Nearly Tight Black-Box Auditing of Differentially Private Machine Learning


2 Nov 2024 | Meenatchi Sundaram Muthu Selva Annamalai, Emiliano De Cristofaro
This paper presents a novel auditing procedure for Differentially Private Stochastic Gradient Descent (DP-SGD) in the black-box threat model, achieving tighter empirical privacy leakage estimates compared to prior work. The key intuition is to use worst-case initial model parameters, which are crafted to minimize the gradients of normal samples in the dataset, making the target sample more distinguishable. The authors evaluate their procedure on the MNIST and CIFAR-10 datasets, achieving empirical privacy leakage estimates of ε_emp = 7.21 and 6.95 for MNIST and CIFAR-10, respectively, at theoretical ε = 10.0. The procedure also identifies and analyzes factors affecting the tightness of black-box auditing, such as dataset size and gradient clipping norm. The results show that smaller datasets and larger gradient clipping norms lead to looser audits. The paper also discusses the impact of fine-tuning only the last layer of the model and provides insights into the limitations and future directions of the work.