CRML

We have infrastructure as a code, network as a code but dont have anything as Risk As a Code. CRML is an open, declarative, engine-agnostic and Control / Attack framework–agnostic Cyber Risk Modeling Language. It provides a YAML/JSON format for describing cyber risk models, telemetry mappings, simulation pipelines, dependencies, and output requirements — without forcing you into a specific quantification method, simulation engine, or security-control / threat catalog.

• Organization requires proprietary, closed-source risk modeling tools with vendor lock-in and commercial support contracts
• Team lacks Python expertise or comfort with YAML/JSON configuration and command-line interfaces
• Business needs real-time, out-of-the-box risk dashboards without requiring custom simulation engine integration
• Regulatory compliance requires certified, audited quantification engines rather than community-maintained reference implementations
• Organization uses only legacy spreadsheet-based or proprietary GRC platforms with no API integration capability