Big Cranium Logo White.png
TrainingHelp Center
Find the insights and best practices about our product.
General
FAQs
System & Network Requirements
Getting Started
My AI Dashboard Overview
Release Notes
2026.4.2 Release Notes
2026.4.1 Release Notes
2026.3.1 Release Notes
2026.2.2 Release Notes
2026.2.1 Release Notes
2026.1.1 Release Notes
2025.12.1 Release Notes
2025.11.1 Release Notes
2025.10.3 Release Notes
2025.10.1 Release Notes
2025.9.1 Release Notes
2025.8.1 Release Notes
2025.7.1 Release Notes
2025.4.1 Release Notes
2025.3.1 Release Notes
2025.1.1 Release Notes
2024.12.1 Release Notes
AI Manager
My AI Systems
My AI Systems Overview
AI System Details Overview
Adding a New AI System
Self-Attesting to a Compliance Framework
Compliance Scoring
Compliance Agent [Beta]
My AI Supply Chain
Supply Chain Overview
Managing Outgoing AI Card Requests
Responding to an AI Card Request
Publishing an AI Card Without a Request
My Vendors Overview
Artifacts
Bill of Materials
Bill of Materials Overview
Creating a Bill of Materials with CodeSensor
Self-Attest to a Bill of Materials
AgentSensor Overview
Technology Search Overview
Document Library
Document Library Overview
Vulnerability Management
Arena Shield
Arena Shield Overview
Shield YAML Implementation Guide
Arena
AI Arena Overview
Vulnerability Assessment
Vulnerability Management
Vulnerability Assessment Overview
Accessing a Vulnerability Assessment
Adversarial Inputs Detector
Vulnerabilities Overview
Settings
User Manager Overview
Detect AI
Integrations
Accessing a Private VCS
Registering SSH for CodeSensor
Integrating Bitbucket with Cranium
Integrating GitHub with Cranium
Integrating GitLab with Cranium
Integrating Azure DevOps with Cranium
Continuous Monitoring Overview
VCS Service Rate Limits
CloudSensor
CloudSensor Overview
Public API
Public API Overview
Authentication & Generating Credentials
Pagination & Incremental Sync
Rate Limits & Error Handling
Endpoint Reference
Bills of Materials
Technology Vulnerabilities
Arena Models
Arena Model Vulnerabilities
Home
Vulnerability Manage...
Vulnerability Assess...
Vulnerabilities Over...
Vulnerabilities Overview

Introduction

The Vulnerabilities page provides a tenant-wide view of security findings across all Bills of Materials and Arena-tested models in your organization. Unlike a Vulnerability Assessment, which represents the findings for a single Bill of Materials, this page aggregates vulnerability data from every assessment in your tenant into a single interface. Use it to monitor risk exposure at scale, identify the most vulnerable models and technologies across your AI inventory, and take remediation action without navigating to individual assessments.

Navigate to the Vulnerabilities page by selecting Artifacts in the navigation drawer, then Vulnerabilities.

Models Tab

The Models tab displays all Arena-tested models with vulnerabilities detected across your tenant. Enable the Show Severity Statistics toggle to display the Severity Statistics module, which sows the total count of models with vulnerabilities and a breakdown of that count by severity level: Critical, High, Medium, Low, and Unknown.

The table displays each model's BOM name, model name, detection timestamp, Vulnerability Likelihood score, Vulnerable Attack Categories, and available actions. Model Name and Actions are locked in place. All other columns can be reordered or hidden using the Customize Table control. Filter the table by model name, severity, AI System, or Bill of Materials using the search bar and Filters controls.

The model name links directly to the model's details in the Arena. The Vulnerable Attack Categories column shows a colored severity tag representing the highest severity category detected for that model, along with the count of categories at that severity level. For example, a tag reading MEDIUM (2) indicated two medium-severity vulnerable attack categories. Additional categories at lower severity levels appear as hyperlinks beside the tag.

The Remove Model Vulnerable Attack Categories modal can be opened from the Vulnerable Attack Categories column or the Actions column. Clicking a severity tag or a lower-severity hyperlink in the Vulnerable Attack Categories column opens the modal filtered to the selected severity. Clicking the Resolve Vulnerabilities button in the Actions column opens the modal with all attack categories for the model, regardless of severity. The modal displays the attack categories with Ignore and Resolve columns, a Remediation Guidance column, and a mandatory Reason field for each selection. Remediation guidance appears truncated in the column. Hover over an entry to view the full text. Categories that do not yet have remediation guidance display a dash.

If any attack categories have been resolved, a "# Resolved" hyperlink also appears in the Vulnerable Attack Categories column. Clicking the hyperlink opens the Restore Model Vulnerable Attack Categories modal, which lists the resolved attack categories for that model. Select the items you want to restore using the checkboxes and confirm the action. The reason for removal is displayed as a read-only field. The current release provides category-level guidance applicable to all model types. For detailed steps on resolving and ignoring vulnerabilities, see the Vulnerability Management article.

Technologies Tab

The Technologies tab displays all technology vulnerabilities detected across your tenant. Enable the Show Severity Statistics toggle to display the Severity Statistics module, which shows the total count of technology vulnerabilities and a breakdown by severity level.

The table displays the BOM name, AI System name, CVE, source, detection timestamp, description, CVSS score, severity, identifier, version, and available actions. Source and Actions columns are locked in place. All other columns can be reordered or hidden using the Customize Table control. Filter the table by severity, AI System, or Bill of Materials using the Filters control.

The Identifier links to the associated entry in the OSV database. Hover over the info icon in the Version column to see the version in which the vulnerability was fixed.

Each row includes individual Ignore and Resolve buttons. To act on multiple vulnerabilities at once, select their checkboxes and use the Ignore Selected or Resolve Selected buttons. For detailed steps on resolving and ignoring vulnerabilities, see the Vulnerability Management article.

Restoring Technology Vulnerabilities

The Restore button opens the Restore Technology Vulnerabilities modal, which lists all previously resolved or ignored technology vulnerabilities. All items are pre-selected by default. Uncheck any items you want to exclude, then confirm to restore the selected vulnerabilities to the active list. Restoring a vulnerability returns it to your total vulnerability count and includes it in future scans. The modal displays each item's BOM name, source, severity, the user who removed it, and the reason for removal as a read-only field. The Restore Technology Vulnerabilities modal is only available when previously resolved or ignored technology vulnerabilities exist.

Exporting Vulnerability Reports

Click the Export Vulnerabilities button to open the export modal. Select Export all data to export all vulnerabilities from the active tab, or Export filtered data to limit the export to your current filters. Click Export to trigger the download. A confirmation message appears indicating the file will be available in the Document Library once complete. Exporting from the Models tab produces a CSV of model vulnerabilities. The CSV includes a Remediation column with category-level mitigation guidance for each finding. Exporting from the Technologies tab produces a CSV of technology vulnerabilities.

Attaching the Report to an AI System

Once the export is available in the Document Library, navigate to the AI System Details page for the relevant AI System and click Add Artifacts. Select Document Library and choose the report to attach it to the AI System.

Attaching the Report to an AI Card

Once the report is attached to an AI System, it becomes available as an artifact during AI Card publishing. Select it from the Additional Documentation dropdown when configuring the AI Card.

Did this answer your question?
Related Articles
Technology Search Overview