SANKET SARKAR

24d ago

Vision for CRML

Cyber risk today is mostly documented in spreadsheets, PDFs, and slide decks, formats that are hard to version, automate, or integrate with tooling.

CRML (Cyber Risk Modeling Language) aims to represent cyber risk as structured, machine-readable models instead of documents. This allows risk scenarios to be version-controlled, generated by tools, and executed through simulations.

SANKET SARKAR

2mo ago

CRML - CRML is a declarative language for writing cyber risk as code

We have infrastructure as code and network as code, but don't have anything like Risk as Code. CRML is an open, declarative, engine-agnostic and Control / Attack framework–agnostic Cyber Risk Modeling Language. It provides a YAML/JSON format for describing cyber risk models, telemetry mappings, simulation pipelines, dependencies, and output requirements — without forcing you into a specific quantification method, simulation engine, or security-control / threat catalog.

SANKET SARKAR

24d ago

CRML Code - The AI CLI for CRML practitioners.

CRML Code is an AI-powered CLI that brings CRML to practitioners who don’t want to write YAML. Give it a company name, vulnerability scan, or simple prompt, and it automatically generates structured CRML scenarios. It resolves organizational context, builds realistic cyber risk models, and runs large-scale simulations to produce financially grounded risk insights and control impact analysis.

Shaikh Dastagir

2mo ago

Cyber risk is finally getting the “as-code” treatment — and it’s about time.

We've standardized infrastructure, deployments, and networks using code, but risk has largely remained trapped in spreadsheets, static registers, and fragmented tooling. CRML feels like a strong step toward making cyber risk portable, machine-readable, and automation-ready.

What stands out is the framework-agnostic approach. Organizations today don't operate in a single control universe; they juggle ISO, NIST, CIS, regulatory mandates, and internal models. A declarative layer that can sit above these and enable simulation, telemetry mapping, and quantification could significantly improve how leaders understand and act on cyber exposure.

Excited to see where this goes, especially the possibilities around integrating risk models into real-time decision systems and bridging the gap between security operations and business risk.