Understanding Vibe Coding: Benefits and Security Risks

Summarize this glossary article with AI:

Ask ChatGPT Ask Grok Ask Perplexity Ask Claude Ask Google AI  

Technology has reached a historical precipice of innovation with the AI era. Today, everything is simplified, automated, and optimized in ways we’ve previously thought impossible. Artificial Intelligence has allowed us to overcome obstacles and expand concepts faster and with more accuracy than ever before. However, every opportunity comes with its own shortcomings.

Today, we’ll be focusing on vibe coding, which is simply a process of writing code using AI. We’ll be breaking down the fundamentals of the practice and how it can be used in real-life situations. Apart from the benefits of vibe coding, we’ll also be exploring the very real security threats that the practice presents, along with how you can combat those risks. First, let’s get a better understanding of what vibe coding means by itself.

What Is Vibe Coding?

Simply put, vibe coding is the practice of writing code with the help of agentic AI. Vibe coders use natural language to have their AI tools build an app. Instead of writing out code directly, simply describe what you want, and the AI will handle the technical aspect. The software development practice is meant to free up time and help programmers prioritize more important elements of their task.

The term “vibe coding” was coined by Andrej Karpathy, an AI researcher, Tesla's former director of AI, and a member of OpenAI's founding team. In 2025, Karpathy posted on X about a new kind of coding in which you “give in to the vibes, embrace exponentials and forget that the code even exists.” While it's gained traction since then, Karpathy described the idea initially as being “not too bad for throwaway weekend projects, but still quite amusing.”

Sourced from X

Today, vibe coding has skyrocketed in popularity and is being used to build applications and write code, even for novices in the industry. Programmers and non-programmers alike have taken an interest in the more passive approach to coding, with tutorials floating around almost everywhere online already. Now, let’s figure out further on what are the differences between vibe coding and traditional programming.

Vibe Coding vs. Traditional Programming

One of the biggest differences between vibe coding and typical programming is naturally the input. Unlike programming, where functions need to be typed out line-by-line in languages like JavaScript, Python or C++, components need to be built, and files need to be managed, vibe coding allows you to have a natural, normal conversation with the AI agent detailing your needs. The AI will then take care of the details, generating, debugging, and refining the code as needed.

Vibe coding generally focuses more on the end result and what you’d like to see as an outcome than on the implementation steps and process. Here’s a quick reference table to understand the main differences between the two coding processes:

According to Sam Dhar, the former engineering leader at Adobe and Amazon Alexa and now leading AI Platform at Galileo AI, real software is a pyramid of decisions, “from tiny UI choices like a button color and shape, to high-level questions like who the app is for and how many users it should handle.” Dhar maintains that vibe coding still needs teams beneath a lead architect, “because not every decision can be spelled out in a single giant prompt to a model.” However, the idea of AI-enabled coding doesn’t sit too well with everyone in the industry.

How Does Vibe Coding Work?

Vibe coding generally follows the same rules as any AI system; simply prompt the AI tool to write a specific code or build a certain app. Rather than relying on traditional programming and coding, the vibe coding practice gives you free rein to demand specifics and refine as you see fit, giving you an almost trial-and-error workflow to finalize your project. Vibe coding can be summarized in a few simple steps:

1. Define Your Objective: Speak to the AI agent and describe your end goal in plain language.
2. Evaluate and Test: After the code is generated, you must run the code and see if it works correctly.
3. Refine and Amend Requests: Give the AI assistant constructive feedback if anything goes awry, and refine your demands until the code is complete.

While some people might rely entirely on pure vibe coding output as a final solution, responsible vibe coding still requires human evaluation and testing. This ensures more of a collaboration with the AI agent rather than total reliance, providing a human perspective safety net for anything that may have slipped through the cracks.

While you might feel like you’re out of the woods if your code runs, developers will warn you not to get too ahead of yourself. The final act of vibe coding is deployment. The prototype illusion often blinds us to how the code will run in the wild, with deployment issues still causing most software development bottlenecks. For vibe deployment, you can use several AI-enabled workflow tools to easily deploy your code. Some of the most popular vibe coding tools and platforms available include:

Replit: A full-stack solution for building apps that scale with intuitive tools that make software creation feel more natural and an Agent that empowers human creativity by handling technical complexities.

Base 44: An AI-powered app-building platform that uses natural language prompts to build personal productivity apps, back-office tools, customer portals, or complete enterprise products that are ready to use, no integrations required.

Lovable:  A full-stack AI development platform for building, iterating on, and deploying web applications using natural language, with real code, security, and enterprise governance.

Vercel.V0: An AI agent that helps anyone create real code and full-stack apps and agents.

Users can also rely on the more common AI tools like ChatGPT, Claude, Gemini, Grok, Cursor, and GitHub Copilot Workspace to generate vibe code, fix bugs, and perform other programming tasks. Blake Stimac wrote for CNET about how he used Gemini, Claude, and ChatGPT to vibe code himself a functional e-reading application.

Stimac used all three chatbots to create the project, asking for a prompt at the end so the next platform could continue refining the code, moving from Gemini to Claude to ChatGPT. In the end, he found that each chatbot was able to create a functional version of the project at some point after repeated efforts.

In other real-life applications of the process, Srdjan Stakic shared with Business Insider how he managed to vibe code a security camera system for his parents to ensure their safety. The former film producer began using AI to simplify his parents’ hospital visits and wanted to see what more the technology could provide. He outlined the idea of an AI system to monitor his elderly parents and detect falls using Gemini and ChatGPT.

Sourced from Business Insider

The Lovable platform then gave him a live development environment to build, test, and refine the application further using hundreds of uploaded training videos for nurses and healthcare providers, a high-fidelity validation pipeline, and a labeled dataset. After its successful outcome, Stakic decided to launch a startup, called Alvis, to make this system available to others.

While these stories can be moving, it’s still important to note that vibe coding still requires a level of computer literacy and an understanding of the vibe coding process to be entirely effective. Now, let’s continue on the main benefits of vibe coding.

Benefits of Vibe Coding

Vibe coding has been around long enough for people and platforms to perfect and optimize the process. This has swayed a large number of programmers and industries to see the benefits of the practice. Some of these vibe coding advantages include:

• Ease of Use: Naturally, vibe coding is a lot simpler than regular coding practices, ensuring almost effortless app development.
• Accessibility: the simplicity of vibe coding means that just about anyone can get involved in software development, despite limited or even no coding skills.
• Efficient Productivity: Vibe coding gives you the agility to develop and deploy faster, allowing you to refine and perfect your code quicker, which boosts productivity. This is especially helpful for smaller projects.
• Problem-First Approach: Rather than working through complex coding logic, vibe coding looks at the outcome first and works its way to swifter, more innovative development.
• Affordability: Rather than relying on expensive and complex programming skills, vibe coding platforms have varied pricing tiers that will help you navigate development without breaking the bank.

Vibe coding offers a seamless solution to accessible coding and application development; however, it can be flawed in certain areas as well. In this case, the most prominent concern around vibe coding is its security.

Not-a-Vibe Coding?

Like most things AI, the concept of vibe coding has brought about a tremendous wave of apprehension, mostly from authentic programmers who view the process as a lackluster imitation of “real” coding practices. Artificial Intelligence will always be a sore spot for most people who view its capabilities as a replacement for hard and genuine human work, and vibe coding is no different.

However, many people in the AI industry dismiss these claims and state that vibe coding is simply another new process to streamline productivity, with some of them even expressing disdain at the name itself. In fact, Peter Steinberger, OpenClaw’s creator, described vibe-coding as a "slur" used to make coding with AI sound easy and stated that he doesn't appreciate the dismissive undertones of the term.

Despite the controversies, vibe coding has continued to make headway across industries, with almost 66% of organizations already using AI-assisted code generation. Many smaller projects can easily come to fruition using the less-complex coding practice, opening the industry to innovative ideas and applications.

Sourced from Server Side

Adam Janes, a fractional CTO, told Business Insider that vibe coding sometimes gets a bad rap among industry veterans, stating that it’s “a very touchy subject for devs, because they like to think that they have this real expertise." Janes went on to state that an opportunity exists for people who are experts in an area to become professional vibe coders because they can pair their knowledge with AI's technical wizardry.

It’s still important to note that the cons of vibe coding are not limited to just “bad vibes” from traditional programmers, but do involve genuine security and operational flaws, which we’ll get to later on. For now, the debate on the integrity of AI-enabled coding probably won't be resolved soon, and we certainly won't be taking sides in the matter. Now let’s dive into the security risks of vibe coding.

Security Risks of Vibe Coding

Every innovative technology comes with inherent risks, most of which are refined and patched over time. Vibe coding presents a specific set of security risks that make the practice difficult to embrace wholeheartedly. According to CSO findings, AI-generated code often introduces deeper architectural vulnerabilities and privilege escalation risks that are both harder to detect and costlier to fix.

Based on the opinions of software security experts they’ve interviewed, a large number of programmers and developers share the sentiment that vibe coding introduces a larger attack surface and heightened risks from coders who simply do not know how to implement safeguards.

To add to the case, Reya Vir researched the “9 Critical Failure Patterns of Coding Agents” and highlighted security as one of the most critical failure patterns of AI coding agents. She noted that AI agents would often introduce basic security vulnerabilities as they lack an understanding of data sensitivity and access control. The Agents in her research would often choose the easiest way to answer users’ queries, often ignoring safety checks, misunderstanding access controls, and frequently exposing sensitive data like API keys.

Sourced from Columbia University DAPLab

In a separate article, Vir also considered the reasoning behind vibe coding security flaws. She concluded that:

• LLMs are optimized for speedy acceptance. Making the error message go away faster is prioritized over safety guards.
• AI is often unaware of the full codebase context, especially when working with large, complex architectures.
• LLMs don’t actually understand the semantics or implications of the code they write. They don’t know why a security check exists, or that removing it creates risk.

In February, the BBC reported “a significant - and unfixed - cyber-security risk” in a popular AI coding platform called Orchids. The reporter, Joe Tidy, downloaded the Orchids desktop app and began vibe coding a computer game based on the BBC News website. The publication’s cyber-security researcher, Etizaz Mohsin, then exploited a cyber-security weakness in his setup to gain access to the project and was able to view and edit the code.

Britain’s National Cyber Security Centre also warned that a rise in vibe coding “could reshape the software-as-a-service industry while introducing new cybersecurity risks if organizations fail to adapt.” To summarize the main points of concern about the security of vibe coding, or lack thereof, we’ve created a list of some of the top security risks of the practice:

• Technical Complexity: While this may go against the benefit of easy usage that we’ve mentioned earlier, we need to reiterate that vibe coding still demands a level of computer literacy and knowledge. While vibe coding can provide a basic framework, real-world applications are still complex and require expertise to run effectively.
• Overly Trusting AI: An AI agent doesn’t have the ability to understand security risks or boundaries in the way a human can. It can easily misinterpret prompts, override access controls, and ignore authorization steps.
• Valuing Speed Over Security: The main objective of the AI is to produce a working code as fast as possible; this means that it might reproduce insecure patterns from training data or generate flawed logic under pressure to produce faster results. This can lead to buggy, insecure, and flawed code.
• Hallucinations: Like all AI software, vibe coding is prone to hallucinating code in the way chatbots hallucinate answers. Without proper refinement and evaluation, these errors can go unchecked.
• Unsafe Configurations: Vibe coding can lead to training on insecure patterns and deploying weak coding configurations that leave API keys, tokens, and credentials exposed.
• Wider Attack Surface: If anyone is capable of vibe coding, threat actors suddenly have a wider attack surface to carry out social engineering and malicious attacks.
• Reduced Accountability: Relying on vibe coding gives users a scapegoat if anything goes wrong. This reduces the responsibility of the coder and pushes the blame on the AI. Vibe coders are responsible for security risks in their code, whether they wrote it themselves or not.

Ultimately, vibe coding can be dangerous if not handled in the correct way, much like any technology. The onus is with the user to use vibe coding responsibly and ensure that the correct guardrails are in place.

How to Practice Safe Vibe Coding

While vibe coding can be difficult to secure at times, it is important that we continuously improve new technologies to make them safer as they grow in popularity. While delivering a keynote about cyber risks and opportunities at the RSAC Conference in San Francisco, Dr Richard Horne stated that “the attractions of vibe coding are clear, and disrupting the status quo of manually produced software that is consistently vulnerable is a huge opportunity, but not without risk of its own.”

Horne continued to note that security professionals had “both the opportunity and responsibility” to ensure that a future where vibe coding and other AI code-generation tools are more widely adopted is “a net positive for security.”

While we can look to the future and hope for a more secure approach to vibe coding, it is up to us to create a secure environment now with what we have. Staying safe as you vibe code is essential to developing secure, optimized, and fully functional applications. These are some practical steps you can take to ensure safer vibe coding practices:

• Be Security Specific: Ensure secure vibe coding by adding explicitly clear security requirements into every prompt. This will ensure that all code generated follows strict security protocols.
• Add On Security Tools: Try to integrate security tools into your existing AI code assistants where you can.
• Evaluation Based on Real Deployment: As mentioned earlier, coding is not fully complete until full deployment in real conditions. Reserve testing for these moments rather than only relying on code patterns.
• Limit Access: Your AI should only have access to the data it needs to fulfill the task. Be specific in your prompts about where the AI can go, what it can go, and what it can use.
• Continuous Human Evaluation: While this might seem tedious, you need to have a human eye overseeing your code generation to ensure that no security gaps are overlooked.
• Implement Secure Environments: Use systems that will automatically detect and sandbox bad code.

In a blog by David Chismon, NCSC's CTO for Architecture, the argument is also made that relying on code built by humans only is far-fetched, with Chismon stating that “over the next 5 years it will become increasingly common to see AI-written code in production systems that a human has never reviewed or even looked at.”

Chismon went on to argue that while vibe coding currently poses intolerable risks for many organizations, the practice also shows “glimpses of a new paradigm” allowing “experienced developers to massively increase their productivity.” He further argued that it is vital that security professionals start engaging with the risks now and embed core security principles that will make software less vulnerable to attack, concluding that “vibe coding is following a similar pattern to cloud adoption 20 years ago, and will likely reshape how software is developed, deployed, and maintained.”

Sangfor Costrict: Enterprise-Grade AI Coding Redefined

Most AI tools stop at autocomplete, but Sangfor’s Costrict goes further, combining an AI code generator, assistant, and multi-expert review tool into one secure platform.
By integrating Google’s Gemini CLI for million-token repository analysis and a multi-model cross-validation process, it dramatically reduces false alarms while ensuring code assurance. Designed for the enterprise, Costrict supports private deployment and delivers 50%+ token cost efficiency compared to other open-source providers. Whether using local models like Ollama or external APIs, it fits seamlessly into the VS Code workflow for languages like Python, Java, and Go, providing a context-aware, high-performance coding environment.

 

Try Sangfor Costrict Now

In Conclusion

Vibe coding is an engaging new practice that streamlines coding and improves productivity and workflows. Like all new technologies, it bears its own set of security risks and controversies that cast a shadow of doubt. However, innovation demands risk at times, and Rome was not built in a day. While it may be unsteady, vibe coding is still very young and has the potential to grow into something secure, optimized, and revolutionary with the right guidance and controls.