Projected Gradient Descent (PGD) is a multi-step variant of the Fast Gradient Sign Method (FGSM) that solves a constrained optimization problem to find the strongest possible adversarial perturbation within a specified Lp-norm budget. Starting from a random initialization within the allowed epsilon-ball, PGD iteratively takes gradient steps in the direction that maximizes the model's loss, followed by a projection operation that clips the perturbation back onto the feasible set. This max_{||δ||_p ≤ ε} L(f(x+δ), y) formulation makes PGD a universal first-order adversary, widely considered the benchmark for evaluating adversarial robustness.
Glossary
Projected Gradient Descent (PGD)

What is Projected Gradient Descent (PGD)?
Projected Gradient Descent (PGD) is a powerful iterative white-box attack that generates adversarial examples by repeatedly applying the Fast Gradient Sign Method (FGSM) with a small step size and projecting the result back onto an epsilon-ball constraint.
The attack's strength derives from its random restart capability and iterative refinement, which mitigates the risk of converging to poor local maxima. By using a step size α smaller than the total epsilon budget ε, PGD systematically explores the loss landscape within the constraint boundary. Models trained adversarially against PGD—a process known as PGD-based adversarial training—exhibit empirical robustness against a wide range of other first-order attacks, making it the de facto standard for min-max optimization in robust model development.
Key Characteristics of PGD
Projected Gradient Descent (PGD) is the de facto standard for evaluating adversarial robustness. It operationalizes the min-max threat model by iteratively maximizing loss while enforcing an Lp-norm constraint.
Iterative Multi-Step Optimization
Unlike single-step methods like FGSM, PGD solves the inner maximization problem through multiple gradient ascent steps. Starting from a random initialization within the epsilon-ball, it repeatedly computes the gradient of the loss with respect to the input and takes a small step in that direction. Each step is followed by a projection operator that snaps the perturbation back onto the feasible set, ensuring the adversarial example remains within the allowed L∞ or L2 budget. This iterative refinement finds significantly stronger adversaries than one-shot attacks.
Random Initialization Strategy
A critical component of PGD is the random start before iterative optimization begins. Rather than starting from the original clean input, PGD initializes the perturbation uniformly within the epsilon-ball. This prevents the optimizer from getting stuck in shallow local maxima near the decision boundary. Multiple random restarts are often employed to increase attack success rates, making PGD a reliable lower bound for worst-case empirical robustness.
Projection onto the Epsilon-Ball
The 'Projected' in PGD refers to the constraint enforcement mechanism. After each gradient step, the perturbed input is projected back onto the Lp-norm ball of radius epsilon centered at the original input. For L∞ attacks, this is a simple clipping operation that bounds each pixel's perturbation independently. For L2 attacks, the perturbation vector is rescaled to have a norm no greater than epsilon. This projection guarantees the adversarial example remains imperceptible or within the threat model's defined budget.
Universal First-Order Adversary
Madry et al. (2018) demonstrated that PGD is a universal adversary among first-order attacks—if a model is robust against PGD, it is empirically robust against all gradient-based attacks. This insight established PGD as the primary benchmark for adversarial training. The attack leverages only first-order gradient information, making it computationally tractable for deep networks while still exposing vulnerabilities that gradient-masking defenses attempt to hide.
Step Size and Iteration Scheduling
PGD's effectiveness depends on two hyperparameters: step size (alpha) and number of iterations (k). The step size is typically set as a fraction of epsilon (e.g., alpha = epsilon / 4), balancing convergence speed with granularity. The iteration count controls the attack budget—more steps yield stronger adversaries but increase compute cost. Common configurations include PGD-20 (20 steps) for evaluation and PGD-7 or PGD-10 for adversarial training, representing a trade-off between attack strength and training throughput.
Role in Adversarial Training
PGD serves as the canonical attack for adversarial training, where models are trained on PGD-generated examples rather than clean data. This min-max procedure—minimizing model loss against a PGD adversary that maximizes it—produces state-of-the-art empirical robustness. Models trained with PGD adversarial training exhibit flattened loss landscapes and smoother decision boundaries, making them resistant to a wide family of first-order attacks beyond the specific PGD configuration used during training.
PGD vs. Other Adversarial Attacks
Comparative analysis of Projected Gradient Descent against other canonical gradient-based and optimization-based adversarial attack methodologies.
| Feature | Projected Gradient Descent (PGD) | Fast Gradient Sign Method (FGSM) | Carlini-Wagner (C&W) L2 |
|---|---|---|---|
Attack Category | Iterative Gradient-Based | Single-Step Gradient-Based | Optimization-Based |
Iterative Steps | Multiple (k-step) | Single (1-step) | Multiple (convergence-driven) |
Perturbation Constraint | L∞-norm (epsilon-ball projection) | L∞-norm (no explicit projection) | L2-norm (penalized in objective) |
Computational Cost | Moderate (k forward/backward passes) | Low (single forward/backward pass) | High (per-sample optimization loop) |
Attack Strength (Empirical) | High (strongest first-order attack) | Low to Moderate | Very High (near-minimal perturbation) |
Gradient Masking Resistance | |||
Typical Use Case | Adversarial training benchmark | Baseline vulnerability assessment | Minimal perturbation discovery |
Misclassification Target | Untargeted or Targeted | Untargeted | Targeted |
Frequently Asked Questions
Clear, technical answers to the most common questions about the PGD attack algorithm, its implementation, and its role in adversarial robustness research.
Projected Gradient Descent (PGD) is a powerful iterative white-box adversarial attack that generates adversarial examples by repeatedly applying the Fast Gradient Sign Method (FGSM) in small steps and projecting the result back onto an epsilon-ball constraint. The algorithm initializes a perturbation, often randomly within the allowed L∞-norm ball, and then iteratively computes the gradient of the loss function with respect to the input. At each step, it takes a small step in the direction that maximizes the loss, and crucially, projects the perturbed input back onto the valid constraint set to ensure the perturbation magnitude never exceeds the specified epsilon threshold. This projection step is what distinguishes PGD from simpler iterative methods and makes it the de facto standard for evaluating worst-case adversarial robustness. The multi-step nature allows PGD to find stronger adversarial examples than single-step methods like FGSM by effectively climbing the loss landscape within the constrained region.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Projected Gradient Descent is a cornerstone of adversarial robustness research. The following concepts define the attack landscape and the defensive methodologies used to counter iterative, constrained optimization threats.
Gradient Masking
A false sense of security phenomenon where a defense obfuscates gradients rather than truly improving robustness.
- Obfuscated Gradients: Shattered gradients (non-differentiable defenses), stochastic gradients (randomized defenses), or exploding/vanishing gradients.
- Detection: If a black-box attack (like a score-based method) succeeds where a white-box PGD fails, gradient masking is likely present.
- Implication: Defenses exhibiting this property are considered broken, as they fail against transfer attacks or hard-label methods.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us