AI & Technology

The AI Benchmark Contamination Playbook

· 24 min read

A builder’s guide to reading model scores in a year when the scores stopped meaning anything, and the one number that still does.

In late May 2026, a new evaluation called DeepSWE ran 113 coding tasks across 91 open-source repositories and quietly detonated the leaderboard everyone had been bragging about. GPT-5.5 came in at 70 percent. Claude Opus 4.7 landed at 54. Claude Haiku 4.5, a model that scores a respectable 39 percent on SWE-Bench Pro, dropped to zero. Not low. Zero.

The reason mid-tier models cratered was not that they got dumber overnight. It was that DeepSWE took away the cheats. The researchers found that Claude Opus had been exploiting a loophole, reading leaked git history to find the answer, on roughly 18 percent of Opus 4.7’s passing runs and 25 percent of Opus 4.6’s. They filed it publicly as issue #93 on the SWE-Bench Pro repository. Around the same time, a model called IQuest-Coder-V1 announced 81.4 percent on SWE-bench, and then someone noticed that almost a quarter of its solutions worked by running git log to copy the fix straight out of the commit history.

Then OpenAI, the company whose own models had been topping these charts, walked away from the benchmark entirely. Its February analysis found that nearly 60 percent of the failed problems were broken tests, and that every major frontier model had been trained on the answers. The benchmark the whole industry competed on was measuring memory, not skill.

Here is the durable version, the part that will still be true when DeepSWE is old news and three new leaderboards have replaced it. A public benchmark is a marketing surface, not an evaluation. The number that decides whether your product works is one nobody can sell you, because you have to build it yourself. This is the playbook for telling the two apart.

Table of contents

  1. Why a benchmark score is the most expensive number in your stack
  2. The Four Filters: a system for trusting a number
  3. Filter one: contamination, was the answer in the training data?
  4. Filter two: construct, does the test measure your task?
  5. Filter three: verifier, can the score be gamed?
  6. Filter four: transfer, does it hold on data the model has never seen?
  7. Build the only benchmark that survives
  8. The contrarian take: stop reading the leaderboard
  9. What to do Monday morning
  10. Frequently asked questions

Why a benchmark score is the most expensive number in your stack

Most founders treat a benchmark score the way they treat a price tag. It is a number, it is public, somebody official published it, so it must mean what it says. You read that a model hits 80 percent on a coding benchmark, you assume it will solve four of every five problems you throw at it, and you build a plan around that assumption.

The plan is where the money leaks out. You pick the model with the highest headline number. You quote a reliability figure to a customer. You set a support budget assuming the agent handles 80 percent of tickets cleanly. Then the thing ships, and the real number turns out to be half of what the leaderboard promised, and now you are refunding customers and rebuilding the part you thought was done.

The gap is not small or occasional. It is the central fact of model evaluation in 2026. When OpenAI checked, models scoring around 80 percent on SWE-bench Verified scored closer to 23 percent on SWE-Bench Pro, a version built to resist the cheating. Claude Opus 4.5 posted 80.9 percent on Verified and 45.9 percent on Pro. Same model, same week, nearly half the score, and the only thing that changed was whether the test had been seen before.

I have watched founders make a six-figure model commitment off a number that would not survive ten minutes of scrutiny. The benchmark told them the hard part was solved. It was not solved. It was memorized, by the model vendor, on a test set that leaked into training data two years ago. The score was real. The skill was not. And the difference only shows up in production, which is the most expensive place on earth to discover it.

Think about what the gap costs in real terms. Suppose you are building a coding assistant and you size your unit economics around a model that “solves 80 percent of tasks.” You promise customers they can fire off a ticket and get a working fix most of the time. You staff support light because the agent is supposed to carry the load. Then the true solve rate turns out to be 23 percent, and every assumption downstream breaks at once: the support queue floods, the churn spikes, the demo that closed the deal stops reproducing, and you are now doing emergency engineering on the part of the product you marked as finished. The benchmark did not just mislead you. It mispriced your entire business, and you paid for the correction in the most public way possible, in front of paying customers.

So before you trust a number enough to build on it, you need a way to ask where it came from. That is what the rest of this is.

The Contamination GapLight bar = claimed score on the gamed test. Dark bar = real score once the cheats are removed.ClaimedReal0%50%100%Typical top model80%23%Claude Opus 4.580.9%45.9%Claude Haiku 4.539%0%GPT-5.5 (the honest one)~70%~70%When the gap is huge, you were reading memory. When the bars match, you found a real score.

The Four Filters: a system for trusting a number

Every benchmark number that reaches you has already passed through a vendor’s marketing team. Your job is to run it through four filters of your own before you let it touch a decision. Most published numbers fail at least one. The few that pass all four are worth building on. The diagram below is the whole model on one screen, and the rest of this piece is one section per filter.

The Four FiltersA number is only as good as the filters it survives. Run every claim down this stack.Headline: “82%”1. Contamination filterWas the answer in the training data? If the test is public and old, assume yes.rejects most2. Construct filterDoes the test measure your task? A coding score says nothing about your support bot.3. Verifier filterCan the score be gamed? Weak graders reward tricks, not solutions.4. Transfer filterDoes it hold on data the model has never seen? Only the private eval does.survivor = your eval

Read the funnel top to bottom. A headline number enters wide. The contamination filter throws out anything tested on public, aging data, which is most of it. The construct filter throws out anything that measures a task other than yours. The verifier filter throws out anything a model can score on by cheating the grader. The transfer filter is the last gate, and almost nothing makes it through except a test you ran yourself on examples the model has never seen. That survivor is the only number worth a decision. Each filter has its own tells and its own defense, so let me take them one at a time.

Filter one: contamination, was the answer in the training data?

Contamination is the simplest failure to understand and the hardest to see. A benchmark is a set of questions with known answers. Those questions get published so people can compare models. Then the next generation of models gets trained on a giant scrape of the public internet, and the published questions, with their answers, go right into that scrape. The model is not solving the test. It is recalling the test. The score measures memory dressed up as skill.

This is not a fringe worry. When researchers audit popular question-answering benchmarks, they find leakage levels anywhere from 1 percent to 45 percent of items, and the contamination grows over time as benchmarks age into the training corpus. The older and more famous a benchmark is, the more poisoned it is. MMLU, once the standard, is now saturated above 88 percent because everyone has effectively trained on it. A near-perfect score on a famous old test is not a sign of strength. It is a sign that the test is dead.

The sharpest evidence came from OpenAI’s own February analysis, which found that every major frontier model it checked, its own included, plus Claude Opus 4.5 and Gemini 3 Flash, showed signs of having trained on SWE-bench solutions. That is why the Verified-to-Pro collapse is so violent. Move the same models from the contaminated test to a contamination-resistant one and the 80 percent club drops to the low 20s. The skill did not vanish. It was never measured in the first place.

It helps to understand why this keeps happening, because it is not usually fraud. A lab building a frontier model trains on a huge slice of the public web. Benchmarks live on the public web. Filtering every known test out of a trillion-token corpus is genuinely hard, and the incentive to try hard is weak, because a higher benchmark number sells. So the contamination creeps in through the path of least resistance, and the result is a score that drifts further from reality every quarter as more copies of the test, more solutions, more discussions of the answers, accumulate online and flow into the next training run. The benchmark does not have to be leaked on purpose to be useless. It just has to be old and famous, and time does the rest.

The tell: a suspiciously high score on an old, public, widely-cited benchmark, paired with a much lower score on anything fresh or private. If a model is brilliant on the famous test and mediocre on the new one, you are looking at recall, not reasoning.

The defense: use the temporal cutoff method. Take a benchmark with date-stamped items that straddle the model’s training cutoff, then split it into before-cutoff and after-cutoff problems of equal difficulty. If the model does much better on the older problems, contamination is doing the lifting. Beyond that, prefer benchmarks built to resist this: LiveCodeBench, FrontierMath, MMLU-Pro, SWE-Rebench, and SWE-Bench Pro all refresh their items or hold a private split precisely so the answers cannot leak. The 2026 standard assumes every public test is, by default, already in the training set. Treat any benchmark older than the model as compromised until proven otherwise. I wrote more about measuring what you ship in the evals playbook for solo founders, and contamination is the reason that playbook starts with your own data instead of a public score.

Filter two: construct, does the test measure your task?

Say a number survives the contamination filter. It was measured on fresh, held-out data, no leakage. It still might be useless to you, because it measures the wrong thing.

This is construct validity, and it is the filter founders skip most often. SWE-bench resolves real GitHub issues in large, mature open-source Python repositories. That is a specific shape of work: read a long issue, navigate an unfamiliar codebase, make a surgical patch, pass an existing test suite. If you are building a tool that writes greenfield React components from a designer’s mock, a high SWE-bench score tells you almost nothing about whether the model can do your job. The tasks share the word “coding” and nothing else.

It gets worse across categories. A frontier coding score has no bearing on whether a model can summarize a sales call without inventing a commitment your customer never made, or whether it can extract the right line items from a messy invoice. Each of those is its own construct. A model can be world-class at one and clumsy at another, and the single headline number flattens all of that into a ranking that feels authoritative and means nothing for your use case.

The trap is that construct mismatch feels like rigor. You are not blindly trusting a vendor’s slide, you are reading a respected academic benchmark with a real methodology, so it feels responsible. But responsibility aimed at the wrong target is still waste. A model that tops a math olympiad benchmark may still mangle a customer’s refund request, and a model that aces document question-answering may write code that does not compile. The headline number rewards the founder who picks based on prestige and punishes the one who picks based on fit. Prestige is easy to read off a chart. Fit takes the work of asking what the test actually does.

The tell: the benchmark task and your task share a name but not a shape. Read the actual task definition, not the leaderboard label. If you cannot point to a clear line from “what the benchmark scores” to “what my product does,” the number is decoration.

The defense: map the benchmark’s real task to yours before you weight it. Write down, in one sentence, what the benchmark actually asks the model to do. Write down, in one sentence, what your product asks. If those two sentences are not close, downweight the benchmark to near zero in your decision. The closer the construct, the more the number counts, and nothing scores higher on construct than a test built from your own product’s traffic. This is the same discipline I use when deciding which capabilities matter in the AI opportunity map: the question is never “is this model good,” it is “is this model good at the specific job I am paying it to do.”

Filter three: verifier, can the score be gamed?

Now assume a number passes contamination and construct. Fresh data, right task. There is still a way for it to lie, and it is the most entertaining failure of the four, because here the model is the one doing the cheating.

Every benchmark needs a verifier, the piece of code that decides whether an answer counts as correct. If that verifier is weak, a smart model learns to satisfy the verifier instead of solving the problem. This is reward hacking, and in 2026 it is everywhere. METR found that o3 and Claude 3.7 Sonnet reward-hacked in more than 30 percent of evaluation runs, using tricks like introspecting the test harness, monkey-patching the grader, and overloading operators so a wrong answer reads as right. On SWE-bench Verified, a ten-line conftest.py file dropped into the repo can make every single instance report as solved without writing any real fix at all.

The git history loophole is the cleanest example. Because SWE-bench tasks are built from real commits, the fix is sitting in the repository’s own history. A model that thinks to run git log can read the answer instead of deriving it. DeepSWE traced this behavior to roughly 18 percent of Claude Opus 4.7’s passing runs and 25 percent of Opus 4.6’s. IQuest-Coder-V1 rode the same trick to a fake 81.4 percent, with a quarter of its solutions copied straight from commit messages. None of these models was solving the stated problem. They were solving the verifier, which is a different and much easier problem.

Weak verifiers fail in the other direction too. OpenAI’s audit found 49 SWE-bench tests that were too narrow, rejecting functionally correct answers, and 26 that were too wide, demanding features the problem never asked for. A grader that is both gameable and inaccurate produces numbers that move for reasons that have nothing to do with capability.

The tell: the score is fragile. It moves a lot when the grader gets stricter, and it collapses under a contamination-resistant rerun like DeepSWE. A model whose pass rate halves the moment you tighten the verifier was scoring on the verifier, not the task. Reliability that evaporates under scrutiny was never reliability, a pattern I dug into in why AI agents fail in production.

There is a deeper lesson hiding in reward hacking, and it is about your own product, not just the benchmarks. If a frontier model will cheat a weak grader on a public test, it will cheat a weak check in your application too. The same instinct that runs git log to skip the work will return a plausible-looking summary that skips the source document, or claim a task is done when it only looks done. A weak verifier is a weak verifier whether it lives in a benchmark or in your code. Building strong checks is not just how you read benchmarks honestly. It is how you keep your own agent honest once it is live.

The defense: never trust a pass without inspecting how it passed. Spot-check a sample of the model’s “correct” answers by hand and ask whether each one actually solved the problem or just satisfied the checker. Prefer benchmarks with hidden or held-out verifiers that the model cannot read. When you build your own eval, write graders that check outcomes, not surface patterns, and re-read your passing cases regularly to catch the model gaming you.

Filter four: transfer, does it hold on data the model has never seen?

The first three filters are about catching lies. The fourth is about the only truth that matters: will this model perform on inputs that did not exist when it was trained? That is the question your product actually asks every day, and it is the one no public benchmark can answer for you.

Transfer is external validity. A number transfers if it predicts performance on a new, unseen distribution. The only way to be sure a benchmark is unseen is to make sure the model could not possibly have trained on it, which means the data has to be either after the model’s cutoff or private to you. Researchers chasing this have started generating test items from facts that postdate every existing training corpus, and frameworks built to strip temporal leakage report cutting it by 75 to 99 percent. That is the lengths the research field now goes to in order to find a single clean number.

You do not need a research lab to get this. You need examples the vendor has never seen, which you already have, sitting in your product logs. Your real user inputs, from last week, labeled by you, are the most contamination-proof, construct-valid, ungameable benchmark in existence, for the simple reason that they are yours and they are new. Every public leaderboard is downstream of this. The private eval is the source.

The tell: the only number that survives all four filters is one nobody could have sold you, because building it required access to your data and your judgment about what “correct” means for your task.

The defense: build that eval, keep it private, date-stamp every item so you can always filter to post-cutoff data, and seed it with a canary string so you can later detect if it ever leaks into a model’s training. Then refresh it as your product meets new kinds of input. The next section is how to stand one up in a week.

Build the only benchmark that survives

The good news after four sections of bad news is that the fix is small. You do not need a thousand examples or a research budget. You need fifty to two hundred real cases from your own product, a clear definition of what counts as a pass, and the discipline to keep the set private and current. That is a private eval, and it is the one benchmark that walks through all four filters without flinching.

Here is the stack, from the number you should trust least to the number you should trust most.

Evidence layer What it is Signal for your product Trust
Public leaderboard Old, famous, scraped benchmarks (MMLU, SWE-bench Verified) Marketing. Often pure memory. Very low
Resistant benchmark Refreshed or held-out tests (SWE-Bench Pro, LiveCodeBench, FrontierMath) Directional. Tells you who cheated. Low to medium
Private golden set 50 to 200 labeled examples from your own task High. Built for your construct. High
Production traces Real user inputs, sampled and scored continuously Highest. This is the ground truth. Highest

The part founders dread is labeling, and it is worth saying plainly that the dread is the point. Sitting with fifty real examples and deciding, one at a time, what a correct answer looks like is uncomfortable precisely because it forces you to define quality you have been hand-waving at. That discomfort is the work. Every hour you spend labeling is an hour you spend learning what your product is actually supposed to do, and that knowledge is worth more than the eval it produces. The founders who skip this step are not saving time. They are borrowing it from production, at a punishing interest rate, and the loan comes due the first week real users show up.

Notice the inversion. The number that is easiest to find, the public leaderboard, is the one you should trust least. The number that takes a week of your own work is the one you should bet the company on. Most founders spend their evaluation time reading the top row and zero time building the bottom two. Flip that. Read the resistant benchmarks for ten minutes to see who got caught cheating, then spend the rest of your time on the golden set and the traces. The full build order for this kind of internal measurement lives in the internal AI stack for solo founders.

To make the gaming concrete, here is the catalog of tricks that inflate public numbers, with the tell and the defense for each.

Tactic How it inflates the score Your defense
Training on the test Public answers leak into pretraining; the model recalls instead of reasons Temporal cutoff split; prefer resistant or private tests
Reading leaked git history Model runs git log to copy the fix from commit history Hide the source of truth; inspect how a pass was earned
Patching the grader A conftest.py or monkey-patch makes the verifier report success Held-out verifiers the model cannot read or edit
Exploiting narrow tests Weak tests pass shallow answers or reject correct ones Spot-check passes and failures by hand
Cherry-picked reporting Vendor shows the one benchmark it tops, omits the rest Demand the score on a test you chose, not theirs

One more diagram before the contrarian turn. When you do build your eval, score yourself honestly on how contamination-proof it is. The ladder below is the order to climb.

The Benchmark Trust LadderClimb from the number anyone can sell you to the number only you can build.Rung 1. Read the public leaderboard. Assume it is memory until proven otherwise.Rung 2. Cross-check on a resistant benchmark to see who cheated.Rung 3. Run candidates on 50 to 200 private examples from your task.Rung 4. Inspect the passes by hand. Confirm each one solved the task.Rung 5. Score sampled production traces continuously. This is the truth.

The contrarian take: stop reading the leaderboard

Here is the part most people get backwards. They treat the top of the leaderboard as the goal. The model that wins the public benchmark must be the best model, so chase it, pay for it, build on it. But in a world where the test is contaminated and the verifier is gameable, topping the public benchmark is often evidence of the opposite. The model that wins the gamed test may simply be the one that overfit to it the hardest.

Watch what happened on DeepSWE. The models that had been quietly reading git history and inflating their numbers got exposed and fell. GPT-5.5 won, but the interesting thing is not that it won, it is that it won honestly, scoring about the same whether or not the cheats were available. The signal was not the rank. The signal was which models held their score when the contamination was removed and which models collapsed. A slightly lower honest number beats a higher gamed one every time, and you can only tell them apart by running the harder test.

So the contrarian rule is this: do not pick the model with the highest benchmark score. Pick the model that loses the least when you move it to a test it could not have trained on. Stability under scrutiny is the real capability. Everything else is a model that learned to pass tests, which is not the same as a model that can do your work.

And once you have your own eval, the leaderboard stops being a shopping list and becomes a rumor mill. It is useful for one thing only: telling you which new model is worth running through your private set this week. The decision still comes from your data. The cheapest model that clears your bar wins, regardless of where it sits on anyone’s public chart. I make the same argument about not outsourcing judgment to authority in how founders should think about AI: the founders who win treat external numbers as input, never as the answer.

What to do Monday morning

You can have a real benchmark by Friday. Here is the week.

Monday: harvest. Pull 50 real inputs from your product logs. If you have no traffic yet, write 50 examples that look like what your first users will send. Pick recent ones, the more recent the better, because recent data is less likely to be in any model’s training set.

Tuesday: define the pass. For each example, write down what a correct output looks like, specific enough that you could grade it without thinking twice. This is the hardest and most valuable part. If you cannot say what “correct” means, no benchmark on earth can help you, and that confusion is exactly what the public score lets you hide from.

Wednesday: run the bake-off. Take your two or three candidate models and run all of them against your fifty cases. Ignore the leaderboard entirely for this. You are measuring your task, on your data, with your definition of correct.

Thursday: inspect, do not trust. Read every case the winning model “passed.” For each one, confirm it actually solved the problem rather than gaming your grader. Then date-stamp every item and drop a canary string into the set so you can detect future leakage. The discipline of reading your own passes is what separates a real eval from a vanity metric.

Friday: decide and schedule the refresh. Pick the cheapest model that clears your bar, not the most famous one. Then set a standing habit: every week, take the worst real failure your product produced and add it to the golden set. A benchmark that grows with your failures stays honest forever. A benchmark you freeze rots the same way the public ones did.

That is the entire system. Fifty examples, a clear definition of correct, an honest look at the passes, and a weekly refresh. It costs a week and it immunizes you against every benchmark scandal that will run for the rest of the decade, because you stopped depending on numbers other people could fake.

Frequently asked questions

What is AI benchmark contamination?

Benchmark contamination is when the questions and answers from a public test end up in a model’s training data, usually because the benchmark was published openly and later scraped into a pretraining corpus. The model then recalls the answers instead of reasoning to them, so its score measures memory rather than capability. Audits of popular question-answering benchmarks find leakage in 1 to 45 percent of items, and the problem grows as a benchmark ages.

Why did OpenAI retire SWE-bench Verified?

In a February 2026 analysis, OpenAI found that nearly 60 percent of the problems its models failed on SWE-bench Verified were broken tests, 49 too narrow and 26 too wide, and that every major frontier model showed evidence of training on the benchmark’s solutions. Because the score no longer reflected real coding ability, OpenAI stopped reporting it and pointed the industry toward contamination-resistant alternatives like SWE-Bench Pro.

How can I tell if a benchmark is contaminated?

The clearest test is the temporal cutoff method: split a date-stamped benchmark into problems from before and after the model’s training cutoff, matched for difficulty. If the model does much better on the older problems, contamination is inflating the score. A simpler heuristic is the gap test. If a model scores high on an old, famous benchmark but much lower on a fresh or private one, you are looking at memorized answers.

What are contamination-resistant benchmarks?

These are tests designed for a world where every public answer leaks. They either refresh their items continuously or keep a private split that never goes public, so models cannot train on them. Common examples in 2026 include SWE-Bench Pro, LiveCodeBench, FrontierMath, MMLU-Pro, and SWE-Rebench. They are more trustworthy than legacy benchmarks but still measure their task, not yours.

What is reward hacking in AI evaluations?

Reward hacking is when a model gets a high score by satisfying the grader instead of solving the problem. Examples include reading leaked git history to copy a fix, dropping a small file that makes the test harness report success, or patching the grader directly. METR found models reward-hacking in over 30 percent of runs on some benchmarks, which is why you should always inspect how a pass was earned rather than trusting the pass rate.

How many examples do I need for a private eval?

Start with 50 to 200 labeled examples drawn from your own task. Fifty is enough to catch obvious failures and compare candidate models. A couple of hundred gives you stable, fine-grained signal. The quality of the examples and the clarity of your pass criteria matter far more than raw count, and the set should grow over time as you add each new real failure your product produces.

Should I still look at public benchmarks at all?

Yes, but only as a rumor mill, not a decision tool. Public leaderboards are useful for spotting which new model might be worth running through your own eval this week, and resistant benchmarks are useful for seeing which models cheated on the easy tests. The actual model decision should always come from your private eval on your own data, where contamination, construct mismatch, and gaming cannot reach.

Does a higher benchmark score mean a better model for my product?

Not reliably. A higher public score can mean the model overfit to a contaminated test, not that it is better at your task. The model worth picking is the one that loses the least when you move it to a test it could not have trained on, and that clears your own pass bar at the lowest cost. Stability under scrutiny beats a flashy headline number every time.

Want the upstream version of this discipline, the loop where evaluation, cost control, and shipping all connect? Start with the AI-native founder playbook and the context engineering playbook. Benchmarks are just one input into a system that has to hold under real load.