Declarative model definition
Describe scenarios, telemetry mappings, simulation pipelines, dependencies, and output requirements in a YAML or JSON format instead of spreading assumptions across spreadsheets or slides.
Overview
CRML (Cyber Risk Modeling Language) is an open-source declarative language for cyber risk modeling. It is designed to represent cyber risk models in YAML or JSON, with explicit descriptions of scenarios, telemetry mappings, simulation pipelines, dependencies, and output requirements.
The project positions CRML as a way to make quantified cyber risk work more repeatable and auditable across teams. It supports a Risk as Code approach, where assumptions, mappings, and model outputs are versioned and validated instead of being trapped in spreadsheets or proprietary tools.
Key features
Risk as Code workflow
Treat risk assumptions as versioned artifacts that can be reviewed, validated, and executed consistently across teams and tools.
Control effectiveness modeling
Model controls such as defense-in-depth and quantify how they reduce risk, rather than limiting analysis to static control lists.
Quantified risk parameterization
Use median-based parameterization, multi-currency support with automatic conversion, and auto-calibration from loss data for building quantified models.
Strict validation
Validate models with JSON Schema before simulation so structural errors are caught early.
Implementation-agnostic execution
Run the same CRML documents on different compliant engines, which keeps the model separate from any one simulation implementation.
Common use cases
Versioned risk models in Git
Use CRML to define cyber risk scenarios, assumptions, and outputs in a reviewable format that can live in source control alongside other operational code.
Quantified control analysis
Model control effectiveness and defense-in-depth assumptions when you need to understand how security controls change expected outcomes.
Portable engine workflows
Exchange the same model across FAIR-style Monte Carlo workflows, Bayesian or QBER engines, and other compliant runtimes without rewriting the source model.
Pre-simulation validation
Validate model structure before running simulation jobs so issues in mappings, parameters, or outputs are caught earlier in the workflow.
Catalog-driven model maintenance
Keep risk, control, and threat catalogs versioned separately from model logic so framework changes can be handled by updating mappings rather than rebuilding the whole model.
Pros and Cons
Pros
- Provides a structured, human-readable way to define cyber risk models.
- Supports both YAML and JSON for model authoring and exchange.
- Includes schema validation to catch model issues before simulation.
- Keeps models engine-agnostic, which helps separate model logic from runtime implementation.
- Covers practical quantified-risk needs such as control effectiveness, median-based parameters, and multi-currency modeling.
Cons
- The repository says the project is in draft status and under heavy development, so the API and behavior may change.
- Supported workflows depend on compliant simulation engines, so CRML is a modeling language rather than a full risk platform by itself.
FAQ
What is CRML used for?
CRML is a declarative language for describing cyber risk models in YAML or JSON. The repository also ships a reference runtime and CLI through `crml-engine`, plus a browser UI called CRML Studio for validation and simulation.
What kinds of risk models can CRML support?
The source describes CRML as engine-agnostic and compatible with different quantification approaches, including FAIR-style Monte Carlo engines, Bayesian/QBER models, and other compliant simulation engines.
What packages does the repository provide?
The repository states that `crml-lang` provides language/spec models, schema validation, and YAML I/O, while `crml-engine` provides the reference runtime and `crml` CLI. The web UI is under `web/` and is described as CRML Studio.
How do you install it?
Installation guidance in the repository says to install `crml-engine` if you want the CLI, or `crml-lang` if you only need the language library.
Is CRML stable enough for production use?
The project page says the codebase is under heavy development and may change without notice, and points readers to the `crml-dev-1.3` branch for the latest work in progress.
Quick Facts
- Category
- Developer Tool
- Primary use
- Cyber risk modeling
- Formats
- YAML, JSON
- Packages
- `crml-lang`, `crml-engine`
- Project status
- Draft / heavy development
- Source domain
- github.com
CRML 替代品
AakarDev AI
AakarDev AI helps teams manage AI provider access, project-level setups, logs, and analytics from one dashboard. It supports BYOK workflows and lists providers including OpenAI, Google Gemini, Anthropic, Groq, Mistral AI, and Perplexity AI.
Ably Chat
Ably Chat is a chat API platform for building custom realtime chat applications. It supports room-based messaging, typing indicators, presence, reactions, and message updates, with usage-based pricing options for different deployment stages.
garden-md
garden-md 是一款開源 Node.js CLI,可將會議逐字稿轉為本機公司 wiki,串接逐字稿來源、保留原文並建立可瀏覽的連結頁面。
Ghost
Ghost 是一款終端機 AI 助手,可在命令列中聊天、產生程式碼並執行任務。內建免費模型,支援 Linux、macOS、Windows,且為開源工具。
BookAI.chat
BookAI允許您透過簡單提供書名和作者與您的書籍進行AI聊天。
DeepMotion
DeepMotion 是一個基於網頁的 AI 動作捕捉與 3D 動畫平台,提供 Animate 3D 影片轉動畫與 SayMotion 文字轉動畫,讓創作者與團隊可在瀏覽器中產生動作並匯出常見製作格式。