A system and method for transferring an adversarial attack involving generating a surrogate model having an architecture and a dataset that mirrors at least one aspect of a target model of a target module, wherein the surrogate model includes a plurality of classes. The method involves generating a masked version of the surrogate model having ewer classes than the surrogate model by randomly selecting at least one class of the plurality of classes for removal. The method involves attacking the masked surrogate model to create a perturbed sample. The method involves generalizing the perturbed sample for use with the target module. The method involves transferring the perturbed sample to the target module to alter an operating parameter of the target model.