AutoAttack is a parameter-free ensemble of four diverse adversarial attacks—APGD-CE, APGD-DLR, FAB, and Square Attack—designed to provide a standardized, reliable evaluation of a model's empirical adversarial robustness. By combining both white-box and black-box attacks without requiring manual tuning, it eliminates the common pitfall of gradient masking defenses that produce misleadingly high accuracy scores against weak, poorly configured attacks.
Glossary
AutoAttack

What is AutoAttack?
AutoAttack is a standardized, parameter-free ensemble of diverse adversarial attacks used as a reliable benchmark for evaluating empirical adversarial robustness.
Developed by Francesco Croce and Matthias Hein, AutoAttack has become the default metric in RobustBench, a widely recognized leaderboard for adversarial defenses. Its adaptive, ensemble nature ensures that a model's reported robustness is not an artifact of a single attack's failure, making it the gold standard for comparing adversarial training techniques and certified robustness methods in financial fraud detection and other security-critical domains.
Key Features of AutoAttack
A parameter-free, ensemble-based attack framework that serves as the most reliable and widely-adopted standard for evaluating empirical adversarial robustness in machine learning models.
Parameter-Free Ensemble Design
AutoAttack combines four diverse attack algorithms into a single, standardized evaluation protocol that requires no manual tuning. The ensemble includes:
- APGD-CE: Auto-PGD on the cross-entropy loss
- APGD-DLR: Auto-PGD on the difference of logits ratio loss
- FAB-T: Fast Adaptive Boundary attack, targeted variant
- Square Attack: A query-efficient black-box attack This diversity prevents defenses from overfitting to a single attack type, ensuring a holistic robustness assessment.
Automatic Step-Size Scheduling
Unlike standard PGD attacks that require manual step-size tuning, AutoAttack's APGD component dynamically adjusts the step size during optimization based on the optimization trajectory. It uses a momentum-based update rule and automatically halves the step size when the loss plateaus, ensuring convergence without human intervention. This eliminates the common pitfall of gradient masking defenses exploiting poorly tuned attacks.
Reliable Robustness Evaluation
AutoAttack has become the de facto standard for evaluating defenses on benchmarks like RobustBench. Its reliability stems from:
- No hyperparameter tuning: Eliminates human bias in attack configuration
- Complementary attack types: White-box gradient attacks + black-box query attacks
- Adaptive evaluation: Designed to counter common obfuscated gradient defenses A defense that withstands AutoAttack is considered genuinely robust, not just resilient to a specific, poorly-configured attack.
Standard Threat Models
AutoAttack supports two canonical evaluation settings:
- L∞ (L-infinity): Bounded perturbations where each pixel or feature can change by at most ε, typically ε = 8/255 for CIFAR-10
- L2: Euclidean distance-bounded perturbations, typically ε = 0.5 for CIFAR-10 Both settings use a fixed budget across all samples, enabling fair, apples-to-apples comparisons between different defense mechanisms published in the literature.
Integration with RobustBench
AutoAttack is the official evaluation engine behind RobustBench, the leading leaderboard for adversarial robustness research. RobustBench enforces a strict protocol:
- Defenses are evaluated exclusively with AutoAttack
- Results are reproducible with standardized threat models
- Leaderboard rankings are based on robust accuracy under AutoAttack This integration has driven the community toward more honest and comparable robustness claims since 2020.
Adaptive Attack Readiness
AutoAttack is designed to counter gradient masking and obfuscated gradients, a class of defenses that appear robust only because gradient-based attacks fail. The inclusion of Square Attack, a score-based black-box method that does not rely on gradients, ensures that defenses relying on shattered or stochastic gradients are still thoroughly tested. This makes AutoAttack a strong proxy for an adaptive adversary with full knowledge of the defense.
Frequently Asked Questions
Clear, technical answers to the most common questions about the AutoAttack benchmark, its components, and its role in evaluating adversarial robustness.
AutoAttack is a standardized, parameter-free ensemble of four diverse adversarial attacks used as a reliable benchmark for evaluating the empirical adversarial robustness of machine learning models. It works by sequentially applying a suite of complementary attacks—APGD-CE, APGD-DLR, FAB, and Square Attack—against a target model without requiring manual tuning. The framework automatically adjusts its internal step sizes and runs until a convergence criterion is met, producing a final robust accuracy score that has become the de facto standard in the research community. Because it requires no hyperparameter optimization from the evaluator, AutoAttack eliminates the common pitfall of gradient masking defenses appearing robust simply because the attack was poorly configured.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Mastering AutoAttack requires understanding the broader landscape of adversarial threats and defenses. These interconnected concepts form the foundation of empirical robustness evaluation in financial fraud detection systems.
Adversarial Perturbation
A carefully crafted, often imperceptible modification to an input sample designed to cause a machine learning model to misclassify it. In financial fraud detection, perturbations might involve subtly altering transaction amounts, timestamps, or merchant categories to evade anomaly scoring while preserving the fraudulent transaction's functionality.
- Lp-norm constraints bound perturbation magnitude (e.g., L∞ ≤ 8/255 for images)
- Feature-space attacks modify tabular data columns like velocity counters or geolocation features
- Semantic perturbations preserve malicious intent while changing surface features
Adaptive Attack
A white-box attack methodology specifically designed with full knowledge of a defense mechanism to circumvent it. Adaptive attacks serve as the gold standard for robustness evaluation and are central to AutoAttack's design philosophy.
- Assumes attacker knows defense architecture, parameters, and training procedure
- AutoAttack includes APGD-CE and APGD-DLR as adaptive variants
- Defenses relying on gradient masking or obfuscation consistently fail against adaptive attacks
- Essential for evaluating fraud models against sophisticated adversaries who understand detection logic
Adversarial Training
A defensive technique that augments the training dataset with adversarial examples to improve a model's robustness against evasion attacks. This is the most empirically validated defense against adversarial perturbations.
- PGD-based training generates adversarial examples during each minibatch
- TRADES loss balances natural accuracy with adversarial robustness via KL divergence regularization
- For financial models, adversarial training hardens fraud detectors against transaction manipulation
- Computational overhead is significant: 3-10x training time increase
Certified Robustness
A formal, mathematical guarantee that a model's prediction will remain constant for any input perturbation within a defined radius. Unlike empirical defenses, certification provides provable security bounds.
- Randomized smoothing constructs a smoothed classifier by adding Gaussian noise and using majority voting
- Certification radius depends on noise level and base classifier's margin
- Provides lower bounds on robustness that AutoAttack's empirical evaluation can validate
- Critical for regulated financial applications requiring guaranteed fraud detection stability
Gradient Masking
A defensive phenomenon where a model's gradients are useless for generating attacks, often providing a false sense of security against adaptive adversaries. AutoAttack explicitly detects and defeats gradient masking.
- Shattered gradients: Non-differentiable operations or numerical instability
- Stochastic gradients: Randomization that prevents reliable gradient estimation
- Vanishing/exploding gradients: Poor gradient flow through deep architectures
- AutoAttack's APGD variant with expectation over transformation bypasses stochastic defenses
- Financial models using discretization or rule-based components are particularly susceptible

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us