IBM and Red Hat have announced Project Lightwell, a $5 billion initiative designed to strengthen enterprise open source software security using advanced AI capabilities and a global engineering workforce of more than 20,000 specialists.
The initiative introduces a new enterprise security model focused on identifying, validating, and remediating vulnerabilities across open source software supply chains at scale. Project Lightwell combines AI-assisted vulnerability management with enterprise-grade lifecycle support and upstream collaboration to improve the resilience of modern software ecosystems.
Project Lightwell is designed to create a new operational model for securing enterprise open source software from upstream development through production deployment.
The initiative combines AI-driven vulnerability analysis, enterprise validation systems, and global engineering resources to address growing security challenges within modern software supply chains.
According to IBM and Red Hat, the platform will function as a trusted security coordination layer capable of validating and testing fixes across a large volume of open source code.
The companies say enterprises will be able to integrate secure patches directly into their software supply chains through commercial subscriptions that include enterprise-grade validation and lifecycle management.
The announcement comes as enterprises increasingly depend on open source software across critical infrastructure and AI systems.
According to IBM and Red Hat, more than 90% of Fortune 500 companies rely on open source software as part of their technology infrastructure.
At the same time, advances in frontier AI models are accelerating the discovery and exploitation of software vulnerabilities.
The companies referenced recent findings from Anthropic indicating that its Mythos Preview model identified nearly 3,900 high- or critical-severity vulnerabilities in open source software environments.
Project Lightwell is intended to help enterprises address these escalating risks through coordinated remediation and AI-assisted vulnerability management.
IBM and Red Hat confirmed they are already collaborating with a group of early enterprise adopters on Project Lightwell deployments.
Participating organizations include:
According to the companies, insights from these deployments will help shape how vulnerabilities are identified, validated, and remediated across complex enterprise software supply chains.
A core component of Project Lightwell is the creation of a trusted enterprise security clearinghouse.
IBM and Red Hat say the clearinghouse expands upon their existing enterprise open source support model, extending vulnerability management beyond their traditional product ecosystems.
IBM currently uses more than 62,000 open source packages and maintains deep expertise across approximately 10,000 components spanning technologies such as:
The companies say the same engineering discipline previously applied to platform support will now extend to broader application environments, including independent libraries, AI frameworks, data streaming systems, and language toolchains.
Through the clearinghouse model, enterprise organizations will be able to:
IBM and Red Hat say this approach allows enterprises to address critical vulnerabilities while also strengthening the broader open source ecosystem through responsible disclosure and long-term maintenance collaboration.
Project Lightwell will also deploy a global engineering organization of more than 20,000 engineers supported by advanced AI systems.
The engineering teams will focus on:
The companies say the initiative reflects a strategic decision to expand engineering capacity rather than reduce technical staffing amid broader industry AI adoption trends.
"Open source is the backbone of today's digital economy and the foundation of modern AI, and we are at an inflection point in how it is built, secured, and scaled," said Arvind Krishna, Chairman and CEO, IBM. "With Project Lightwell, IBM and Red Hat are helping define a new industry model, one that brings together AI, engineering expertise, and trusted collaboration, to secure open source software at its source and across the entire supply chain. This is about strengthening trust in the systems that power business, government, and society."
IBM and Red Hat say Project Lightwell is also aligned with broader government and enterprise priorities surrounding digital infrastructure resilience and software supply chain security.
The initiative incorporates lessons from previous AI security and open source programs, including Anthropic’s Project Glasswing and OpenAI’s Trust Access for Cyber initiatives.
As AI adoption accelerates across enterprise environments, the companies say securing foundational open source infrastructure is becoming increasingly critical for business continuity, regulatory compliance, and operational trust.
TechIntelPro empowers B2B technology decision-makers with the latest industry trends, deep insights, leadership perspectives and actionable intelligence to drive both organizational and professional milestones—and thrive on the tech pulse.