IBM and Red Hat Bet $5 Billion on Open-Source Security as AI-Driven Vulnerability Risks Escalate

IBM is making one of its largest cybersecurity commitments in years, pledging $5 billion to a new initiative aimed at tackling a growing problem at the heart of modern software development: securing the open-source code that underpins much of the global digital economy.

The project, dubbed Project Lightwell, is a joint effort between IBM and Red Hat that will combine more than 20,000 engineers with artificial intelligence systems to identify, verify, and remediate vulnerabilities across open-source software widely used by businesses.

The initiative comes as enterprises face mounting concerns that advances in AI are dramatically changing the cybersecurity landscape. While AI is helping companies improve productivity and automate software development, it is also giving attackers new tools to discover and exploit vulnerabilities at unprecedented speed.

IBM senior vice president of software Rob Thomas told Reuters that the commercial service is expected to launch within 30 days and will likely be offered through subscription-based pricing tied to the number of software packages a customer uses.

At its core, Project Lightwell aims to function as a trusted verification layer for open-source software, providing enterprises with what Thomas described as a “stamp of approval” that specific software packages are safe for production deployment.

The initiative addresses a challenge that has become increasingly critical as software supply chains grow more complex. More than 90% of Fortune 500 companies rely on open-source software, according to IBM. Modern applications often contain thousands of external software components maintained by distributed communities rather than centralized vendors.

IBM itself reportedly uses more than 62,000 open-source packages across its technology ecosystem.

The widespread adoption of open-source software has accelerated innovation and reduced development costs, but it has also created a vast attack surface. A single vulnerability in a widely used package can cascade across thousands of organizations worldwide.

Recent years have demonstrated how vulnerable these software supply chains can be. High-profile incidents involving compromised open-source components have affected governments, financial institutions, healthcare providers, and critical infrastructure operators, prompting regulators and cybersecurity agencies to increase scrutiny of software supply chains.

IBM estimates publicly disclosed software vulnerabilities could reach 59,000 by 2026, citing data from CVE.org. The sheer volume of potential threats has made traditional manual security reviews increasingly difficult to scale.

AI Becomes Both The Problem And The Solution

Project Lightwell reflects a broader shift occurring across the cybersecurity industry: using AI to defend against threats that AI itself is helping create. The initiative will employ artificial intelligence systems to scan massive open-source code bases, identify potential vulnerabilities, and prioritize which issues require immediate attention. Human engineers will then validate findings, develop patches, maintain affected software, and coordinate fixes with open-source communities.

The approach is designed to address one of cybersecurity’s biggest bottlenecks: separating genuine threats from false alarms.

IBM pointed to recent findings from Anthropic’s cybersecurity research efforts as evidence of AI’s growing capabilities in vulnerability discovery. According to IBM, Anthropic’s Project Glasswing used its Mythos Preview model to identify nearly 3,900 vulnerabilities rated as high or critical severity within open-source software.

Among the vulnerabilities reviewed, Anthropic reported that 90.6% were legitimate security issues, while 62.4% were confirmed to be high- or critical-severity threats. Those figures suggest AI systems are becoming increasingly effective at uncovering software weaknesses that might otherwise remain undetected for extended periods.

The same capabilities, however, can also be used by malicious actors, creating an arms race between defenders and attackers.

Wall Street Joins The Effort

One notable aspect of Project Lightwell is the roster of early participants. IBM and Red Hat have already piloted the initiative with several major financial institutions, including Bank of America, JPMorgan Chase, and Visa. Additional participants include BNY, Citi, Goldman Sachs, Mastercard, Morgan Stanley, Royal Bank of Canada, State Street, and Wells Fargo.

The participation of some of the world’s largest financial institutions highlights how software supply-chain security has become a boardroom issue rather than merely an IT concern. Banks face particularly high risks because they depend on complex technology infrastructures while also operating under stringent regulatory oversight.

IBM says Project Lightwell is intended to cover the entire software lifecycle, from development through production deployment. Companies will be able to report sensitive vulnerabilities privately, receive validated patches, and coordinate fixes with upstream maintainers before vulnerabilities become widely known.

The platform is also designed to work without requiring direct access to a company’s proprietary source code. Using dependency manifests such as pom.xml files, the system can identify affected software components, determine exposure, and deliver patched artifacts directly into repositories controlled by enterprise customers.
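The manifest-driven approach described above (and the SBOM-style inventory mentioned later in the article) can be illustrated with a small parser. The following is an added example, not Project Lightwell's code or data: it reads a constructed pom.xml, expands Maven property references, builds a component inventory, and matches that inventory against a constructed advisory list using introduced/fixed version ranges. The advisory identifiers, package names and version numbers are all placeholders.

```python
"""Added example: deriving exposure from a Maven pom.xml without source code.
The manifest, advisories and version-range logic are constructed for this
illustration and are not Project Lightwell's data or implementation."""
import xml.etree.ElementTree as ET

# Constructed pom.xml, the kind of manifest a customer would supply.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>payments-service</artifactId>
  <version>1.4.2</version>
  <properties>
    <kafka.version>3.6.0</kafka.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.kafka</groupId>
      <artifactId>kafka-clients</artifactId>
      <version>${kafka.version}</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>legacy-parser</artifactId>
      <version>2.1.7</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>json-util</artifactId>
      <version>5.0.0</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed advisory feed with placeholder identifiers (not real CVEs).
# "introduced" is the first affected version, "fixed" the first safe one.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "group": "org.example", "artifact": "legacy-parser",
     "introduced": "2.0.0", "fixed": "2.1.9"},
    {"id": "ADV-EXAMPLE-0002", "group": "org.example", "artifact": "json-util",
     "introduced": "4.0.0", "fixed": "5.0.0"},
]

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(v):
    """Turn '2.1.7' into (2, 1, 7) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def resolve(value, props):
    """Expand a ${property} reference as Maven would."""
    if value and value.startswith("${") and value.endswith("}"):
        return props.get(value[2:-1], value)
    return value


def inventory_from_pom(pom_text):
    """Return [(group, artifact, version), ...]: a minimal component inventory."""
    root = ET.fromstring(pom_text)
    props = {p.tag.split("}")[1]: p.text for p in root.findall("m:properties/*", NS)}
    components = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        group = dep.findtext("m:groupId", namespaces=NS)
        artifact = dep.findtext("m:artifactId", namespaces=NS)
        version = resolve(dep.findtext("m:version", namespaces=NS), props)
        components.append((group, artifact, version))
    return components


def is_affected(version, introduced, fixed):
    """Affected when introduced <= version < fixed; the fixed version is safe."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def exposure_report(pom_text, advisories=ADVISORIES):
    """Match the inventory against advisories and name the closing version."""
    findings = []
    for group, artifact, version in inventory_from_pom(pom_text):
        for adv in advisories:
            if (adv["group"], adv["artifact"]) == (group, artifact) and \
                    is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({"component": f"{group}:{artifact}:{version}",
                                 "advisory": adv["id"],
                                 "upgrade_to": adv["fixed"]})
    return findings


if __name__ == "__main__":
    for f in exposure_report(SAMPLE_POM):
        print(f"{f['component']} affected by {f['advisory']}; fixed in {f['upgrade_to']}")
```

Only `legacy-parser` is reported: `json-util` sits exactly on its fixed version, which the half-open range treats as safe. A real service would also walk transitive dependencies and resolve versions from the lock or build output, which a single pom.xml does not capture.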

The initiative also addresses one of the most persistent challenges in enterprise software management: maintaining older software versions.

Many organizations continue running applications built on legacy dependencies because upgrading can disrupt operations. Project Lightwell aims to provide backported security fixes, allowing organizations to remain on tested software versions while still receiving security updates.

That capability could be particularly valuable in heavily regulated industries where software changes require extensive testing and approval processes.

Expanding Beyond Red Hat

Although Red Hat’s enterprise Linux ecosystem remains central to the initiative, IBM says the project will extend far beyond its existing platforms. Coverage will include independent open-source libraries, language toolchains, AI frameworks, data-streaming technologies, and infrastructure software.

Among the technologies highlighted by IBM are widely used platforms such as Kafka, Ansible, Terraform, Flink, and Cassandra, all of which play critical roles in enterprise computing environments.

The breadth of coverage reflects the reality that modern enterprises rarely rely on a single software stack. Instead, they operate sprawling ecosystems assembled from thousands of interconnected open-source components.

Project Lightwell also positions IBM to capitalize on a rapidly expanding cybersecurity market. As software supply-chain attacks become more sophisticated and regulators demand greater transparency, enterprises are showing more willingness to pay for independent validation and security assurance services.

Government agencies worldwide have pushed for greater adoption of Software Bills of Materials (SBOMs), which provide detailed inventories of software components and dependencies. At the same time, organizations are struggling to manage vulnerabilities buried deep within complex dependency chains.

By combining AI-powered vulnerability discovery with human validation and enterprise-grade support, IBM is seeking to create a new category of security service centered on trusted open-source software certification.