IBM & Red Hat: How Lightwell Can Lock Up AI-Era Open Source

Major cyber disruptions seen in 2026 – be it Trivy, TanStack or XZ Utils – have two things in common. They are open-source and they have hundreds of thousands of users, leading to an easy win for attackers as they poison the software supply chain, affecting millions of downstream users.
Guarding enterprises against this very challenge, IBM and Red Hat have launched Lightwell, a new platform designed to help secure open source code at scale.
The launch introduces two offerings, Lightwell Network and Lightwell Clearinghouse Premier, which use AI-driven automation and human engineering expertise to identify, validate and remediate vulnerabilities in open source dependencies.
The announcement builds on IBM and Red Hat's US$5bn commitment to open-source security unveiled in May 2026, supported by more than 20,000 engineers focused on scaling AI-powered remediation.
“Lightwell represents a fundamental structural shift in how we secure all enterprise software,” says Matt Hicks, President and CEO at Red Hat. “By pairing automated remediation with our deep engineering heritage, we aim to deliver the trusted infrastructure required to consume open source reliably, sustainably and at AI speeds.”
Designed with major financial institutions in the loop, Lightwell aims to remove the burden of patching vulnerable software without forcing organisations into disruptive upgrades or lengthy regression testing.
AI-powered remediation tackles vulnerabilities
The scale of the risk is put in perspective when learning that as much as 90% of enterprise codebase are open source.
AI is exacerbating the problem. With attackers relying on AI-generated exploits – available at as little as US$50 – IBM and Red Hat say traditional patch management can no longer keep pace.
The result? Enterprise codebases now contain an average of 581 vulnerabilities.
Enter Lightwell. Using a generative AI-powered remediation engine that combines frontier AI and open AI models and human expertise to analyse software dependencies and deliver validated fixes for production environments.
Instead of upgrading entire software stacks, the platform backports critical security fixes directly into long-lived production versions. This helps reduce disruption and minimise regression risks.
Lightwell Network, which has now been made generally available, launches with more than 6,500 "remediated, digitally signed and certified application dependencies across ecosystems including Java and Python".
Members receive updated binaries, source code, Software Bills of Materials (SBOMs) and compliance documentation that integrate directly into existing development pipelines.
Financial services first as collaboration expands
Standing beside its Network offering, IBM and Red Hat have introduced Lightwell Clearinghouse Premier in limited availability.
- The launch expands on US$5bn commitment to open source security that IBM and Red Hat announced in May 2026
- Open source comprises up to 90% of enterprise codebases
- Massive volume and AI-generated exploits have broken traditional patch management, leaving codebases with an average of 581 vulnerabilities
This entry is solely focused on the financial services sector in its initial phase, with the platform enabling organisations to collaborate securely on vulnerability disclosure, coordinated threat response and patch embargoes before vulnerabilities become public.
IBM and Red Hat plan to expand the service to government, healthcare and telecommunications.
“IBM and Red Hat are giving enterprises certified fixes they can pull straight into the systems they already run, with no retooling or disruption, backed by a growing network of technology and delivery partners,” says Rob Thomas, Senior Vice President, Software & Chief Commercial Officer, IBM.
"Making that possible takes scale most organisations don't have, a world-class team of engineers and AI systems working around the clock to protect the open source software the world's enterprises run on."
The platform follows Red Hat's upstream-first development model, ensuring fixes are contributed back to the open source community while maintaining enterprise-grade security protections.
Partner ecosystem supports enterprise adoption
IBM and Red Hat are also positioning Lightwell as an ecosystem backed by technology and consulting partners.
“IBM and Red Hat are giving enterprises certified fixes they can pull straight into the systems they already run ”
“Safeguarding the open source software supply chain requires an open, diverse ecosystem spanning AI models, development tools and enterprise infrastructure,” IBM notes.
Big tech companies including Amazon Web Services, AMD, F5, GitLab, Intel, JFrog, Microsoft, NVIDIA, Palo Alto Networks and ServiceNow are all collaborating to integrate security fixes across cloud environments, developer tools and enterprise infrastructure.
Deployment support will be provided by organisations including IBM Consulting, Red Hat Consulting, Accenture, Atos, Cognizant, Deloitte, EY, HCLTech, Infosys, Kyndryl, NTT DATA, Tata Consultancy Services and Tech Mahindra. These partners will help customers map SBOMs, manage software dependencies and integrate Lightwell into existing development pipelines.
With AI hyper charging both software development and cyber threats, IBM and Red Hat are betting on automated remediation backed by strong industry collaboration to secure the very vulnerable enterprise open source.









