We have infrastructure as a code, network as a code but dont have anything as Risk As a Code. CRML is an open, declarative, engine-agnostic and Control / Attack framework–agnostic Cyber Risk Modeling Language. It provides a YAML/JSON format for describing cyber risk models, telemetry mappings, simulation pipelines, dependencies, and output requirements — without forcing you into a specific quantification method, simulation engine, or security-control / threat catalog.
We ve standardized infrastructure, deployments, and networks using code, but risk has largely remained trapped in spreadsheets, static registers, and fragmented tooling. CRML feels like a strong step toward making cyber risk portable, machine-readable, and automation-ready.
What stands out is the framework-agnostic approach. Organizations today don t operate in a single control universe they juggle ISO, NIST, CIS, regulatory mandates, and internal models. A declarative layer that can sit above these and enable simulation, telemetry mapping, and quantification could significantly improve how leaders understand and act on cyber exposure.
Excited to see where this goes especially the possibilities around integrating risk models into real-time decision systems and bridging the gap between security operations and business risk.
