IBM, Red Hat And Deloitte Put Lightwell On Regulated Open-Source Patch Work
Deloitte is joining IBM and Red Hat’s Lightwell initiative to map open-source components, validate patches and support regulated software supply chains, backed by IBM and Red Hat’s $5 billion commitment.

Deloitte Joins IBM And Red Hat’s Lightwell Work
Deloitte is joining IBM and Red Hat’s Lightwell initiative, adding consulting and forward-deployed engineering support to an open-source security program aimed at regulated software supply chains.
IBM and Red Hat launched Lightwell in May with a $5 billion initial commitment and 20,000 engineers assigned to the effort.
The program is designed to help enterprises detect and patch vulnerabilities in the open-source projects that sit inside their software.
Deloitte’s role is operational.
The company will work with IBM to help joint customers map the open-source components their developers use, then keep that inventory current as software changes.
The purpose is to reduce the risk that a company misses a vulnerable module inside an application.
The partnership gives Lightwell a services layer.
IBM and Red Hat provide automated patch validation, while Deloitte manages patch installation and checks whether the fixes work in customer environments.
Regulated Software Supply Chains Are The Target
IBM, Red Hat and Deloitte said the partnership will focus on regulated software supply chains.
That points the work toward organizations where software security must also satisfy sector-specific cybersecurity rules.
Deloitte brings a large cybersecurity services business to the partnership.
SiliconANGLE reported that Deloitte had $70.5 billion in revenue as of fiscal 2025 and helps enterprises scan infrastructure for vulnerabilities, detect breaches and handle related security tasks.
The consulting firm gives IBM and Red Hat access to teams that already work with enterprise security programs.
Regulated customers have to fit open-source remediation into audit, reporting and maintenance processes, not only developer workflows.
The companies also plan to support breach reporting to regulators.
They will notify open-source maintainers about vulnerabilities before public disclosure, giving project teams time to prepare patches before attackers learn the details.
The patch process is not always simple.
A security update may require the latest version of a project or extensive configuration changes.
Lightwell is being framed as a way to test whether fixes work before they are pushed into regulated enterprise systems.
That division of labor is specific: Deloitte handles installation and effectiveness validation, while IBM and Red Hat supply the automated patch-validation layer.
The companies are trying to turn open-source vulnerability response from a case-by-case engineering scramble into a maintained component inventory and remediation workflow.
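The inventory-and-remediation loop described above, as an added example that is not Lightwell, IBM, Red Hat or Deloitte code: two snapshots of an application's open-source component list are diffed so the inventory stays current as software changes, then each snapshot is checked against a list of advisories with affected version ranges. The component names, versions and advisory ids are all constructed placeholders, the SBOM shape is a simplified CycloneDX-like JSON, and the `[introduced, fixed)` range convention is an assumption of this example rather than something the article specifies.

```python
"""Added example: keep a component inventory current and check it against
advisories. All component names, versions and advisory ids below are
constructed placeholders, not real projects or real vulnerabilities."""
import json

# Constructed inventory of one build (simplified CycloneDX-like shape).
INVENTORY_V1 = json.dumps({"components": [
    {"name": "libexample-http", "version": "2.3.1"},
    {"name": "fastjsonish", "version": "1.9.0"},
    {"name": "oldcrypto-shim", "version": "0.4.2"},
]})

# Constructed inventory of a later build: one upgrade, one removal, one addition.
INVENTORY_V2 = json.dumps({"components": [
    {"name": "libexample-http", "version": "2.4.0"},
    {"name": "fastjsonish", "version": "1.9.0"},
    {"name": "yaml-loader-x", "version": "3.0.1"},
]})

# Constructed advisories. Affected range is [introduced, fixed); fixed=None
# means no patched release exists yet (an assumed convention for this example).
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "name": "libexample-http",
     "introduced": "2.0.0", "fixed": "2.4.0"},
    {"id": "ADV-PLACEHOLDER-002", "name": "yaml-loader-x",
     "introduced": "3.0.0", "fixed": "3.0.2"},
    {"id": "ADV-PLACEHOLDER-003", "name": "oldcrypto-shim",
     "introduced": "0.0.0", "fixed": None},
]


def parse_version(v):
    """Dotted numeric versions only; real SBOM tooling needs a fuller parser."""
    return tuple(int(p) for p in v.split("."))


def load_inventory(sbom_json):
    """Flatten the SBOM into {component name: version}."""
    data = json.loads(sbom_json)
    return {c["name"]: c["version"] for c in data["components"]}


def diff_inventory(old, new):
    """Show what moved between two builds so the inventory is reviewed, not rebuilt."""
    added = {n: v for n, v in new.items() if n not in old}
    removed = {n: v for n, v in old.items() if n not in new}
    changed = {n: (old[n], new[n]) for n in old if n in new and old[n] != new[n]}
    return added, removed, changed


def is_affected(version, advisory):
    """True when version falls inside the advisory's [introduced, fixed) range."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    if advisory["fixed"] is None:
        return True
    return v < parse_version(advisory["fixed"])


def find_vulnerable(inventory, advisories):
    """Return sorted (name, version, advisory id, fixed version) for every hit."""
    hits = []
    for adv in advisories:
        ver = inventory.get(adv["name"])
        if ver is not None and is_affected(ver, adv):
            hits.append((adv["name"], ver, adv["id"], adv["fixed"]))
    return sorted(hits)


def remediation_plan(inventory, advisories):
    """Map each hit to an action: an upgrade target, or a note that no fix exists."""
    plan = {}
    for name, ver, adv_id, fixed in find_vulnerable(inventory, advisories):
        if fixed:
            plan[name] = f"{adv_id}: upgrade {ver} -> {fixed}"
        else:
            plan[name] = f"{adv_id}: no fixed release; track maintainer"
    return plan


if __name__ == "__main__":
    v1, v2 = load_inventory(INVENTORY_V1), load_inventory(INVENTORY_V2)
    print("inventory diff:", diff_inventory(v1, v2))
    print("build 1 plan:", remediation_plan(v1, ADVISORIES))
    print("build 2 plan:", remediation_plan(v2, ADVISORIES))
```

Running the second snapshot through the same check shows why the inventory has to be kept current rather than scanned once: the upgrade of one component clears its advisory, but the newly added component introduces a different one, and the component with no fixed release only disappears from the plan because it was removed from the build.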
Forward-Deployed Engineers Add Customer-Site Support
Deloitte will assign forward-deployed engineers to support the effort.
These developers work at client organizations and will help with vulnerability remediation and ongoing software maintenance.
Their presence also gives customers a named team for follow-up maintenance after a patch is applied.
Savio Rodrigues, IBM’s vice president of service partners, said Lightwell was created to address open-source software security in an AI-driven threat landscape.
He said the effort combines engineering, automation and ecosystem partnerships to tackle the risk at scale.
The commercial proof now depends on adoption inside regulated enterprises.
IBM, Red Hat and Deloitte have described the Lightwell structure, commitment and engineering model, but they have not disclosed named customers, remediation volumes or measured patch-time reductions.