CRML – Declarative language for cyber risk as code

Summary: CRML is an open, declarative language that enables writing cyber risk models in YAML/JSON format. It supports describing telemetry mappings, simulation pipelines, dependencies, and output requirements without binding users to specific quantification methods, engines, or frameworks.

What it does

CRML provides a machine-readable format for cyber risk modeling that is engine-agnostic and framework-agnostic. It converts scattered assumptions and narratives into structured, executable models for analyzing cyber risk scenarios and dependencies.

Who it's for

It is designed for security leaders, risk teams, and CISOs seeking a standardized way to model and reason about cyber risk beyond existing frameworks and spreadsheets.

Why it matters

CRML addresses the lack of a declarative language for cyber risk, enabling clearer, data-driven decision-making instead of relying on gut feel or fragmented information.