CRML is a declaritive language for writing cyberrisk as code
We have infrastructure as a code, network as a code but dont have anything as Risk As a Code. CRML is an open, declarative, engine-agnostic and Control / Attack framework–agnostic Cyber Risk Modeling Language. It provides a YAML/JSON format for describing cyber risk models, telemetry mappings, simulation pipelines, dependencies, and output requirements — without forcing you into a specific quantification method, simulation engine, or security-control / threat catalog.
I was looking for a cyber risk engine to incorporate in our platform. I was surprised to see that there does not exist one in the entire internet. I went deep to understand, why it does not exist. Then I figured out its because, there is no way someone can write the cyber risks in a machine readable format. There is no declaritive language for this. Thats when I thought of creating this.
CRML started from dozens of messy, real conversations with security leaders, risk teams, and CISOs who kept telling us the same thing:
“We have frameworks… but when the board asks a decision question, we still scramble.” CRML is our attempt to change that.
It turns scattered assumptions, spreadsheets, and narratives into structured, executable cyber-risk models — so teams can reason about scenarios, trade-offs, and investments with actual clarity instead of gut feel.
We’re launching CRML first because modeling is the foundation. Before dashboards, or automation… organizations need a clean way to think about risk.
We’d genuinely love your feedback: • What’s broken today in cyber risk analysis? • Where do models fall apart in practice? • What would make this actually useful in your day-to-day work?
We’re here in the comments all day — fire away.
About CRML on Product Hunt
“CRML is a declaritive language for writing cyberrisk as code”
CRML launched on Product Hunt on February 9th, 2026 and earned 134 upvotes and 21 comments, placing #9 on the daily leaderboard. We have infrastructure as a code, network as a code but dont have anything as Risk As a Code. CRML is an open, declarative, engine-agnostic and Control / Attack framework–agnostic Cyber Risk Modeling Language. It provides a YAML/JSON format for describing cyber risk models, telemetry mappings, simulation pipelines, dependencies, and output requirements — without forcing you into a specific quantification method, simulation engine, or security-control / threat catalog.
On the analytics side, CRML competes within Open Source, Languages and GitHub — topics that collectively have 123.8k followers on Product Hunt. The dashboard above tracks how CRML performed against the three products that launched closest to it on the same day.
Who hunted CRML?
CRML was hunted by SANKET SARKAR. A “hunter” on Product Hunt is the community member who submits a product to the platform — uploading the images, the link, and tagging the makers behind it. Hunters typically write the first comment explaining why a product is worth attention, and their followers are notified the moment they post. Around 79% of featured launches on Product Hunt are self-hunted by their makers, but a well-known hunter still acts as a signal of quality to the rest of the community. See the full all-time top hunters leaderboard to discover who is shaping the Product Hunt ecosystem.
SANKET SARKAR
I was looking for a cyber risk engine to incorporate in our platform. I was surprised to see that there does not exist one in the entire internet. I went deep to understand, why it does not exist. Then I figured out its because, there is no way someone can write the cyber risks in a machine readable format. There is no declaritive language for this. Thats when I thought of creating this.
CRML started from dozens of messy, real conversations with security leaders, risk teams, and CISOs who kept telling us the same thing:
“We have frameworks… but when the board asks a decision question, we still scramble.”
CRML is our attempt to change that.
It turns scattered assumptions, spreadsheets, and narratives into structured, executable cyber-risk models — so teams can reason about scenarios, trade-offs, and investments with actual clarity instead of gut feel.
We’re launching CRML first because modeling is the foundation. Before dashboards, or automation… organizations need a clean way to think about risk.
We’d genuinely love your feedback:
• What’s broken today in cyber risk analysis?
• Where do models fall apart in practice?
• What would make this actually useful in your day-to-day work?
We’re here in the comments all day — fire away.