IBM joins OpenAI cyber programme with app security tool

IBM has joined OpenAI's Daybreak Cyber Partner Program, linking IBM's security business with OpenAI's cyber-focused artificial intelligence work.

IBM has also introduced an application security service that uses OpenAI models to identify and validate software vulnerabilities. Designed for enterprise security operations, it analyses application code to find likely flaws and exploitable paths.

The offering builds on Project Lightwell, IBM's broader effort around software supply chain security. The initiative combines a security clearinghouse with engineering teams that patch, validate and manage open-source code, backed by a USD $5 billion commitment from IBM and Red Hat.

The new service is delivered through IBM Consulting Advantage, IBM's internal AI platform for consulting work. It connects a client's application environment to AI tools under controlled, governed conditions, operating inside the client's own environment with read-only access to code repositories and bounded execution.

Clients can begin with targeted reviews of important applications and then expand to continuous monitoring as code changes and threat patterns shift. The approach goes beyond conventional code scanning by combining code analysis with validation of whether a vulnerability is likely to be exploitable.

Security push

The announcement places IBM among the companies working with OpenAI on defensive cyber uses for frontier AI models. The focus is on adapting tools that can process large volumes of code and security data for internal enterprise workflows, as security teams face pressure to respond more quickly to threats that can spread at automated speed.

Mark Hughes, Global Managing Partner, Cybersecurity Services, IBM Consulting, framed the issue as a question of balance between attackers and defenders.

"Attackers are already using AI to probe, exploit, and scale threats at machine speed. Defenders need the same advantage, with the security and control enterprises require," said Mark Hughes, Global Managing Partner, Cybersecurity Services, IBM Consulting.

He said the programme would also expand IBM's own service capabilities.

"The OpenAI Daybreak Cyber Partner Program expands our access to a broader set of advanced AI capabilities, which we deploy within our clients' environments to help surface the most relevant risks faster and help them act with confidence," Hughes said.

OpenAI said the programme is intended to support defensive security work across companies, public bodies and other organisations. Its Chief Information Security Officer cast the effort as part of a broader push to make advanced AI usable in environments that require clear controls and compliance measures.

"Security is central to realizing the benefits of advanced AI," said Dane Stuckey, Chief Information Security Officer at OpenAI.

"Through the OpenAI Daybreak Cyber Partner Program, we are collaborating with AI pioneers like IBM to use frontier models to accelerate defensive security workflows and support enterprises, governments, and other organizations as they identify risks, strengthen resilience, improve security, and ultimately deploy AI with the trust, controls, and compliance their environments require," Stuckey said.

Wider context

The partnership reflects a growing effort by major technology groups and security providers to apply generative AI to software assurance and threat detection. For corporate users, one of the main attractions is the prospect of automating parts of vulnerability triage, code review and exposure analysis that are labour-intensive when handled manually.

At the same time, cybersecurity teams are increasingly concerned that the same tools can help attackers test code, probe systems and scale campaigns more quickly than before. That has pushed large vendors to focus on defensive use cases that can be deployed within customer environments rather than through open consumer tools.

IBM said its service operates with restrictions intended to limit how the AI interacts with client systems. The analyses are applied with read-only access to repositories and within bounded execution rules, giving organisations a way to test AI-assisted security analysis without opening direct write access to production code.

IBM also linked the programme to its broader role in setting safeguards for enterprise AI deployment. In that context, the work with OpenAI and other partners extends beyond a single product launch into standards for controlled analysis inside business systems.

For IBM, the announcement adds another cybersecurity service to a consulting-led business that already serves regulated sectors such as finance, telecommunications and healthcare. For OpenAI, it marks another step in embedding its models in specialist enterprise applications where customers want tighter oversight of how AI is used and what data it can access.

The new application security service is now available.