Business

IBM just answered a $5 billion cybersecurity question

IBM and Red Hat commercially launched Lightwell on July 8, turning a $5 billion pledge into two products that enterprises can actually buy.

Most corporate security promises stay abstract for months before a product ships. This one produced a live catalog, a pricing structure, and a named client list in about ten weeks.

In May, IBM said it would spend $5 billion and deploy more than 20,000 engineers to fix vulnerabilities in open source code, according to Red Hat's original announcement.

IBM chairman Arvind Krishna described the goal as securing open source at its source, a phrase that left the actual product undefined. Investors and customers were left to guess what a $5 billion security pledge would look like in practice.

Now they know. Lightwell Network, the first offering, is generally available today with more than 6,500 remediated and digitally signed software components spanning Java and Python, according to IBM's Newsroom announcement.

The system pairs an AI driven remediation engine with human engineers who validate each fix, then backports the patch into the specific software version a company already has in production instead of forcing a full upgrade.

Companies pull those signed fixes into their existing systems without rewriting code or scheduling disruptive upgrades.

The second piece, Lightwell Clearinghouse Premier, answers the pricing question IBM dodged in May.

Related: IBM's latest Wall Street call hides bigger shift

Rob Thomas, IBM's senior vice president of software, told Reuters in May that the service would likely be sold through subscriptions priced by how many software packages a company uses. That mechanic is now live, and for now it is available only to financial services firms.

That exclusivity is not an accident.

Early participants named in Red Hat's original announcement include Bank of America, JPMorgan Chase, Citi, Goldman Sachs, and Visa, the same institutions that piloted Lightwell before it carried a price tag. IBM is selling first to the customers who helped build the product.

IBM shares closed at $302.05 on July 8, down 1.33% on the day, according to TheStreet data, a muted reaction that suggests the market had already priced in the launch after Bank of America raised its price target to $330 on July 6, as reported by CNBC.

Why banks bought into IBM Lightwell first

Banks face some of the highest compliance costs of any industry when a software vulnerability goes unpatched, which makes them the buyers most willing to pay for certainty.

ARC president and CEO Scott DePasquale said no single institution can keep pace with the growing scale of open source vulnerabilities alone, according to IBM's July announcement. That scarcity of in-house capacity is the entire business case for Lightwell.

IBM is also stacking partnerships around that same financial services base. In June, Palo Alto Networks (PANW) and IBM said they would combine Palo Alto's virtual network patching with Lightwell's software fixes, creating layered protection while a permanent patch is still in testing, according to a Palo Alto Networks press release.

 IBM and Red Hat launched Lightwell on July 8, a $5 billion open source security service priced by subscription and limited at first to banks.
IBM and Red Hat launched Lightwell on July 8, a $5 billion open source security service priced by subscription and limited at first to banks.

MANDEL NGAN / Getty Images

The AI's accuracy has a catch

This is where Lightwell's business model gets tested. IBM has pointed to Anthropic's Project Glasswing initiative to justify the AI driven half of its pitch.

Anthropic disclosed that its Claude Mythos Preview model has scanned more than 1,000 open source projects and flagged 6,202 vulnerabilities it assessed as high or critical severity, according to Anthropic's own research update.

Of the 1,752 flagged vulnerabilities that outside security firms have independently reviewed so far, 90.6% were confirmed as real, and 62.4% were confirmed at high or critical severity, per Anthropic's disclosure.

Extrapolated across the full scan, Anthropic estimates the model is on pace to surface nearly 3,900 genuine high or critical vulnerabilities in open source code alone.

That hit rate is strong, but it also means more than a third of flagged issues do not hold up as critical threats under review, a detail that matters for anyone paying IBM to act on those flags.

More IBM:

The bigger bet behind Lightwell

IBM is not just selling patches. It is testing whether a legacy enterprise vendor can turn a fear, AI accelerated vulnerability discovery outpacing human patching capacity, into a recurring subscription line, the way cybersecurity firms have built businesses around breach detection over the past decade.

Lightwell also arrives with a wide roster of cloud, chip, and infrastructure partners already agreeing to plug their systems into it, according to IBM's July announcement.

That kind of early buy-in matters, because a vulnerability clearinghouse is only as useful as the number of environments it can actually reach.

That bet depends on two things holding steady. The AI needs to keep finding real problems faster than humans could alone, and enterprises need to keep deciding it is cheaper to pay someone else to manage that flood than to build the capacity in-house.

Watch whether Lightwell Clearinghouse Premier reaches healthcare and government on the timeline IBM has promised.

If that expansion slips, it will say more about the difficulty of scaling human verification than about the AI itself.

Related: IBM handed two major wins within 24 hours

The Arena Media Brands, LLC THESTREET is a registered trademark of TheStreet, Inc.

This story was originally published July 9, 2026 at 3:47 PM.

Get unlimited digital access
#ReadLocal

Try 1 month for $1

CLAIM OFFER