Projected Gradient Descent (PGD) is a multi-step iterative variant of the Fast Gradient Sign Method (FGSM) that generates adversarial examples by taking repeated small steps in the direction of the gradient of the loss function. After each step, the perturbed input is projected back onto the epsilon-ball—a norm-bounded region around the original input—ensuring the total distortion remains within a specified adversarial budget. This projection step distinguishes PGD from simpler iterative methods and makes it one of the strongest first-order attacks available for evaluating model robustness.
Glossary
Projected Gradient Descent (PGD)

What is Projected Gradient Descent (PGD)?
Projected Gradient Descent is a powerful multi-step iterative white-box attack that generates adversarial examples by repeatedly applying the Fast Gradient Sign Method and projecting the result back onto an epsilon-ball to constrain distortion.
PGD is widely considered a universal benchmark for adversarial robustness because it reliably finds worst-case perturbations within the allowed threat model. The attack is typically initialized with a random start within the epsilon-ball to avoid gradient masking and is executed for a fixed number of iterations with a step size smaller than epsilon. Models trained adversarially against PGD-generated examples demonstrate empirical robustness against a broad range of other attacks, making PGD-based adversarial training the de facto standard defense methodology in both image classification and radio frequency machine learning domains.
Key Characteristics of PGD
Projected Gradient Descent (PGD) is a multi-step iterative white-box attack that generates adversarial examples by repeatedly applying the Fast Gradient Sign Method (FGSM) and projecting the result back onto an epsilon-ball to constrain the perturbation magnitude.
Iterative Multi-Step Process
Unlike single-step methods like FGSM, PGD applies the gradient-based perturbation iteratively over multiple small steps. Each step computes the gradient of the loss with respect to the input, adds a small perturbation in the gradient direction, and then projects the result back onto the Lp-norm ball of radius epsilon. This iterative refinement finds stronger adversarial examples within the allowed adversarial budget.
Projection onto the Epsilon-Ball
The defining mechanism of PGD is the projection operator. After each gradient step, the perturbed input is mathematically projected back onto the surface of the Lp-norm sphere (typically L-infinity) centered at the original input. This ensures the perturbation never exceeds the specified distortion constraint (epsilon). Common projection methods include:
- L-infinity: Clamping each pixel or sample to [x - ε, x + ε]
- L2: Scaling the perturbation vector to have norm ≤ ε
Random Initialization
A critical enhancement in standard PGD is random initialization within the epsilon-ball before beginning the iterative steps. Instead of starting from the original input, the attack begins at a randomly perturbed point within the allowed budget. This prevents the optimization from getting stuck in shallow local maxima and significantly increases attack success rates against adversarial training defenses.
Universal First-Order Adversary
PGD is considered the strongest first-order attack—it only uses gradient information and does not require second-order approximations. If a model is robust against PGD, it is empirically robust against all other first-order attacks. This makes PGD the de facto standard for evaluating adversarial robustness and the primary method for generating adversarial examples during adversarial training.
PGD vs. FGSM Comparison
While FGSM takes a single large step to the boundary of the epsilon-ball, PGD takes multiple smaller steps with intermediate projections:
- FGSM: x_adv = x + ε · sign(∇_x J(x, y))
- PGD: x_t+1 = Π_{x+ε} (x_t + α · sign(∇_x J(x_t, y))) The step size α is typically set to ε/k for k iterations, making PGD a strictly more powerful attack at the cost of increased computation.
Role in Adversarial Training
PGD serves as the attack component in the min-max formulation of adversarial training. During training, PGD generates the worst-case adversarial examples within the epsilon-ball, and the model parameters are updated to correctly classify these perturbed inputs. This min-max optimization—minimizing model loss while maximizing input perturbation—is the most empirically successful defense against adversarial attacks.
PGD vs. Other Adversarial Attacks
A technical comparison of Projected Gradient Descent against other primary adversarial attack algorithms used to evaluate the robustness of automatic modulation classification models.
| Feature | Projected Gradient Descent (PGD) | Fast Gradient Sign Method (FGSM) | Carlini-Wagner (CW) Attack |
|---|---|---|---|
Attack Type | White-box iterative | White-box single-step | White-box optimization-based |
Iterative Steps | Multiple (e.g., 40) | Single step | Multiple (binary search) |
Perturbation Constraint | Projected onto epsilon-ball (L∞) | Fixed epsilon step (L∞) | Minimized via Lagrangian (L2, L∞, L0) |
Computational Cost | Moderate | Low | High |
Attack Strength | High | Low to Moderate | Very High |
Defeats Defensive Distillation | |||
Typical Use Case | Standard robustness benchmark | Baseline evaluation | Minimum distortion analysis |
Gradient Masking Resistance |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Frequently Asked Questions
Clear, technically precise answers to the most common questions about the Projected Gradient Descent (PGD) attack, its mechanisms, and its role in adversarial robustness for signal classification.
Projected Gradient Descent (PGD) is a powerful, multi-step iterative white-box adversarial attack that generates an adversarial example by repeatedly applying the Fast Gradient Sign Method (FGSM) with a small step size and then projecting the result back onto an epsilon-ball around the original input. The attack starts from a random initialization within the allowed perturbation budget. In each iteration, it computes the gradient of the loss function with respect to the input, takes a small step in the direction that maximizes the loss, and then uses a projection operator to ensure the perturbed sample remains within the Lp-norm constraint (typically L∞). This iterative refinement allows PGD to find significantly stronger adversarial examples than single-step methods like FGSM. PGD is widely considered a universal first-order adversary and serves as the standard benchmark for evaluating empirical adversarial robustness in deep learning models, including automatic modulation classification systems.
Related Terms
Projected Gradient Descent (PGD) is a cornerstone of adversarial robustness research. Understanding its relationship to these concepts is critical for building resilient signal classifiers.
Adversarial Budget (Epsilon-Ball)
Defines the maximum allowable perturbation magnitude, typically an L-infinity norm bound. PGD constrains the adversary to an epsilon-ball around the original input. After each gradient step, the projection operation clips the perturbation to ensure it remains within this budget, maintaining the attack's imperceptibility.
Certified Robustness
While PGD provides an empirical lower bound on model robustness, certified defenses provide a mathematical guarantee. Techniques like randomized smoothing prove that no perturbation within a specific radius can change the classification. PGD is used to test these guarantees empirically.
Transferability (Black-Box Attacks)
Adversarial examples generated by PGD on a white-box surrogate model often transfer to a black-box target model. This property allows attackers to fool deployed classifiers without internal access. PGD's multi-step nature generates highly transferable perturbations.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us