Open source software powers much of the world's critical infrastructure — financial systems, hospitals, government services — and most of it is maintained by volunteers who patch vulnerabilities when they can. IBM and Red Hat launched Project Lightwell in May 2026 with a $5 billion commitment and 20,000 dedicated engineers to change that picture. On June 26, 2026, they announced that Deloitte is joining as an integration collaborator.
What Project Lightwell actually does
Lightwell operates differently from a traditional vulnerability scanner. Rather than simply flagging CVEs and leaving remediation to you, it coordinates upstream disclosures with independent open source maintainers, writes and validates backported patches, and delivers tested fixes directly to the specific, pinned software versions running in customers' production environments — without requiring a full library upgrade.
That last part matters in enterprise environments, where bumping a dependency version is often weeks of regression testing and change approvals. Lightwell sidesteps the problem by meeting software where it already is. The trade-off, familiar from distribution-style backporting, is that a patched build's version string no longer tells you whether it carries the fix, so any scanner that matches on version strings alone will keep flagging it unless it is fed the patch metadata.
The system works in three stages:
- Continuous visibility: Mapping and scanning first-party, open source, and third-party components to track exactly what runs where.
- Contextual prioritization: Scoring findings by severity, exploitability, and whether they chain with other weaknesses, to separate signal from noise.
- Machine-speed remediation: Automated patch validation from Red Hat and IBM, deployed into production repositories with minimal disruption.
Deloitte's role
Deloitte joins as an integration collaborator, bringing its secured software supply chain architecture and cyber risk services. Practically, Deloitte will maintain a bench of Forward Deployed Engineers who work directly inside client environments to support ongoing remediation. IBM and Red Hat handle the engineering at scale; Deloitte handles the organizational integration and coordination.
Palo Alto Networks joined on June 24, adding network-level threat protection that pairs with Lightwell's software remediation: exploitation attempts against an emerging vulnerability can be blocked at the perimeter while a validated patch is prepared and rolled out, two layers of protection running in parallel.
Who's already in
The project counts Bank of America, Citi, Goldman Sachs, JPMorganChase, Mastercard, Morgan Stanley, Royal Bank of Canada, State Street, Visa, and Wells Fargo among its early adopters — a signal that financial services is the immediate target market, where both regulatory obligations and attack-surface exposure are exceptionally high.
With Deloitte and Palo Alto now added to IBM and Red Hat's coalition, Lightwell is starting to look less like a product and more like a new kind of infrastructure for enterprise open source. Whether it can actually keep pace with the attack surface — which grows faster than any single team can patch — is the real question.