IBM expands Project Lightwell as AI changes software security

IBM, Red Hat and Palo Alto Networks expanded Project Lightwell, a cybersecurity initiative designed to help organizations respond more quickly to software vulnerabilities.

The move comes as advances in artificial intelligence allow security flaws to be identified faster and at greater scale, according to the companies. IBM, Red Hat and Palo Alto Networks said AI-driven threats can uncover security gaps across software codebases faster than defenders can patch them, increasing the risk that attackers will exploit newly discovered vulnerabilities.

“AI has compressed the window between vulnerability discovery and exploit from weeks to minutes,” Nikesh Arora, CEO and Chairman of Palo Alto Networks, said in a statement announcing the collaboration. “Traditional patching cannot keep pace.”

The collaboration combines vulnerability discovery, virtual patching and software remediation to help organizations reduce the time between vulnerability discovery and protection.

Security teams have long relied on software updates to address newly discovered vulnerabilities. Deploying those fixes across large organizations can take time, leaving systems exposed while remediation efforts are underway.

Project Lightwell aims to help narrow that gap. The expanded collaboration integrates Palo Alto Networks’ virtual patching technology with Project Lightwell from IBM and Red Hat. Virtual patching blocks exploit attempts at the network level while organizations work on permanent software fixes.

The companies described the approach as a “shield-and-fix” workflow. Palo Alto Networks can deploy network-level protections designed to stop attacks, while Project Lightwell provides software remediation that customers can test and deploy in their own environments. The collaboration also works to provide protection before official software patches become available, helping organizations reduce exposure while remediation is underway.

According to the companies, the initiative supports open-source software, commercial applications, operational technology systems and connected devices. IBM Security Services can also help customers identify which vulnerabilities pose the greatest risk to their business and determine how best to deploy protections and fixes across complex environments.

Using AI to find vulnerabilities

The announcement comes shortly after IBM joined OpenAI’s Daybreak Cyber Partner Program and launched a new application security service that uses advanced AI models to identify and validate software vulnerabilities.

As part of that effort, IBM launched a service that uses OpenAI models to analyze software code, identify vulnerabilities and determine whether attackers could exploit them. The service operates inside what IBM calls a “security harness,” a controlled environment designed to apply advanced AI capabilities while maintaining enterprise security controls.

Speaking on IBM’s Security Intelligence podcast, Jayesh Kamat, Global Competency Leader for Application Security at IBM said the technology goes beyond traditional code scanning by analyzing how vulnerabilities interact across applications.

“We use them to scan application code for clients and have the models think about what vulnerabilities they could find in that code,” Kamat said, “Not just vulnerabilities, but also chained vulnerabilities across pieces of code.”

Kamat explained the technology can do more than identify vulnerabilities by examining how flaws interact across an application.

“We also have the capability in the harness where the AI models can go and prove that those vulnerabilities can be exploited,” Kamat said on the podcast.

Would your team catch the next zero-day in time?

Join security leaders who rely on the Think Newsletter for curated news on AI, cybersecurity, data and automation. Learn fast from expert tutorials and explainers—delivered directly to your inbox twice weekly. See the IBM Privacy Statement.

Learn more about AI-driven automation for modern application resilience in this IDC Spotlight paper.