It is becoming increasingly imperative to design robust ML defenses. However, recent work has found that many defenses that initially resist state-of-the-art attacks can be broken by an adaptive adversary. Attacks can initially make defenses look strong by not finding potential adversarial examples due to obfuscated gradients, limited compute, unlucky initialization, etc. In this work, we make steps towards more reliable defense evaluation by introducing a new defense evaluation tool, Subspace Grid-sweep, that leverages deterministic inference to more simply evaluate adversarial robustness. We use Subspace Grid-sweep to show that a previously published, but now broken, defense could have been known to be broken without performing a fully adaptive attack. In order to make Subspace Grid-sweep applicable to random defenses, we show how to make deterministic variants of random defenses while retaining similar empirical effectiveness. As a result, we show that randomness may not be necessary for these defense’s robustness.