01Overview
Cyber Risk Quantification (CRQ) Engine translates technical cyber risk into the language boards actually fund against: money. It implements the FAIR (Factor Analysis of Information Risk) taxonomy end-to-end — Risk = Loss Event Frequency x Loss Magnitude — and runs Monte Carlo simulation over min/likely/max inputs to produce annualized loss expectancy (ALE) with full percentile distributions, loss exceedance curves, and per-control ROI. Instead of a red/amber/green heat square, a CISO gets 'this ransomware scenario carries a P90 annual loss of $X, which is Y% of revenue.'
Every uncertain input — threat contact frequency, probability of action, threat capability, resistance strength, and each loss component — is expressed as a three-point estimate and sampled through a PERT (modified beta) distribution, so the output honestly models uncertainty rather than pretending to a single false-precision number. Ten thousand iterations per scenario (configurable, seedable for reproducibility) yield the ALE mean, standard deviation, and a seven-point percentile band from P5 (best case) to P95 (worst case).
Beyond raw exposure, the engine analyzes security controls as investments: it computes each control's resistance-strength boost (with diminishing returns for overlapping controls), estimated ALE reduction across the scenarios it applies to, and a dollar ROI ranking so teams can prioritize spend. Results ship as a colored console executive summary, a fully structured JSON report for pipelines and dashboards, and a dark-themed HTML dashboard with inline SVG charts (risk-score donut gauge, likelihood x impact heatmap, aggregate loss exceedance curve, and control-effectiveness bars).
It is a single Python file with zero external dependencies — no pandas, no numpy, no pip install — making it trivial to drop into an air-gapped GRC environment or a CI job. Severity-based exit codes and the Phalanx Cyber scanner CLI convention (--json / --html / --severity / --seed / --verbose) make it as automatable as a vulnerability scanner, while the bundled sample models a realistic financial-services organization across eight threat scenarios.
02Key Capabilities
Full FAIR Taxonomy
Implements the complete FAIR decomposition — TEF (Contact Frequency x Probability of Action), Vulnerability from Threat Capability vs Resistance Strength, LEF, and primary/secondary Loss Magnitude — not just a top-line formula.
Monte Carlo Simulation
Runs 10,000 iterations per scenario by default (configurable via --simulations) to build a full probability distribution of annual loss rather than a single point estimate.
PERT Distribution Sampling
Every min/likely/max input is sampled through a modified-beta PERT distribution, capturing real-world uncertainty and weighting toward the most-likely value.
Loss Exceedance Curves
Computes the probability of exceeding any given loss threshold, per scenario and aggregated, so leaders can reason about tail risk instead of averages.
Control Effectiveness & ROI Analysis
Models each security control's resistance-strength boost with diminishing returns, estimates its ALE reduction, and ranks controls by dollar ROI for investment decisions.
Log-Scale Risk Scoring
Normalizes each scenario's P90 loss against organization revenue into a 0-100 risk score with CRITICAL/HIGH/MEDIUM/LOW severity bands.
Industry-Calibrated Threat Modeling
Applies per-industry loss multipliers (financial services, healthcare, energy, government and more) and seven pre-defined threat-community capability profiles.
Interactive HTML Dashboard
Generates a self-contained dark-themed dashboard with inline SVG risk gauge, likelihood x impact heatmap, loss exceedance curve, and control bars — no JS libraries or CDN.
Structured JSON Reporting
Emits a full machine-readable report (percentiles, loss breakdowns, exceedance points, control analysis) for ingestion into GRC platforms, SIEMs, or BI dashboards.
Reproducible & Deterministic
A --seed flag pins the RNG so a given scenario file yields identical numbers across runs — essential for audit trails and regression testing.
Zero Dependencies
Pure Python 3.10+ standard library in a single file — deployable in air-gapped or locked-down environments with no pip install.
Automation-Friendly CLI
Severity filtering plus exit codes (0 clean, 1 CRITICAL/HIGH found, 2 input error) let it gate CI pipelines just like a security scanner.
03Architecture
A single-file Python application layered into a pure-math FAIR engine and an orchestration/reporting engine. Data flows: JSON scenario file -> validation/load -> per-scenario Monte Carlo simulation (PERT sampling of FAIR factors) -> percentile/exceedance/risk-score computation -> control cost-effectiveness analysis -> render to console, JSON, and HTML/SVG. Typed dataclasses carry results between stages.
04Project Structure
crq_engine.pyThe entire engine (~1,521 LOC): FAIREngine, CRQEngine, dataclasses, SVG chart builders, and the CLI.sample_scenarios.jsonReference input modeling Acme Financial Corp ($500M revenue) with 8 threat scenarios, 8 assets, and 12 controls.README.mdOverview, FAIR model diagram, quick-start commands, CLI options, JSON schema, and the sample-scenario table.CLAUDE.mdArchitecture notes: component table, FAIR formulas, key constants, severity thresholds, and conventions.crq_report.jsonSample generated JSON report showing the full structured output shape.crq_report.htmlSample generated HTML dashboard demonstrating the SVG chart output.banner.svgProject banner with dashboard-style visualization.LICENSEMIT license.05Security Controls
06Technology Stack
- Language
- Python 3.10+ (uses PEP 604 union syntax)
- Dependencies
- None — Python standard library only (argparse, json, math, random, dataclasses)
- Risk model
- FAIR (Factor Analysis of Information Risk); PERT/beta Monte Carlo sampling
- Reporting
- ANSI console, structured JSON, self-contained HTML with hand-built inline SVG charts
- Testing
- No test suite; reproducibility via --seed and bundled sample_scenarios.json
- CI/CD
- None configured in repo
- Distribution
- Single-file CLI script; MIT licensed
07Quick Start
$ python crq_engine.py sample_scenarios.json $ python crq_engine.py sample_scenarios.json --json report.json --html dashboard.html $ python crq_engine.py sample_scenarios.json --severity HIGH $ python crq_engine.py sample_scenarios.json --simulations 50000 --seed 42 $ python crq_engine.py sample_scenarios.json -v
08Compliance & Frameworks
09Integrations & Outputs
Explore Cyber Risk Quantification
Full source, documentation, and deployment guides live on GitHub.