RobustBench is a standardized evaluation framework that provides a curated, continuously updated leaderboard for adversarial robustness in image classification. It addresses the crisis of unreliable benchmarking by enforcing a strict, common threat model and evaluating every submitted defense against AutoAttack, a parameter-free ensemble of white-box and black-box attacks. This eliminates the confounding factor of gradient masking and obfuscated gradients, ensuring that reported accuracy genuinely reflects resilience to malicious inputs rather than a failure of the evaluation methodology itself.
Glossary
RobustBench

What is RobustBench?
A standardized benchmark for evaluating the empirical adversarial robustness of image classification models, maintaining a public leaderboard of defenses tested against the AutoAttack suite.
By establishing a canonical set of defenses, datasets (CIFAR-10, ImageNet), and perturbation norms (L-infinity, L2), RobustBench enables direct, apples-to-apples comparison of progress in the field. It serves as the definitive empirical ground truth for security researchers, distinguishing truly robust models from those relying on brittle defenses. The platform also catalogs the strongest known adversarial training recipes, driving the community toward reproducible and verifiable standards in certified robustness and evasion attack resistance.
Key Features of RobustBench
RobustBench provides a rigorous, standardized leaderboard for evaluating adversarial robustness, eliminating common pitfalls like gradient obfuscation through its reliance on AutoAttack.
Standardized AutoAttack Evaluation
The core of RobustBench is its use of AutoAttack, a parameter-free ensemble of attacks. This eliminates the need for manual tuning and prevents gradient masking defenses from appearing robust. The standard evaluation protocol includes both white-box (APGD) and black-box (Square Attack) components, ensuring a comprehensive assessment that cannot be easily circumvented by obfuscated gradients.
Threat Model Taxonomy
The benchmark enforces a strict taxonomy of threat models, primarily focusing on Lp-norm bounded perturbations. Defenses are categorized by the specific norm they defend against:
- L-infinity: Defending against pixel-level changes bounded by a maximum value.
- L2: Defending against small, overall image perturbations. This clarity prevents the common pitfall of comparing defenses designed for different, incompatible threat models.
Mitigating Gradient Masking
A primary contribution of RobustBench is its systematic exposure of gradient masking. Many prior defenses appeared robust because they broke gradient-based attacks, not because they were truly robust. By using a diverse set of attacks including gradient-free methods, RobustBench reliably identifies and disqualifies these brittle defenses, forcing the field toward genuine robustness improvements rather than security through obscurity.
Reproducible Model Zoo
RobustBench provides a curated Model Zoo containing pre-trained weights for the top-performing robust models. This allows researchers to easily download, test, and compare against state-of-the-art defenses without re-implementing complex training pipelines. The zoo standardizes the evaluation baseline, ensuring that new defenses are compared against the exact same models in a controlled, reproducible environment.
Frequently Asked Questions
Clear answers to common questions about the RobustBench leaderboard, its evaluation methodology, and its role in standardizing adversarial robustness research.
RobustBench is a standardized benchmark for evaluating the adversarial robustness of image classification models. It maintains a public leaderboard that ranks defenses based on their performance against AutoAttack, a parameter-free ensemble of white-box and black-box attacks. The framework provides a unified evaluation protocol, including fixed threat models (typically L-infinity perturbations of 8/255 on CIFAR-10 and 4/255 on ImageNet), pre-trained base models, and standardized datasets. By eliminating the confounding variable of custom evaluation settings, RobustBench enables direct, apples-to-apples comparisons between proposed defense mechanisms. The project also curates Model Zoo, a collection of pre-trained robust models with verified robustness claims, allowing researchers to benchmark new attacks against state-of-the-art defenses without re-implementing complex training pipelines.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Key concepts and methodologies that form the foundation of standardized adversarial robustness evaluation, as exemplified by the RobustBench leaderboard.
Adversarial Training
The dominant defensive paradigm on RobustBench, where models are trained on adversarial examples generated on-the-fly. The most effective variants combine Projected Gradient Descent (PGD) with TRADES loss functions to balance clean accuracy against adversarial robustness.
- Injects worst-case perturbations during each training step
- Remains the only defense not broken by adaptive attacks
- Computationally expensive but yields state-of-the-art certified robustness
Threat Model Specification
RobustBench standardizes evaluation around the Lp-norm bounded perturbation threat model, primarily L-infinity with epsilon = 8/255 on CIFAR-10. This formalizes the adversary's capabilities: they can modify each pixel by a maximum amount while keeping the image visually unchanged.
- Defines the attack surface for all benchmarked models
- Enables apples-to-apples comparison across architectures
- Complements common corruptions benchmarks for non-adversarial robustness
Gradient Masking Detection
A critical diagnostic used by RobustBench to identify obfuscated gradients, a brittle defense mechanism where models appear robust only because their gradients are shattered or non-informative. Tests include verifying that black-box attacks outperform white-box attacks and checking for increasing loss under larger perturbations.
- Flags defenses that provide a false sense of security
- Ensures leaderboard integrity by excluding flawed evaluations
- Related to adaptive attack methodology for rigorous testing
Certified Robustness via Randomized Smoothing
A probabilistic defense that constructs a certifiably robust classifier by adding Gaussian noise to inputs and aggregating predictions via majority vote. Unlike empirical defenses, it provides a mathematical lower bound on the L2 radius within which no adversarial example exists.
- Offers formal guarantees rather than point estimates
- Trades clean accuracy for provable safety margins
- Complements empirical leaderboards with verification-based metrics
Transferability of Adversarial Examples
The phenomenon where adversarial examples crafted against one surrogate model also fool other independently trained target models. RobustBench tracks this property to assess whether defenses genuinely remove vulnerabilities or merely overfit to specific attack strategies.
- Exploited in black-box attacks without query access
- Highlights the shared geometric structure of decision boundaries
- Mitigated by ensemble adversarial training across diverse architectures

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us