AiVRIC Academy
Program Guide

CRPM Training Program

The CloudSignals+RiskOps Continuous Risk Posture Management (CRPM) training program equips provider teams, provider administrators, and security practitioners with the knowledge and workflows to launch, operate, and scale a CloudSignals-powered risk management service.

3 courses ~2.5 hrs total Provider + Practitioner tracks Self-paced & instructor-led

Program overview

CRPM is not a single compliance posture check — it is an operational discipline that requires continuous execution across five linked stages: asset inventory, findings triage, business process mapping, risk treatment, and governance closure. For white-label providers, CRPM also requires a second operational layer: managing the platform itself, onboarding clients, configuring entitlements, and running a repeatable support and reporting process.

This training program addresses both layers:

Provider layer

How to stand up, operate, and grow a CloudSignals-powered service. Covers launch phases, client onboarding, GRC administration, RiskOps entitlements, branding, and operating cadence.

Practitioner layer

How to execute the end-to-end RiskOps flow inside a CloudSignals tenant — assets, findings, business processes, treatments, and governance — as a repeatable operational process.

CloudSignals+RiskOps — Live app Expand CloudSignals Command Center dashboard showing posture threat score, active findings by severity, threat map with global signal coverage, and control plane activity panels
CloudSignals+RiskOps — the platform this training program teaches. Every course in the CRPM program maps to a specific workflow visible from this command center: assets, findings, risk governance, treatments, and governance closure.
How to use this guide: Program managers and training leads should read this document first. Individual learners should go directly to the Learning Paths section to find their recommended course sequence, then start with the first course in their path.

Audience guide

The CRPM program serves four primary audience groups. Use the table below to route individuals to the correct courses before training begins.

AudienceRole examplesRecommended coursesEst. time
Provider launch team Provider admin, operations lead, delivery manager, client success manager Provider Onboarding Foundations → Provider Admin & CRPM Ops → Getting Started with RiskOps ~2.5 hrs
Provider administrator IT/platform admin, tenant owner, GRC admin, support lead Provider Admin & CRPM Ops → Getting Started with RiskOps ~1.75 hrs
Provider operator Security analyst, cloud risk analyst, GRC analyst, compliance specialist Provider Onboarding Foundations (Modules 4–6 only) → Getting Started with RiskOps ~1.25 hrs
Client practitioner Security engineer, risk owner, compliance analyst, CISO/vCISO Getting Started with RiskOps ~45 min

Curriculum map

The program consists of three courses, designed to be taken in sequence within each learning path. Each course is self-contained and may also be taken independently based on role.

P1
The provider operating model, launch phases, branding, client onboarding workflow, findings quality, and reporting cadence. Builds the foundation for operating CloudSignals as a provider service.
~45 min
6 modules
Provider team
P2
Provider Console administration, client lifecycle management, branding configuration, GRC Administration (managed entities, GRC users), RiskOps entitlement control, AI configuration, and operating cadence.
~60 min
7 modules
Admin

Module index

The following table maps every module across all three courses, its learning objective, and the role it is most relevant to.

CourseModulePrimary learning objectiveAudience
P11 — The Provider ModelUnderstand what a white-label provider tenant is, the core role hierarchy, and where responsibility liesAll provider staff
P12 — Launch PhasesExecute the five launch phases from tenant readiness through operational rolloutProvider admin, delivery lead
P13 — Branding & Portal SetupComplete the branding checklist and verify a client-ready portalProvider admin
P14 — Client Onboarding WorkflowFollow the nine-step workflow to connect a client environment and validate the first scanProvider operator
P15 — Operating Findings & Risk RegisterTriage findings to the correct disposition and populate the Risk Register with business contextProvider operator
P16 — Reporting & Client ReviewsPlan and deliver client-facing operating reviews at the correct cadenceProvider operator, client success
P21 — Provider ConsoleNavigate and use the Provider Console dashboard as a daily operations toolProvider admin
P22 — Client Lifecycle ManagementManage clients across all lifecycle states from onboarding through offboardingProvider admin
P23 — Branding AdministrationConfigure, publish, and validate provider branding including logo, colors, and light/dark modeProvider admin
P24 — GRC AdministrationCreate managed entities and GRC users in the correct order and maintain entity associationsGRC admin
P25 — RiskOps EntitlementEnable or disable RiskOps for a tenant and verify the expected navigation and GRC behavior after each state changeProvider admin
P26 — AI ConfigurationDistinguish Vision AI from GRC AI, configure both areas, and validate each independentlyProvider admin, GRC admin
P27 — Operating Cadence & QualityRun the daily, weekly, monthly, and quarterly admin review rhythms and apply provider quality standardsProvider admin
R11 — Asset InventoryUnderstand the role of assets as the anchor for the risk chain and identify ownership gapsAll
R12 — Findings TriageDisposition every Critical and High finding using the Remediate / Mitigate / Accept frameworkAll
R13 — Business Process MappingCreate business process records, link supporting assets, and close mapping gapsRisk owner, GRC analyst
R14 — Treatment PlanningCreate treatment plans for every dispositioned finding with an owner, type, and target dateRisk owner, security analyst
R15 — Governance & ClosureWork the pending decisions queue and establish a recurring governance approval cadenceRisk owner, provider admin

Learning paths

Three defined learning paths route learners through the curriculum based on their role and time horizon.

Provider Launch Path
For: Provider admin, delivery manager, client success lead • ~2.5 hrs • Complete before go-live
P1 Provider Onboarding Foundations
P2 Provider Admin & CRPM Ops
R1 Getting Started with RiskOps

Take all three courses in sequence before the first client onboarding. P1 and P2 establish the provider operating model; R1 builds the practitioner capability needed to operate findings and risk workflows with and for clients.

Provider Admin Path
For: Platform admin, GRC admin, support lead • ~1.75 hrs • Complete within first week
P2 Provider Admin & CRPM Ops
R1 Getting Started with RiskOps

Start with P2 to master the Provider Console, GRC Administration, and RiskOps entitlement controls. Follow with R1 to understand the operational risk workflows your users will run — required context for effective support and escalation.

Practitioner Path
For: Security analyst, risk owner, GRC analyst, client practitioner, vCISO • ~45–75 min • Complete before first triage session
R1 Getting Started with RiskOps
(Optional) P1 Modules 4–6

Start with R1 for the end-to-end practitioner RiskOps flow. Provider-side operators may also want P1 Modules 4, 5, and 6 for findings quality and reporting context — especially if they present results directly to clients.

Prerequisites

For all courses

For P2 — Provider Admin & CRPM Operations

For R1 — Getting Started with RiskOps

Delivery guide

Self-paced delivery

All courses are available as self-paced HTML training on this Academy. Each course includes interactive checklists, knowledge check quizzes, and a progress bar that persists across sessions via browser storage. Learners can complete modules across multiple sessions.

Recommended self-paced schedule:

Instructor-led delivery (90-minute format)

For provider launch training events, the following 90-minute agenda covers the most critical operational content from all three courses:

SegmentContentTime
WelcomeProgram overview, learning path for audience, what to expect from today.5 min
Provider modelP1 Module 1 — White-label tenant, roles, responsibilities, where the boundaries are.10 min
Launch phasesP1 Module 2 — Five phases, first 30-day plan, what "ready" looks like per phase.10 min
Admin demoP2 Modules 1–3 — Provider Console live walk, branding publish, client record creation.15 min
GRC & RiskOps adminP2 Modules 4–5 — Managed entity setup, GRC user creation, RiskOps entitlement toggle.10 min
RiskOps practitioner flowR1 Modules 1–5 — Full RiskOps chain demonstration in live or demo tenant.20 min
Client onboarding & findingsP1 Modules 4–5 — Connect an environment, triage findings, Risk Register entry.10 min
Q&A and next stepsOpen questions. Each attendee confirms their learning path and next action.10 min

Hands-on exercises (post-training)

After completing training, each attendee should execute the following exercises in their assigned tenant:

  1. Confirm sign-in and verify their role grants correct navigation access.
  2. Review the Provider Console dashboard and identify the RiskOps module state.
  3. Verify or update branding in light and dark mode.
  4. Create one managed entity for a pilot client.
  5. Create one GRC user and associate them to the managed entity.
  6. Run a scan on the pilot client environment and review findings.
  7. Triage three findings using the Remediate / Mitigate / Accept framework.
  8. Create one treatment plan for a Critical or High finding.
  9. Process one pending governance decision.
  10. Prepare a one-page client findings summary and confirm the report format.

Training success metrics

Use the following metrics to assess training effectiveness and identify gaps that need reinforcement.

MetricTargetHow to measure
Course completion rate100% of launch team completes P1 and P2 before go-live; 100% of operators completes R1 before first client scanAcademy progress bar; completion certificate download
Time to first client scanWithin 5 business days of provider tenant provisioningProvider Console scan history
Findings triage rate — Week 1All Critical findings triaged within 24 hours of first scanFindings queue; pending decisions count
Managed entity completenessAt least one managed entity per client, with assigned owner, before first client reviewGRC Administration — Managed Entities list
Treatment plan coverageAll Critical findings have a treatment plan before first governance reviewRiskOps — Treatments
First client review deliveryWithin 7 days of initial scanReport distribution log; client confirmation
Quiz pass rate (knowledge checks)Correct answer on first attempt >80% across all modulesModule quiz results
Support escalation rate — Month 1No more than one platform escalation per provider per week after go-liveSupport case log

Resources and reference

Provider Onboarding
Foundations

Provider model, launch phases, client onboarding, findings quality, reporting cadence.

Start course →

Provider Admin &
CRPM Operations

Provider Console, GRC Admin, RiskOps entitlement, AI config, operating cadence.

Start course →

Getting Started
with RiskOps

Asset inventory, findings triage, business process mapping, treatments, governance.

Start course →

CloudSignals Platform
Guide

Full reference documentation including connector setup, compliance mapping, and API reference.

Open guide →

Connector Setup

Step-by-step instructions for connecting AWS, Azure, GCP, Kubernetes, GitHub, and more.

View connectors →

Support

Live working sessions, guided setup, and escalation to AiVRIC for platform issues.

Get support →
Training content updates: Course content is reviewed when major product changes are released. If you find content that doesn't match the current platform experience, contact support@aivric.com with the page and section.