
CRML

CRML is a declarative language for writing cyberrisk as code

💡 CRML (Cyber Risk Modeling Language) is an open-source, declarative language designed to standardize and automate cyber risk quantification. By moving away from fragmented spreadsheets and subjective assessments, CRML allows security teams to define risk models using YAML or JSON. This "Risk as Code" approach enables version control, transparency in assumptions, and seamless integration with various simulation engines like FAIR or Bayesian models, making it easier to communicate the financial impact of cyber threats to stakeholders.

"CRML is the 'Terraform' of cyber risk, replacing fragile Excel sheets with scalable, version-controlled code."

30-Second Verdict
What is it: CRML is an open-source declarative language that lets you define cyber risk models just like you write YAML code.
Worth attention: If you're in Cybersecurity or GRC, it's worth watching. This is the first serious attempt to move risk quantification from Excel hell into code repositories. The vision is ahead of its time.
Hype: 7/10 | Utility: 8/10 | Votes: 149

Full Analysis Report

CRML: Cybersecurity Finally Gets Its Own "Terraform"

2026-02-10 | Product Hunt | GitHub | Official Website

[Image: CRML Interface]

Interface Breakdown: On the left is the core "Risk as Code" value proposition; on the right is a YAML code editor featuring VALIDATE, SIMULATE, and PORTFOLIO tabs. The design is developer-centric, using a classic SaaS layout with a dark code editor and a bright results panel.


30-Second Quick Judgment

What it does: CRML is an open-source declarative language that lets you define cyber risk models using YAML—much like Terraform defines infrastructure or SQL defines data queries, CRML defines cyber risk.

Is it worth your attention?: If you are in Cybersecurity or GRC (Governance, Risk, and Compliance), yes. This is the first attempt to move "risk quantification" from Excel spreadsheets into code repositories. The concept is visionary, but the product is in its infancy (15 GitHub stars). It’s better viewed as an industry trend rather than a tool for immediate production use.


Three Key Questions

1. Is it relevant to me?

Target Audience: CISOs, Security Engineers, GRC teams, and Cyber Risk Analysts. Basically, the people who have to explain to the board exactly how much money is at stake due to cyber risks.

Should you care?: You are the target user if:

  • Your job involves Cyber Risk Quantification (CRQ) and you deal with FAIR or Monte Carlo simulations.
  • You work in security compliance and are tired of managing risk models in Excel.
  • You are a developer of security products needing a standardized format for risk descriptions.

If you aren't in the cybersecurity industry, this won't mean much to you.

Use Cases:

  • Scenario 1: Quarterly board reports --> Use CRML to codify risk models; run simulations instead of manually updating Excel cells.
  • Scenario 2: Cross-team collaboration --> Store CRML files in Git so everyone can see who changed what and why.
  • Scenario 3: Integrating different risk engines --> CRML is engine-agnostic; one model can run on FAIR or Bayesian engines.
  • Scenario 4: You're a general developer --> You probably don't need this.

2. Is it useful?

| Dimension | Benefit | Cost |
|---|---|---|
| Time | Versioned, reproducible risk models; no more building Excels from scratch. | Learning YAML syntax + CRML schema (approx. 2-4 hours). |
| Money | Completely free and open-source (MIT License). | Zero cost, but you need to set up your own engine. |
| Effort | Transparent assumptions and easy diffs; improved team collaboration. | Small community and limited docs; you'll have to figure things out yourself. |

ROI Judgment: If you're already doing CRQ, spending half a day on CRML is worth it to stay ahead of industry trends. Otherwise, feel free to skip.

3. Is it a "delightful" experience?

The "Aha!" Moment:

  • "Finally, I can diff a risk model": Previously, risk assumptions were buried in Excel cells, making changes impossible to track. CRML gives risk models a version history just like code.
  • FAIR + Bayesian Unity: Usually, you have to choose between FAIR (static) or Bayesian (complex). CRML attempts to fit both into a single YAML specification.

What users are saying:

"The Risk as Code approach is brilliant—moving from spreadsheets to Git-versioned YAML/JSON solves so many audit trail and collaboration issues." — Product Hunt Reviewer

"Risk models living in spreadsheets means every assumption is implicit; no one can diff them. We have infrastructure as code, network as code, but risk has always been left behind." — Product Hunt Reviewer


For Developers

Tech Stack

  • Language: Python
  • Data Format: YAML / JSON (Declarative)
  • Validation: Strict JSON Schema validation (crml_validator.py)
  • Version: CRML 1.1 Specification
  • License: MIT License
  • Installation: pip install crml-lang

[Image: CRML Validator Interface]

Interface Breakdown: This is the CRML Web Validator tool. The left side is a dark YAML editor, and the right side shows the validation results, displaying "Validation Passed" and model metadata. It supports file uploads, real-time validation, and downloads.

Core Implementation

CRML is essentially a YAML schema specification. You use YAML to describe assets, controls, dependencies, uncertainty assumptions, and impact paths, which are then processed by a compatible simulation engine. Core capabilities include:

  • Control Effectiveness Modeling: Quantifying how security controls reduce risk.
  • Lognormal Distribution Parameterization: Median-based inputs.
  • Multi-currency Support: 15+ currencies.
  • Raw Loss Data Calibration: Automatic calibration from historical data.
  • Scenario-based Modeling: Interchangeable scenarios that researchers can publish for others to use.
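The capabilities listed above (a declarative model, schema validation, median-based lognormal magnitudes, control effectiveness and calibration from raw loss data) carried through in one runnable Python example. This is an added illustration written for this page, not code from the CRML project: the field names (scenario, frequency.events_per_year, magnitude.median, magnitude.sigma, controls[].reduces, controls[].effectiveness) are a hypothetical stand-in for CRML's real schema, the model is a Python dict in place of a parsed YAML file so it runs without extra packages, and every loss figure is constructed.

```python
"""Added example, not CRML's own code or schema: a toy "risk as code" model,
a schema check standing in for CRML's JSON Schema validation, and a small
Monte Carlo engine with median-based lognormal inputs and control effects.
Field names are hypothetical stand-ins; CRML's real schema differs."""
import math
import random

# Constructed sample model. A real workflow loads this from YAML/JSON; a dict
# is used here so the example runs without extra packages. Values are made up.
MODEL = {
    "scenario": "ransomware-on-file-server",
    "currency": "USD",
    "frequency": {"events_per_year": 2.0},           # event rate before controls
    "magnitude": {"median": 50000.0, "sigma": 0.5},  # lognormal loss per event
    "controls": [
        {"name": "offline-backups", "reduces": "magnitude", "effectiveness": 0.6},
        {"name": "email-filtering", "reduces": "frequency", "effectiveness": 0.5},
    ],
}

def _is_number(value, lo, hi=None):
    """True if value is a real number (not bool) in [lo, hi]; hi=None means unbounded."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    return value >= lo and (hi is None or value <= hi)

def validate(model):
    """Return a list of validation errors; an empty list means the model is valid."""
    errors = []
    for key in ("scenario", "currency", "frequency", "magnitude", "controls"):
        if key not in model:
            errors.append(f"missing required key: {key}")
    freq = model.get("frequency") if isinstance(model.get("frequency"), dict) else {}
    if not _is_number(freq.get("events_per_year"), 0):
        errors.append("frequency.events_per_year must be a number >= 0")
    mag = model.get("magnitude") if isinstance(model.get("magnitude"), dict) else {}
    if not (_is_number(mag.get("median"), 0) and mag["median"] > 0):
        errors.append("magnitude.median must be a number > 0")
    if not _is_number(mag.get("sigma"), 0):
        errors.append("magnitude.sigma must be a number >= 0")
    controls = model.get("controls") if isinstance(model.get("controls"), list) else []
    for i, ctl in enumerate(controls):
        if not isinstance(ctl, dict):
            errors.append(f"controls[{i}] must be a mapping")
            continue
        if ctl.get("reduces") not in ("frequency", "magnitude"):
            errors.append(f"controls[{i}].reduces must be 'frequency' or 'magnitude'")
        if not _is_number(ctl.get("effectiveness"), 0, 1):
            errors.append(f"controls[{i}].effectiveness must be between 0 and 1")
    return errors

def effective_parameters(model):
    """Apply controls: each multiplies the quantity it reduces by (1 - effectiveness).
    Returns (events_per_year, mu, sigma) for residual risk, with mu = ln(median)."""
    rate = model["frequency"]["events_per_year"]
    median = model["magnitude"]["median"]
    sigma = model["magnitude"]["sigma"]
    for ctl in model["controls"]:
        if ctl["reduces"] == "frequency":
            rate *= 1.0 - ctl["effectiveness"]
        else:
            median *= 1.0 - ctl["effectiveness"]
    # A control with effectiveness 1.0 on magnitude drives the median to zero loss.
    return rate, (math.log(median) if median > 0 else float("-inf")), sigma

def expected_annual_loss(model):
    """Closed-form ALE = E[events] * E[loss], using E[lognormal] = exp(mu + sigma^2 / 2)."""
    rate, mu, sigma = effective_parameters(model)
    return rate * math.exp(mu + sigma * sigma / 2.0)

def _poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def simulate(model, trials=20000, seed=7):
    """Monte Carlo: per trial draw the number of events, then a lognormal loss per
    event. Returns the mean annual loss and the 95th percentile (a tail figure)."""
    rate, mu, sigma = effective_parameters(model)
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        events = _poisson(rng, rate)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _e in range(events)))
    losses.sort()
    return {"mean": sum(losses) / trials, "p95": losses[int(0.95 * trials) - 1]}

def calibrate_magnitude(historical_losses):
    """Fit median/sigma from observed per-event losses: log-space mean and sample std."""
    logs = [math.log(x) for x in historical_losses if x > 0]
    mu = sum(logs) / len(logs)
    var = sum((v - mu) ** 2 for v in logs) / (len(logs) - 1)
    return {"median": math.exp(mu), "sigma": math.sqrt(var)}

if __name__ == "__main__":
    print("validation:", validate(MODEL) or "ok")
    print("closed-form ALE:", round(expected_annual_loss(MODEL)))
    print("simulated:", {k: round(v) for k, v in simulate(MODEL).items()})
    print("calibrated:", calibrate_magnitude([12000, 48000, 95000, 20000, 250000]))
```

A control that reduces frequency scales the event rate by (1 - effectiveness); one that reduces magnitude scales the median loss, which is why median-based inputs make control effects easy to express. The closed-form expected annual loss sits next to the simulation so the two can be checked against each other, the kind of sanity check worth insisting on for any engine's output before a number reaches a board deck.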

Open Source Status

  • Open Source?: Yes, MIT License, fully open.
  • GitHub: Faux16/crml (15 Stars, 9 Forks, 3 Contributors).
  • Similar Projects: No direct open-source competitors—this is the first DSL for "Risk as Code."
  • Build Difficulty: Medium. The core is a schema + validator, which isn't technically massive. The real challenge is industry adoption. A similar validator could be built in 1-2 months, but building the ecosystem takes years.

Business Model

  • CRML itself: Completely free.
  • The Company (Zeron): A SaaS subscription-based cyber risk intelligence platform. CRML acts as the open-source infrastructure layer, while Zeron is the commercial application—a classic "open-core" strategy.
  • Revenue: Approximately 927k INR (~$11K) annually as of March 2024—very early stage.

Big Player Risk

This space has heavy hitters. SAFE Security has raised $170M+, and RiskLens (the commercial arm of the FAIR framework) is well-established. However, CRML positions itself differently—it's a language, not just a platform. If SAFE or RiskLens releases their own open spec, CRML's head start might vanish. CRML needs to prove it's more usable than pure FAIR.


For Product Managers

Pain Point Analysis

  • Problem: CISOs give vague reports because risk models are siloed in different tools, people's heads, or disparate Excels. There is no "lingua franca" for risk.
  • Severity: High frequency + High necessity for CISOs. 95% of executives value CRQ, but only 15-20% have automated it—indicating a massive supply-demand gap.

User Persona

  • Primary: CISOs and Risk teams needing financialized risk reporting for boards/regulators.
  • Secondary: Security product developers needing a standard risk modeling format.

Feature Breakdown

| Feature | Type | Description |
|---|---|---|
| YAML/JSON Risk Modeling | Core | Declarative syntax for risk scenarios, assets, and controls. |
| JSON Schema Validation | Core | Ensures model formatting is correct. |
| FAIR + Bayesian Modes | Core | First to unify both methodologies in one spec. |
| Multi-currency Support | Core | 15+ currencies for multinational needs. |
| Control Effectiveness | Core | New in v1.1; quantifies risk reduction from security controls. |
| Real-time Telemetry | Bonus | Direct integration with data sources for continuous updates. |
| Web Validator | Bonus | In-browser editing and validation. |

Competitive Differentiation

| vs | CRML | FAIR/RiskLens | SAFE Security | Kovrr |
|---|---|---|---|---|
| Type | Open Language/Spec | Standard + Platform | AI-driven SaaS | Commercial CRQ |
| Price | Free | Paid | Enterprise Paid | Enterprise Paid |
| Key Diff | Engine-agnostic | Industry standard | Automation + AI | Actuarial models |
| Lock-in | Zero (Open) | FAIR-bound | Proprietary | Proprietary |

Takeaways

  1. "X as Code" Paradigm: Moving any domain from GUI/Excel to declarative code is a winning pattern (IaC, GitOps). If your domain still relies on Excel, this is a path to consider.
  2. Open-Core Strategy: Use a free spec to build an ecosystem and a paid platform for monetization.
  3. Modular Design: CRML’s interchangeable scenarios mirror the Terraform Registry’s module-sharing logic.

For Tech Bloggers

Founder Story

  • Founder: Sanket Sarkar (Harvard Cybersecurity, Wharton Entrepreneurship).
  • Background: A self-described "entrepreneur, hacker, and math geek." Formerly CEO of TeamCognito.
  • The "Why": After exposing vulnerabilities in 86 websites, Sanket realized business leaders ignored the warnings because risk models were too vague. He couldn't find a risk engine to integrate into his platform, so he built one.
  • Partners: Already working with KPMG India to push cyber risk assessments.

Discussion Angles

  • Angle 1 - Is "Risk as Code" too idealistic?: Most security teams aren't developers. Will they actually write YAML?
  • Angle 2 - Open Source vs. The Giants: Can a project with $1.5M in funding compete with giants like SAFE Security ($170M+)?
  • Angle 3 - The Terraform Analogy: Terraform succeeded because infrastructure needed standardization. Is cyber risk fragmented enough to require a standard language?

Content Suggestions

  • The Evolution: "Why Cybersecurity is the Last Frontier for 'As Code'"—tracing the path from IaC to Policy as Code to Risk as Code.
  • Regulatory Hook: How SEC/EU disclosure rules are creating a massive window for standardized risk reporting.

For Early Adopters

Getting Started

  • Learning Curve: Medium-High (requires cybersecurity + risk quantification background).
  • Steps:
    1. pip install crml-lang
    2. Clone the GitHub repo and check spec/examples/.
    3. Use crml_validator.py to check your YAML.
    4. Try the Web Validator in your browser.

The "Catch"

  1. Tiny Community: With only 15 stars, you're mostly on your own or talking directly to the founder.
  2. No Simulation Engine: CRML defines the language, but you still need an engine to run the math. It's engine-agnostic, which is a double-edged sword.
  3. Documentation: It's a v1.1 project; docs are still being fleshed out.

For Investors

Market Analysis

  • Market Size: CRQ market $1.2B (2024) -> ~$7.9B (2033).
  • Drivers: Rising cyberattacks, regulatory pressure (SEC, EU CRA), and the jump in FAIR framework adoption (52% to 68%).
  • Gap: 95% of execs want CRQ, but only ~20% have automated it. This is a classic early-market window.

Conclusion

CRML is doing the "right thing, but very early": creating a language for cybersecurity. Just as SQL is for data and Terraform is for infrastructure, CRML wants to be the universal language for risk. The vision is top-tier, but execution is at Day 1.

| User Type | Recommendation |
|---|---|
| Developers | Star the repo. If you build security products, study the schema. Not ready for production yet. |
| PMs | Study the "X as Code" shift. It's a great blueprint for digitizing manual processes. |
| Early Adopters | Wait and watch unless you are a security engineer with FAIR experience. |
| Investors | Cautious interest. Great sector, but the company is extremely early ($11K revenue). The path from open DSL to commercial success needs validation. |

2026-02-10 | Trend-Tracker v7.3

One-line Verdict

CRML is doing something 'right but very early': building a language for the cybersecurity domain. The concept is top-tier, but execution is at Day 1—the community is tiny, the company is early-stage, and adoption will take time.

FAQ

Frequently Asked Questions about CRML

CRML is an open-source declarative language that lets you define cyber risk models just like you write YAML code.

The main features of CRML include: YAML/JSON Risk Modeling, JSON Schema Validation.

Open-source version is free; Zeron platform pricing is undisclosed.

CISOs, Security Engineers, GRC Compliance teams, and Cyber Risk Analysts—basically, anyone who has to explain 'how much our cyber risk is actually worth' to the board.

Alternatives to CRML include: FAIR/RiskLens, SAFE Security, Kovrr.

Data source: Product Hunt, Feb 10, 2026