Projected Gradient Descent (PGD) is a white-box adversarial attack that iteratively maximizes a model's loss function while constraining the perturbation to an epsilon-bounded Lp-norm ball. Unlike the single-step Fast Gradient Sign Method (FGSM), PGD applies multiple small gradient steps, each followed by a projection operator that clips the perturbation back onto the allowed norm surface, creating a significantly more powerful and reliable evaluation of empirical robustness.
Glossary
Projected Gradient Descent (PGD)

What is Projected Gradient Descent (PGD)?
Projected Gradient Descent is a multi-step iterative attack that generates adversarial examples by repeatedly applying the Fast Gradient Sign Method and projecting the result back onto an Lp-norm ball.
As the de facto standard benchmark for adversarial robustness evaluation, PGD is central to adversarial training defenses. The attack's strength derives from its ability to escape local maxima through random restarts and its formal guarantee that the perturbation remains within the defined threat model. A model's accuracy against PGD-perturbed inputs serves as a lower-bound estimate of its resilience to first-order gradient-based adversaries.
Key Characteristics of PGD
Projected Gradient Descent (PGD) is the gold-standard iterative attack for evaluating empirical robustness. It refines the single-step FGSM by repeatedly applying gradient updates and projecting the result back onto an Lp-norm ball, creating a worst-case perturbation.
Iterative Multi-Step Refinement
Unlike single-step attacks, PGD applies the Fast Gradient Sign Method (FGSM) repeatedly with a small step size α. After each step, the perturbation is projected back onto the Lp-norm ball (typically L∞) to ensure the adversarial example stays within the allowed threat model.
- Process:
x_{t+1} = Π_{x+S} (x_t + α * sign(∇_x J(θ, x_t, y))) - Key Insight: This iterative process finds a much stronger local maximum of the loss function than single-step methods.
- Standard Setting: Often uses 40 steps (PGD-40) with a step size of
ε/10.
Lp-Norm Projection Operator
The 'Projected' in PGD refers to the mathematical projection Π that constrains the perturbation. After each gradient step, if the perturbation δ exceeds the allowed budget ε, it is projected back onto the surface of the Lp-ball.
- L∞ Norm: The most common constraint, limiting the maximum change to any single pixel to
ε. - L2 Norm: Constrains the Euclidean distance of the perturbation.
- L1 Norm: Used for sparse perturbations.
- Purpose: Ensures the attack remains imperceptible or within a defined physical limit.
Random Initialization (Restarts)
A critical component of a strong PGD evaluation is random initialization. Instead of starting from the original input, the attack begins at a random point within the allowed ε-ball.
- Avoiding Local Minima: This prevents the optimizer from getting stuck in a shallow local maximum of the loss landscape near the starting point.
- Standard Practice: Multiple random restarts are performed, and the worst-case example is selected.
- Gradient Masking Detection: If a defense fails against PGD with restarts but survives without them, it is a strong indicator of obfuscated gradients.
Universal First-Order Adversary
PGD is considered a universal first-order adversary, meaning it is the strongest possible attack using only first-order (gradient) information. If a model is robust against PGD, it is empirically robust against all gradient-based attacks.
- Benchmark Standard: PGD is the primary attack used in RobustBench to rank defenses.
- Adaptive Evaluation: Defenses must be tested against PGD with full knowledge of the defense mechanism (white-box) to be considered valid.
- Relationship to Training: Adversarial training uses PGD to generate the training data, making it the de facto standard for building robust models.
Loss Maximization Objective
The core objective of PGD is to solve the constrained optimization problem: maximize the model's loss subject to the perturbation being within the allowed set S.
- Formulation:
max_{δ∈S} L(θ, x+δ, y)whereS = {δ : ||δ||_p ≤ ε}. - Cross-Entropy: Typically maximizes the cross-entropy loss to push the model away from the correct class.
- Targeted Variant: Can be adapted to minimize loss towards a specific target class, creating a targeted attack.
Distinction from FGSM
While FGSM is a single, large step to the boundary of the ε-ball, PGD refines this over many small steps. This makes PGD a significantly stronger attack.
- FGSM:
x_adv = x + ε * sign(∇_x J(θ, x, y))(one step). - PGD: Iterates FGSM with a smaller step size
α < εand projects. - Result: Defenses that block FGSM often fail catastrophically against PGD, a phenomenon known as gradient masking.
- Computational Cost: PGD is
ktimes more expensive than FGSM, wherekis the number of iterations.
PGD vs. FGSM: A Comparison
A technical comparison of the single-step Fast Gradient Sign Method against the multi-step Projected Gradient Descent attack, highlighting differences in computational cost and empirical threat potency.
| Feature | FGSM | PGD |
|---|---|---|
Attack Type | Single-Step | Multi-Step Iterative |
Optimization Strategy | One large step in gradient direction | Multiple small steps with projection |
Computational Cost | Low (1 forward/backward pass) | High (N forward/backward passes) |
Perturbation Constraint | L-infinity ball (implicit) | L-p norm ball (explicit projection) |
Empirical Attack Strength | Weak to Moderate | Strong (Standard Benchmark) |
Gradient Masking Resistance | ||
Random Restarts Utilized | ||
Typical Step Count (N) | 1 | 20-100 |
Frequently Asked Questions
Explore the core concepts behind Projected Gradient Descent (PGD), the gold-standard iterative attack used to benchmark and harden machine learning models against adversarial manipulation.
Projected Gradient Descent (PGD) is a multi-step iterative adversarial attack that generates perturbations by repeatedly taking small steps in the direction of the loss gradient and then projecting the result back onto an Lp-norm ball to constrain the perturbation size. Unlike the single-step Fast Gradient Sign Method (FGSM), PGD initializes from a random starting point within the allowed epsilon-ball and performs multiple iterations, making it a significantly stronger and more reliable evaluation metric. The projection step ensures the final adversarial example remains within a mathematically defined distance from the original input, typically bounded by L∞ or L2 norms. This iterative optimization process effectively finds worst-case perturbations that maximize the model's loss, serving as the de facto standard for empirical robustness evaluation in security research.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Core concepts surrounding Projected Gradient Descent, the standard iterative white-box attack used to benchmark empirical adversarial robustness.
Fast Gradient Sign Method (FGSM)
The foundational single-step precursor to PGD. FGSM generates an adversarial example by taking a single large step in the direction of the loss gradient sign: x' = x + ε · sign(∇xJ(θ, x, y)). While computationally cheap, it severely underestimates model vulnerability compared to multi-step methods. PGD is essentially an iterative application of FGSM with a random start and projection step.
Adversarial Training
The primary defensive technique against PGD attacks. It augments the training dataset with adversarial examples generated on-the-fly. The standard approach uses PGD to craft the strongest possible perturbations during training, solving a min-max optimization problem:
- Inner Maximization: PGD finds the worst-case perturbation.
- Outer Minimization: The model learns to classify these perturbed inputs correctly. This remains the most empirically robust defense against Lp-bounded attacks.
Lp-Norm Threat Model
The mathematical constraint defining the adversary's power. PGD projects perturbations onto an Lp-norm ball of radius ε, ensuring the perturbation magnitude is bounded:
- L∞ (Infinity Norm): Limits the maximum change to any single pixel. The most common setting for image classifiers.
- L2 (Euclidean Norm): Limits the total magnitude of the perturbation vector.
- L1 (Manhattan Norm): Limits the sum of absolute changes, often promoting sparse perturbations.
Gradient Masking
A brittle defense that PGD is specifically designed to expose. Gradient masking occurs when a defense obfuscates the model's gradients rather than removing the underlying vulnerability. This creates a false sense of security because single-step attacks like FGSM fail, but multi-step PGD attacks with random restarts can still find adversarial examples by circumventing the non-differentiable or saturated components of the defense.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us