Roadmap

SANKET SARKAR edited this page Dec 15, 2025 · 1 revision

CRML Roadmap

This roadmap outlines the planned features and enhancements for CRML. Items are organized by release version and priority.


✅ Released

v1.2.0 - Control Effectiveness Modeling (December 2024)

Status: ✅ Released

Comprehensive security control effectiveness modeling to quantify how controls reduce cyber risk.

Features:

  • ✅ Control layers (preventive, detective, recovery)
  • ✅ Effectiveness, coverage, and reliability parameters
  • ✅ Defense-in-depth calculations
  • ✅ Control dependencies and correlations
  • ✅ ROI calculations
  • ✅ Web UI integration
  • ✅ 19 comprehensive tests
  • ✅ Full documentation

Example:

controls:
  layers:
    - name: "email_security"
      controls:
        - id: "email_filtering"
          effectiveness: 0.90
          coverage: 1.0
          reliability: 0.95

Impact: Enables quantifying security investments and optimizing control portfolios.


v1.1.0 - Enhanced Usability (2024)

Status: ✅ Released

  • ✅ Median-based parameterization for lognormal distributions
  • ✅ Multi-currency support (15+ currencies)
  • ✅ Auto-calibration from raw loss data
  • ✅ JSON Schema validation
  • ✅ CRML CLI tool
  • ✅ Web playground

🚧 In Progress

v1.3.0 - Attack Chain Modeling (Q1 2025)

Status: 🚧 Planning

Priority: High

Model multi-stage cyber attacks with sequential probabilities and control impact at each stage.

Planned Features:

  • Attack chain / kill chain modeling
  • Stage-by-stage probability calculations
  • Control effectiveness per stage
  • Branching attack paths
  • Time-to-compromise modeling

Example:

attack_chain:
  stages:
    - name: "initial_access"
      probability: 0.15
      controls: ["email_filtering", "mfa"]
    
    - name: "lateral_movement"
      probability: 0.40
      controls: ["network_segmentation", "edr"]
    
    - name: "data_exfiltration"
      probability: 0.60
      controls: ["dlp", "monitoring"]
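
One way to read the attack chain above together with the v1.2.0 control parameters, as an added Python example that is not CRML's own code. It assumes each stage probability is a baseline before controls, that a control's net reduction is effectiveness × coverage × reliability, and that controls within a stage act independently; all control values other than `email_filtering` are constructed.

```python
from math import prod

# (effectiveness, coverage, reliability) per control. email_filtering uses the
# values from the v1.2.0 example above; the other rows are constructed samples.
CONTROLS = {
    "email_filtering": (0.90, 1.0, 0.95),
    "mfa": (0.80, 0.9, 0.99),
    "network_segmentation": (0.60, 0.7, 0.95),
    "edr": (0.70, 0.8, 0.90),
    "dlp": (0.50, 0.6, 0.90),
    "monitoring": (0.40, 1.0, 0.80),
}

# (name, baseline probability, controls) copied from the v1.3.0 example.
STAGES = [
    ("initial_access", 0.15, ["email_filtering", "mfa"]),
    ("lateral_movement", 0.40, ["network_segmentation", "edr"]),
    ("data_exfiltration", 0.60, ["dlp", "monitoring"]),
]


def control_reduction(control_id):
    """Assumed net reduction of one control: effectiveness * coverage * reliability."""
    params = CONTROLS[control_id]  # KeyError on a control the model does not define
    if not all(0.0 <= p <= 1.0 for p in params):
        raise ValueError(f"{control_id}: parameters must lie in [0, 1]")
    return prod(params)


def stage_residual(baseline, control_ids):
    """Stage success probability left after independent, layered controls."""
    if not 0.0 <= baseline <= 1.0:
        raise ValueError("stage probability must lie in [0, 1]")
    return baseline * prod(1.0 - control_reduction(c) for c in control_ids)


def chain_probability(stages, with_controls=True):
    """Probability that every stage succeeds in sequence."""
    return prod(
        stage_residual(p, ctrls if with_controls else []) for _, p, ctrls in stages
    )


if __name__ == "__main__":
    for name, p, ctrls in STAGES:
        print(f"{name:18s} {p:.2f} -> {stage_residual(p, ctrls):.4f}")
    print(f"chain, no controls:   {chain_probability(STAGES, False):.4f}")
    print(f"chain, with controls: {chain_probability(STAGES):.6f}")
```

Under these assumptions the per-stage residuals show which layer contributes most of the reduction, which is the comparison a control-portfolio review needs.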

Use Cases:

  • Ransomware attack modeling
  • APT scenario analysis
  • Incident response planning

Estimated Effort: 40-50 hours


📋 Planned

v1.4.0 - Threat Actor Modeling (Q2 2025)

Status: 📋 Planned

Priority: High

Differentiate risk based on threat actor sophistication, motivation, and tactics.

Planned Features:

  • Threat actor profiles (nation-state, cybercrime, insider)
  • Sophistication levels affecting control effectiveness
  • Motivation-based targeting
  • TTPs (Tactics, Techniques, Procedures) mapping
  • MITRE ATT&CK integration

Example:

threat_actors:
  - name: "ransomware_gang"
    sophistication: "medium"
    motivation: "financial"
    frequency_multiplier: 1.5
    control_bypass_probability: 0.20

Estimated Effort: 30-40 hours


v1.5.0 - Data-Driven Calibration (Q2 2025)

Status: 📋 Planned

Priority: Medium

Automate parameter estimation from historical incident data.

Planned Features:

  • Maximum Likelihood Estimation (MLE)
  • Bayesian parameter inference
  • Goodness-of-fit testing
  • Confidence intervals
  • Data import from CSV/JSON

Example:

data:
  sources:
    - type: "csv"
      path: "incidents.csv"
      columns:
        date: "incident_date"
        loss: "total_loss"
  
  calibration:
    method: "mle"
    distribution: "lognormal"

Estimated Effort: 50-60 hours


v1.6.0 - Temporal Dynamics (Q3 2025)

Status: 📋 Planned

Priority: Medium

Model time-varying parameters for frequency and severity.

Planned Features:

  • Time-series frequency modeling
  • Seasonal patterns
  • Trend analysis
  • Control degradation over time
  • Inflation adjustment for severity

Example:

temporal:
  frequency:
    trend: "increasing"
    rate: 0.05  # 5% annual increase
    seasonality:
      pattern: "quarterly"
      peaks: [1, 4]  # Q1 and Q4
  
  controls:
    - id: "antivirus"
      degradation_rate: 0.10  # 10% annual degradation

Estimated Effort: 40-50 hours


v1.7.0 - Vulnerability & Exposure Modeling (Q3 2025)

Status: 📋 Planned

Priority: Medium

Integrate CVE/CVSS data and asset exposure factors.

Planned Features:

  • CVE database integration
  • CVSS score impact on frequency
  • Asset exposure modeling
  • Patch management simulation
  • Zero-day risk modeling

Example:

assets:
  - name: "web_servers"
    count: 50
    exposure: "internet_facing"
    vulnerabilities:
      - cve: "CVE-2024-1234"
        cvss: 9.8
        patched: false

Estimated Effort: 30-40 hours


v1.8.0 - Breach Cost Modeling (Q4 2025)

Status: 📋 Planned

Priority: Low

Structure severity models around specific breach cost components.

Planned Features:

  • Detection and escalation costs
  • Notification costs
  • Legal and regulatory costs
  • Business disruption costs
  • Reputation damage modeling

Example:

severity:
  model: "breach_cost"
  components:
    detection:
      median: "50 000"
      sigma: 1.2
    
    notification:
      per_record: 5
      records_at_risk: 100000
    
    legal:
      median: "200 000"
      sigma: 1.8

Estimated Effort: 25-35 hours


v1.9.0 - Insurance & Risk Transfer (Q4 2025)

Status: 📋 Planned

Priority: Medium

Model cyber insurance policies and risk transfer mechanisms.

Planned Features:

  • Insurance policy modeling
  • Deductibles and limits
  • Coinsurance percentages
  • Aggregate limits
  • Premium calculations

Example:

insurance:
  policy:
    deductible: "100 000"
    limit: "5 000 000"
    coinsurance: 0.20  # 20% coinsurance
    aggregate_limit: "10 000 000"
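
How the policy terms above could be applied to a year of simulated losses, as an added Python example that is not CRML's own code. It assumes the deductible and limit apply per claim, that coinsurance is the share the insured keeps, and that the aggregate limit caps what the insurer pays across the year; the loss values are constructed.

```python
def parse_amount(value):
    """Accept 100000 or the space-grouped string form used on this page ("100 000")."""
    return float(str(value).replace(" ", ""))


# Policy terms copied from the v1.9.0 example.
POLICY = {
    "deductible": parse_amount("100 000"),
    "limit": parse_amount("5 000 000"),
    "coinsurance": 0.20,
    "aggregate_limit": parse_amount("10 000 000"),
}

# Constructed losses for one policy year, in the order they occur.
SAMPLE_LOSSES = [50_000, 400_000, 8_000_000, 7_500_000, 9_000_000]


def claim_payout(loss, policy):
    """Insurer payment for one loss, before the aggregate limit is considered."""
    if loss < 0:
        raise ValueError("loss must be non-negative")
    # Assumed order: deductible, then per-claim limit, then coinsurance.
    covered = min(max(loss - policy["deductible"], 0.0), policy["limit"])
    return covered * (1.0 - policy["coinsurance"])


def apply_policy(losses, policy):
    """Return (per-claim payouts, total recovered, total retained) for one year."""
    remaining = policy["aggregate_limit"]
    payouts = []
    for loss in losses:
        paid = min(claim_payout(loss, policy), remaining)  # aggregate erodes per claim
        remaining -= paid
        payouts.append(paid)
    recovered = sum(payouts)
    return payouts, recovered, sum(losses) - recovered


if __name__ == "__main__":
    payouts, recovered, retained = apply_policy(SAMPLE_LOSSES, POLICY)
    for loss, paid in zip(SAMPLE_LOSSES, payouts):
        print(f"loss {loss:>12,.0f}  insurer pays {paid:>12,.0f}")
    print(f"recovered {recovered:,.0f}  retained {retained:,.0f}")
```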

Estimated Effort: 30-40 hours


🔮 Future (v2.0+)

v2.0.0 - Bayesian Inference with MCMC (2026)

Status: 🔮 Research

Priority: High

Full uncertainty quantification using Markov Chain Monte Carlo methods.

Planned Features:

  • MCMC sampling (Metropolis-Hastings, NUTS, HMC)
  • Prior distribution specification
  • Posterior distribution analysis
  • Convergence diagnostics
  • Credible intervals

Example:

pipeline:
  simulation:
    mcmc:
      enabled: true
      algorithm: "nuts"
      iterations: 10000
      burn_in: 1000
      chains: 4

Estimated Effort: 80-100 hours


v2.1.0 - Portfolio Aggregation (2026)

Status: 🔮 Research

Priority: Medium

Aggregate multiple correlated risk models at enterprise level.

Planned Features:

  • Multi-scenario aggregation
  • Correlation modeling between scenarios
  • Portfolio-level VaR
  • Diversification benefits
  • Concentration risk analysis

Estimated Effort: 60-80 hours


v2.2.0 - Advanced Copulas (2026)

Status: 🔮 Research

Priority: Low

Enhanced dependency modeling with advanced copula functions.

Planned Features:

  • Vine copulas
  • Time-varying copulas
  • Tail dependency modeling
  • Copula selection algorithms

Estimated Effort: 40-50 hours


🎯 Priority Legend

  • High - Core functionality, high user demand
  • Medium - Important features, moderate demand
  • Low - Nice-to-have, specialized use cases

📊 Timeline Overview

2024 Q4: ✅ v1.2.0 Control Effectiveness
2025 Q1: 🚧 v1.3.0 Attack Chain Modeling
2025 Q2: 📋 v1.4.0 Threat Actor Modeling
2025 Q2: 📋 v1.5.0 Data-Driven Calibration
2025 Q3: 📋 v1.6.0 Temporal Dynamics
2025 Q3: 📋 v1.7.0 Vulnerability Modeling
2025 Q4: 📋 v1.8.0 Breach Cost Modeling
2025 Q4: 📋 v1.9.0 Insurance Modeling
2026+:   🔮 v2.0.0 Bayesian Inference

🤝 Contributing

Want to help implement these features?

  1. Check the Issues for open tasks
  2. Comment on features you're interested in
  3. Submit PRs for roadmap items
  4. Suggest new features in Discussions

📝 Notes

  • Timeline estimates are subject to change based on community feedback and priorities
  • Effort estimates assume an experienced Python developer
  • Features may be released in a different order based on demand
  • Breaking changes will follow semantic versioning (major version bumps)

Last Updated: December 15, 2024
Current Version: 1.2.0
Next Release: 1.3.0 (Q1 2025)
