Raleigh’s Red Hat, IBM have a $5B plan to defend the software we use every day

An aerial view of the Red Hat building in downtown Raleigh Thursday, Feb. 16, 2023. tlong@newsobserver.com
Key Takeaways

AI-generated summary reviewed by our newsroom.

  • Anthropic prevented a full Claude Mythos release and previewed it to select partners.
  • Experts say AI tools have reduced vulnerability exposure windows from months to minutes.
  • Raleigh’s Red Hat and its open source legacy will shape AI-driven cybersecurity battles.

In April, the artificial intelligence company Anthropic warned that its new model, Claude Mythos, was too dangerous to release.

If left in the wrong hands (or fingertips), Anthropic wrote, its platform could exploit software vulnerabilities virtually undetectable to humans. Instead, it previewed Mythos to select partners, including Apple, Amazon, Nvidia and Cisco, so that each could spot and patch their coding gaps ahead of future attackers.

Did Anthropic, which filed to go public last week, benefit from framing Mythos as an almost godlike force? Indeed.

But the age of AI battling AI over cybersecurity is here, sector experts say. No longer can humans recognize a threat and expect a months-long buffer before hackers pounce. “AI tooling has shrunken that window to perhaps minutes,” said Will Dormann, a vulnerability analyst at Maryland-based Tharros Labs.

And thanks to the 30-plus-year history of Raleigh’s Red Hat, which pioneered enterprise open source software, much of this fight will transpire across code that anyone can edit.

“Mythos is really just a synecdoche for the broader fact that these models have now become powerful enough that they are better at finding security problems than humans are,” Gunnar Hellekson, vice president and general manager for the Red Hat Enterprise Linux business, told The News & Observer in a video interview last week. “Now, what you’re seeing is us and a lot of other companies reacting.”

In late May, Red Hat and its parent company IBM announced “Project Lightwell,” a $5 billion initiative to strengthen open source software in the wake of Mythos. Red Hat describes Lightwell as a clearinghouse where customers can confidentially share the internal vulnerabilities they discover with AI.

The project leverages the river-like flow of open source ecosystems. Today, more than 90% of Fortune 500 companies use open source software; most universities, nonprofits and governments do, too. Proponents say it is nimbler, safer and more affordable than proprietary alternatives. Open source software relies on communities of paid and volunteer developers to build, sustain and strengthen its code. Users then pull down and repackage this code.

After getting a Lightwell alert, Red Hat will notify the “upstream” distributors of this at-risk code, who can then fix it to the benefit of all “downstream” users — including whoever first reported the threat. Because these communities trust Red Hat, Hellekson said, any security alerts from the Raleigh company will stand out among the barrage of warnings (some legit, some not) that developers receive.

Red Hat remains top performer for parent IBM

IBM and Red Hat list 11 major financial institutions as initial Project Lightwell adopters, including Bank of America, Morgan Stanley and Wells Fargo. Others say smaller entities will find value from it, too.

“This enables organizations without massive AI investments to get the benefit of proactive component auditing and hardening,” said HD Moore, a network security expert who founded the Texas-based firm runZero.

Moore said Red Hat isn’t alone in this industry, where it faces competition from the Google-funded AI cybersecurity projects Big Sleep and OSS-Fuzz.

Red Hat employees walk back to their Raleigh headquarters after a meeting at the Duke Energy Center for the Performing Arts on Oct. 29, 2018. Travis Long tlong@newsobserver.com

IBM acquired Red Hat for $34 billion in the summer of 2019. In the seven years since, Red Hat has been a top-performing division for its parent, routinely delivering double-digit revenue jumps compared to IBM’s more modest gains. Both Red Hat and IBM are large Triangle employers, with the former headquartered in downtown Raleigh.

But this office won’t have a unique role in Project Lightwell, said Hellekson, who is based in Austin, Texas. IBM has committed roughly 20,000 engineers to this effort, and some may be local, but there’s no particular concentration in the Triangle.

As for the broader security balance, Dormann said it remains to be seen whether AI will tip in favor of software defenders or attackers. “It perhaps should not be surprising if it turns out that one party receives more of an advantage than the other,” he said. “The old saying is, an attacker only needs to find one way into your system. A defender needs to protect against all of the ways.”

Brian Gordon
The News & Observer
Brian Gordon is the Business & Technology reporter for The News & Observer and The Herald-Sun. He writes about jobs, startups and big tech developments unique to the North Carolina Triangle. Brian previously worked as a senior statewide reporter for the USA Today Network. Please contact him via email, phone, or Signal at 919-861-1238.