For decades, the cadence of enterprise cybersecurity followed the same rhythm: a software flaw is disclosed, defenders get a multi-week window to test and ship a patch, and only then does the bad code become a live target. That schedule is now obsolete. On 24 June 2026, IBM, Red Hat and Palo Alto Networks announced they are pooling their tools into a single workflow designed to operate inside the new, far shorter window.
The trigger, according to Palo Alto Networks CEO Nikesh Arora, is that AI has compressed the gap between a vulnerability's discovery and its active exploitation "from weeks to minutes." His framing, quoted in the joint announcement, is the line the three vendors want enterprise buyers to hear, and it is the lens through which they want the partnership read.
The program they are expanding is Project Lightwell, an IBM and Red Hat initiative that originally launched as a roughly $5 billion push to secure open-source software. The 24 June announcement does not add new headline funding; it brings Palo Alto Networks in as a third partner and folds its network-level blocking technology into a workflow the companies are calling "shield-and-fix."
That workflow has three load-bearing pieces. The first is discovery: finding the vulnerable code in the customer's environment. The second is what the industry calls virtual patching: blocking exploit attempts at the network or runtime layer while a permanent software fix is being tested and rolled out. The third is the remediation step: actually shipping the corrected code, whether to a Linux distribution, a commercial application, an operational technology system, or a connected device. IBM's framing of the expansion is that combining those three steps under one vendor relationship shrinks the operational gap between "we know about the flaw" and "we are protected against it."
The discovery side is where the most interesting secondary reporting sits. Igor's Lab, a German hardware and security trade outlet, has reported that IBM's separate "Daybreak" application security service, built with OpenAI, feeds the AI-augmented vulnerability discovery layer of Lightwell. That linkage is not in the IBM press release; it is the kind of claim that should be cited to the trade outlet that reported it rather than to IBM directly, and it has not been independently confirmed.
The honest read of what the three vendors are selling is exposure management, not exposure elimination. Virtual patching is, by design, a stopgap. It works only as long as the blocking layer is correctly configured for the specific flaw being exploited, and it must be re-evaluated as attackers iterate. A Medium analysis by SOCFortress, labeled opinion rather than primary evidence, frames the move as part of a "new era of structural cybersecurity," a phrase that captures the vendors' pitch that fixing the architecture matters more than chasing individual patches. The critique the partnership announcement does not resolve is older and sharper: even a perfectly coordinated shield-and-fix workflow still leaves a window while permanent fixes propagate, and the wider the enterprise's software estate, the longer that window stays open.
The scope the vendors are now claiming is broad. The 24 June announcement positions Lightwell as covering open-source software, commercial applications, operational technology systems, and connected devices, effectively any software surface a large enterprise might run. Secondary coverage from SC World and Cybersecurity Dive has framed the original initiative around open-source patching at enterprise scale, with Developer-Tech emphasizing the multi-billion-dollar commitment as the marketing anchor.
Whether the partnership actually shrinks the response window in practice is the open question. The vendors have not published mean-time-to-patch benchmarks, and the "weeks to minutes" line is industry framing from one of the three CEOs, not an independently measured result. What is worth watching is whether rival security vendors copy the three-party discovery-plus-blocking-plus-remediation template, and whether enterprise customers buying into Lightwell see a measurable change in the length of the window between disclosure and protection on their own software estates. For now, the partnership is best read as the industry's first major vendor response to the fact that the old patching clock no longer matches the new attack clock, and as an explicit acknowledgment that defenders need to buy time while the longer fix is still in the pipeline.