Astral
Back to blog

Security · 16 min read

We Attacked Our Own Drones 11,340 Times. Here's What We Learned.

June 9, 2026

None of the attacks worked — not the way you'd expect.

Over several weeks, we ran 11,340 simulation trials against our autonomous warehouse-search drone stack. We hit it with GNSS spoofing, RF jamming, proportional-navigation interceptors, and direct control takeover. Varied seeds, tasks, defense configurations. Tracked every trial.

The headline result: no attack degraded mission success rate beyond the 95% confidence interval. One attack even inflated it. If you stopped reading here, you'd conclude our drones are basically impervious to adversarial interference. That conclusion would be wrong — and the gap between what the numbers say and what they mean is exactly why we're writing this.

Mission Success Rate Is the Wrong Metric for C-UAS

This is the central finding. Every attack profile we tested returned a mission success rate within the confidence interval of baseline (57.6% ±6.7 pp). GNSS walk-off: +1.2 pp. RF jamming: 0.0 pp. PN interceptor: 0.0 pp.

Control takeover improved success rate by +8.1 pp. The attacker's redirect goal happened to sit closer to the mission target in ~8% of trials. The drone got hijacked and accidentally completed more tasks.

None of this means the attacks did nothing. It means mission success rate doesn't capture what C-UAS threats actually do. The right metrics are physical: capture percentage, maximum position error, detection latency, minimum miss distance.

What the Four Attack Types Actually Do

GNSS Walk-Off

Smooth-capture spoofing: position blends from true toward attacker-controlled offset over 5 seconds. Velocity is left untouched — preserving the IMU signal that enables dead-reckoning detection. Physical result: 5.14 m mean maximum position error under single-axis walk-off. Combined with RF jamming: 7.95 m.

RF Jamming

Packet loss (0.5–0.9) and latency (0.2–0.8 s) injected into the communication channel. Produces no measurable change in single-drone mission success. The jam failsafe — RTL on 3 s of neighbor silence — returns 0.0% false positives on clean baseline.

Control Takeover

Direct override of action.target_position. The goal-bounds defense (reject targets outside ±30 m geofence) stops this completely. False positives on clean baseline: 0.0%.

Why PN Interceptors Are the Real Threat

Proportional-navigation guidance (N=3.5, v_max=8 m/s, net capture radius 1.5 m) achieves a 79.5% capture rate with no defense active. Minimum miss distance: 0.11 m. When RF jamming is layered on: capture rate still 79.5%. Physical interception geometry is not sensitive to communication degradation.

This is the metric that matters. A 79.5% probability your drone gets physically removed from the air in a single engagement is operationally decisive. No mission success rate figure captures that.

Defenses: What Works

Plausibility detection: dead-reckoning vs. GPS position; flag when divergence >3 m. Under single walk-off: 39.8% TP. Under combined GNSS+RF jam: 79.5% TP(the jam forces faster spoofing, making detection easier). False positives on clean baseline: 0.0%.

Critical implementation lesson: the DR integrator must use elapsed wall time between controller calls (2 s), not the physics timestep (0.05 s). Using 0.05 s produced a 75.8% false-positive rate. This is an easy bug to introduce in any system where physics dt differs from control rate.

All defenses stacked: 0.0% FP on clean baseline, +1.9 pp mission success overhead. Properly tuned defenses impose no operational cost.

The Fidelity Boundary

Reliably testable in kinematic sim: GNSS position error, PN capture geometry, control takeover, jam failsafe, plausibility detection, goal-bounds enforcement.

Not testable without hardware or RF simulation: carrier-phase GPS, RAIM, Galileo OSNMA authentication (operational since July 2025), barrage vs. reactive jamming physics, EKF lock-pull, camera/radar interception detection, aerodynamic evasion effectiveness.

The evasion defense triggered at 0% — not because evasion is ineffective, but because interceptors are not inserted into the drone's onboard sensor list in the current harness. That is a simulation fidelity gap, not a finding about evasion.

Practical Takeaways

  • Don't use mission success rate as your primary C-UAS metric. Track capture rate and position error separately.
  • PN interceptors are your highest-priority threat — 79.5% capture against non-maneuvering drones.
  • Plausibility detection is deployable today at 0% FP if you use the right clock.
  • Goal-bounds enforcement stops control takeover with zero performance cost.
  • Jam failsafe (RTL on link silence) should be standard firmware on every drone.
  • Update your GNSS threat model for OSNMA — capable adversaries now layer RF denial on top of spoofing.

Full paper with methodology and all tables: research: C-UAS study.