Red Hat, IBM & Deloitte launch Lightwell security pact

Tue, 30th Jun 2026
Sofiah Nichole Salivio, News Editor

Red Hat, IBM and Deloitte have announced a collaboration on Project Lightwell, an initiative focused on open source software security in corporate supply chains.

Deloitte will join Lightwell as an integration partner, adding cyber risk services and software supply chain expertise to a model designed to patch vulnerabilities at scale. The arrangement is intended to help organisations identify vulnerable code, prioritise threats and deploy validated fixes without waiting for full software upgrades.

Lightwell addresses a problem facing large organisations that rely on a mix of in-house software, open source components and third-party commercial products. A flaw in one part of that stack can spread risk across multiple applications and business functions, particularly when software versions are pinned to older releases that companies are reluctant to change quickly.

According to IBM and Red Hat, the project coordinates vulnerability disclosures with independent maintainers, then develops, tests and backports patches to the software versions running in production. That approach is intended to help companies protect systems already in use while avoiding broader, potentially disruptive upgrade cycles.

The collaboration gives Deloitte a role across the software lifecycle, including mapping software assets, assessing exposure and helping move fixes into production systems. The professional services firm said it will maintain a bench of Forward Deployed Engineers to support remediation and application maintenance for clients.

Rising pressure

The announcement comes as companies face a growing volume of software vulnerabilities and a faster pace of exploitation. The three companies pointed to the rise of AI-assisted attacks, which can shorten the time between the discovery of a flaw and attempts to exploit it.

That has made software supply chain security more pressing for regulated industries and other large enterprises, where changes to production systems often require lengthy testing and governance. By separating remediation from the broader upgrade process, the partners aim to address a common bottleneck in corporate security operations.

The plan covers four main areas: continuous discovery of first-party, open source and third-party software; contextual analysis to distinguish urgent threats from lower-priority issues; remediation through coordinated testing and deployment; and reporting for boards, auditors and regulators.

It also emphasises managing relationships with upstream open source communities and software vendors. That includes pre-disclosure vulnerability handovers and evidence-based reporting intended to improve accountability across the software lifecycle.

Deloitte said the effort builds on its existing work with IBM on cybersecurity, resilience and digital trust, as well as a long-standing alliance with Red Hat focused on open source technologies and IT automation. The new collaboration brings those strands together in a more targeted security programme for open source software maintenance.

Adnan Amjad outlined Deloitte's view of the issue.

"Exploits don't wait for manual patching processes, and neither can enterprise response. Together, we're enabling clients to operate at machine speed to identify, validate and remediate vulnerabilities. This collaboration is about building the operational resilience needed to maintain trust across increasingly complex software ecosystems, creating systems that can withstand and neutralise risk without disrupting the business," said Adnan Amjad, US Cyber Leader, Deloitte.

IBM said Lightwell was created in response to the growing difficulty of securing open source software as the threat environment changes. It described the Deloitte tie-up as a way to extend an existing engineering and automation model to a wider set of organisations.

"Lightwell was created to address the growing challenge of securing open source software in an AI-driven threat landscape. It brings together the engineering, automation and ecosystem partnerships needed to tackle this risk at scale. We're excited to collaborate with Deloitte and leverage its capabilities in cyber risk management to extend this model to more organisations," said Rodrigues.

Red Hat said the collaboration is intended to bring patching work directly into enterprise application environments, with an emphasis on the versions customers are already running rather than requiring immediate migrations to newer releases.

"Open source drives innovation, but the volume of AI-generated threats requires engineering capacity that matches the speed of the attacker. Our work with Deloitte will bring the remediation capabilities we developed with IBM through Lightwell directly to enterprise application environments. Together we will isolate, patch and deliver the fixes, supporting the open source ecosystem while protecting the specific versions our customers depend on," said Kennedy.