IBM, Red Hat and Palo Alto Networks have expanded Project Lightwell, their open-source security initiative, to combine software remediation with network-level virtual patching. The aim is to help organizations find vulnerabilities earlier and reduce the time between discovery and protection across open source software, commercial applications, operational technology and medical technologies.
The expanded setup brings together Palo Alto Networks Virtual Patching with Project Lightwell from IBM and Red Hat. Palo Alto Networks provides rapid network-layer protection, while IBM and Red Hat provide software remediation for open-source components that customers can test and deploy in their own environments.
The collaboration is intended to help defenders move faster because AI is accelerating both vulnerability discovery and exploitation.
IBM and Red Hat first announced Project Lightwell as a $5 billion commitment backed by AI capabilities and more than 20,000 engineers. At that stage, the project was described as a trusted enterprise clearinghouse for securing open source software across the software supply chain. Reuters reported at the time that the service would launch as a commercial offering within 30 days.
IBM, Red Hat and Palo Alto Networks expanded the project to add virtual patching, combining remediation with immediate network protection. IBM said the collaboration covers open source software, commercial applications, OT and healthcare technologies.
How Project Lightwell works
Red Hat says Project Lightwell is an enterprise clearinghouse for open source software. Customers can report security flaws in software versions they are running, receive verified fixes, and push those fixes upstream so the wider community can benefit. Red Hat says the program now goes beyond Red Hat software to include independent libraries, language toolchains, AI frameworks and data streaming systems.
IBM and Red Hat say they will deploy a global team of more than 20,000 engineers, assisted by AI, to handle upstream maintenance, vulnerability triage, patch development, dependency hardening and release engineering.
Palo Alto Networks adds a separate layer: virtual patching at the network edge.
Key points
- Project Lightwell began as a $5 billion IBM and Red Hat commitment.
- The project is backed by more than 20,000 engineers.
- IBM says more than 90% of Fortune 500 companies rely on open-source software.
- Reuters reported that Project Lightwell was expected to launch as a commercial subscription service within 30 days of the May 28 announcement.
- IBM listed early adopters including Bank of America, JPMorgan Chase and Visa, alongside other major financial institutions.
What it means
The practical significance is that enterprise security is moving toward a two-layer defense: one layer stops exploitation immediately at the network level, and the other repairs the software so the issue does not return. That is a meaningful shift from the older pattern of waiting for a patch, deploying it, and hoping the vulnerability isn’t exploited first.
IBM and Red Hat are treating open-source maintenance as a managed security service, with validation, patching and upstream disclosure built into the model. That is a structural change for enterprises that depend on open-source code but do not have the internal capacity to track every dependency on their own.
Executive bites
Nikesh Arora, CEO and Chairman of Palo Alto Networks, said AI has shortened the period between finding a flaw and exploiting it, and that traditional patching cannot keep up.
Arvind Krishna, IBM’s Chairman and CEO, said Project Lightwell was created to secure the open-source foundation enterprises use every day and that the Palo Alto collaboration extends that security from source code to the network front line.
Matt Hicks, President and CEO of Red Hat, said Project Lightwell extends Red Hat’s long-standing patching model across the wider open-source ecosystem.


















