Projected Gradient Descent (PGD) is an iterative white-box adversarial attack that generates adversarial examples by repeatedly applying the Fast Gradient Sign Method (FGSM) with a small step size α and projecting the perturbed input back onto the L∞ epsilon-ball around the original, clean input. This constrained optimization process maximizes the model's loss function while ensuring the perturbation remains imperceptible.
Glossary
Projected Gradient Descent (PGD)

What is Projected Gradient Descent (PGD)?
Projected Gradient Descent is a multi-step variant of the Fast Gradient Sign Method that iteratively applies small perturbations and projects the result back onto an epsilon-ball to generate powerful adversarial examples.
Widely regarded as the de facto standard for evaluating adversarial robustness, PGD is considered a universal first-order adversary—meaning it can defeat most defenses not explicitly trained against it. Adversarial training with PGD-generated examples remains one of the most effective empirical defense mechanisms, directly hardening a model's decision boundary against gradient-based attacks.
Key Characteristics of PGD
Projected Gradient Descent (PGD) is the de facto standard for evaluating worst-case adversarial robustness. It operates by iteratively maximizing the model's loss while constraining the perturbation to stay within an epsilon-ball around the original input.
Iterative Multi-Step Optimization
Unlike the single-step Fast Gradient Sign Method (FGSM), PGD performs a multi-step optimization process. It repeatedly applies the FGSM with a small step size α, recalculating the gradient at each iteration to find a stronger adversarial example. This iterative refinement makes PGD significantly more powerful than single-step attacks.
- Step size α: Typically set to ε / 5 or ε / 10
- Number of iterations: Usually 7, 20, or 40 steps
- Gradient recalculation: Performed at each step for precision
Projection onto the Epsilon-Ball
The defining mechanism of PGD is the projection step. After each gradient update, the perturbed input is mathematically projected back onto the L∞-norm ball of radius ε centered at the original input. This ensures the adversarial example remains within the allowed perturbation budget and the attack remains imperceptible.
- L∞ constraint: Limits the maximum change to any single pixel
- Projection operator: Clips values to [x - ε, x + ε]
- Boundary enforcement: Prevents unbounded drift during iterations
Random Initialization for Robustness
PGD incorporates a random start within the epsilon-ball before beginning gradient ascent. This prevents the attack from getting stuck in shallow local maxima of the loss landscape. Without random initialization, the attack may fail to find the true worst-case perturbation.
- Uniform random noise: Added to the clean input before iteration
- Purpose: Escape non-robust local optima
- Standard practice: A critical component for a reliable robustness evaluation
White-Box Threat Model Assumption
PGD is a white-box attack, meaning it requires full access to the target model's architecture, parameters, and gradients. This assumption represents the strongest possible adversary and is used to establish an empirical lower bound on model robustness. If a model is robust to PGD, it is likely robust to weaker black-box attacks.
- Gradient access: Required for loss maximization
- Worst-case evaluation: Gold standard for adversarial robustness benchmarking
- Transferability: PGD examples often transfer to black-box models
Adversarial Training Foundation
PGD is the cornerstone of adversarial training, the most empirically successful defense to date. During training, PGD is used to generate adversarial examples on-the-fly, which are then injected into the training batch. This forces the model to learn a decision boundary that is robust within the epsilon-ball.
- Min-max formulation: Inner maximization via PGD, outer minimization via SGD
- Computational cost: Significantly increases training time
- State-of-the-art defense: Forms the basis of robust models on benchmarks like RobustBench
Loss Landscape Exploration
PGD provides a powerful lens for analyzing the geometric properties of the loss landscape. By tracing the path of the perturbation, researchers can identify highly curved, non-robust regions where small input changes cause drastic output shifts. A flat loss landscape correlates strongly with adversarial robustness.
- Curvature analysis: Reveals sharp vs. flat minima
- Loss visualization: PGD trajectories map the local geometry
- Robustness indicator: Flatter landscapes resist adversarial manipulation
Frequently Asked Questions
Explore the mechanics, variants, and defensive countermeasures for Projected Gradient Descent, the gold-standard iterative white-box attack used to benchmark adversarial robustness.
Projected Gradient Descent (PGD) is a powerful iterative white-box adversarial attack that generates perturbations by repeatedly applying the Fast Gradient Sign Method (FGSM) with a small step size and mathematically projecting the result back onto an epsilon-ball around the original input. Unlike single-step methods, PGD solves an optimization problem: it seeks the perturbation within a defined Lp-norm bound (typically L-infinity) that maximizes the model's loss function. The algorithm starts from a random point within the allowed perturbation budget and iteratively takes gradient steps in the direction that increases loss, followed by a projection operation that ensures the adversarial example never strays beyond the allowed distance from the clean input. This 'multi-step with random start' approach makes PGD significantly more potent than FGSM and serves as the universal first-order adversary for evaluating empirical robustness.
PGD vs. Other Adversarial Attacks
A comparative analysis of Projected Gradient Descent against other canonical white-box adversarial attacks based on their mechanism, computational cost, and effectiveness.
| Feature | PGD | FGSM | C&W Attack |
|---|---|---|---|
Attack Type | Iterative | Single-step | Optimization-based |
Perturbation Norm Constraint | L∞ (typically) | L∞ | L0, L2, L∞ |
Step Size | Small, fixed (α) | Large, single (ε) | Adaptive via optimizer |
Projection Step | |||
Computational Cost | Moderate (10-40 steps) | Very Low (1 step) | High (thousands of iterations) |
Distortion Magnitude | Minimal | Larger | Minimal |
Attack Success Rate | High | Moderate | Very High |
Defense Evasion Capability | Strong | Weak | Strongest |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Core concepts for understanding the attack and defense landscape surrounding Projected Gradient Descent.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us