AutoAttack is a parameter-free ensemble of four diverse adversarial attacks—APGD-CE, APGD-DLR, FAB, and Square Attack—designed to provide a reliable, standardized evaluation of a model's empirical adversarial robustness. It eliminates the common pitfall of gradient masking by combining white-box and black-box methods, serving as the default metric for benchmarks like RobustBench.
Glossary
AutoAttack

What is AutoAttack?
A standardized, parameter-free ensemble of attacks used to reliably evaluate the empirical robustness of machine learning models against adversarial examples.
Unlike single-attack evaluations that can be defeated by obfuscated gradients, AutoAttack's adaptive and complementary attack suite provides a rigorous lower bound on model vulnerability. Its parameter-free nature removes human bias from the evaluation process, making it the gold standard for comparing defenses against Lp-norm bounded perturbations in academic and industrial security research.
Key Features of AutoAttack
AutoAttack is a parameter-free, ensemble evaluation protocol that provides a reliable, standardized benchmark for empirical adversarial robustness, eliminating the common pitfalls of manual attack tuning and gradient masking.
Parameter-Free Ensemble Design
AutoAttack removes human bias from robustness evaluation by standardizing the attack pipeline. It combines four diverse attacks without requiring manual hyperparameter tuning:
- APGD-CE: An adaptive Projected Gradient Descent variant using the cross-entropy loss with an automatic step-size scheduler.
- APGD-DLR: An adaptive PGD attack using the Difference of Logits Ratio loss, targeting models where cross-entropy gradients are masked.
- FAB-T: A targeted Fast Adaptive Boundary attack that minimizes perturbation norm against the true class.
- Square Attack: A query-efficient black-box attack that relies on random square-shaped updates, bypassing gradient-based defenses entirely.
Standardized Threat Model
The standard evaluation protocol operates under a strict L∞-norm threat model with a perturbation budget of 8/255 for CIFAR-10 and 4/255 for ImageNet. This formal specification ensures:
- Reproducible comparisons across different research papers and model architectures.
- A clear definition of the adversary's capabilities, preventing inflated robustness claims from weak attacks.
- Alignment with the RobustBench leaderboard, which uses AutoAttack as its primary ranking metric.
Reliable Detection of Gradient Masking
A core design goal is to expose obfuscated gradients, a brittle defense where models appear robust due to non-differentiable layers or shattered gradients. AutoAttack counters this by:
- Including the Square Attack, which does not rely on gradient information and efficiently bypasses gradient masking.
- Using adaptive step-size schedules in APGD that prevent the attack from stalling on loss plateaus.
- Providing a clear diagnostic: a large gap between white-box PGD accuracy and AutoAttack accuracy strongly indicates a flawed defense.
Adaptive Attack Variants
For defenses that claim robustness beyond the standard L∞ threat model, AutoAttack supports extended evaluation modes:
- AutoAttack+: Incorporates additional attacks like the RayS black-box method for L2-norm evaluation.
- Custom threat models: Allows specification of different perturbation budgets and norms.
- Adaptive evaluation: Researchers can integrate custom attacks tailored to specific defense mechanisms, ensuring the evaluation always matches the threat model.
Computational Efficiency
Despite its ensemble nature, AutoAttack is optimized for practical evaluation:
- Early stopping: Halts attacks on samples once a successful adversarial example is found, reducing total queries.
- Batch processing: Leverages GPU parallelism for efficient gradient computation across multiple inputs.
- Fixed budget: Operates within a defined query limit, making evaluation costs predictable and comparable across hardware configurations.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Frequently Asked Questions
Answers to common questions about the standardized, parameter-free adversarial robustness benchmark.
AutoAttack is a parameter-free ensemble of adversarial attacks designed to provide a reliable, standardized evaluation of a machine learning model's empirical robustness. It works by sequentially applying four diverse attack methods: an APGD (Auto-PGD) attack on the cross-entropy loss, an APGD attack on the Difference of Logits Ratio (DLR) loss, a targeted FAB (Fast Adaptive Boundary) attack, and a black-box Square Attack. Crucially, AutoAttack requires no manual tuning of step sizes or hyperparameters; it automatically adjusts its internal parameters based on the model's behavior. If any single attack in the ensemble finds a valid adversarial example, the model is considered defeated for that input. This ensemble approach prevents defenses that rely on gradient masking or obfuscation from achieving a false sense of security, making it the gold standard for evaluating defenses published in top-tier conferences.
Related Terms
Understanding AutoAttack requires familiarity with the specific attacks it standardizes and the defensive benchmarks it evaluates. These concepts form the core of modern empirical robustness evaluation.
FAB-T
The Fast Adaptive Boundary attack is a targeted attack that minimizes the Lp-norm of the perturbation required to change a model's classification. It is highly effective at finding minimal adversarial examples and is included in AutoAttack to complement the fixed-budget attacks (APGD). FAB-T specifically targets the model's decision boundary, catching vulnerabilities that loss-maximization methods might miss.
Square Attack
A query-efficient black-box attack that relies solely on model scores without access to gradients. It uses a randomized search scheme based on localized square-shaped updates. Its inclusion in AutoAttack ensures that defenses relying on obfuscated gradients—a common source of false robustness—are reliably broken, as the Square Attack does not depend on gradient information.
Adaptive Attacks
A methodology, not a specific algorithm. An adaptive attack is custom-designed to circumvent a known defense. AutoAttack is considered a strong baseline, but a truly robust model must withstand an adaptive evaluation where the attacker has full knowledge of the defense mechanism. If a defense is broken by an adaptive attack using its internal logic, the defense is considered failed, regardless of AutoAttack performance.
Gradient Masking
A brittle defense phenomenon that provides a false sense of security. It occurs when a model's gradients are non-informative (e.g., shattered, stochastic, or zero) due to non-differentiable operations or numerical instability. Gradient-based attacks like PGD fail, but black-box attacks (Square Attack) and boundary attacks (FAB-T) easily bypass it. AutoAttack's ensemble is explicitly designed to detect and defeat gradient masking.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us