RobustBench is a standardized benchmark for adversarial robustness that enforces a strict evaluation protocol to reliably measure and compare the effectiveness of defense mechanisms. It curates a public leaderboard of models, attacks, and defenses, requiring submissions to adhere to a common threat model—typically an (\ell_\infty)-bounded perturbation of (\epsilon = 8/255) on CIFAR-10—to eliminate the confounding effects of gradient masking and weak attack evaluations that previously inflated reported robustness claims.
Glossary
RobustBench

What is RobustBench?
A standardized evaluation framework for adversarial robustness that provides a rigorous, reproducible leaderboard to track progress in defending machine learning models against evasion attacks.
The framework's core contribution is its systematic, auto-attack-based evaluation pipeline that serves as a parameter-free, reliable standard for empirical testing. By providing pre-trained model checkpoints and a unified codebase, RobustBench enables researchers to perform reproducible adaptive attack evaluations, ensuring that progress in the field is measured against a consistent, unforgiving baseline rather than through cherry-picked results.
Core Components of RobustBench
RobustBench provides a rigorous, standardized framework for benchmarking adversarial robustness, enforcing a common evaluation protocol to track genuine progress against adaptive attacks.
Standardized Threat Model
Enforces a strict, common evaluation protocol based on a specific threat model to prevent methodological inconsistencies. This includes a fixed L-infinity perturbation budget (typically ε=8/255) and a defined set of allowed attacker knowledge. By standardizing these parameters, RobustBench eliminates the common pitfall of comparing defenses evaluated under different, often weaker, attack settings, ensuring a level playing field for all submissions.
AutoAttack Evaluation Suite
Uses AutoAttack (AA) as the default, parameter-free benchmark for evaluation. AutoAttack is an ensemble of four diverse attacks:
- APGD-CE: An adaptive Projected Gradient Descent attack with a cross-entropy loss.
- APGD-DLR: An adaptive PGD attack using the Difference of Logits Ratio loss.
- FAB-T: A targeted version of the Fast Adaptive Boundary attack.
- Square Attack: A query-efficient black-box attack. This ensemble provides a reliable and strong empirical robustness estimate, replacing weaker, obsolete attacks.
Public Leaderboard
Maintains a dynamic, publicly accessible leaderboard that ranks defenses by their robust accuracy against AutoAttack on standard datasets like CIFAR-10, CIFAR-100, and ImageNet. The leaderboard tracks both clean accuracy and adversarial accuracy, explicitly highlighting the trade-off between standard performance and robustness. This transparency allows researchers to quickly identify the state-of-the-art and prevents inflated claims of robustness from non-adaptive evaluations.
Model Zoo
Provides a curated Model Zoo containing pre-trained, robust models from top-ranked defenses. These models are readily accessible for download and use, serving as standardized baselines for new research. The zoo includes models with varying levels of robustness, enabling researchers to:
- Benchmark new attacks against known defenses.
- Perform transfer attack studies.
- Use robust models as feature extractors for downstream tasks without retraining from scratch.
Rigorous Submission Protocol
Implements a strict submission process that requires defenders to provide a full, executable code package. Each submission is independently re-evaluated by the RobustBench maintainers using the standard AutoAttack protocol. This process is designed to detect and reject defenses that rely on gradient masking or other obfuscation techniques that create a false sense of security. The protocol mandates that a defense must be effective against a full adaptive attack to be considered valid.
Frequently Asked Questions
Addressing the most common technical and strategic questions about the RobustBench benchmark, its evaluation protocol, and its role in standardizing adversarial robustness research for security-focused engineering teams.
RobustBench is a standardized benchmark for evaluating the adversarial robustness of image classification models. It operates by maintaining a public leaderboard that ranks defenses based on their performance against a fixed, rigorous evaluation protocol. The core mechanism involves testing a submitted model against a suite of strong, parameter-free adaptive attacks, primarily AutoAttack, to measure its robust accuracy—the model's accuracy on adversarially perturbed inputs. Unlike prior evaluations where researchers often used weak or custom attacks, RobustBench enforces a unified threat model, typically an (L_\infty) or (L_2) norm-bounded perturbation on CIFAR-10 or ImageNet. This prevents gradient masking from being mistaken for true robustness, as the evaluation includes adaptive white-box attacks designed to circumvent obfuscated gradients. The benchmark's leaderboard tracks progress over time, providing a transparent, reproducible measure of how well a model can resist evasion attacks without relying on obfuscation or unrealistic assumptions.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Core concepts and tools that form the foundation of standardized adversarial robustness evaluation, as tracked by the RobustBench leaderboard.
AutoAttack: The Standardized Evaluator
A parameter-free ensemble of diverse white-box and black-box attacks that serves as the default evaluation protocol on RobustBench. AutoAttack combines APGD-CE, APGD-DLR, FAB, and Square Attack to provide a reliable, adaptive assessment that resists gradient masking and other obfuscated defenses. Its deterministic, tuning-free nature eliminates human bias in robustness claims.
Adversarial Training
The dominant defense paradigm on RobustBench, where models are trained on adversarial examples generated on-the-fly. The most effective variants use TRADES loss or AWP (Adversarial Weight Perturbation) to balance natural accuracy with robust generalization. This technique directly minimizes the model's worst-case loss within a defined perturbation budget, typically an L-infinity ball of radius 8/255.
Certified Robustness via Randomized Smoothing
A probabilistic certification method that constructs a smoothed classifier by adding isotropic Gaussian noise to inputs. Unlike empirical defenses, it provides a provable radius within which no adversarial example can exist. RobustBench tracks certified accuracy separately, as the guarantees come at a significant cost to natural accuracy compared to empirical methods.
Threat Models: L-infinity, L2, and Beyond
RobustBench standardizes evaluation around specific perturbation constraints. The most common is the L-infinity norm (pixel-wise maximum change), followed by L2 (Euclidean distance). Each threat model defines the adversary's power. A defense validated only on L-infinity may fail catastrophically against L1, spatial transformations, or common corruptions, making multi-norm evaluation critical.
Adaptive Attacks: The Gold Standard
An evaluation methodology where the attacker has full knowledge of the defense and tailors the attack to circumvent it. RobustBench enforces this by requiring defenses to be open-source and reproducible. If a defense relies on gradient masking, randomized transformations, or non-differentiable components, an adaptive attack will expose the false sense of security by using BPDA (Backward Pass Differentiable Approximation) or EOT (Expectation over Transformation).

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us