & Wagner (C&W) Attack
An optimization-based attack that formulates adversarial example generation as minimizing a loss function balancing distortion and misclassification. Unlike PGD, which uses fixed step sizes and projection, C&W uses Adam or SGD to directly optimize for minimal perturbations. It often finds smaller distortions than PGD but is computationally heavier, making PGD the preferred choice for adversarial training loops.
Robustness Certificate
A formal, verifiable guarantee that a model's prediction will not change for any perturbation within a specified Lp-norm radius. While PGD provides an empirical lower bound on robustness by finding adversarial examples, certification methods like randomized smoothing provide a provable upper bound. The gap between PGD attack success and certified robustness is an active area of research.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us