Follow ZDNET: Add us as a preferred source on Google.
ZDNET's key takeaways
- Lightwell is now a service for open-source AI defense.
- Akrites and Athena are taking similar approaches.
- AI-driven attacks need AI-powered defenders.
For software developers, [AI is both a blessing and a curse.](https://www.zdnet.com/article/ai-curse-and-blessing-to-open-source-software-developers/) On the one hand, AI enables developers to build programs faster than ever. On the other hand, AI enables hackers to find and exploit security holes even faster.
To deal with this, IBM and Red Hat launched Project Lightwell.
Backed by a $5 billion, AI-powered initiative, Lightwell's job is to find and fix vulnerabilities in open-source software at an industrial scale. Now, it's moved from a project to products: Lightwell Network and Lightwell Clearinghouse Premier.
**Also: **Open-source security is a mess - IBM and Red Hat bet $5 billion and 20,000 engineers can fix it
Lightwell Network is generally available, while Lightwell Clearinghouse Premier is entering a limited-availability onboarding phase. According to the companies, "Lightwell now extends that proven enterprise protection to an organization's entire software portfolio." Both services provide a way to secure open-source components for enterprises, not just those that ship inside Red Hat and IBM products.
Turbo-charged open-source security
Both companies emphasize that this is not so much a new approach as a supercharged open-source mega-project backed by AI and 20,000 engineers. It's "a model built on decades of trust, in which Red Hat has secured the most critical systems in the world for thousands of customers," and scaling it to cover a much broader slice of the software stack.
At the heart of the offering is what the pair describes as "the high-throughput capability of a generative AI-powered remediation engine that is already live and operating at scale." This automation pipeline "combines frontier AI models with human engineering expertise to identify, validate, and remediate vulnerabilities across critical dependencies embedded deep within modern software architectures."
**Also: **IBM says it can fit nearly 100 billion transistors on a chip - why the milestone matters
Rather than insisting customers constantly chase upstream releases, Lightwell "uses automation to backport critical fixes directly to exact, long-lived production software versions, helping to address the lengthy regression testing and breaking changes that often paralyze teams forced to adopt major upstream upgrades."
The first new product, Lightwell Network, provides "immediate access to an active and growing library of content spanning latest to legacy libraries with high-value remediations." Members receive "a continuous stream of digitally signed binaries, source code, and comprehensive compliance artifacts, including complete Software Bills of Materials (SBOMs), delivered directly into existing pipelines without code drift."
The second, Lightwell Clearinghouse Premier, is "designed to serve as a trusted intermediary for deep industry collaboration, advanced vertical threat coordination, and secured patch embargoes."
Initially, Lightwell Clearinghouse Premier will be limited to financial services. Participating organizations can submit vulnerabilities and request "targeted version remediation under a secured embargo window." If successful, it will be expanded into government, healthcare, and telecommunications.
How Lightwell changes the patching equation
IBM and Red Hat are explicit that the target is what they describe as a broken remediation model in the age of cheap AI-driven exploitation. With open source "running enterprise software," they argue, "massive volume and 50-dollar AI-generated exploits have broken traditional patch management." Lightwell, the vendors claim, is designed to mitigate this unmapped risk and neutralize execution bottlenecks by evaluating application context and dependency interactions to deliver validated fixes directly into active workflows.
As Matt Hicks, Red Hat's president and CEO, said, "Lightwell represents a fundamental structural shift in how we secure all enterprise software. By pairing automated remediation with our deep engineering heritage, we aim to deliver the trusted infrastructure required to consume open source reliably, sustainably, and at frontier model speeds."
**Also: **Stuck in AI pilot mode? IBM has a solution to help you scale - without ripping everything up
Rob Thomas, IBM's senior vice president for software and chief commercial officer, underscores the "we'll do the hard work for you" angle. "IBM and Red Hat are giving enterprises certified fixes they can pull straight into the systems they already run, with no retooling or disruption, backed by a growing network of technology and delivery partners," he said.
Lightwell also leans heavily on Red Hat's "upstream-always" model. According to the announcement, "security fixes are actively submitted back to the originating open-source community for review and acceptance," which is meant to ensure "commercial protections and community health continually reinforce one another, preventing project fragmentation without risking in-production zero days."
That sounds good, but IBM and Red Hat aren't the only ones seeking to use AI to defend open-source code against AI-driven attackers.
Where Akrites fits
Lightwell doesn't exist in a vacuum. The Linux Foundation, together with industry partners, recently launched Akrites to defend critical open-source software against AI-enabled threats. Akrites mitigates open-source software supply chain risks by hardening critical open-source projects. It does this by creating a common framework for how maintainers and consumers coordinate on serious vulnerabilities.
While Lightwell is a commercial service, Akrites is a foundation-governed effort that focuses on process and coordination for the projects themselves. Its goal is to give maintainers and critical-infrastructure users a confidential, structured way to handle AI-discovered flaws, standardizing vulnerability remediation and disclosure rather than delivering enterprise-specific, backported patches. **Also: **Red Hat Desktop vs. Fedora Hummingbird: Which AI development Linux path is right for you?
Those lines are already blurring. In the Lightwell announcement, Microsoft's VP of independent software vendor (ISV) Partner Development, Sandy Gupta, points directly at that intersection: "Speed in delivering patches to customers is critical. We're already working together with IBM and Red Hat as part of the Linux Foundation's Akrites effort and now extending that collaboration to Lightwell to ensure critical fixes reach customers as quickly as possible using the fastest delivery mechanisms and tools."
In practice, Akrites aims to shape how critical open-source projects handle vulnerabilities in an AI-accelerated world, while Lightwell offers enterprises a way to consume those fixes and IBM/Red Hat-engineered backports under contract.
Where Chainguard's Athena fits
Chainguard's Athena coalition occupies yet another corner of this fast-moving security race. Athena is an industry coalition protecting open-source software from AI attacks. It's built for the frontier-model era, where AI systems can find serious flaws faster than anyone can patch them.
Like Lightwell, Athena is framed as a kind of AI-powered clearinghouse, but instead of a single vendor's service, it pools vulnerability findings and remediation work from "over two dozen organizations," including banks and major infrastructure providers, as well as developers.
Athena is already publishing early metrics. According to Chainguard, "Athena is operational today. It processed 40,000+ findings and generated 2,000+ patches across 500+ open source projects. The coalition uses AI to find and fix vulnerabilities in widely-used open-source software before attackers can exploit them." Its focus is on libraries, containers, and other components that underpin critical systems.
**Also: **How digitally sovereign is your organization? This Red Hat tool can tell you in minutes
As Chainguard founder and CEO Dan Lorenc explained, "Athena provides a place for organizations to find → fix → shield → surface → disclose vulnerabilities that frontier AI models are discovering. Findings come from across the coalition. We build fixes under embargo. Partners stack non-patch protection around them. We surface exposures that would otherwise stay invisible. And then durable fixes get driven home to the upstream maintainers who can make them permanent."
In contrast to Lightwell's emphasis on shipping enterprise-ready backports into customer pipelines, Athena's workflow starts with pooled AI findings that are "deduplicated, triaged, and enriched in a shared clearinghouse," after which coalition members collaborate on patches and mitigations before vulnerabilities are public.
When a clean patch is not yet available, "Athena layers independent protections so that coverage remains even in the absence of a timely patch, and continues to monitor every flaw until a robust upstream solution is established." Those fixes are then intended to flow upstream and into Chainguard's own secure-by-default artifacts, including minimal, SLSA-compliant images and packages.
Three models for AI-era open source defense
Taken together, Lightwell, Akrites, and Athena sketch out three different and increasingly overlapping responses to the same underlying problem: Cheap, fast AI tooling that can discover and weaponize flaws in the open-source commons faster than traditional patch pipelines can keep up with.
**Also: **IBM says it can fit nearly 100 billion transistors on a chip - why the milestone matters
Akrites focuses on governance and process for critical projects, trying to standardize how maintainers and key users handle AI-driven vulnerabilities and embargoed patches. Athena wraps AI-accelerated vulnerability research in a cross-industry coalition that shares findings, coordinates pre-disclosure remediation, and pushes fixes upstream while also feeding them into hardened supply-chain artifacts. Lightwell, by contrast, is aimed squarely at enterprises that want no fuss or muss, just certified fixes they can pull straight into the systems they already run, with no retooling or disruption.
For the immediate future, we're going to need all of them and more besides. AI is transforming both open-source software and security. Until we've worked out a path forward to truly secure our code, we'll need to try all of these approaches and see which ones will work best to protect us and our programs.