IBM and Red Hat are investing $5BN in securing open-source software as they look to help enterprises confront the new generation of AI-driven cyber threats that could directly affect customer experience and trust.
The initiative, called Project Lightwell, follows Anthropic’s recent warnings about its Claude Mythos AI model, which the company says has identified nearly 3,900 high- or critical-severity vulnerabilities in open-source software.
Anthropic’s Project Glasswing is exploring Mythos’s ability to autonomously identify and exploit software vulnerabilities, and how advanced AI systems could transform offensive security, particularly through automated vulnerability discovery at a scale previously out of reach for human researchers. Its findings have intensified warnings across the technology sector that enterprises are not prepared for how quickly frontier AI systems could accelerate vulnerability discovery and exploitation.
IBM and Red Hat’s initiative incorporates learnings from Project Glasswing as well as OpenAI’s Trusted Access for Cyber.
AI’s Threat to Enterprise Infrastructure Based on Open-Source Software
Open-source software supports the digital infrastructure behind customer-facing banking apps, retail platforms, cloud services, AI assistants, contact centers and digital identity systems. More than 90 percent of Fortune 500 companies rely on open-source software, according to IBM, making supply chain security increasingly intertwined with customer trust and business continuity.
A major vulnerability affecting widely used open-source components could quickly cascade into outages, fraud exposure, degraded customer journeys or large-scale trust failures.
IBM and Red Hat said Project Lightwell is designed to create a “trusted enterprise clearinghouse backed by new frontier AI capabilities” that helps organizations identify and fix vulnerabilities in open-source software before they disrupt enterprise operations and customer services. The announcement stated:
“The clearinghouse will serve as a security coordination layer, using advanced AI capabilities to validate and test fixes across an unprecedented volume of open source code.”
At a time when many technology firms are using AI to reduce their engineering headcount, the companies said they will deploy a team of more than 20,000 engineers, “positioning technical engineering capacity as a premium strategic asset and a source of market differentiation.”
The clearinghouse model will allow enterprises with commercial subscriptions to report vulnerabilities, receive validated production-ready patches and coordinate responsible disclosure with upstream open-source communities, enabling them to integrate vetted patches directly into their software supply chains.
Project Lightwell’s engineering teams will focus on upstream maintenance, AI-assisted vulnerability triage, secure patch development, dependency hardening, and release engineering across open-source ecosystems.
Arvind Krishna, Chairman and CEO, IBM said:
“With Project Lightwell, IBM and Red Hat are helping define a new industry model, one that brings together AI, engineering expertise, and trusted collaboration, to secure open source software at its source and across the entire supply chain. This is about strengthening trust in the systems that power business, government, and society.”
IBM and Red Hat Turn Open-Source Influence Into an AI Security Strategy
IBM and Red Hat occupy a particularly influential position within enterprise open-source infrastructure. Red Hat’s Linux and Kubernetes platforms are widely used across enterprise cloud and application environments, while IBM maintains extensive involvement across technologies including Kafka, Java, Ansible, Terraform, Cassandra, and AI frameworks that support customer-facing digital services. IBM uses more than 62,000 open-source packages.
The companies said early collaborators on Project Lightwell include Bank of America, BNY, Citi, Goldman Sachs, JPMorganChase, Mastercard, Morgan Stanley, Royal Bank of Canada, State Street, Visa and Wells Fargo, indicating how regulated industries are prioritizing software supply chain resilience as part of their customer trust strategies. The IMF has warned that financial services firms are particularly vulnerable to AI models like Mythos exploiting vulnerabilities.
As AI systems become increasingly capable of defending and attacking software infrastructure, the reliability of the open-source foundations beneath customer experiences may become one of the defining operational challenges for enterprises.