Transferability is the property by which an adversarial example crafted against a specific source model retains its malicious efficacy against a distinct target model. This cross-model vulnerability arises because different neural networks often learn similar decision boundaries and feature representations, making the perturbations geometrically meaningful across architectures.
Glossary
Transferability

What is Transferability?
Transferability is the phenomenon where adversarial examples generated to fool one machine learning model also induce misclassification in other independently trained models, even if they have different architectures or training data.
This property is the foundation of black-box attacks, where an adversary with no internal access to a target system trains a local substitute model, generates adversarial examples against it, and transfers them to the victim model. The degree of transferability depends on the architectural similarity between models and the attack's optimization strength, with multi-step methods like Projected Gradient Descent (PGD) typically exhibiting higher transfer rates than single-step attacks.
Key Factors Influencing Transferability
The degree to which an adversarial example transfers between models is not arbitrary. It is governed by specific architectural, data, and optimization factors that security researchers must understand to accurately assess system risk.
Model Architectural Similarity
Adversarial examples transfer most effectively between models with homogeneous architectures. A perturbation crafted for a ResNet-50 will transfer to another ResNet-50 with high probability, but transfer drops significantly when targeting a Vision Transformer (ViT). This occurs because similar architectures learn correlated decision boundaries and feature representations. Key architectural factors include:
- Depth and width: Deeper networks with similar capacity share more vulnerable subspaces.
- Activation functions: ReLU-based networks exhibit more transferable adversarial subspaces than smooth activations like GELU or Swish.
- Normalization layers: BatchNorm statistics create dataset-specific loss geometries that can either amplify or inhibit transferability.
Gradient Alignment and Loss Landscape Geometry
Transferability is fundamentally a property of gradient correlation between source and target models. When the loss gradients of two models point in similar directions for a given input, perturbations crafted on one will deceive the other. This phenomenon is explained by the local linearity hypothesis: neural networks behave approximately linearly in the vicinity of training points, and these linear approximations overlap across independently trained models. Techniques that explicitly maximize gradient alignment—such as gradient matching attacks and intermediate feature attacks—can dramatically increase cross-model transfer rates by targeting shared representational subspaces rather than model-specific decision boundaries.
Training Data Distribution Overlap
Models trained on overlapping or identical datasets exhibit significantly higher adversarial transferability. This is because shared training data induces convergent learning dynamics—both models converge toward similar Bayes optimal decision boundaries. The phenomenon is particularly pronounced when:
- Models are trained on the same benchmark datasets (ImageNet, CIFAR-10).
- Data augmentation strategies are identical or highly similar.
- Class label semantics and granularity are consistent.
Conversely, models trained on disjoint data distributions—even with identical architectures—show markedly reduced transferability. This has critical implications for black-box attack surface analysis: an attacker with knowledge of the training data distribution can select a surrogate model that maximizes expected transfer.
Perturbation Budget and Optimization Iterations
The Lp-norm perturbation budget (epsilon) directly modulates transferability. Larger perturbation magnitudes increase the likelihood of crossing decision boundaries in both source and target models, but at the cost of perceptual detectability. The relationship is non-linear:
- Small epsilon (e.g., 4/255): Transfer is highly architecture-dependent; only models with near-identical decision boundaries are fooled.
- Large epsilon (e.g., 16/255): Transfer rates plateau as perturbations enter universal adversarial subspaces—directions in input space that are orthogonal to data manifold variations.
Additionally, multi-step iterative attacks (PGD, MI-FGSM) generate more transferable examples than single-step methods (FGSM) by more precisely navigating the loss landscape. Momentum-based optimization (MI-FGSM) and input diversity techniques (DIM) further stabilize gradient directions, preventing overfitting to the surrogate model's specific geometry.
Ensemble-Based Surrogate Strategies
Crafting adversarial examples against an ensemble of surrogate models is the most reliable method for maximizing black-box transferability. By optimizing perturbations that simultaneously fool multiple architectures, the attack converges on shared vulnerable subspaces rather than model-specific weaknesses. The ensemble approach exploits the fact that while individual models have unique decision boundaries, the intersection of their adversarial regions often aligns with the target model's vulnerabilities. Effective ensemble strategies include:
- Logit fusion: Averaging output logits before computing the loss.
- Loss fusion: Summing individual model losses with equal or learned weighting.
- Feature-level attacks: Maximizing disruption of intermediate representations across all surrogate models.
This technique is the foundation of state-of-the-art black-box attacks and is a standard baseline in robustness evaluation benchmarks like RobustBench.
Input Transformation and Defense Evasion
Transferability is not only a function of the source and target models—it is also influenced by input preprocessing pipelines and defensive mechanisms deployed at inference time. Defenses that randomize inputs (e.g., randomized smoothing, JPEG compression, bit-depth reduction) disrupt the precise perturbation patterns crafted on the surrogate model, reducing transfer rates. However, expectation-over-transformation (EOT) attacks can circumvent these defenses by optimizing adversarial examples to remain effective across a distribution of input transformations. This creates a continuous arms race: defenders deploy stochastic preprocessing to break transferability, while attackers incorporate those same transformations into their optimization loop to restore cross-model efficacy.
Frequently Asked Questions
Explore the mechanics and implications of adversarial example transferability, a critical phenomenon that undermines the security of machine learning systems by allowing attacks to cross model boundaries.
Transferability is the property by which an adversarial example crafted to fool one specific model (the surrogate) also induces misclassification in other independently trained models (the targets), even if they have different architectures or training data. This phenomenon occurs because distinct models often learn similar decision boundaries and rely on comparable, non-robust features. An attacker can generate perturbations on a local white-box model and deploy them against a remote black-box API without any query access, completely bypassing security measures. The existence of transferability demonstrates that vulnerabilities are not isolated bugs but systemic properties of the learned feature space.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Understanding transferability requires familiarity with the core attack and defense mechanisms that define the adversarial threat landscape.
Adversarial Example
A maliciously perturbed input designed to cause a machine learning model to make a mistake while appearing unmodified to human observers. The transferability of these examples is what makes them dangerous in black-box settings.
Black-Box Attack
An attack that relies solely on querying a model's outputs without access to its internal parameters or architecture. Transferability is the primary enabler of black-box attacks, allowing an adversary to train a substitute model and deploy adversarial examples against the target.
Projected Gradient Descent (PGD)
A multi-step iterative variant of the Fast Gradient Sign Method that projects perturbations onto an Lp-norm ball. PGD is the standard benchmark for empirical robustness, and adversarial examples generated via PGD often exhibit high transferability across architectures.
Adversarial Training
A defensive technique that augments training data with adversarial examples to improve model robustness. While effective against white-box attacks, models hardened with adversarial training can still be vulnerable to transferable attacks from a different surrogate architecture.
Gradient Masking
A phenomenon where a defense provides a false sense of security by obscuring the model's gradients rather than removing the underlying vulnerability. These defenses often fail catastrophically against transferable black-box attacks that bypass the obfuscation entirely.
Model Extraction
An attack that steals the functionality or intellectual property of a model by querying its prediction API to train a substitute replica. The fidelity of the extracted model directly impacts the transferability of adversarial examples crafted against it.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us