IBM and Red Hat have expanded their enterprise security strategy with two announcements in quick succession: joining Anthropic’s Project Glasswing on May 19 and introducing Project Lightwell on May 28, aligning large-scale engineering investment with industry collaboration to address growing risks in open-source and AI-driven environments.
IBM and Red Hat Launch Project Lightwell
Project Lightwell represents a $5 billion commitment focused on securing open source software across its full lifecycle, from upstream development through enterprise production. The initiative combines advanced AI capabilities with a global workforce of more than 20,000 engineers to create a coordinated model for identifying, validating, and remediating vulnerabilities at scale.
At the center of the effort is a trusted security clearinghouse that serves as an intermediary between enterprises and the open-source ecosystem. The clearinghouse is designed to ingest vulnerability data from real-world deployments, apply AI-assisted validation and testing, and deliver production-ready patches through commercial subscription services. These patches are intended to integrate directly into enterprise software supply chains with lifecycle management and enterprise-grade assurance.
IBM and Red Hat are extending their established enterprise open-source model beyond curated platform components to include independent libraries, language toolchains, AI frameworks, and data streaming platforms. IBM already uses more than 62,000 open source packages and maintains deep expertise in over 10,000, spanning technologies such as Linux, Java, Kubernetes, Kafka, Ansible, and Terraform. The expansion reflects the operational reality that enterprises rely on a broad mix of community-driven software outside vendor-managed distributions.
The clearinghouse enables organizations to report vulnerabilities discovered in active environments within a controlled framework, receive validated patches optimized for production use, and coordinate responsible disclosure upstream to maintainers. This approach is designed to reduce fragmentation in vulnerability handling while reinforcing long-term ecosystem stability through upstream contributions.
The initiative comes as open-source software continues to underpin enterprise infrastructure, with more than 90 percent of Fortune 500 companies relying on OSS, and as advances in AI accelerate both vulnerability discovery and exploitation. Anthropic recently reported that its Mythos Preview model identified nearly 3,900 high- or critical-severity vulnerabilities in open source software alone. IBM and Red Hat are positioning Project Lightwell as a response to this shift, applying AI and engineering scale to compress remediation timelines and improve consistency across complex software supply chains.
AI-Assisted Engineering Model
A core component of Project Lightwell is the deployment of a large-scale engineering organization augmented by AI-driven tooling. IBM and Red Hat are emphasizing technical capacity as a strategic asset, with engineers operating across both upstream communities and enterprise environments.
The engineering teams will contribute to upstream maintenance alongside project maintainers and handle enterprise-specific requirements, such as vulnerability triage, prioritization, and validation. AI is used to support high-volume analysis, secure patch development, dependency hardening, and release engineering.
This model addresses a key challenge for enterprises managing diverse open-source dependencies, where vulnerability management is often fragmented and resource-intensive. By combining AI-assisted workflows with dedicated engineering resources, IBM and Red Hat aim to standardize and scale remediation processes.
Early adopters are concentrated in financial services: Bank of America, BNY, Citi, Goldman Sachs, JPMorganChase, Mastercard, Morgan Stanley, Royal Bank of Canada, State Street, Visa, and Wells Fargo are already collaborating with IBM and Red Hat on Project Lightwell. IBM says insights from these initial deployments will shape how vulnerabilities are identified, validated, and remediated at scale in large, regulated environments.
Integration with IBM’s AI Security Portfolio
Project Lightwell aligns with IBM’s broader security portfolio for the AI era, outlined in the company’s May 19 announcement. IBM Concert aggregates application, infrastructure, and network signals into a unified operational view, with the goal of moving organizations from passive monitoring to coordinated response. Its security capabilities extend into the developer’s IDE through IBM Concert Secure Coder, which detects and prioritizes risks by business impact and generates automatic remediations as code is written, preventing vulnerabilities from reaching production.
IBM Consulting is also advancing Autonomous Security services, which use multi-agent systems to coordinate detection, decision-making, and response at machine speed. These services are intended to help enterprises adapt vulnerability management and open source governance to increasingly compressed timelines driven by AI-enabled threats.
IBM Joins Project Glasswing
Shortly before the Lightwell announcement, IBM joined Project Glasswing, the Anthropic-led industry initiative to defend critical software infrastructure. The coalition brings together security and technology leaders to identify and remediate vulnerabilities in widely used software and share findings across industries. The Lightwell release notes that the new initiative incorporates lessons from Glasswing and OpenAI’s Trusted Access for Cyber program.
As part of Glasswing, IBM has been identifying and remediating vulnerabilities in widely used software and sharing those findings with the broader community. Rob Thomas, SVP Software and Chief Commercial Officer at IBM, said the company has been “hardening our own products and contributing fixes back to the open-source community,” adding that “the collaboration makes the entire ecosystem stronger.”
A central component of this work is coordinated disclosure. IBM shares findings with affected vendors and maintainers in accordance with established disclosure practices, enabling patches to be developed and validated before public release. The company also contributes fixes directly to upstream projects, ensuring that remediations are incorporated into future releases and supported branches, reducing divergence between enterprise deployments and community codebases.
IBM is also applying its Glasswing work to its own portfolio. The company says that by contributing fixes proactively and maintaining enterprise-grade versions of widely used open-source components, IBM and Red Hat can move quickly when issues arise, pairing the flexibility of open source with reliable, rapid support.
The Glasswing collaboration model emphasizes shared learning across participants. IBM contributes findings through coordinated disclosure, upstream open-source patches, and best practices shared with fellow participants, reflecting the company’s position that openness and scrutiny are prerequisites for security at scale. This cross-industry visibility is increasingly important as AI lowers the barrier to discovering and exploiting vulnerabilities.
Positioning for AI-Driven Threat Environments
Together, Project Lightwell and IBM’s participation in Project Glasswing reflect a shift toward more coordinated, AI-assisted security models. IBM is combining internal engineering scale, ecosystem collaboration, and AI-driven tooling to address the growing complexity and speed of modern threat environments.
The approach focuses on securing open source software at its source while improving how vulnerabilities are identified, validated, and remediated across enterprise supply chains. By linking upstream engagement with production-grade validation and industry-wide intelligence sharing, IBM and Red Hat are positioning these initiatives as foundational elements of enterprise security in the AI era.