CRML

CRML is a declaritive language for writing cyberrisk as code

5.0•1 review•

257 followers

CRML is a declaritive language for writing cyberrisk as code

5.0•1 review•

257 followers

Visit website

Security software

We have infrastructure as a code, network as a code but dont have anything as Risk As a Code. CRML is an open, declarative, engine-agnostic and Control / Attack framework–agnostic Cyber Risk Modeling Language. It provides a YAML/JSON format for describing cyber risk models, telemetry mappings, simulation pipelines, dependencies, and output requirements — without forcing you into a specific quantification method, simulation engine, or security-control / threat catalog.

This is the 2nd launch from CRML. View more

CRML Code

Launched this week

The AI CLI for CRML practitioners.

CRML Code is an AI-powered CLI that brings CRML to practitioners who don’t want to write YAML. Give it a company name, vulnerability scan, or simple prompt, and it automatically generates structured CRML scenarios. It resolves organizational context, builds realistic cyber risk models, and runs large-scale simulations to produce financially grounded risk insights and control impact analysis.

Free

Launch tags:Open Source•Artificial Intelligence•GitHub

Launch Team / Built With

Littlebird — The only full-context AI

The only full-context AI

Promoted

CRML

Maker

📌

Hey everyone 👋 A few weeks ago I introduced CRML (Cyber Risk Modeling Language) — an open standard to move cyber risk modeling out of spreadsheets and into something structured, version-controlled, and machine readable. But one piece of feedback kept coming up: "This is great… but I don’t want to write YAML." So we built CRML Code. CRML Code is an AI-powered CLI that generates and runs CRML scenarios for you. Instead of writing models manually, you can simply give it: • a company name • a vulnerability scan report • or even a plain English prompt …and it will generate validated CRML scenarios, resolve organization context, and run large-scale Monte Carlo simulations to produce financially grounded risk insights. The goal here is simple: Make cyber risk modeling accessible to practitioners, not just risk analysts or spreadsheet experts. If you work in security, risk, or GRC, I’d love to hear: - What inputs would you want to model risk from? - What outputs would actually help you make decisions? Happy to answer any technical questions here. Thanks for checking it out 🙏

Report

2d ago

This looks like a really strong way to make CRML much more approachebale for practicioners who don't want to deal with YAML directly. Just curious, how you help users understand the assumptions behind the generated scenarios though – it feels like making this easier is a huge win, and at the same time transparency becomes even more important for trust

Report

1d ago

Have a question about CRML? Ask it here and get a real answer.

Previous CRML Launches

CRML CRML is a declaritive language for writing cyberrisk as code

Launched on February 9th, 2026

Do you use CRML?

Forum Threads

p/crml

•

2d ago

Vision for CRML

Cyber risk today is mostly documented in spreadsheets, PDFs, and slide decks formats that are hard to version, automate, or integrate with tooling.

CRML (Cyber Risk Modeling Language) aims to represent cyber risk as structured, machine-readable models instead of documents. This allows risk scenarios to be version-controlled, generated by tools, and executed through simulations.

p/crml

•

25d ago

Cyber risk is finally getting the “as-code” treatment — and it’s about time.

We ve standardized infrastructure, deployments, and networks using code, but risk has largely remained trapped in spreadsheets, static registers, and fragmented tooling. CRML feels like a strong step toward making cyber risk portable, machine-readable, and automation-ready.

What stands out is the framework-agnostic approach. Organizations today don t operate in a single control universe they juggle ISO, NIST, CIS, regulatory mandates, and internal models. A declarative layer that can sit above these and enable simulation, telemetry mapping, and quantification could significantly improve how leaders understand and act on cyber exposure.

Excited to see where this goes especially the possibilities around integrating risk models into real-time decision systems and bridging the gap between security operations and business risk.

View all

CRML

CRML is a declaritive language for writing cyberrisk as code

CRML is a declaritive language for writing cyberrisk as code

CRML Code

Have a question about CRML? Ask it here and get a real answer.

Previous CRML Launches

Do you use CRML?

Forum Threads

Vision for CRML

Cyber risk is finally getting the “as-code” treatment — and it’s about time.

Have a question about CRML? Ask it here and get a real answer.

Previous CRML Launches

Do you use CRML?

Forum Threads

Vision for CRML

Cyber risk is finally getting the “as-code” treatment — and it’s about time.

What's great

What needs improvement

vs Alternatives

Did JSON Schema validation catch common modeling mistakes?

Did you successfully run 10k+ Monte Carlo simulations?

Was the Python API well-documented and stable?

What's great

What needs improvement

vs Alternatives

Did JSON Schema validation catch common modeling mistakes?

Did you successfully run 10k+ Monte Carlo simulations?

Was the Python API well-documented and stable?