In 2013, Szegedy and colleagues reported a result that should have changed how machine learning was deployed: for essentially any image a neural network classifies correctly, there exists a nearly identical image, differing by a perturbation imperceptible to a human, that the same network classifies with confidence as something else. The perturbation was not noise in the colloquial sense. It was a precise, structured signal, computed against the model's own gradients, that exploited the geometry of the decision boundary.
A year later, Goodfellow, Shlens, and Szegedy gave the phenomenon a mechanism and a weapon. Their argument was that adversarial examples arise not from exotic nonlinearity but from the essentially linear behavior of high-dimensional models: sum enough small, aligned perturbations across thousands of input dimensions and the output moves a lot. The Fast Gradient Sign Method (FGSM) that followed took a single step along the sign of the loss gradient and reliably flipped predictions. It was fast, it was one line of math, and it worked.
A decade of sharper knives
Everything since has been a refinement of that idea under different constraints. Madry and colleagues formalized robustness as a min-max problem and introduced Projected Gradient Descent (PGD), FGSM run for many iterations with projection back into an allowed perturbation ball, which remains the standard white-box attack and the standard adversarial-training inner loop. Carlini and Wagner reframed the attack as a penalized optimization and produced perturbations so small and so reliable that C&W attacks became the benchmark for breaking proposed defenses.
Then the assumptions loosened. Score-based black-box attacks like Square Attack (Andriushchenko et al., 2020) dispensed with gradients entirely, using random search over structured perturbations, and proved competitive with white-box methods while being immune to gradient masking. Decision-based attacks like HopSkipJump need only the model's final label. The uncomfortable conclusion is that access is not the barrier we hoped: a determined adversary with only an API can still find the failure.
The literature is not ambiguous. Under realistic threat models, undefended models fail, and they fail in ways accuracy metrics never reveal.
The undefended majority
The public conversation about AI security has centered on large language models: prompt injection, jailbreaks, data exfiltration. Those risks are real and worth the attention. But the models that steer the physical world are a different attack surface, and almost no one is red-teaming them commercially. Object detectors, image classifiers, and sensor-fusion stacks fail under bounded perturbation in ways that never appear in an accuracy benchmark:
- Gradient attacks (FGSM, PGD, C&W) exploit the differentiability of the model itself.
- Physical attacks (adversarial patches, camouflage, printed perturbations) survive the real world: angle, distance, lighting, and print-and-recapture.
- Black-box attacks (Square Attack, HopSkipJump) need only query or decision access, no gradients.
A patch that survives printing and a change of viewing angle can make a vehicle disappear from an overhead feed. A handful of pixels of structured noise can flip a classifier with high confidence. None of this is speculative, it is a decade of peer-reviewed results that industry has largely declined to operationalize.
Attack to defend
You cannot harden what you have not attacked. The defensive techniques that work (adversarial training, certified smoothing, input preprocessing, runtime detection) all depend on first knowing where and how a model breaks. That is a red-teaming problem, and red-teaming predictive systems is not a byproduct of building them. It is a discipline of its own, with its own tooling, its own threat models, and its own standards of evidence.
No American company was commercializing adversarial capabilities for predictive systems. That is the gap Mirage was built to close.
Our thesis is narrow and, we think, correct: the field has proven the attacks; what is missing is a rigorous, repeatable, operational way to run them against real models and turn the findings into fixes. That is the whole product.