A Projected Gradient Descent (PGD) Attack is a multi-step, iterative first-order adversarial attack that generates perturbations by repeatedly applying the Fast Gradient Sign Method (FGSM) with a small step size, then projecting the perturbed input back onto the Lp-norm ball of radius epsilon surrounding the original data point. This projection step ensures the adversarial example remains within a mathematically defined, imperceptible distance from the clean input, making PGD a universal and reliable benchmark for evaluating worst-case model robustness.
Glossary
Projected Gradient Descent (PGD) Attack

What is Projected Gradient Descent (PGD) Attack?
A powerful iterative white-box attack that generates adversarial examples by repeatedly applying the Fast Gradient Sign Method and projecting the result back onto an epsilon-ball around the original input.
Widely considered the strongest first-order adversary, PGD is the standard attack used in adversarial training to harden models against a broad range of input manipulations. Unlike single-step FGSM, PGD's iterative optimization with random restarts effectively explores the loss landscape within the epsilon-boundary, finding perturbations that maximize the model's classification error. Defending against PGD is a de facto prerequisite for achieving empirical adversarial robustness, as models resistant to PGD tend to exhibit resilience against weaker attacks.
PGD Attack vs. FGSM Attack
A technical comparison of the single-step Fast Gradient Sign Method and the iterative Projected Gradient Descent attack, highlighting differences in computation, threat severity, and defensive implications.
| Feature | FGSM | PGD | Notes |
|---|---|---|---|
Attack Type | Single-step | Multi-step iterative | PGD is a universal first-order adversary |
Optimization Goal | Maximize loss in one step | Maximize loss via projected gradient descent | PGD finds a local maximum of the loss |
Perturbation Constraint | L-infinity epsilon-ball | L-infinity epsilon-ball with projection | Both operate under an Lp norm budget |
Computational Cost | Low (1 forward/backward pass) | High (K passes, e.g., 40 steps) | PGD cost scales linearly with iterations |
Attack Strength | Weaker, easily defended | Strongest first-order white-box attack | PGD defeats gradient masking defenses |
Transferability | High | Moderate | FGSM perturbations transfer more readily |
Defense Benchmarking | Baseline sanity check | Gold standard for empirical robustness | RobustBench uses Auto-PGD for evaluation |
Mathematical Formulation | x' = x + ε · sign(∇xJ) | x^(t+1) = Π(x^t + α · sign(∇xJ)) | PGD includes a projection operator Π onto the ε-ball |
Key Characteristics of PGD Attacks
Projected Gradient Descent (PGD) is widely considered the strongest first-order adversary for evaluating empirical robustness. Unlike single-step methods, PGD iteratively refines a perturbation while strictly enforcing an Lp norm constraint, making it a universal benchmark for adversarial training defenses.
Iterative Multi-Step Optimization
PGD is not a single gradient step; it is an iterative optimization algorithm. Starting from a random perturbation within the epsilon-ball, it repeatedly takes small steps in the direction of the gradient of the loss function. After each step, the perturbed input is projected back onto the Lp-norm ball to ensure the attack remains imperceptible. This iterative refinement creates significantly more powerful adversarial examples than single-step methods like FGSM.
Random Initialization Strategy
A critical component of the standard PGD implementation is random initialization. Rather than starting from the original clean image, the attack begins at a uniformly random point within the allowed epsilon-ball. This prevents the optimizer from getting stuck in shallow local maxima of the loss landscape near the original input. Without random restarts, PGD can significantly underestimate a model's true vulnerability.
Projection Operator Mechanics
The 'Projected' in PGD refers to the mathematical projection operator applied after every gradient step. This operator maps the perturbed input back to the closest point within the valid constraint set. For L∞ attacks, this is a simple clipping operation that ensures no pixel changes by more than epsilon. For L2 attacks, it involves rescaling the perturbation vector to have an L2 norm exactly equal to epsilon. This strict enforcement guarantees the attack stays within the defined threat model.
Universal First-Order Adversary
PGD is considered a universal adversary among first-order attacks—those that only use gradient information. If a model is robust against a multi-step PGD attack with random restarts, it is empirically robust against all other gradient-based white-box attacks. This property makes PGD the de facto standard for adversarial training, where PGD-generated examples are injected into the training loop to harden the model's decision boundaries.
Step Size and Epsilon Scheduling
PGD performance is sensitive to hyperparameter tuning. The step size (alpha) controls how far the perturbation moves per iteration, typically set to epsilon/4 or epsilon/10. A step size that is too large causes the optimizer to oscillate around the loss maximum; too small requires excessive iterations. Advanced variants use learning rate schedules or momentum-based updates to converge faster and find stronger adversarial examples within a fixed budget.
Relationship to Adversarial Training
PGD is the backbone of adversarial training, the most empirically successful defense methodology. During training, every clean batch is augmented with PGD-generated adversarial examples. The model is then trained to correctly classify both clean and perturbed inputs. This min-max optimization—minimizing the model's loss while maximizing it via PGD—creates a robust saddle point that significantly improves certified and empirical robustness.
Frequently Asked Questions
Clear, technical answers to the most common questions about the Projected Gradient Descent attack, a cornerstone of adversarial robustness evaluation.
A Projected Gradient Descent (PGD) attack is a powerful, iterative white-box adversarial attack that generates perturbations by repeatedly taking small steps in the direction of the gradient of the loss function and then projecting the result back onto an epsilon-ball around the original input. Unlike the single-step Fast Gradient Sign Method (FGSM), PGD performs this multi-step optimization, typically using a random start within the allowed perturbation budget. The core mechanism involves a loop: x_{t+1} = Proj_{x+S}(x_t + α * sign(∇_x J(θ, x_t, y))), where α is the step size, S is the set of allowed perturbations constrained by an Lp norm (usually L∞), and the projection function ensures the adversarial example never strays beyond the maximum allowable distortion. This makes PGD a universal first-order adversary, meaning it represents the strongest possible attack using only gradient information, and is the standard benchmark for evaluating adversarial robustness.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Projected Gradient Descent (PGD) is a cornerstone of adversarial robustness evaluation. The following concepts form the critical context for understanding how PGD attacks are constructed, defended against, and benchmarked within a comprehensive security posture.
Fast Gradient Sign Method (FGSM)
The foundational single-step white-box attack that PGD iteratively refines. FGSM computes the sign of the gradient of the loss function with respect to the input and applies a perturbation of magnitude epsilon in a single step. While computationally cheap, it significantly underestimates model vulnerability compared to multi-step variants like PGD. Key distinction: PGD is essentially FGSM applied multiple times with a projection step back onto the epsilon-ball after each iteration, making it a strictly stronger first-order adversary.
L-infinity Norm Constraint
The mathematical distance metric that defines the 'epsilon-ball' within which a PGD adversary is allowed to operate. The L-infinity norm measures the maximum absolute change to any single pixel or feature. Why it matters for PGD: The projection step at each iteration clips every perturbed coordinate back to the range [x - epsilon, x + epsilon], ensuring the adversarial example remains visually indistinguishable from the original. This constraint is what makes PGD a realistic threat model for physical-world attacks.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us