IBM, Red Hat Launch Project Lightwell to Secure Open Source Software from Frontier Models

IBM and Red Hat are combining what they’ve learned from frontier AI models with the work of 20,000 engineers to launch Project Lightwell, a $5 billion initiative aimed at helping enterprises better secure their open source software, a job that has become harder in the age of models such as Anthropic’s Claude Mythos Preview.

Mythos and similarly powerful frontier models are quickly collapsing the exploit window for organizations, shrinking the time between vulnerability discovery and patching from weeks to days or hours. IT and security vendors are scrambling to develop AI-powered protections and processes that can match the machine speed at which bad actors can now operate.

The problem is particularly acute in the open source world. Anthropic researchers earlier this month wrote about their findings after the first month of Project Glasswing, an effort the AI vendor created to let a few dozen companies and researchers use the Mythos model to find vulnerabilities and to develop advanced security tools that protect systems from exploits.

They wrote that they used Mythos to scan more than 1,000 open source projects, with the model finding 23,019 security flaws, including 6,202 deemed high- or critical-severity. The researchers noted the importance of open source software – “which collectively underpin much of the internet – and much of our own infrastructure” – and the challenges that frontier AI models present.

“The bottleneck in fixing bugs like these is the human capacity to triage, report, and design and deploy patches for them,” they wrote. “Finding them in the first place has become vastly more straightforward with Mythos Preview.”

Combining AI with Engineers

IBM Chairman and CEO Arvind Krishna echoed the sentiment in announcing Project Lightwell.

“Open source is the backbone of today’s digital economy and the foundation of modern AI, and we are at an inflection point in how it is built, secured, and scaled,” Krishna said in a statement. “With Project Lightwell, IBM and Red Hat are helping define a new industry model, one that brings together AI, engineering expertise, and trusted collaboration, to secure open source software at its source and across the entire supply chain.”

He added that “this is about strengthening trust in the systems that power business, government, and society.”

A Clearinghouse for AI Threat Information

Project Lightwell has several parts. It will create a clearinghouse that acts as a coordination layer for enterprises, including the use of advanced AI capabilities to validate and test fixes across massive volumes of open source code. The clearinghouse will be available through commercial subscriptions that let organizations integrate secure patches directly into their software supply chains, complete with validation and lifecycle management capabilities.

Enterprises can use the clearinghouse to share security issues they’ve discovered in the software versions they run, to deploy validated patches in production environments running anything from Red Hat offerings to code from the open source community, and to share fixes upstream so open source communities can include them as they maintain their projects.

At the same time, the 20,000-plus engineers, using advanced AI technology, will work across upstream and enterprise environments. They will focus on upstream maintenance in tandem with others in the open source community, run high-volume, AI-assisted reviews, triage, and prioritization of security flaws, and ensure that patch development, dependency hardening, and release engineering are done securely.

Learning from Frontier Models

IBM officials said the effort builds on IBM’s and Red Hat’s broad experience in open source, enterprise AI, and security, and on what they’ve learned in both Anthropic’s Project Glasswing and OpenAI’s Trust Access for Cyber, an initiative launched by the AI vendor in February as an “identity and trust-based framework designed to help ensure enhanced cyber capabilities are being placed in the right hands. This reflects our broader approach to responsibly deploying highly capable models.”

It follows what other vendors, including Microsoft and Google Cloud, are doing to improve security capabilities through the work they’ve done with Project Glasswing and other initiatives.

Leveraging Agents

Project Lightwell also will use new agentic security methods developed by IBM, along with the open source capabilities developed by both Big Blue and Red Hat. IBM uses more than 62,000 open source packages and has expertise in more than 10,000, and Red Hat – which IBM owns – is a key player in the open source space. Between the two, they have deep experience in such open source technologies as Linux, Java, Kubernetes, Terraform, and Ansible.

Through the new project, the vendors are extending their capabilities in the application field, including independent libraries, language toolchains, AI frameworks, and data streaming platforms, officials said.

IBM and Red Hat already are working with a number of Lightwell early adopters from the financial services world, including Bank of America, JPMorgan Chase, Citi, Goldman Sachs, Mastercard and Visa.
