
CRML

CRML is a declarative language for writing cyber risk as code

2026-02-09

Product Introduction

  1. Definition: CRML (Cyber Risk Modeling Language) is an open-source, declarative YAML/JSON-based language for standardizing cyber risk quantification models. It falls under the technical category of domain-specific languages (DSLs) for cybersecurity risk management.
  2. Core Value Proposition: CRML enables "Risk as Code" (RaC), transforming risk assumptions into version-controlled, engine-agnostic artifacts. It solves interoperability issues across quantification methods (FAIR, QBER, actuarial), control frameworks (NIST, CIS, MITRE ATT&CK), and simulation engines.

Main Features

  1. Declarative Scenario Modeling:

    • How it works: Users define risk scenarios (e.g., data breaches, ransomware) using probabilistic distributions (lognormal, Poisson) in YAML. Parameters like median and sigma directly specify loss magnitudes and frequencies.
    • Technology: Built on JSON Schema validation with Python/TypeScript tooling (crml-lang package). Supports multi-currency inputs (e.g., median: "250 000" together with currency: USD).
  2. Control Effectiveness Quantification:

    • How it works: Maps security controls (e.g., MFA, encryption) to threat mitigation via effectiveness_against_threat ratios (0–1 scale). Models defense-in-depth through additive/multiplicative relationships.
    • Technology: Integrates with catalogs like SCF (Security Control Framework) via scf-import-catalog CLI for Excel-to-CRML conversion.
  3. Engine-Agnostic Execution:

    • How it works: CRML documents decouple model logic from simulation runtimes. The reference engine (crml-engine) runs Monte Carlo simulations, but any compliant engine (Bayesian, actuarial) can parse CRML.
    • Technology: Python-based runtime with parallel processing. Outputs metrics like EAL (Expected Annual Loss) and ALE.
  4. Framework Interoperability:

    • How it works: Supports OSCAL (Open Security Controls Assessment Language) for compliance mapping and SCF for control taxonomy alignment.
    • Technology: UUID-based asset/control identifiers and versioned catalog imports (e.g., datasets/CIS_v8.yaml).
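To make features 1 to 3 concrete, here is an added example (not code from the CRML project) that runs a small Monte Carlo over a scenario written in the CRML spirit: Poisson event frequency, lognormal loss magnitude given as median/sigma, and controls scored with effectiveness_against_threat. Everything except those key names is an assumption, including the choice to combine controls multiplicatively and apply the residual factor to event frequency; the analytic expected annual loss is computed alongside so the simulation can be checked.

```python
"""Compound Poisson / lognormal Monte Carlo over a CRML-style scenario (added example)."""
import math
import random

# Constructed scenario. Only median, sigma, currency and
# effectiveness_against_threat are key names taken from the page; the rest of
# the layout is assumed, not the real CRML schema.
SCENARIO = {
    "name": "data-breach (constructed)",
    "frequency": {"distribution": "poisson", "lambda": 0.5},        # events per year
    "magnitude": {"distribution": "lognormal", "median": 250_000,
                  "sigma": 0.8, "currency": "USD"},
    "controls": [
        {"id": "mfa", "effectiveness_against_threat": 0.6},
        {"id": "encryption", "effectiveness_against_threat": 0.3},
    ],
}

def residual_factor(controls):
    """Multiplicative defense-in-depth (assumed model): each control blocks its share."""
    factor = 1.0
    for ctl in controls:
        eff = ctl["effectiveness_against_threat"]
        if not 0.0 <= eff <= 1.0:
            raise ValueError(f"{ctl['id']}: effectiveness must be on a 0-1 scale")
        factor *= 1.0 - eff
    return factor

def analytic_eal(scenario):
    """Closed form: lambda_residual * E[lognormal] = lambda * median * exp(sigma^2 / 2)."""
    lam = scenario["frequency"]["lambda"] * residual_factor(scenario["controls"])
    mag = scenario["magnitude"]
    return lam * mag["median"] * math.exp(mag["sigma"] ** 2 / 2.0)

def sample_poisson(rng, lam):
    """Inverse-transform Poisson draw; adequate for the small rates used here."""
    u, k, p = rng.random(), 0, math.exp(-lam)
    cdf = p
    while u > cdf:
        k += 1
        p *= lam / k
        cdf += p
    return k

def simulate_eal(scenario, iterations=20_000, seed=7):
    """Monte Carlo estimate of expected annual loss after controls."""
    rng = random.Random(seed)
    lam = scenario["frequency"]["lambda"] * residual_factor(scenario["controls"])
    mag = scenario["magnitude"]
    mu, sigma = math.log(mag["median"]), mag["sigma"]   # lognormal median -> mu
    total = 0.0
    for _ in range(iterations):
        events = sample_poisson(rng, lam)
        total += sum(rng.lognormvariate(mu, sigma) for _ in range(events))
    return total / iterations
```

Comparing simulate_eal against analytic_eal is the sanity check a reviewer would want before trusting an engine's output; the two should agree to within a few percent at 20 000 iterations.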

Problems Solved

  1. Pain Point: Siloed risk models trapped in spreadsheets or proprietary tools, hindering auditability and reproducibility. CRML’s Git-friendly YAML enables versioning, peer review, and CI/CD integration.
  2. Target Audience:
    • Cybersecurity Architects (designing control frameworks)
    • GRC (Governance, Risk, Compliance) Analysts
    • Cyber Risk Quantification (CRQ) Engineers
    • Insurers and Financial Auditors
  3. Use Cases:
    • Justifying security investments via cost/benefit simulations.
    • Generating audit-ready evidence for regulatory compliance (e.g., SEC, DORA).
    • Standardizing risk reporting across business units or supply chains.

Unique Advantages

  1. Differentiation: Unlike proprietary CRQ platforms (e.g., RiskLens, Kovrr), CRML is framework-agnostic and open-source. It avoids vendor lock-in while supporting FAIR, QBER, and custom engines.
  2. Key Innovation:
    • Auto-Calibration: Converts historical loss data into distribution parameters.
    • Portfolio Modeling: Aggregates organizational risk via crml_portfolio documents.
    • Telemetry Mappings: Links model inputs to SIEM/observability data sources.

Frequently Asked Questions (FAQ)

  1. How does CRML compare to FAIR analysis?
    CRML is not a replacement for FAIR but a standardized implementation format for FAIR (and other) models. It encodes FAIR’s frequency/severity distributions in reusable YAML.

  2. Can CRML model defense-in-depth for security controls?
    Yes, it quantifies cumulative control effectiveness via explicit relationships (e.g., requires or enhances dependencies between controls), calculating residual risk after layered mitigations.

  3. What engines support CRML besides the reference runtime?
    CRML’s schema allows integration with any simulation engine. Community-driven adapters exist for Bayesian networks (QBER) and actuarial platforms.

  4. Is CRML suitable for small businesses?
    Absolutely. Prebuilt examples (examples/scenarios/data-breach-simple.yaml) and the CRML Studio web UI lower entry barriers for resource-constrained teams.

  5. How does CRML handle framework updates like new MITRE ATT&CK techniques?
    Version-controlled catalogs (risk/catalogs/) and automated mappings (risk/mappings/) ensure models stay current. The validate command checks catalog compatibility.
