CRSE — Cyber Risk Simulation Engine
Turn your control posture and vendor graph into a quantitative risk estimate. CRSE runs scenario simulations, identifies toxic control combinations, and maps your gaps to MITRE ATT&CK.
What CRSE answers
- “If a ransomware operator got in today, what’s my expected loss?”
- “Which two controls, when both weak, account for the most blast radius?” (toxic combinations)
- “Where are my gaps against MITRE ATT&CK?”
- “If this vendor is compromised, what fraction of my revenue is exposed?”
The primitives
| Object | What it is |
|---|---|
| Template | A canonical threat scenario (ransomware, BEC, supply-chain compromise, …). |
| Simulation | A single run of a template against the tenant’s controls & vendors. Produces a distribution of outcomes. |
| Chain | A multi-step simulation joining several templates (e.g. phishing → lateral movement → data exfil). |
| MITRE mapping | Each control maps to the ATT&CK techniques it mitigates. Used to compute coverage. |
| Loss parameter | Business-impact values (cost per record, downtime cost, regulatory fine models) that convert a breach into a dollar value. |
| Toxic combination | A pair (or small set) of control weaknesses that together produce disproportionate blast radius. |
Running a simulation
- Pick a template (GET /api/crse/templates).
- Pick targets (business units, vendors, data elements) from GET /api/crse/target-options.
- Override any loss parameters (PUT /api/crse/loss-parameters/overrides) — defaults come from the tenant’s industry template.
- Start the run (POST /api/crse/simulations). The dispatcher executes the simulation asynchronously.
- Poll GET /api/crse/simulations/<runId> or subscribe to workflow KRI events for completion.
Chains
A chain is an ordered sequence of templates with shared state. The first step’s output (e.g. “attacker has domain admin”) feeds the second step’s preconditions. Chains are either authored by hand (POST /api/crse/chains) or auto-generated from your threat model (POST /api/crse/chains/auto-generate).
MITRE mappings & coverage
Every control has zero or more MITRE ATT&CK technique mappings. The coverage view reports, for each tactic / technique, which controls would mitigate an attacker using it and how effective those controls currently are (per KRI). Gaps drive CRSE’s scenario-probability model.
Toxic combinations
After each simulation, CRSE identifies toxic combinations — pairs of weak controls whose joint failure accounts for a disproportionate share of blast radius. The expert panel uses these when asked “what should I fix next?” to justify prioritisation against dollar impact, not headcount effort.
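An added illustration of the idea, not CRSE's own algorithm or code: the sketch below ranks control pairs by how strongly simulated loss concentrates in trials where both controls failed. The trial record format, the control names, the "lift" metric and its threshold are all assumptions made for this example.

```python
from itertools import combinations

# Constructed sample data: each trial lists the weak controls that failed
# in that simulated run and the resulting loss in USD.
TRIALS = [
    ({"mfa", "edr"}, 40_000),
    ({"mfa", "backup"}, 60_000),
    ({"edr", "backup"}, 900_000),
    ({"edr", "backup", "mfa"}, 1_200_000),
    ({"edr"}, 30_000),
    ({"backup"}, 20_000),
    ({"mfa"}, 10_000),
    (set(), 0),
    ({"edr", "backup"}, 700_000),
    ({"mfa", "edr"}, 40_000),
]


def toxic_combinations(trials, min_lift=1.5):
    """Rank control pairs by loss concentration in their co-failure trials.

    loss_share  = loss in trials where both controls failed / total loss
    trial_share = number of such trials / number of all trials
    lift        = loss_share / trial_share (1.0 means proportionate)
    Returns [(pair, loss_share, lift), ...] sorted by lift, highest first.
    """
    total_loss = sum(loss for _, loss in trials)
    if total_loss == 0:
        return []  # no loss observed, nothing to attribute
    controls = sorted(set().union(*(failed for failed, _ in trials)))
    ranked = []
    for pair in combinations(controls, 2):
        hits = [loss for failed, loss in trials if set(pair) <= failed]
        if not hits:
            continue  # this pair never failed together
        loss_share = sum(hits) / total_loss
        trial_share = len(hits) / len(trials)
        lift = loss_share / trial_share
        if lift >= min_lift:
            ranked.append((pair, round(loss_share, 3), round(lift, 2)))
    return sorted(ranked, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for pair, share, lift in toxic_combinations(TRIALS):
        print(f"{pair}: {share:.1%} of loss, lift {lift}")
```

In the constructed data, EDR and backup fail together in 30% of trials but account for about 93% of the loss, which is the kind of pair a "fix next" ranking by dollar impact would surface first.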
Regulatory fine models
Regulatory fines are first-class. GET /api/crse/regulatory-fine-models returns the shipped models (GDPR, CCPA, HIPAA, sector-specific rules). Simulations fold the applicable model into the loss distribution based on the data elements exposed in the scenario.