On the Robustness of Tabular Foundation Models: Test-Time Attacks and In-Context Defenses
Mohamed Djilani, Thibault Simonetto, Karim Tit, Florian Tambon, Salah Ghamizi, Maxime Cordy, Mike Papadakis

TL;DR
This paper investigates the adversarial vulnerabilities of recent tabular foundation models, demonstrating their susceptibility to test-time attacks and proposing in-context adversarial training to enhance robustness.
Contribution
It provides a comprehensive analysis of vulnerabilities and introduces an in-context adversarial training method to improve the robustness of tabular foundation models.
Findings
Small perturbations significantly degrade prediction accuracy.
Tabular FMs can generate transferable adversarial examples.
In-context adversarial training improves robustness across benchmarks.
Abstract
Recent tabular Foundational Models (FM) such as TabPFN and TabICL leverage in-context learning to achieve strong performance without gradient updates or fine-tuning. However, their robustness to adversarial manipulation remains largely unexplored. In this work, we present a comprehensive study of the adversarial vulnerabilities of tabular FM, focusing on both their fragility to targeted test-time attacks and their potential misuse as adversarial tools. We show, on three benchmarks in finance, cybersecurity and healthcare, that small, structured perturbations to test inputs can significantly degrade prediction accuracy, even when the training context remains fixed. Additionally, we demonstrate that tabular FM can be repurposed to generate transferable evasion to conventional models such as random forests and XGBoost, and, to a lesser extent, to deep tabular models. To improve tabular FM, we…
