Chainguard's new Athena coalition uses AI to fix open-source flaws - before attackers exploit them
As everyone in IT knows, or should know anyway, AI has opened up a new front in attacking open-source code security. Hacking used to require real skill. Now, anyone with a sufficiently advanced AI model can pry open programs and infect them with AI-custom-made malware. The software company Chainguard, which specializes in zero-CVE container images and security-hardened open-source code, is joining with others to beat the attackers to the punch with Athena.
As Chainguard puts it, "The gap between a vulnerability being discovered and being exploited has collapsed from years to hours, and a growing share of exploits are weaponized before the bug is ever publicly disclosed. Coordinated disclosure was built for a world in which finding a serious flaw took weeks, and the targets were few. That world is gone." Chainguard is right. It is.
Something had to be done. As the company's CEO and co-founder, Dan Lorenc, wrote on LinkedIn, we had a "choice between letting open-source security fragment into a dozen rival patch sets nobody can reconcile, or doing the hard, coordinated thing instead. I said it would only work if we built it together, and admitted I had no idea if we actually would. Here's the update: the industry showed up. It's called Athena, and it's live."
Anthony Grieco, Cisco's SVP, chief security and trust officer, agrees. "For decades, Cisco has helped secure the open-source ecosystem. That work now faces new urgency; frontier AI has accelerated the vulnerability discovery cycle beyond what traditional coordinated disclosure was built to handle. Chainguard's Athena Coalition represents an important evolution, the coordination of open-source vulnerability intelligence and defense at the pace these threats demand."
Athena comes with two parts. The first is a coalition of more than two dozen companies that will collaborate to hunt down and remediate flaws in widely used open-source software using cutting-edge AI models. Its supporters are a who's who of finance and enterprise infrastructure companies such as JPMorgan Chase, Cisco, Cloudflare, Docker, Kyndryl, and PwC.
These companies already face stringent regulatory and customer pressure around software supply-chain risk. The coalition gives them a way to pool data, AI capabilities, and remediation work on vulnerabilities that cut across their stacks. The aim is to shift from one-off, project-specific fixes to a coordinated model in which critical AI-identified open-source software flaws can be found and addressed before they appear in attacker playbooks.
Source: ZDNet