Seville, Spain
Seville, Spain
+(34) 624 816 969
Open source software (OSS) is the digital backbone of the modern enterprise. Over 90% of Fortune 500 companies rely on it, according to a Worldmetric study cited by IBM. However, its very open nature makes it an attractive target for cyberattacks, especially now that artificial intelligence accelerates the time between vulnerability discovery and exploitation. To address this threat, three tech giants — IBM, its subsidiary Red Hat, and Palo Alto Networks — have joined forces in an initiative that promises to change the rules of the game in open source security.

Table of contents [Show]
Announced in May 2024, Project Lightwell is the flagship project of IBM and Red Hat, with a $5 billion investment. Its goal is to create what IBM calls "an enterprise trust center combined with a global force of engineers to identify and fix vulnerabilities at scale." This center will act as a security coordination layer, using advanced AI capabilities to validate and test solutions across an unprecedented volume of open source code. Solutions will be offered through commercial subscriptions, allowing companies to integrate secure patches directly into their software supply chains, with enterprise-level validation and lifecycle management.
The alliance with Palo Alto Networks adds a key piece: Prisma's network-based virtual patching technology, its cloud security platform. This combination enables network-level protections to be deployed on the same day a vulnerability is discovered, even before an official patch exists. As Nikesh Arora, CEO of Palo Alto Networks, notes: "AI has compressed the time between vulnerability discovery and exploitation from weeks to minutes. Traditional patching can't keep up."
The collaboration between IBM, Red Hat, and Palo Alto Networks is structured around three fundamental pillars:

Project Lightwell already has top-tier early adopters: Bank of America, BNY, Citi, Goldman Sachs, JPMorgan Chase, Mastercard, Morgan Stanley, RBC, State Street, Visa, and Wells Fargo. These institutions not only validate the proposal but also contribute anonymized telemetry on real-world exploitation attempts, accelerating the development of protections. Additionally, the companies plan to establish secure processes for sharing vulnerability information among software vendors, technology providers, and security teams.
This collaboration is not the first between IBM and Palo Alto Networks. Both companies maintain a long-standing relationship integrating enterprise-class security and networking. Recently, they launched Quantum-Safe Readiness, a service to identify cryptographic exposure and risks related to quantum computing. Also, in early 2024, they combined efforts to help companies discover, assess, and prioritize security and compliance risks in cloud AI deployments.
For security teams and system administrators, this alliance represents a paradigm shift. It's no longer just about patching, but about anticipating. The combination of virtual patching with vulnerability intelligence enables proactive defense, essential when attackers use AI to automate exploits. As we saw in the article about Godot and AI agents, software quality and mentorship are key, but here a layer of defensive automation is added.
For companies that rely on open source, this initiative reduces the risk of zero-days and accelerates remediation. Moreover, by integrating with existing software supply chains, it facilitates frictionless adoption. In a context where SAP is betting everything on AI and Microsoft invests $2.5 billion to fix errors, open source security becomes a strategic pillar.

The IBM-Red Hat-Palo Alto Networks alliance is not just a response to current threats, but a platform for the future. By sharing intelligence and automating protections, an ecosystem is created where defenders regain the advantage. As Arora says, "We are giving the advantage back to defenders." For IT professionals, this means fewer sleepless nights patching servers and more time to innovate. And for businesses, a tangible reduction in cyber risk in a world where open source is increasingly the heart of technology.
Original source: ComputerWorld. Analysis and adaptation by ForgeNEX.