
What is CRML? The New Standard for Cyber Risk Quantification

CRML High-Level Architecture diagram showing the flow from Security Telemetry to Risk Metrics.

For years, cybersecurity has advanced at an extraordinary pace. However, the industry has lacked a foundational modeling language for cyber risk, which is the gap the Cyber Risk Modeling Language (CRML) is meant to fill.

Currently, our tools generate more data than ever. In addition, detection systems are getting smarter, providing deeper, closer-to-real-time visibility. Despite this progress, one critical area has barely evolved: quantifying cyber risk.

When boards, regulators, or investors ask the most important question, “What is our actual cyber risk, financially?”, the answers often fall short. Unfortunately, they are still built on spreadsheets, assumptions, annual consulting exercises, and inconsistent frameworks.

Consequently, there is no common standard. There is no reproducibility, nor is there a shared modeling language. Furthermore, there is no integration with real telemetry.

Today, cyber risk is where finance was before GAAP, where data was before SQL, and where infrastructure was before Terraform.

That is exactly why we built CRML.

What Is CRML?

CRML (Cyber Risk Modeling Language) is the first domain-specific language (DSL) purpose-built to describe cyber risk as code.

Specifically, it provides a structured, machine-readable way to express risk models. Previously, these models were scattered across spreadsheets, slides, and assumption-heavy documents. Now, with CRML, you can define:

  • Assets

  • Threat events

  • Frequency models

  • Severity models

  • Dependencies

  • Criticality

  • Output metrics

You can do all of this via declarative YAML/JSON, backed by a full quantitative runtime. Ultimately, this is not just a tool. This is a foundation and a new standard for how cyber risk should be modeled.

Why the Industry Needs This Now

Despite the massive growth of cybersecurity technology, the risk domain has been left behind. While every other area of enterprise engineering has matured into code-driven standards, from IaC to MLOps, cyber risk remains qualitative, subjective, and opaque.

CRML changes that along four fundamental dimensions:

1. Cyber Risk Becomes Code

Just like SQL standardized data and Terraform standardized infrastructure, CRML standardizes cyber risk modeling. As a result, models become:

  • Readable

  • Versioned

  • Peer-reviewable

  • Testable

  • Reproducible

For the first time, cyber risk calculations can be audited and trusted.

2. Unifying FAIR and Bayesian Worlds

Until now, organizations faced a difficult choice. On one hand, FAIR offered good structure but was static. On the other hand, Bayesian/QBER models were dynamic but too complex to run routinely.

CRML bridges both. Its runtime supports:

  • Monte Carlo simulations

  • Gamma–Poisson frequency models

  • Lognormal/Gamma severity

  • Gaussian copulas

  • Shannon entropy for criticality

In short, this is the first time FAIR-style and Bayesian-style modeling coexist in a single language. This allows teams to evolve their risk models without retooling.
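As an added illustration of the quantitative pieces named above, the following Python script is example code written for this page, not CRML's runtime, and the plain dict it reads is a hypothetical stand-in for a declarative model, not the CRML schema. It draws annual loss for one asset/threat-event pair from a Gamma–Poisson frequency model and a lognormal severity model by Monte Carlo, then reduces the simulated years to the output metrics a board typically asks for (expected annual loss, median, 95th and 99th percentile loss). The Gaussian copula and entropy-based criticality pieces are not shown.

```python
import math
import random
from statistics import mean, median

# Constructed, hypothetical model for one asset/threat-event pair. A plain dict
# stands in for a declarative YAML/JSON model; it is NOT the CRML schema.
MODEL = {
    "asset": "customer-db",
    "threat_event": "credential-stuffing",
    # Gamma prior on the annual event rate: mean = shape * scale = 2 events/year
    "frequency": {"type": "gamma_poisson", "shape": 4.0, "scale": 0.5},
    # Lognormal loss per event: median = exp(mu) ~ 99k, heavy right tail
    "severity": {"type": "lognormal", "mu": 11.5, "sigma": 1.0},
    "simulations": 20000,
}


def sample_poisson(rng, lam):
    """Knuth's multiplication method; fine for the small annual rates used here."""
    if lam <= 0:
        return 0
    limit = math.exp(-lam)
    k, p = 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k


def sample_annual_frequency(rng, spec):
    """Gamma-Poisson: draw this year's rate from the Gamma prior, then the event count."""
    rate = rng.gammavariate(spec["shape"], spec["scale"])  # (shape, scale) parameterisation
    return sample_poisson(rng, rate)


def sample_severity(rng, spec):
    """Lognormal loss for a single event."""
    return rng.lognormvariate(spec["mu"], spec["sigma"])


def simulate_annual_losses(model, seed=1):
    """Monte Carlo over simulated years; returns one total loss per year."""
    rng = random.Random(seed)  # fixed seed so a run is reproducible and reviewable
    losses = []
    for _ in range(model["simulations"]):
        events = sample_annual_frequency(rng, model["frequency"])
        losses.append(sum(sample_severity(rng, model["severity"]) for _ in range(events)))
    return losses


def risk_metrics(losses):
    """Reduce simulated years to the metrics that are usually reported."""
    ordered = sorted(losses)

    def quantile(q):
        return ordered[min(len(ordered) - 1, int(q * len(ordered)))]

    return {
        "expected_annual_loss": mean(ordered),
        "median_annual_loss": median(ordered),
        "var_95": quantile(0.95),  # loss exceeded in roughly 1 year out of 20
        "var_99": quantile(0.99),  # loss exceeded in roughly 1 year out of 100
        "p_zero_loss": sum(1 for x in ordered if x == 0) / len(ordered),
    }


def analytic_expected_loss(model):
    """Closed-form E[N] * E[S], used to sanity-check the simulation."""
    f, s = model["frequency"], model["severity"]
    return f["shape"] * f["scale"] * math.exp(s["mu"] + s["sigma"] ** 2 / 2)


if __name__ == "__main__":
    metrics = risk_metrics(simulate_annual_losses(MODEL))
    for name, value in metrics.items():
        print(f"{name:>22}: {value:,.2f}")
    print(f"{'analytic expectation':>22}: {analytic_expected_loss(MODEL):,.2f}")
```

Two design points matter for anyone reviewing such a model. First, drawing the rate from a Gamma prior before the Poisson draw (rather than fixing a single rate) makes the event count over-dispersed, which is what expresses uncertainty about how often the threat event really occurs; a plain Poisson understates the tail. Second, the closed-form expectation is kept next to the simulation on purpose: if the simulated mean drifts away from it, the sampler or the parameters are wrong, and that check is cheap to run in a pipeline every time the model is refreshed.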

3. Real Telemetry Finally Feeds Risk Models

Cyber-risk quantification has always been disconnected from real operations. In contrast, CRML directly ingests data from:

  • IAM & PAM systems

  • XDR detections

  • WAF/DLP alerts

  • Identity hygiene

  • Misconfigurations

  • Attack paths

This makes cyber risk live. It is continuously updated as environments change. Thus, risk becomes a system, not a workshop exercise.

4. Enabling the “Cyber Risk Brain”

By converting risk into structured code, CRML lays the foundation for a true Cyber Risk Brain. This engine unifies telemetry, business context, and threat statistics.

This unlocks:

  • Automated risk updates

  • Pipeline-driven model refreshes

  • AI copilots for risk teams

  • Defensible board-ready outputs

Essentially, it marks the shift from reactive cybersecurity to quantitative, predictive cybersecurity.

Comparison of legacy manual risk assessment versus modern CRML risk-as-code

Why CRML Is Groundbreaking

CRML brings to cyber risk what every mature discipline eventually builds:
a universal language to model reality.

Finance has it.
Data science has it.
Infrastructure engineering has it.
Cybersecurity, until now, did not.

This launch is not just about releasing a spec or a runtime.

It is about establishing a shared standard the world can build on, one that integrates deeply with today’s telemetry and tomorrow’s AI-driven ecosystems.

The Beginning of a New Phase for Cyber Risk


To summarize, CRML marks a turning point. It transforms risk modeling from assumptions into simulations. It moves from opinions to defensible metrics.

On Saturday, we are opening this foundation to the world. This is only the beginning, but it is the start of something the industry has missed for decades.

Ready to define risk as code?

The full specification is live. Dive into the schema, the math, and the runtime environment.