The Carlini & Wagner (C&W) attack is a state-of-the-art white-box adversarial attack that constructs adversarial examples by solving an optimization problem. Unlike simpler gradient-based methods, the C&W attack formulates the generation of a perturbation as a constrained minimization task. It uses a specifically designed margin-based loss function that directly optimizes for the minimal distortion required to cause misclassification, making it one of the most potent and difficult-to-defend attacks against deep neural networks.
Glossary
Carlini & Wagner Attack (C&W)

What is Carlini & Wagner Attack (C&W)?
The Carlini & Wagner (C&W) attack is a powerful optimization-based adversarial attack that generates minimally distorted adversarial examples by formulating the attack as a constrained minimization problem using a margin-based loss function.
The attack's objective function balances two competing goals: minimizing the Lp-norm of the perturbation to ensure imperceptibility, and maximizing a margin loss that drives the model's logit for the target class above all others. By iteratively optimizing this function using gradient descent, the C&W attack finds adversarial examples with significantly smaller distortions than methods like Projected Gradient Descent (PGD). This technique is a critical benchmark for evaluating adversarial robustness and is often used to stress-test defensive strategies like adversarial training.
Key Characteristics of the C&W Attack
The Carlini & Wagner attack is a powerful optimization-based method for generating minimally distorted adversarial examples. Its key characteristics distinguish it from simpler gradient-based attacks and make it a standard benchmark for evaluating model robustness.
Optimization-Based Formulation
Unlike single-step methods like FGSM, the C&W attack frames adversarial example generation as a constrained optimization problem. It uses a margin-based loss function and solves for the minimal perturbation δ that causes misclassification, typically using the Adam optimizer. The objective function is designed to be differentiable, allowing for efficient gradient-based search.
Margin-Based Loss Function
The attack employs a sophisticated loss function that directly optimizes the margin between the correct class and the target class logits. The original formulation introduced several loss variants (L0, L2, L∞), with the L2 version being most widely used. The loss is defined as:
f(x') = max(max{Z(x')_i : i ≠ t} - Z(x')_t, -κ)- Where Z(x') are logits, t is the target class, and κ controls the confidence margin
Minimal Distortion Guarantee
The C&W attack is specifically designed to find the smallest possible perturbation that causes misclassification. By directly minimizing the Lp-norm of the perturbation while satisfying the misclassification constraint, it produces adversarial examples that are nearly imperceptible to humans. This makes it a gold standard for evaluating worst-case model robustness.
Box-Constrained Optimization
To ensure adversarial examples remain valid inputs (e.g., pixel values in [0,1]), the attack uses a change-of-variables technique. Instead of optimizing pixel values directly, it optimizes a new variable w where:
x' = ½(tanh(w) + 1)- This guarantees all generated examples automatically satisfy the valid input range without requiring projection steps.
Targeted and Untargeted Variants
The C&W attack supports both attack modes:
- Targeted: Forces the model to classify the input as a specific, attacker-chosen class
- Untargeted: Causes any misclassification away from the correct class
- The targeted variant is more challenging and is the standard benchmark for evaluating defense mechanisms
Defense-Breaking Capability
The C&W attack famously demonstrated the brittleness of defensive distillation, a defense technique that was considered state-of-the-art at the time. By showing that distilled models could be fooled with imperceptible perturbations, it established itself as the primary benchmark for evaluating new defense proposals. Most defenses published without C&W evaluation are considered incomplete.
Frequently Asked Questions
Explore the mechanics, variants, and defensive implications of the Carlini & Wagner attack, the benchmark optimization-based method for generating minimally distorted adversarial examples.
The Carlini & Wagner (C&W) attack is a powerful, optimization-based white-box adversarial attack that generates adversarial examples by solving a constrained minimization problem. Unlike simpler gradient-based methods like FGSM, the C&W attack formulates the search for an adversarial perturbation as an optimization objective that minimizes the Lp-norm of the distortion while ensuring misclassification. It achieves this by using a margin-based loss function, which precisely measures the difference between the target class logit and the next most likely class logit. The attack iteratively adjusts the perturbation using an optimizer like Adam, effectively finding the smallest possible change to an input that forces a model to make a mistake. This makes it the gold standard for evaluating a model's worst-case robust accuracy.
C&W Attack vs. Other Adversarial Attacks
A technical comparison of the Carlini & Wagner attack against other prominent white-box adversarial attacks across key optimization, distortion, and efficacy metrics.
| Feature | C&W Attack | PGD | FGSM |
|---|---|---|---|
Optimization Formulation | Constrained minimization with margin-based loss | Iterative projected gradient descent on cross-entropy | Single-step gradient sign perturbation |
Distortion Metric | L0, L2, L∞ (flexible) | L∞ (typically) | L∞ |
Perturbation Magnitude | Minimal (finds near-optimal distortion) | Bounded by epsilon-ball | Fixed by epsilon |
Iterative | |||
Confidence Control | |||
Defeats Defensive Distillation | |||
Attack Success Rate (vs. undefended model) | ~100% | ~100% | ~60-90% |
Computational Cost | High (hundreds to thousands of iterations) | Moderate (10-40 iterations) | Low (single step) |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Mastering the C&W attack requires understanding the broader landscape of adversarial machine learning. These concepts define the threat models, defense mechanisms, and evaluation frameworks that contextualize this powerful optimization-based attack.
Projected Gradient Descent (PGD)
The universal first-order adversary and the standard benchmark for empirical robustness. PGD iteratively applies the Fast Gradient Sign Method with a small step size and projects the result back onto an epsilon-ball around the original input.
- Considered the strongest attack using only gradient information
- Serves as the core evaluation tool in adversarial training
- C&W often finds smaller perturbations than PGD, but PGD is computationally cheaper
Adversarial Training
The most empirically successful defense strategy, where a model is trained on a mixture of clean and on-the-fly generated adversarial examples. This forces the model to learn a more robust decision boundary.
- Standard implementation uses PGD to generate adversaries during training
- Defends against C&W attacks by smoothing the loss landscape
- Trades off some natural accuracy for significant gains in robust accuracy
Robustness Certification
The process of formally proving that a model's prediction is invariant to any perturbation within a defined Lp-norm ball. Unlike empirical attacks like C&W, certification provides a mathematical guarantee.
- Randomized Smoothing is a leading probabilistic certification technique
- Provides a lower bound on the minimum adversarial distortion
- C&W is often used to find upper bounds, testing the tightness of certificates
Transferability
The property by which an adversarial example crafted to fool a surrogate model also successfully causes misclassification in a different, independently trained target model. This enables practical black-box attacks.
- C&W examples generated on one architecture often transfer to others
- Enables attackers to bypass models without direct gradient access
- Defenses like adversarial training aim to reduce this cross-model vulnerability

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us