RobustBench is a curated evaluation framework that standardizes the comparison of adversarial robustness across different neural network architectures. It mitigates the common pitfall of gradient masking by providing a fixed set of pre-evaluated model checkpoints and strictly defined threat models, ensuring that reported gains in robustness are genuine and not artifacts of flawed evaluation methodologies.
Glossary
RobustBench

What is RobustBench?
RobustBench is a standardized benchmark and public leaderboard designed to provide a rigorous, reproducible evaluation of adversarial robustness in image classification models.
The leaderboard relies on AutoAttack, a parameter-free ensemble of diverse white-box and black-box attacks, to provide a reliable and consistent measurement of empirical robustness. By enforcing a common evaluation protocol, RobustBench has become the definitive reference for tracking progress in adversarial training techniques like TRADES and for establishing state-of-the-art certified robustness claims.
Key Features of RobustBench
RobustBench provides a curated, standardized leaderboard and model zoo for adversarial robustness, enabling reproducible and comparable evaluation of defenses against strong attacks.
Standardized Threat Model
Enforces a strict threat model based on an L-infinity norm perturbation budget (typically epsilon = 8/255). This prevents defenses from exploiting obfuscated gradients or unrealistic assumptions. Every model is evaluated under the same white-box access conditions, ensuring that comparisons are fair and that reported robustness is not an artifact of gradient masking.
AutoAttack Evaluation Suite
Uses AutoAttack (AA) as the primary evaluation metric, a parameter-free ensemble of diverse attacks including:
- APGD-CE: Auto-PGD on cross-entropy loss
- APGD-DLR: Auto-PGD on difference of logits ratio
- FAB-T: Fast Adaptive Boundary attack
- Square Attack: Query-efficient black-box attack This ensemble prevents defenses from overfitting to a single attack method and provides a reliable measure of empirical robustness.
Curated Model Zoo
Provides a repository of over 100 pre-trained model checkpoints with verified robustness claims. Each model is stored with its exact architecture, training recipe, and AutoAttack evaluation results. This eliminates the common problem of researchers reporting results on different evaluation setups, enabling direct, apples-to-apples comparisons without re-implementing complex training procedures.
Leaderboard Transparency
Maintains a public leaderboard ranking models by robust accuracy on CIFAR-10, CIFAR-100, and ImageNet. Each entry includes:
- Standard accuracy on clean data
- Robust accuracy under AutoAttack
- Model architecture and parameter count
- Link to the original paper and checkpoint This transparency exposes the accuracy-robustness trade-off and drives the community toward genuinely robust architectures.
Reproducibility Guarantee
All models on the leaderboard are independently re-evaluated by the RobustBench maintainers using a fixed evaluation protocol. This eliminates the common pitfall of self-reported robustness where subtle implementation bugs or weak attack hyperparameters inflate robustness claims. The fixed evaluation codebase is open-source, allowing anyone to verify results.
Integration with Adversarial Training Research
Serves as the de facto benchmark for evaluating new adversarial training methods. Techniques like TRADES, MART, and AWP (Adversarial Weight Perturbation) are all ranked on the leaderboard. Researchers can download baseline models, run their defense, and submit results for independent verification, accelerating the pace of reproducible robustness research.
Frequently Asked Questions
Clear, technically precise answers to the most common questions about the RobustBench leaderboard, its evaluation methodology, and its role in standardizing adversarial robustness research.
RobustBench is a standardized benchmark and public leaderboard for evaluating the adversarial robustness of image classification models. It works by providing a curated, fixed set of pre-trained model checkpoints and a canonical evaluation protocol based on AutoAttack, a parameter-free ensemble of attacks. Rather than relying on authors to self-report robustness, RobustBench applies a consistent, strong attack suite to every submitted model, ensuring that reported accuracy under attack is directly comparable and reproducible. The framework eliminates common pitfalls like gradient masking and weak attack evaluations, establishing a trusted, apples-to-apples comparison for the research community.
RobustBench vs. Other Evaluation Methods
A comparison of RobustBench against traditional evaluation approaches for measuring adversarial robustness, highlighting standardization, reproducibility, and threat model coverage.
| Feature | RobustBench | Ad-hoc Evaluation | AutoAttack Standalone |
|---|---|---|---|
Standardized threat model | |||
Curated model zoo with checkpoints | |||
Reproducible leaderboard rankings | |||
Parameter-free attack ensemble | |||
Defense-adaptive attack selection | |||
Gradient masking detection | |||
L-infinity epsilon = 8/255 default | |||
Standard accuracy vs. robustness trade-off tracking |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Key concepts, attacks, and defenses that form the adversarial robustness landscape surrounding the RobustBench benchmark.
Adversarial Training
The foundational defensive methodology where a model is trained on a mixture of clean and on-the-fly generated adversarial examples. By continuously exposing the model to worst-case perturbations during optimization, the decision boundary is forced to smooth out, significantly improving empirical robustness against attacks like PGD. This is the most consistently top-performing defense category on the RobustBench leaderboard.
AutoAttack (AA)
A parameter-free, ensemble attack standard used by RobustBench for reliable evaluation. It combines four diverse attacks:
- APGD-CE: Auto-PGD on cross-entropy loss
- APGD-DLR: Auto-PGD on difference of logits ratio
- FAB: Fast Adaptive Boundary attack
- Square Attack: Query-efficient black-box attack AutoAttack prevents gradient masking defenses from appearing deceptively robust by removing the need for manual step-size tuning.
Projected Gradient Descent (PGD)
An iterative, first-order white-box attack that generates adversarial examples by taking multiple small gradient steps and projecting the result back onto an Lp-norm epsilon-ball around the original input. PGD is considered the universal first-order adversary, and robustness against PGD is a strong indicator of general empirical robustness. RobustBench uses PGD-based attacks as core evaluation components.
TRADES
TRadeoff-inspired Adversarial Defense via Surrogate-loss minimization is a training objective that explicitly balances the trade-off between standard accuracy and adversarial robustness. It minimizes a loss combining natural error with a regularization term that encourages the model's output distribution to remain stable under adversarial perturbation. TRADES variants consistently achieve state-of-the-art results on RobustBench.
Gradient Masking
A brittle and often unintentional defense phenomenon where a model's gradients are obfuscated, causing gradient-based attacks like FGSM or PGD to fail. This creates a false sense of security, as the model remains vulnerable to black-box attacks, transfer attacks, or simply adjusting the attack's step size. RobustBench's standardized evaluation with AutoAttack is specifically designed to expose gradient masking.
Certified Robustness
Unlike empirical defenses that are evaluated against specific attacks, certified robustness provides a mathematical guarantee that a model's prediction will not change for any input within a proven perturbation bound. Randomized Smoothing is a leading technique for building certifiably robust models. While certified accuracy is often lower than empirical robustness, it provides provable security guarantees that complement RobustBench's empirical evaluations.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us