CRML is an open-source cyber risk modeling language that enables Risk as Code (RaC). It targets cybersecurity risk professionals, GRC analysts, and security architects who need to standardize and automate their risk models. The language uses a declarative YAML/JSON format to describe scenarios, telemetry mappings, simulation pipelines, and dependencies without forcing a specific quantification method or security framework. Its core value is portability: risk models become versioned, reviewable artifacts that can be validated and executed consistently across teams and tools. By treating risk as code, CRML brings software engineering practices like Git-based reviews and CI validation to cyber risk management.
Cyber risk models are often trapped in spreadsheets, slide decks, or proprietary tools, making them difficult to review, audit, and reproduce. Control effectiveness and defense-in-depth assumptions are documented inconsistently, leading to varying results by analyst and by quarter. Threat and control frameworks such as ATT&CK, CIS, NIST, and ISO change over time, and their mappings are brittle and rarely versioned. Quantification engines differ—FAIR-style Monte Carlo, Bayesian QBER, actuarial models—causing costly rewrites and reinterpretation. Audit-ready evidence is fragmented, with unclear provenance of model inputs and outputs. CRML addresses these pain points by standardizing the description of cyber risk models, so different engines and organizations can exchange and execute the same model with clear validation and traceability.
A major feature of CRML is control effectiveness modeling, which allows users to quantify how security controls reduce risk, including defense-in-depth effects. Users define controls with an effectiveness coefficient against a specific threat. For example, in a ransomware scenario, multi-factor authentication can be modeled with a 0.35 effectiveness reduction, reducing the frequency or severity of loss. This enables precise evaluation of security investments by comparing expected risk with and without controls. The feature also integrates with control catalogs like SCF, making mappings explicit and versioned. This approach supports evidence-based security spending and demonstrates risk reduction to auditors and executives.
CRML introduces median-based parameterization for lognormal distributions, allowing users to specify median values directly instead of mean or custom parameters. This aligns with how risk practitioners intuitively think about losses, as median is often easier to estimate from experience or data. Multi-currency support enables modeling across different currencies with automatic conversion, which is essential for global organizations. These features reduce ambiguity and improve reproducibility of risk calculations across regions and business units. The median parameterization also simplifies calibration when historical data is sparse, as a single median estimate with a reasonable sigma can produce meaningful distributions for simulation.
admin
Auto-calibration in CRML allows the language to calibrate loss distributions from actual loss data, using either a given sigma or deriving sigma from the data. This adapts models to empirical evidence, increasing their accuracy. Strict validation via JSON Schema catches structural errors before simulation, ensuring model integrity. The validation CLI command (`crml-lang validate`) can be integrated into CI pipelines, so every model change is automatically checked. This reduces manual review overhead and increases trust in the results. Additionally, the validation process produces clear error reports, helping users quickly fix issues and maintain model quality across many scenarios.
CRML follows a modular architecture with two core Python packages: `crml-lang` for language models and schema validation, and `crml-engine` for the reference runtime and CLI. A typical workflow involves creating CRML scenario or portfolio documents in YAML, validating them with `crml-lang validate`, and running simulations with `crml simulate`. The language supports frequency models like Poisson and severity models like lognormal, with optional controls. The reference engine uses Monte Carlo methods to compute loss distributions. Additionally, CRML Studio provides a web-based UI (Next.js) for visual validation and simulation. The entire process is code-driven, enabling integration into GitOps pipelines for automated testing and deployment of risk models.
A security architect can propose a new control program by updating CRML documents in a Git repository; the change is peer-reviewed with clear diffs, and CI validates each pull request. A GRC analyst can trace every risk metric back to a versioned model with explicit assumptions, simplifying audit responses. A quant team can run the same model across FAIR Monte Carlo and Bayesian engines without rewriting code, comparing results and identifying sensitivities. Organizations can exchange risk models with insurers or regulators in a standardized CRML format, replacing email chains with spreadsheets. These scenarios demonstrate how CRML makes cyber risk reproducible, comparable, and automatable.
CRML targets cybersecurity risk managers, GRC analysts, security architects, quantitative risk analysts, compliance officers, and insurance modelers. It is built for Python 3.9+ and distributed via PyPI as two packages: `crml-lang` and `crml-engine`. The web UI CRML Studio runs on Next.js. CRML is open source under the MIT License, currently in draft but actively developed by Zeron Research Labs and CyberSec Consulting LLC. It does not require any paid license, though enterprise support may be provided by the maintainers. The core takeaway: CRML standardizes cyber risk modeling, enabling Risk as Code that is portable, auditable, and ready for automation across diverse teams and tools.
Cybersecurity risk managers, GRC analysts, security architects, quantitative risk analysts, compliance officers, and insurance modelers who need to standardize and automate cyber risk modeling across teams. Also suitable for developers building risk quantification pipelines and DevOps teams integrating risk validation into CI workflows. CRML is designed for professionals who require reproducible, versioned risk models that can be executed by multiple simulation engines and audited by regulators.