CRML is an open, declarative, engine-agnostic and Control/Attack framework-agnostic Cyber Risk Modeling Language. It provides a YAML/JSON format for describing cyber risk models, telemetry mappings, simulation pipelines, dependencies, and output requirements without forcing users into a specific quantification method, simulation engine, or security-control/threat catalog.
Key features include control effectiveness modeling to quantify how controls reduce risk (including defense-in-depth), median-based parameterization for lognormal distributions, multi-currency support with automatic conversion, auto-calibration from loss data, strict JSON Schema validation, implementation-agnostic design that works with any compliant simulation engine, and human-readable YAML format.
The language enables RaC (Risk as Code) where risk and compliance assumptions become versioned, reviewable artifacts that can be validated and executed consistently across teams and tools. CRML addresses problems like risk models being locked in spreadsheets or proprietary tools, inconsistent documentation of control effectiveness, brittle mappings between changing threat frameworks, and fragmented audit-ready evidence.
Benefits include making models portable, assumptions explicit, and results reproducible. Use cases include justifying security spend by comparing risk with and without a proposed investment, comparing risk across business units or time periods, showing measured risk reduction from controls, connecting cyber risk to enterprise risk and financial planning, and producing repeatable audit-ready evidence.
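As an added illustration (not CRML's own code, schema or engine), the following Python Monte Carlo shows three of the ideas above working together: median-based lognormal parameterization (mu = ln(median)), defense-in-depth control effectiveness, and the with-versus-without-investment comparison. The layer combination rule (independent layers, combined effectiveness 1 - prod(1 - e_i)), the Poisson event frequency and the sample inputs are assumptions made for this example, not CRML semantics.

```python
import math
import random

def lognormal_from_median(median, sigma):
    # A lognormal's median is exp(mu), so stating the median directly gives mu = ln(median).
    return math.log(median), sigma

def combined_effectiveness(layers):
    # Defense-in-depth with independent layers (assumption): an event only causes
    # loss if it gets past every layer, so effectiveness = 1 - prod(1 - e_i).
    residual = 1.0
    for e in layers:
        residual *= 1.0 - e
    return 1.0 - residual

def poisson(rng, lam):
    # Knuth's method; adequate for the small annual event rates used here.
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_loss(freq_per_year, median_loss, sigma, layers, years=10000, seed=7):
    # Monte Carlo over `years` simulated years; returns mean, median and 95th percentile.
    rng = random.Random(seed)
    mu, s = lognormal_from_median(median_loss, sigma)
    bypass = 1.0 - combined_effectiveness(layers)
    annual = []
    for _ in range(years):
        total = 0.0
        for _ in range(poisson(rng, freq_per_year)):
            if rng.random() < bypass:  # event defeats all control layers
                total += rng.lognormvariate(mu, s)
        annual.append(total)
    annual.sort()
    return {"mean": sum(annual) / years, "median": annual[years // 2],
            "p95": annual[int(0.95 * years)]}

def compare_investment(freq_per_year, median_loss, sigma, layers, **kw):
    # Annual loss with vs. without the proposed control layers (same seed for both runs).
    before = simulate_annual_loss(freq_per_year, median_loss, sigma, [], **kw)
    after = simulate_annual_loss(freq_per_year, median_loss, sigma, layers, **kw)
    return {"without_controls": before, "with_controls": after,
            "reduction": 1.0 - after["mean"] / before["mean"]}

if __name__ == "__main__":
    # Constructed inputs: 2 events/yr, median loss 100k, sigma 0.8, layers 60% and 50% effective.
    print(compare_investment(2.0, 100_000.0, 0.8, [0.6, 0.5]))
```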
Target users include cyber security, compliance, and risk management professionals who need standardized, quantifiable risk modeling. The platform supports integrations with frameworks like ATT&CK, CIS, NIST, ISO, SCF, and internal catalogs, and works with quantification engines including FAIR-style Monte Carlo, Bayesian/QBER, and actuarial models.
admin
CRML targets cyber security, compliance, and risk management professionals who face challenges with locked-in risk models, inconsistent documentation, and fragmented audit evidence. It serves organizations needing standardized, quantifiable risk modeling that can be validated, reviewed, reused, and executed across tools and teams.