Declarative model definition
Describe scenarios, telemetry mappings, simulation pipelines, dependencies, and output requirements in a YAML or JSON format instead of spreading assumptions across spreadsheets or slides.
Overview
CRML (Cyber Risk Modeling Language) is an open-source declarative language for cyber risk modeling. It is designed to represent cyber risk models in YAML or JSON, with explicit descriptions of scenarios, telemetry mappings, simulation pipelines, dependencies, and output requirements.
The project positions CRML as a way to make quantified cyber risk work more repeatable and auditable across teams. It supports a Risk as Code approach, where assumptions, mappings, and model outputs are versioned and validated instead of being trapped in spreadsheets or proprietary tools.
Key features
Risk as Code workflow
Treat risk assumptions as versioned artifacts that can be reviewed, validated, and executed consistently across teams and tools.
Control effectiveness modeling
Model controls such as defense-in-depth and quantify how they reduce risk, rather than limiting analysis to static control lists.
Quantified risk parameterization
Use median-based parameterization, multi-currency support with automatic conversion, and auto-calibration from loss data for building quantified models.
Strict validation
Validate models with JSON Schema before simulation so structural errors are caught early.
Implementation-agnostic execution
Run the same CRML documents on different compliant engines, which keeps the model separate from any one simulation implementation.
Common use cases
Versioned risk models in Git
Use CRML to define cyber risk scenarios, assumptions, and outputs in a reviewable format that can live in source control alongside other operational code.
Quantified control analysis
Model control effectiveness and defense-in-depth assumptions when you need to understand how security controls change expected outcomes.
Portable engine workflows
Exchange the same model across FAIR-style Monte Carlo workflows, Bayesian or QBER engines, and other compliant runtimes without rewriting the source model.
Pre-simulation validation
Validate model structure before running simulation jobs so issues in mappings, parameters, or outputs are caught earlier in the workflow.
Catalog-driven model maintenance
Keep risk, control, and threat catalogs versioned separately from model logic so framework changes can be handled by updating mappings rather than rebuilding the whole model.
Pros and Cons
Pros
- Provides a structured, human-readable way to define cyber risk models.
- Supports both YAML and JSON for model authoring and exchange.
- Includes schema validation to catch model issues before simulation.
- Keeps models engine-agnostic, which helps separate model logic from runtime implementation.
- Covers practical quantified-risk needs such as control effectiveness, median-based parameters, and multi-currency modeling.
Cons
- The repository says the project is in draft status and under heavy development, so the API and behavior may change.
- Supported workflows depend on compliant simulation engines, so CRML is a modeling language rather than a full risk platform by itself.
FAQ
What is CRML used for?
CRML is a declarative language for describing cyber risk models in YAML or JSON. The repository also ships a reference runtime and CLI through `crml-engine`, plus a browser UI called CRML Studio for validation and simulation.
What kinds of risk models can CRML support?
The source describes CRML as engine-agnostic and compatible with different quantification approaches, including FAIR-style Monte Carlo engines, Bayesian/QBER models, and other compliant simulation engines.
What packages does the repository provide?
The repository states that `crml-lang` provides language/spec models, schema validation, and YAML I/O, while `crml-engine` provides the reference runtime and `crml` CLI. The web UI is under `web/` and is described as CRML Studio.
How do you install it?
Installation guidance in the repository says to install `crml-engine` if you want the CLI, or `crml-lang` if you only need the language library.
Is CRML stable enough for production use?
The project page says the codebase is under heavy development and may change without notice, and points readers to the `crml-dev-1.3` branch for the latest work in progress.
Quick Facts
- Category
- Developer Tool
- Primary use
- Cyber risk modeling
- Formats
- YAML, JSON
- Packages
- `crml-lang`, `crml-engine`
- Project status
- Draft / heavy development
- Source domain
- github.com
CRML 替代品
AakarDev AI
AakarDev AI helps teams manage AI provider access, project-level setups, logs, and analytics from one dashboard. It supports BYOK workflows and lists providers including OpenAI, Google Gemini, Anthropic, Groq, Mistral AI, and Perplexity AI.
Ably Chat
Ably Chat is a chat API platform for building custom realtime chat applications. It supports room-based messaging, typing indicators, presence, reactions, and message updates, with usage-based pricing options for different deployment stages.
garden-md
garden-md 是一款开源 Node.js CLI,可将会议记录转为本地公司 wiki;关联跨记录实体,保留原文不改写,并以可浏览的 wiki 形式展示。
Ghost
Ghost 是一款基于终端的 AI 助手,可在命令行中聊天、生成代码并运行任务。内置免费模型,支持 Linux、macOS 和 Windows,且为开源项目。
BookAI.chat
BookAI允许您通过简单提供书名和作者与您的书籍进行AI聊天。
DeepMotion
DeepMotion 是一款基于网页的 AI 动作捕捉与 3D 动画平台,提供 Animate 3D 视频转动画和 SayMotion 文本生成动画,支持浏览器创作并导出常用制作格式。