Security patches rarely move as fast as the exploits chasing them — and IBM, Red Hat and Deloitte say that gap is exactly what they are trying to close. The three companies have announced a collaboration around Lightwell, an initiative built to push validated fixes to the precise open source software versions running in production, without forcing the disruptive upgrades that usually come bundled with them.
Backed by IBM and Red Hat, Lightwell decouples open source remediation from the traditional upgrade cycle. Rather than telling an enterprise to jump to the newest release just to escape a vulnerability, it coordinates with upstream maintainers to develop, test and backport patches directly to the “pinned” versions companies already run. Deloitte is joining as an integration collaborator, folding in its secured software supply chain architecture and cyber risk services.
The timing is the whole point. Most business applications are a blend of first-party code, open source components and third-party commercial software, so a single unpatched flaw can ripple across an entire corporate estate. The partners argue that frontier AI models have made this worse, handing attackers the ability to find and exploit zero-day bugs in minutes rather than weeks.
Patching at machine speed
The companies describe a lifecycle approach rather than a single product: continuously mapping first-party, open source and third-party code to see what is running where; separating genuine threats from noise by weighing severity, exposure and exploitability instead of chasing every CVE; and combining IBM and Red Hat’s automated patch validation with Deloitte’s orchestration to test and ship fixes into production repositories. Deloitte says it will keep a bench of “Forward Deployed Engineers” on hand for ongoing remediation.
“Exploits don’t wait for manual patching processes, and neither can enterprise response,” said Adnan Amjad, Deloitte’s US Cyber leader, framing the effort as a way for clients to “operate at machine speed to identify, validate, and remediate vulnerabilities.”
IBM’s Savio Rodrigues, vice president of service partners, said Lightwell “was created to address the growing challenge of securing open source software in an AI-driven threat landscape,” while Red Hat’s Kevin Kennedy pitched the collaboration as bringing remediation “directly to enterprise application environments.”
It is worth keeping expectations grounded. This is a partnership announcement, not a shipping product with public benchmarks, and its success hinges on how reliably backported patches hold up in the wild and how willingly upstream maintainers cooperate on pre-disclosure handovers. Handing an outside engineering bench access to production repositories is also a trust exercise many security teams will scrutinize. Still, as AI accelerates both the discovery and the weaponization of vulnerabilities, the pitch — fix what you actually run, and fast — is one enterprises will want to hear more about.
