Vulnerability Management

Introduction

Cranium provides two surfaces for managing vulnerabilities: the Vulnerability Assessment and the Vulnerabilities page. A Vulnerability Assessment is scoped to a single Bill of Materials and is accessed via the Bill of Materials list or the AI System Manager. The Vulnerabilities page is a tenant-wide view that aggregates findings across all Vulnerability Assessments and Arena-tested models in your organization. Both surfaces support resolving and ignoring vulnerabilities, but their workflows and restoration mechanisms differ.

Resolving a vulnerability indicates it has been remediated. Ignoring a vulnerability acknowledges the risk but documents a decision not to address it at this time. Both actions require a mandatory justification and record the user and timestamp for audit purposes.

For model vulnerabilities, resolving and ignoring affect the Vulnerability Likelihood score. Resolving a category excludes it from the score's numerator while keeping it in the denominator, which lowers the overall score. Ignoring a category removes it from the calculation entirely. The score recalculates automatically when an action is taken.

Important: Vulnerability status does not persist across model rescans. Resolved and ignored attack categories reset when a model is rescanned and must be reapplied. Status persistence is planned for a future release.
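To make the scoring and audit rules above concrete, here is an added Python model of the described behaviour (example code, not Cranium's own). The category names, user names and the exact score formula are assumptions: the score is taken as the share of covered attack categories that remain vulnerable, with resolved categories dropped from the numerator only and ignored categories dropped from both numerator and denominator.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed model of the resolve/ignore semantics described above. Category
# names, user names and the exact score formula are assumptions: score is taken
# as (vulnerable categories not resolved) / (total categories minus ignored ones).

@dataclass
class ModelAssessment:
    vulnerable: set          # attack categories the scan found vulnerable
    total: int               # number of attack categories the scan covered
    resolved: set = field(default_factory=set)
    ignored: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)

    def _mark(self, action, category, justification, user):
        # Both actions need a non-empty justification and are audited
        # with the acting user and a UTC timestamp.
        if not justification.strip():
            raise ValueError("justification is mandatory")
        if category not in self.vulnerable:
            raise KeyError(f"{category} is not a vulnerable category")
        target, other = ((self.resolved, self.ignored) if action == "resolve"
                         else (self.ignored, self.resolved))
        target.add(category)
        other.discard(category)   # a category holds exactly one status
        self.audit_log.append({"category": category, "action": action,
                               "justification": justification, "user": user,
                               "timestamp": datetime.now(timezone.utc).isoformat()})

    def resolve(self, category, justification, user):
        self._mark("resolve", category, justification, user)

    def ignore(self, category, justification, user):
        self._mark("ignore", category, justification, user)

    def likelihood(self):
        # Resolved categories leave the numerator but stay in the denominator;
        # ignored categories drop out of both.
        numerator = len(self.vulnerable - self.resolved - self.ignored)
        denominator = self.total - len(self.ignored)
        return numerator / denominator if denominator else 0.0

    def rescan(self, vulnerable, total):
        # Status does not persist across rescans: resolved and ignored reset.
        self.vulnerable, self.total = set(vulnerable), total
        self.resolved.clear()
        self.ignored.clear()
```

Walking the same three categories through resolve, ignore and rescan shows why resolving lowers the score less than ignoring does, and why both must be reapplied after a rescan.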

Managing Model Vulnerabilities in a Vulnerability Assessment

A Vulnerability Assessment represents the findings for a single Bill of Materials. To access one, navigate to the Bill of Materials list and select the Vulnerability Assessments tab, or navigate to the AI System Manager, open the AI System, and select the Vulnerability Assessment tab.

Model Vulnerabilities

To resolve or ignore a model vulnerability in a Vulnerability Assessment:

  1. Navigate to the Models tab
  2. Expand the model row to show individual attack categories
  3. Select the attack categories you want to mark
  4. Choose Resolve or Ignore from the Actions column
  5. Enter mandatory justification text explaining the decision
  6. Confirm the action

Technology Vulnerabilities

To resolve or ignore a technology vulnerability in a Vulnerability Assessment:

  1. Navigate to the Technologies tab
  2. Select the vulnerabilities you want to mark
  3. Choose Resolve or Ignore from the Actions column
  4. Enter mandatory justification text explaining the decision
  5. Confirm the action

Viewing and Restoring Resolved Vulnerabilities

The Resolved Vulnerabilities tab, accessible from the Bill of Materials page, provides a centralized view of all previously resolved or ignored vulnerabilities for a selected BOM. Use the artifact selector to choose a BOM, then use the Models and Technologies tabs to review resolved items by category. Each entry shows the source, detection timestamp, user who took the action, and the justification provided.

To restore one or more resolved vulnerabilities, select the items using the checkboxes and click Restore Selected. Restoring a vulnerability returns it to the active Vulnerability Assessment and includes it in future assessments.

Managing Vulnerabilities on the Vulnerabilities Page

The Vulnerabilities page aggregates findings across all Vulnerability Assessments and Arena-tested models in your tenant. Resolve and ignore actions taken here apply to the underlying Vulnerability Assessment for the relevant BOM.

Model Vulnerabilities

To resolve or ignore a model vulnerability on the Vulnerabilities page:

  1. Navigate to the Models tab
  2. Locate or search for the model in the table
  3. Click the Resolve Vulnerabilities button on the model row
  4. In the Remove Model Vulnerable Attack Categories modal, use the Ignore and Resolve columns to mark one or more attack categories
  5. Enter mandatory justification text for each selection
  6. Confirm the action

Resolved attack categories appear as a hyperlink in the Vulnerable Attack Categories column, labelled "# Resolved" where # is the number of resolved categories. Clicking this hyperlink opens the Restore Model Vulnerable Attack Categories modal, which lists the resolved attack categories for that model. Select the items you want to restore using the checkboxes and confirm the action. The reason for removal is displayed as a read-only field.

Technology Vulnerabilities

To resolve or ignore a technology vulnerability on the Vulnerabilities page:

  1. Navigate to the Technologies tab
  2. To act on a single vulnerability, click the Ignore or Resolve button on its row. To act on multiple vulnerabilities, select their checkboxes and click Ignore Selected or Resolve Selected
  3. In the modal, your selection is pre-applied. Enter mandatory justification text for each vulnerability
  4. Confirm the action

To restore previously resolved or ignored technology vulnerabilities, click the Restore button to open the Restore Technology Vulnerabilities modal. The modal lists all removed technology vulnerabilities across your tenant. All items are pre-selected by default. Uncheck any items you want to exclude, then confirm to restore the selected vulnerabilities to the active list. The modal displays each item's BOM name, source, severity, the user who removed it, and the reason for removal as a read-only field.

Best Practices

  • Document comprehensive justifications when resolving or ignoring vulnerabilities to support future audits and compliance reviews.
  • Establish a consistent process for reviewing and reapplying attestations after model rescans to maintain accurate vulnerability tracking.
  • Use the Resolved Vulnerabilities tab and the Restore modals regularly to audit past decisions and restore items if circumstances change.
  • Coordinate vulnerability management activities across your security team to maintain clear accountability and avoid duplicate efforts.