CRML

CRML is an open-source declarative language for cyber risk modeling. It helps teams define, validate, and exchange quantified risk models in YAML or JSON, with support for different simulation engines.

Overview

CRML (Cyber Risk Modeling Language) is an open-source declarative language for cyber risk modeling. It is designed to represent cyber risk models in YAML or JSON, with explicit descriptions of scenarios, telemetry mappings, simulation pipelines, dependencies, and output requirements.

The project positions CRML as a way to make quantified cyber risk work more repeatable and auditable across teams. It supports a Risk as Code approach, where assumptions, mappings, and model outputs are versioned and validated instead of being trapped in spreadsheets or proprietary tools.

Key features

Declarative model definition

Describe scenarios, telemetry mappings, simulation pipelines, dependencies, and output requirements in a YAML or JSON format instead of spreading assumptions across spreadsheets or slides.

Risk as Code workflow

Treat risk assumptions as versioned artifacts that can be reviewed, validated, and executed consistently across teams and tools.

Control effectiveness modeling

Model controls such as defense-in-depth and quantify how they reduce risk, rather than limiting analysis to static control lists.

Quantified risk parameterization

Build quantified models with median-based parameterization, multi-currency support with automatic conversion, and auto-calibration from loss data.

Strict validation

Validate models with JSON Schema before simulation so structural errors are caught early.

Implementation-agnostic execution

Run the same CRML documents on different compliant engines, which keeps the model separate from any one simulation implementation.

Common use cases

  • Versioned risk models in Git

    Use CRML to define cyber risk scenarios, assumptions, and outputs in a reviewable format that can live in source control alongside other operational code.

  • Quantified control analysis

    Model control effectiveness and defense-in-depth assumptions when you need to understand how security controls change expected outcomes.

  • Portable engine workflows

    Exchange the same model across FAIR-style Monte Carlo workflows, Bayesian or QBER engines, and other compliant runtimes without rewriting the source model.

  • Pre-simulation validation

    Validate model structure before running simulation jobs so issues in mappings, parameters, or outputs are caught earlier in the workflow.

  • Catalog-driven model maintenance

    Keep risk, control, and threat catalogs versioned separately from model logic so framework changes can be handled by updating mappings rather than rebuilding the whole model.

Pros and Cons

Pros

  • Provides a structured, human-readable way to define cyber risk models.
  • Supports both YAML and JSON for model authoring and exchange.
  • Includes schema validation to catch model issues before simulation.
  • Keeps models engine-agnostic, which helps separate model logic from runtime implementation.
  • Covers practical quantified-risk needs such as control effectiveness, median-based parameters, and multi-currency modeling.

Cons

  • The repository says the project is in draft status and under heavy development, so the API and behavior may change.
  • Supported workflows depend on compliant simulation engines, so CRML is a modeling language rather than a full risk platform by itself.

FAQ

What is CRML used for?

CRML is a declarative language for describing cyber risk models in YAML or JSON. The repository also ships a reference runtime and CLI through `crml-engine`, plus a browser UI called CRML Studio for validation and simulation.

What kinds of risk models can CRML support?

The source describes CRML as engine-agnostic and compatible with different quantification approaches, including FAIR-style Monte Carlo engines, Bayesian/QBER models, and other compliant simulation engines.

What packages does the repository provide?

The repository states that `crml-lang` provides language/spec models, schema validation, and YAML I/O, while `crml-engine` provides the reference runtime and `crml` CLI. The web UI is under `web/` and is described as CRML Studio.

How do you install it?

Installation guidance in the repository says to install `crml-engine` if you want the CLI, or `crml-lang` if you only need the language library.

Is CRML stable enough for production use?

The project page says the codebase is under heavy development and may change without notice, and points readers to the `crml-dev-1.3` branch for the latest work in progress.

Quick Facts

Category: Developer Tool
Primary use: Cyber risk modeling
Formats: YAML, JSON
Packages: `crml-lang`, `crml-engine`
Project status: Draft / heavy development
Source domain: github.com