gpt-4.1-finetuned vs gpt-5-mini-high KQL Benchmark
gpt-5-mini-high wins by 22.3%
Compared on 188 shared test questions
Overall Accuracy
gpt-4.1-finetuned
26.1%
49 / 188 correct
gpt-5-mini-high
48.4%
91 / 188 correct
Average Cost per Query
gpt-4.1-finetuned: $0.0414
gpt-5-mini-high: $0.0150
gpt-4.1-finetuned costs 176.2% more
Average Execution Time
gpt-4.1-finetuned: 33.24s
gpt-5-mini-high: 44.83s
gpt-5-mini-high takes 34.9% longer
Question-by-Question Analysis
Question-by-Question Comparison
Detailed comparison showing where each model succeeded or failed
Showing 1 to 25 of 188 questions
Page 1 of 8
| T1003.007 | On a Linux system, review process creation logs to spot any dd commands reading from /proc/*/mem. What was the name of the file where the dumped memory was written? | ✓ | ✗ | gpt-4.1-finetuned Wins |
| T1016.001 | On a Linux host, a ping command was executed to test internet connectivity. Determine which IP address was used as the ping target. | ✓ | ✗ | gpt-4.1-finetuned Wins |
| T1027 | On a Windows endpoint, look for evidence of a base64-encoded PowerShell payload execution. Which executable launched the encoded command? | ✓ | ✗ | gpt-4.1-finetuned Wins |
| T1027 | On a Linux system, identify the script that was generated by decoding a base64 data file and then executed. What was the filename of that script? | ✓ | ✗ | gpt-4.1-finetuned Wins |
| T1059.004 | On a Linux host, identify the process invocation that altered a user’s login shell. What was the full command used? | ✓ | ✗ | gpt-4.1-finetuned Wins |
| T1069.001 | Review recent Windows process event logs for PowerShell activity that suggests local group enumeration through WMI. What exact command was executed? | ✓ | ✗ | gpt-4.1-finetuned Wins |
| T1070.003 | On a Linux endpoint, you suspect malicious clearing of the bash history by redirecting from the null device. Explore process or file events to uncover the exact shell command that performed this action. | ✓ | ✗ | gpt-4.1-finetuned Wins |
| T1078.003 | On a Linux host, review account management activity in Syslog or process event logs to pinpoint which command was executed to create a new local user. What was the name of the tool invoked? | ✓ | ✗ | gpt-4.1-finetuned Wins |
| T1090.003 | On a Linux endpoint, a command was executed to start a proxy service commonly used for onion routing. Identify the name of the service that was launched to enable this proxy functionality. | ✓ | ✗ | gpt-4.1-finetuned Wins |
| T1112 | On a Windows endpoint, review the registry write events to spot when the WDigest key is altered to permit plaintext credential storage. What registry value name was changed? | ✓ | ✗ | gpt-4.1-finetuned Wins |
| T1124 | In Windows process event logs, you notice both the net time and w32tm commands being executed to display the system time and timezone. Which executor name from the test configuration was responsible for launching these utilities? | ✓ | ✗ | gpt-4.1-finetuned Wins |
| T1217 | An attacker is suspected of using the Windows shell to enumerate a user’s Internet Explorer bookmarks via the Favorites folder. Identify the exact command they executed to perform this listing. | ✓ | ✗ | gpt-4.1-finetuned Wins |
| T1201 | On a Linux system, logs show that the password expiration settings file was accessed. Identify which command was executed to list its contents. | ✓ | ✗ | gpt-4.1-finetuned Wins |
| T1531 | Within Windows process event logs, identify instances where the built-in net.exe utility is used to change a user account password. What was the new password argument passed in? | ✓ | ✗ | gpt-4.1-finetuned Wins |
| T1562.003 | Within Linux process execution records, locate any bash commands where the HISTFILESIZE environment variable was exported. What value was assigned to HISTFILESIZE? | ✓ | ✗ | gpt-4.1-finetuned Wins |
| T1562.004 | Investigate Linux process execution logs for any use of iptables that removes a rule blocking outbound FTP traffic. What full command was issued to delete this rule? | ✓ | ✗ | gpt-4.1-finetuned Wins |
| T1562.012 | A Linux system’s audit framework appears to have been reset unexpectedly. Search your process execution records to identify which exact invocation removed all auditd rules. What full command was executed? | ✓ | ✗ | gpt-4.1-finetuned Wins |
| T1614.001 | During investigation of a Linux device, you see evidence of a process that reports system locale details. Identify the tool used. | ✓ | ✗ | gpt-4.1-finetuned Wins |
| T1614.001 | Using Linux process or syslog logs, identify the executable that was run to output the system's locale information. | ✓ | ✗ | gpt-4.1-finetuned Wins |
| T1006 | Identify the PowerShell cmdlet used on Windows to format and display the raw volume bytes after an attacker read the boot sector via a DOS device path. | ✗ | ✓ | gpt-5-mini-high Wins |
| T1007 | An analyst suspects a user or script ran a service enumeration command on a Linux system. Review process events to find the service-listing invocation and specify the full command that was executed. | ✗ | ✓ | gpt-5-mini-high Wins |
| T1016.001 | An analyst notices a PowerShell process on a Windows host that appears to be checking SMB connectivity. Which PowerShell cmdlet was executed to perform this outbound port 445 test? | ✗ | ✓ | gpt-5-mini-high Wins |
| T1016 | A Linux host’s Syslog shows a shell-based network discovery script ran multiple commands. One of them listed current TCP connections. Which utility was invoked? | ✗ | ✓ | gpt-5-mini-high Wins |
| T1018 | On a Windows endpoint, review process creation logs to uncover when a built-in utility was used to reveal ARP entries. What exact command was used to list the ARP cache? | ✗ | ✓ | gpt-5-mini-high Wins |
| T1018 | Review Linux process execution records for any commands that list TCP metric cache entries and filter out loopback interfaces. Which utility was used? | ✗ | ✓ | gpt-5-mini-high Wins |
Page 1 of 8
Explore individual model performance and detailed analysis