Deloitte, IBM and Red Hat have announced a collaboration to help protect the software supply chain against increasingly automated cyber threats.

Deloitte joins the initiative as an integration collaborator for Lightwell, bringing its broader secured software supply chain architecture and cyber risk services to the large-scale enterprise open source security model deployed by IBM and Red Hat.

Most organisations rely on a mix of first-party code, open source software, and third-party commercial software. Because a single business application can include all three, an unpatched vulnerability can introduce immediate risk across the entire corporate estate. Frontier AI models have accelerated this risk and can enable adversaries to discover and exploit zero-day flaws in minutes.

Lightwell aims to help address this operational pressure by decoupling open source software security remediation from the traditional software upgrade cycle. The initiative combines an enterprise open source security model with an active engineering force. Supported by IBM and Red Hat, Lightwell coordinates upstream threat disclosures with independent maintainers while developing, testing, and backporting patches directly to the pinned software versions running in production environments. Lightwell delivers validated patches to those specific, in-use software versions, protecting critical systems without forcing disruptive upgrades.

Through this collaboration, the three organisations will coordinate across the software lifecycle to help clients manage security threats:

  • Continuous visibility and discovery: Continuously mapping and scanning first-party, open source, and third-party software to identify exactly what code exists, where it runs, and which critical business functions it supports.
  • Contextual prioritisation: Separating active threats from noise by analysing severity, exposure, threat-chaining, and exploitability to inform operational decisions.
  • Machine-speed remediation: Combining Red Hat and IBM’s automated patch validation with Deloitte’s orchestration services to rapidly coordinate, test, and deploy validated fixes into production repositories, limiting disruption. To achieve this, Deloitte will maintain a bench of Forward Deployed Engineers (FDEs) to support ongoing remediation and maintenance of client applications.
  • Ecosystem trust and compliance: Through the collaboration, the organisations will help enterprises manage upstream open source and vendor relationships, including pre-disclosure vulnerability handovers, while delivering continuous, evidence-based reporting for boards, auditors, and regulators.

“Exploits don’t wait for manual patching processes, and neither can enterprise response,” says Adnan Amjad, Deloitte’s US cyber leader. “Together, we’re enabling clients to operate at machine speed to identify, validate, and remediate vulnerabilities. This collaboration is about building the operational resilience needed to maintain trust across increasingly complex software ecosystems — creating systems that can withstand and neutralise risk without disrupting the business.”

Savio Rodrigues, vice-president: service partners at IBM, comments: “Lightwell was created to address the growing challenge of securing open source software in an AI-driven threat landscape. It brings together the engineering, automation, and ecosystem partnerships needed to tackle this risk at scale. We’re excited to collaborate with Deloitte and leverage their capabilities in cyber risk management to extend this model to more organisations.”

Kevin Kennedy, vice-president: global partner ecosystem at Red Hat, adds: “Open source drives innovation, but the volume of AI-generated threats requires engineering capacity that matches the speed of the attacker. Our work with Deloitte will bring the remediation capabilities we developed with IBM with Lightwell directly to enterprise application environments. Together we will isolate, patch, and deliver the fixes, supporting the open source ecosystem while protecting the specific versions our customers depend on.”

As the pace of vulnerability discovery increases, organisations are looking for solutions that help reduce exposure while improving accountability across the software lifecycle. This collaboration aims to help clients do exactly that — transform software supply chain security from a fragmented, reactive process into a coordinated, evidence-based operating model.