IBM and Red Hat have launched Lightwell, a commercial platform designed to automate open source vulnerability remediation at scale, with cybersecurity firm JFrog joining as a launch technology collaborator.
The platform arrives through two offerings: Lightwell Network, now generally available with a launch catalogue of more than 6,500 remediated, digitally signed and certified application-layer dependencies across Java, Python, JavaScript and other major ecosystems; and Lightwell Clearinghouse Premier, entering limited availability as a trusted intermediary for secured patch embargoes, initially restricted to the financial services sector.
Built on a $5 billion open source security commitment
The launch builds on a $5 billion commitment to open source security that IBM and Red Hat announced in May 2026, backed by more than 20,000 engineers overseeing Lightwell’s AI-driven remediation capabilities. The platform combines frontier and open AI models with human engineering expertise to identify, validate and remediate vulnerabilities embedded deep within enterprise software architectures.
The companies cite scale as the core problem Lightwell is built to solve: open source now comprises up to 90% of enterprise codebases and drove 9.8 trillion downloads in 2025, while AI-generated exploits have pushed the average codebase to 581 vulnerabilities, overwhelming traditional patch management.
“Lightwell represents a fundamental structural shift in how we secure all enterprise software. By pairing automated remediation with our deep engineering heritage, we aim to deliver the trusted infrastructure required to consume open source reliably, sustainably, and at AI speeds,” said Matt Hicks, President and CEO, Red Hat.
JFrog extends remediation into enterprise pipelines
JFrog is among a technology bench that includes AWS, AMD, F5, GitLab, Intel, Microsoft, NVIDIA, Palo Alto Networks and ServiceNow. Gal Marder, JFrog’s Chief Strategy Officer, framed the collaboration around what he called an era of “adversarial symmetry” between defenders and attackers.
“Today’s AI models are finding gaps far faster than most organisations can patch them, leaving enterprises highly vulnerable to attack. To survive this unprecedented threat environment, organisations must automate security at a completely different pace and scale. As the definitive system of record and trust layer, JFrog delivers the automated controls needed to ensure real protection keeps pace with AI-accelerated threats,” said Marder.
IBM’s Rob Thomas, Senior Vice President, Software and Chief Commercial Officer, said the platform gives enterprises certified fixes they can pull directly into existing systems without retooling. Deployment and strategy partners including IBM Consulting, Red Hat Consulting, Accenture, Deloitte, Infosys, Kyndryl, TCS and Tech Mahindra are supporting enterprise rollout of the platform.



Share your thoughts