Vision for CRML

Cyber risk today is mostly documented in spreadsheets, PDFs, and slide decks — formats that are hard to version, automate, or integrate with tooling.

CRML (Cyber Risk Modeling Language) aims to represent cyber risk as structured, machine-readable models instead of documents. This allows risk scenarios to be version-controlled, generated by tools, and executed through simulations.

Over time, CRML can become the default contract format for sharing risk information across organizations, industries, and nations — without exposing confidential internal data. And if things go really well, maybe even interplanetary or intergalactic systems too. 🤓

Tools like CRML Code exist to make this easier, allowing practitioners to generate and execute CRML models without needing to manually write the language.

The goal is simple: make cyber risk something machines can understand and operate on, not just something humans write reports about.