We have infrastructure as a code, network as a code but dont have anything as Risk As a Code. CRML is an open, declarative, engine-agnostic and Control / Attack framework–agnostic Cyber Risk Modeling Language. It provides a YAML/JSON format for describing cyber risk models, telemetry mappings, simulation pipelines, dependencies, and output requirements — without forcing you into a specific quantification method, simulation engine, or security-control / threat catalog.
CRML
I was looking for a cyber risk engine to incorporate in our platform. I was surprised to see that there does not exist one in the entire internet. I went deep to understand, why it does not exist. Then I figured out its because, there is no way someone can write the cyber risks in a machine readable format. There is no declaritive language for this. Thats when I thought of creating this.
CRML started from dozens of messy, real conversations with security leaders, risk teams, and CISOs who kept telling us the same thing:
“We have frameworks… but when the board asks a decision question, we still scramble.”
CRML is our attempt to change that.
It turns scattered assumptions, spreadsheets, and narratives into structured, executable cyber-risk models — so teams can reason about scenarios, trade-offs, and investments with actual clarity instead of gut feel.
We’re launching CRML first because modeling is the foundation. Before dashboards, or automation… organizations need a clean way to think about risk.
We’d genuinely love your feedback:
• What’s broken today in cyber risk analysis?
• Where do models fall apart in practice?
• What would make this actually useful in your day-to-day work?
We’re here in the comments all day — fire away.
@faux16 Great initiative. The hardest part of risk is usually the 'human factor.' If CRML can help us structure behavioral risk as clearly as technical vulnerabilities, it will be a massive win for the industry.
CRML
@soubangi_rajkhowa Thats a good suggestion. We will work on it.
@soubangi_rajkhowa
Hey, I'm the co-author of the project. Just wanted to say that CRML can already do this today.
We have a control and scenario centric approach, which means you can easily create a behavior based (or behavior + technical vuln) scenario and then specify which controls are in place, which could mitigate this scenario. And the best is that scenarios are interchangeable. So researchers could publish scenarios everyone can then calibrate with the controls they have in place and their specific attack surface. :)
CRML
@soubangi_rajkhowa @jens_attenberger I think the angle that she is trying to put here is the emotional, and mental state of things. As we speak, this thing is becoming an important factor on how people make decisions now
@soubangi_rajkhowa @faux16 Ohhh! I see.
Hm. I think unless we start giving everyone psychological questionnaires, it is extremely hard to quantify or judge the emotional/mental state of people. Also you would need the data about e.g. how depression or stress/burnout affect the financial risk of an organization. Maybe I don't quite understand it, but that seems very abstract. On the other hand I believe security culture in organizations can be determined and quantified through the lack of controls, which is something we can represent with CRML.
Congrats on your launch guys!
CRML
@cathcorm Thank You So much
Risk models living in spreadsheets means every assumption is implicit and nobody can diff them. CRML putting FAIR Monte Carlo and Bayesian modeling into the same YAML spec makes those assumptions versioned and reviewable, which is what most GRC tools still don't do. The real test is whether security teams adopt the spec or keep building bespoke models in Python notebooks.
CRML
@piroune_balachandran Absolutely on point. Its on all of us in the community to spread it and help them adopt it maybe. The initial adaoption will be a friction for sure but once they get the hang of it, I feel they would love it.
@faux16 Any example CRML specs in the repo to fork? That'd lower the adoption curve fast.
CRML
@piroune_balachandran Here you can find the examples: Faux16/crml at crml-dev-1.3
If you want to understand what they all mean, best read the docu.
But TLDR is: all those different document types are being merged into portfolio bundles.
So an engine is executing portfolio bundles.
I think this example is the best to get an overview: crml/examples/portfolio_bundles/portfolio-bundle-documented.yaml at crml-dev-1.3 · Faux16/crml
Migma AI
The "Risk as Code" approach is brilliant - moving from spreadsheets to Git-versioned YAML/JSON solves so many problems with audit trails and collaboration. CISOs struggle to give boards concrete answers because risk models are scattered across different tools and people's heads. Making it declarative and engine-agnostic means you're not locked into one framework. How does CRML handle sensitivity analysis? When boards ask "what if X happens", can you fork the model and compare scenarios side by side?
CRML
@adam_lab Thank you for the appreciation. To answer the query, yes that can absolutely be done.
@adam_lab I might add, you can even do that in CRML Studio (The web interface). You can click your scenarios together there. It's like a building kit. Direct side by side could easily be added but I believe it makes more sense to use an IDE and diffs for that.
This is so good. Exactly what I needed.
CRML
@jaydev13 Glad to know that. Would be great if you could share, how this will help you?
Congrats on the launch!
The engine-agnostic nature of CRML is a huge plus.
I have a quick question regarding the workflow: risk managers are often more comfortable with spreadsheets or GRC tools than with code.
Do you have plans for a visual editor or a UI that translates these declarative models into something more 'board-room friendly'?
Love the open-source approach.
Good luck!
@new_user___04120267fd9236e85e61ea1 That's already part of the repo. We call the web interface CRML studio and it's mainly a demonstration as of now, but it absolutely could be utilized in board rooms as it is.
Congratulations on the launch! At what stage of development does this solution work? During the coding process? It would be interesting if the service could immediately recommend the correct architecture for ensuring security, even at an early stage of development, possibly just after describing the idea.
@mykyta_semenov_ Thank you. But I am afraid you misunderstood the concept.
It is not a service in the sense you described it, but rather a foundation which enables the creation of services.
Let me put it this way:
The CRML language is comparable to a contract. Let's compare it with the format of a Dockerfile.
Someone sat down and created a "language contract", so people are able to describe containers in a certain format.
If you run docker build on the same docker file, you will always get the same container.
Every Dockerfile needs to contain certain content for this to work and the format needs to be standardized.
But a Dockerfile itself does nothing, without the Docker engine, executing it.
Same with CRML.
The CRML engine does things with CRML files, which describe threat scenarios, your assets, controls, the threat landscape, how controls affect scenarios and so on. Basically all information you need for cyber risk modelling.
We ship the project with a reference engine, but you could build your own.
Same as the docker engine, podman or kaniko can all interpret Dockerfiles, everyone is free to apply their own math and build their own engines with their own models to interpret the same risk data.
So it is not a solution in a development/project pipeline but it could be fed information about a project (e.g. vulnerabilities, assessment/audit results) and then model the financial security risk for the organization.
I hope that helps to understand the project better.
If you want to dive deeper, I recommend this documentation: crml/wiki/Concepts/Architecture.md at main · Faux16/crml
@jens_attenberger Thanks for the detailed explanation, I’m not that technical. Security is more of a theoretical field for me. I’ve long had the idea to build a quick audit service, including security: you connect Git and the AI runs an audit based on predefined rules and provides recommendations. It would be like external port scanners or admin URL scanners, but with an intelligent approach powered by AI. If combined with standard external vulnerability scanners, it could become a highly востребованный service.
@mykyta_semenov_ No worries :)
I see. Yeah I think that is a very simplified view on the complexity we face in the field.
If it would be that simple, it would already exist and I'd be out of a job ;)
But it reminds me of services like Github advanced security, sonarqube, trufflehog, acunetix and defender for DevOps. They all have their place in a secure software development lifecycle and together, they basically do what you describe.
@jens_attenberger By the way, it’s believed that security specialists will be the last to be replaced by AI) For now, AI is taking jobs from regular programmers.