
Vibecoding from a technological perspective

Thanks to tools like Claude Code, GitHub Copilot (now with Agentic Mode), Cursor, Lovable, Bolt, and Replit, almost anyone with an app idea can actually build it in just a few hours. But is it really that simple?

10/4/2026
Yannick Bontemps
Solution Architect & Technology Strategist

In our previous post about vibecoding for marketers, we laid out the opportunities and the pitfalls from a marketing perspective: messy code, token limits, no CMS, limited SEO, and the lack of a strategic foundation.

In this article, we look at the innovation from a technological perspective: what happens when people without a technical background start building software that actually goes into production? Our tech studio, Studio Fledge, dives deeper into the technical details in their version of this blog, “What could possibly go wrong?”. Here, we’ll focus on the key learnings.

Technology is evolving at breakneck speed. Karpathy himself, who coined the term “vibecoding” a year ago, has recently said that the term no longer captures what’s happening. He now advocates for “agentic engineering” as a more accurate description. A sign that the domain is maturing, but also becoming more complex.

We recognise this impressive evolution in the way the technology is being used as well. Platforms like Vercel and Netlify saw their user numbers surge in 2025, largely thanks to vibecoders. Major tech companies like Google and Microsoft already generate more than 20% of their code via AI. Gartner predicts that by 2028, no less than 75% of enterprise software engineers will use AI code assistants, up from under 10% in early 2023.

Thanks to vibecoding, anyone can build applications. But while we celebrate this democratisation, it’s worth pausing to consider the risks. What could go wrong?

Security as the primary concern

The GenAI Code Security Report 2025 by Veracode (based on more than 100 LLMs and 80 coding tasks) shows that 45% of AI-generated code introduces security vulnerabilities. Nearly half the time, models choose an unsafe approach, consciously or unconsciously. That’s not entirely surprising: LLMs trained on public code learn both secure techniques and widespread vulnerabilities. “Garbage In, Gospel Out”: the models may put out functionally correct code, but security quality structurally lags behind.

Authentication & identity management

AI models will typically build their own user management system by default, but without the right best practices. They understand the concept of an Identity Provider (IdP), but rarely apply it proactively. A concrete example: the startup Enrichlead, built entirely with Cursor, discovered that a flawed IdP setup granted full free access to all paid features—and they couldn’t fix it afterwards.

Hardcoded credentials & exposed API keys

Vibecoding often chooses to hardcode API keys, tokens, or database credentials directly in the code. Anyone with developer tools can copy those keys. The 1.5 million API keys and 35,000 email addresses leaked by the AI-driven social network Moltbook, for example, weren’t the result of a hack, but of vibecoding without the right reflexes.
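
A pre-deploy check for the problem described above, as an added example that is not code from the original article: a Node.js scan of text that will be shipped to the browser for credential-shaped strings. The rule set, the entropy threshold of 3.5 bits per character and the sample bundle are assumptions constructed for illustration.

```javascript
// Added example: flag credential-shaped strings in browser-shipped code.
const RULES = [
  // AWS access key IDs have a fixed, documented shape.
  { name: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  // JWTs: three base64url segments; the header starts with "eyJ".
  { name: "jwt", re: /\beyJ[\w-]{10,}\.[\w-]{10,}\.[\w-]{10,}/g },
  // Generic: a secret-sounding name assigned a long quoted literal.
  { name: "assigned-secret", entropy: true,
    re: /(?:api[_-]?key|secret|token|passw(?:or)?d)\w*["']?\s*[:=]\s*["'`]([^"'`\s]{16,})["'`]/gi },
];

// Shannon entropy in bits per character; placeholders and prose score low.
function entropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts).reduce((h, n) => {
    const p = n / s.length;
    return h - p * Math.log2(p);
  }, 0);
}

function scanBundle(text, minEntropy = 3.5) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    for (const rule of RULES) {
      for (const m of line.matchAll(rule.re)) {
        const value = m[1] || m[0];
        // Skip low-entropy values such as "YOUR_API_KEY_HERE" placeholders.
        if (rule.entropy && entropy(value) < minEntropy) continue;
        // Report only a short prefix so the report does not leak the key.
        findings.push({ line: i + 1, rule: rule.name, preview: value.slice(0, 6) + "..." });
      }
    }
  });
  return findings;
}

// Constructed sample bundle; none of these values are real credentials.
const SAMPLE_BUNDLE = [
  'const cfg = { apiKey: "q7Zp2LxV9mKd83HsTnB4wRfY" };',
  'const demo = { apiKey: "YOUR_API_KEY_HERE_XXXXXXXX" };',
  'fetch(url, { headers: { "X-Id": "AKIAABCDEFGHIJKLMNOP" } });',
  'const publicLabel = "token shown in the UI";',
].join("\n");

console.log(scanBundle(SAMPLE_BUNDLE));
```

Run it against the built output rather than the source tree, since the build output is what a visitor's developer tools will show. A finding means the key should move behind a server-side endpoint and be rotated.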

OWASP Top 10

The OWASP Top 10 is an annual list of the most critical security risks for web applications. Some of these risks, like Cross-Site Scripting and Log Injection, are now growing exponentially. Admittedly, they existed long before we started vibecoding at scale, but the scale of failure is far greater now.

Legal framework: the EU Cyber Resilience Act

The EU Cyber Resilience Act requires manufacturers of software products to apply secure-by-design principles, conduct mandatory risk analyses, and provide security updates for at least five years. Vibecoding that ignores this isn’t just technically risky—it’s legally exposed as well, with the potential for hefty fines.

Architecture & hosting

The cost of publicly running AI agents

Anyone can spin up AI agents or backend services that are hosted publicly without authentication or access controls. Often, a vibe coder doesn’t even realise their application is publicly accessible. Token and compute costs can then skyrocket. In the marketing version of this blog post, we already discussed token limits. Here it takes on a completely different dimension: it’s not the conversation with the AI that burns budget, it’s the running application itself.

Monolith or microservices?

AI will typically generate an application structure as a single block—a monolith. That’s not necessarily wrong for small projects, but it doesn’t scale well. If you don’t understand the difference between application structures, vibecoding will propose an architectural framework that can have major consequences for performance, maintainability, and hosting costs.

Kubernetes

Vibecoded applications can automatically generate complex infrastructure code—and they won’t shy away from Kubernetes. Kubernetes is extremely powerful, but also extremely complex. It requires not only a strong technical background, but also a significant budget.

Technical debt at machine speed

Traditional technical debt happens when developers prioritise speed over maintainability. You build up debt you’ll have to repay later, because it's difficult to change, extend, or debug code. Vibe Coding Debt is the same phenomenon at AI speed: vulnerabilities are baked in from day one, in codebases that no one can read or audit anymore.

What does work: expertise-driven AI

Let’s not get stuck on the negative. The power of vibecoding, or agentic engineering, is that it drastically lowers the barrier to building. What used to take weeks or months can now be done in days, or even hours. That’s not a threat to technology; it’s an invitation to use it smarter and more efficiently.

Because where code without a foundation is like quicksand, with the right principles, choices, and guidance you can turn that same speed into a lever for innovation. So how do we approach it?

Blueprints & reusable components as a foundation

Our experts build software based on a set of proven building blocks. Just as fast, because we use agentic engineering technology, but grounded in years of expertise.

The difference isn’t the tools, but the foundation: security defaults, architectural decisions, and infrastructure standards are already baked into our blueprints and components. We define the guardrails; AI fills in the gaps. The result? The speed of vibecoding, without the risks.

Expert-in-the-loop as a principle

Karpathy already warned that if we’re not careful, agents will just generate “slop.” His conclusion: the developer’s primary task shifts from writing code to reviewing code. A bit like a talented intern: you wouldn’t ship their work without reviewing it either.

Another common comparison: a tech expert using agentic coding is like a farmer operating heavy machinery. The machine (AI) doesn’t eliminate the farmer; it gives them exponentially more productive power, provided they know how to drive the tractor.

We use AI as a turbo engine, not as an autopilot. Architecture, security choices, and hosting strategy remain human work, powered by expertise and experience.

Where we can help

Want to get started with vibecoding but make sure you don’t fall into the pitfalls above? Or have you already built an application with vibecoding and now want to make it scalable? Our tech experts are ready to help:

  • Architecture review & guidance
    We review your plans from a technical perspective before you start. Which stack? Which hosting? What about authentication, data storage, and API security? We help you make the right choices from day one.
  • “Vibe Better” training
    Want to experiment with agentic engineering yourself, but lack the background? We’ll teach you how to steer AI correctly with the right architectural context and security guardrails, so what you build is safe and scalable.
  • Support during vibe-time
    Prefer a partner who guides you while you build? We help you avoid classic pitfalls when they’re still cheap to fix, instead of after the fact.
  • From vibed to robust
    Already started vibecoding and now running into one of the issues above? We’ve got you. We take over existing vibecoded applications and transform them into production-ready software with proper security, hosting best practices, and maintainable code.

Vibecoding and agentic engineering are here to stay. The question isn’t whether we should use these tools, but how to do so responsibly. With the right expertise, you can build AI-driven development on a solid foundation. Not on quicksand with no bearing capacity.

Want to build fast and safely? Let’s vibe together! We’ll help you get the best of both worlds.
