o3-mini-low vs o4-mini-low KQL Benchmark
o3-mini-low wins by 8.5%
Compared on 188 shared test questions
Overall Accuracy
o3-mini-low
51.6%
97 / 188 correct
o4-mini-low
43.1%
81 / 188 correct
Average Cost per Query
o3-mini-low: $0.0279
o4-mini-low: $0.0311
o4-mini-low costs 11.5% more
Average Execution Time
o3-mini-low: 36.54s
o4-mini-low: 73.44s
o4-mini-low takes 101.0% longer
Question-by-Question Analysis
Question-by-Question Comparison
Detailed comparison showing where each model succeeded or failed
Showing 1 to 25 of 188 questions
Page 1 of 8
| T1016.001 | On a Linux host, a ping command was executed to test internet connectivity. Determine which IP address was used as the ping target. | ✓ | ✗ | o3-mini-low Wins |
| T1016 | A Linux host’s Syslog shows a shell-based network discovery script ran multiple commands. One of them listed current TCP connections. Which utility was invoked? | ✓ | ✗ | o3-mini-low Wins |
| T1027 | On a Windows endpoint, look for evidence of a base64-encoded PowerShell payload execution. Which executable launched the encoded command? | ✓ | ✗ | o3-mini-low Wins |
| T1027 | On a Linux system, identify the script that was generated by decoding a base64 data file and then executed. What was the filename of that script? | ✓ | ✗ | o3-mini-low Wins |
| T1036.003 | In a Linux environment, you observe a process labeled like the cron daemon but running from an unexpected path. Investigate creation events to uncover the actual filename used by this fake cron process. | ✓ | ✗ | o3-mini-low Wins |
| T1048.003 | Windows process creation logs show a PowerShell-driven file transfer to an FTP service. Which executable was leveraged to perform this exfiltration? | ✓ | ✗ | o3-mini-low Wins |
| T1057 | A malicious actor may attempt to list running processes on a Windows machine using a WMI-based command. Review the process creation events to find out which utility was invoked to perform this enumeration. | ✓ | ✗ | o3-mini-low Wins |
| T1059.004 | An analyst suspects that a restricted shell escape was executed using a common Perl package manager on Linux. Review the process execution records to determine which tool was invoked to spawn the shell. | ✓ | ✗ | o3-mini-low Wins |
| T1069.001 | On a Linux endpoint, process events reveal a chain of group‐enumeration utilities executed by a single session. Which utility was used to query the system’s group database? | ✓ | ✗ | o3-mini-low Wins |
| T1059.004 | On a Linux host, identify the process invocation that altered a user’s login shell. What was the full command used? | ✓ | ✗ | o3-mini-low Wins |
| T1069.001 | Review recent Windows process event logs for PowerShell activity that suggests local group enumeration through WMI. What exact command was executed? | ✓ | ✗ | o3-mini-low Wins |
| T1070.004 | A Linux host executed a native utility to overwrite and then remove a temporary file in one step. Identify the name of the file that was securely deleted by this action. | ✓ | ✗ | o3-mini-low Wins |
| T1070.006 | On a Linux system, attackers may use timestamp manipulation to hide malicious changes. Investigate relevant logs to identify which file’s modification timestamp was altered by such a command. | ✓ | ✗ | o3-mini-low Wins |
| T1070.008 | An attacker on Linux used bash to copy all files from /var/spool/mail into a newly created subdirectory before modifying them. What is the name of that subdirectory? | ✓ | ✗ | o3-mini-low Wins |
| T1090.003 | On a Linux endpoint, a command was executed to start a proxy service commonly used for onion routing. Identify the name of the service that was launched to enable this proxy functionality. | ✓ | ✗ | o3-mini-low Wins |
| T1082 | A user‐space process on a Linux device invoked a shell to capture and display the system’s environment variables and path. Which exact command was used to perform this discovery? | ✓ | ✗ | o3-mini-low Wins |
| T1070 | A suspicious actor appears to have removed the USN change journal on a Windows workstation. Investigate process start records to find out exactly which command was used to delete the journal. What was the full command line invoked? | ✓ | ✗ | o3-mini-low Wins |
| T1112 | On Windows systems, disabling RDP via the registry generates registry write events. Investigate registry event logs for modifications under the Terminal Server configuration path. What is the name of the registry value that was changed to disable Remote Desktop Protocol? | ✓ | ✗ | o3-mini-low Wins |
| T1112 | A Windows user’s registry was altered via a command-line tool to disable the lock workstation feature by adding a DWORD entry under the current user Policies\System key. Which registry value name was modified in this operation? | ✓ | ✗ | o3-mini-low Wins |
| T1082 | A Windows system shows a cmd.exe process spawn that appears to have been used for environment discovery. Review the process creation records to identify the exact command the adversary ran to enumerate environment variables. | ✓ | ✗ | o3-mini-low Wins |
| T1112 | A Windows host logs a change to the Terminal Server registry key disabling single-session per user. Which command-line utility executed this registry modification? | ✓ | ✗ | o3-mini-low Wins |
| T1124 | On a Linux host, an activity was recorded where the local clock and timezone were queried. Review the available process execution logs to uncover what full command was run to fetch the system time and timezone. | ✓ | ✗ | o3-mini-low Wins |
| T1201 | Windows systems may be probed for their password policy settings using a native command-line tool. Determine which command was executed to list the local password policy on the target hosts. | ✓ | ✗ | o3-mini-low Wins |
| T1201 | On Windows, an elevated SecEdit.exe process was observed exporting the local security policy. Review the process execution records to identify the name of the text file where the policy was saved. | ✓ | ✗ | o3-mini-low Wins |
| T1201 | On a Linux system, logs show that the password expiration settings file was accessed. Identify which command was executed to list its contents. | ✓ | ✗ | o3-mini-low Wins |
Page 1 of 8
Explore individual model performance and detailed analysis