We need to have an honest conversation about vibe coding.
In 2025, the internet fell in love with the idea: describe what you want in plain English, let an AI generate the code, ship fast, move on. Andreessen, Karpathy, half of Twitter — everyone was evangelizing the future where "coding" means prompting. No CS degree required. Build your SaaS in a weekend. The barrier to entry dropped to basically zero.
And we get it. At Gerus-lab, we've watched this unfold with a mix of excitement and genuine concern. We build production systems — Web3 platforms, AI-driven SaaS, GameFi backends — and we've seen firsthand what happens when vibe-coded MVPs make it to real users.
Spoiler: it's not pretty.
The Numbers Are Damning
Let's start with facts before opinions.
A December 2025 study analyzing 470 open-source GitHub pull requests found that AI co-authored code contained 1.7x more "major" issues compared to human-written code. Veracode's research puts it even more starkly: security vulnerabilities in AI-generated code appear at 2.74 times the rate of manually written code. Logic errors? 75% more frequent. Readability problems? Over 3x higher.
These aren't edge cases. These are systematic, foundational failures:
- SQL injection vulnerabilities
- Broken authentication flows
- Poor input validation
- Insecure dependencies
- Hardcoded secrets in environment handling
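To make the first of those concrete: the injection pattern we see over and over in generated handlers is plain string concatenation into SQL. A minimal sketch (the function name and query are ours, purely illustrative):

```javascript
// Vulnerable: user input is concatenated straight into the SQL text.
function buildQueryUnsafe(email) {
  return `SELECT * FROM users WHERE email = '${email}'`;
}

// A crafted input rewrites the WHERE clause entirely:
const attack = "' OR '1'='1";
console.log(buildQueryUnsafe(attack));
// → SELECT * FROM users WHERE email = '' OR '1'='1'

// Safe: a parameterized query. The driver (e.g. node-postgres) sends
// values separately from the query text, so they are never parsed as SQL:
//   pool.query('SELECT * FROM users WHERE email = $1', [email]);
```

The fix is one line. The problem is that nobody who can't read the code will ever know the first version shipped.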
The New Stack called it a "Challenger disaster waiting to happen." That might sound hyperbolic until you realize that someone somewhere is running vibe-coded payment processing on production.
Why Vibe Coding Fails at Scale (And We've Seen It)
Here's the dirty secret: vibe coding works great for demos. It absolutely breaks down at scale.
When a client came to us after their vibe-coded marketplace started showing weird behavior — users seeing other users' data under certain race conditions — we spent three days untangling what the AI had built. The authentication middleware was technically "working" for the happy path. But the AI had made a classic assumption: that user sessions would never overlap in a specific edge case. They did. Every Friday night. At peak traffic.
The AI didn't understand the system. It understood the prompt.
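We can't share the client's code, but the failure mode is a textbook one: request-scoped data stashed in shared module state, which works until two requests interleave. A stripped-down sketch of the shape of the bug (hypothetical, not the client's actual code):

```javascript
// Anti-pattern: request-scoped data kept in shared module state.
let currentUser = null;

async function handleRequest(userId) {
  currentUser = userId;                       // request A writes...
  await new Promise(r => setTimeout(r, 10));  // ...awaits the "database"...
  return currentUser;                         // ...then reads whatever ran last.
}

async function demo() {
  // Two overlapping requests, as on a busy Friday night:
  const [a, b] = await Promise.all([
    handleRequest('alice'),
    handleRequest('bob'),
  ]);
  console.log(a, b); // both print 'bob': alice's request returns bob's data
}
demo();
```

Run sequentially, this code is correct every time, which is exactly why it survives a demo and dies at peak traffic.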
That's the fundamental issue. LLMs are trained to produce code that looks correct. They optimize for syntactic validity and common patterns. They don't reason about your specific infrastructure, your threat model, your data retention requirements, or the six legacy integrations you have that weren't in the prompt.
```javascript
// What vibe coding gives you
app.get('/user/:id', async (req, res) => {
  const user = await db.findUser(req.params.id); // No auth check
  res.json(user); // No field filtering
});
```

```javascript
// What production actually needs
app.get('/user/:id',
  authenticate,
  authorize('read:user'),
  rateLimit({ windowMs: 15 * 60 * 1000, max: 100 }),
  async (req, res) => {
    const user = await db.findUser(req.params.id, {
      select: SAFE_USER_FIELDS
    });
    if (!user) return res.status(404).json({ error: 'Not found' });
    if (user.id !== req.user.id && !req.user.isAdmin) {
      return res.status(403).json({ error: 'Forbidden' });
    }
    res.json(sanitize(user));
  }
);
```
The AI generates the first snippet. A senior engineer writes the second one.
The Real Cost: Security Debt Compounds Fast
Technical debt is bad. Security debt is catastrophic.
When you vibe-code your way to an MVP and accumulate security vulnerabilities, you're not just incurring refactoring costs. You're building a liability. Every user you onboard increases your blast radius. Every piece of customer data you store raises your GDPR and compliance risk. Every dollar you process without proper security controls is potential legal exposure.
We've had startups come to Gerus-lab with exactly this problem — live products with real users and fundamental architectural security holes. The conversation is always the same: "We launched fast, got traction, and now we need to fix this before we raise our Series A."
The cleanup cost is never cheap. We're talking about:
- Full security audit — finding everything the AI got wrong
- Architecture review — often the DB schema itself has issues
- Incremental migration — can't just rewrite everything while users are live
- Testing infrastructure — because vibe-coded apps rarely have tests
- Documentation — because the original "developer" was a chatbot
We've done this cleanup three times in the past year. Each time, the client said some version of: "We should have hired engineers from the start."
This Isn't an Anti-AI Take
Let me be clear: we use AI tools every single day at Gerus-lab. Copilot for boilerplate, Claude for architecture brainstorming, GPT for writing test cases. AI makes good engineers dramatically more productive.
The problem isn't AI-assisted coding. The problem is unreviewed AI-generated code in production.
There's a difference between:
- A senior engineer using AI to accelerate work they understand
- A non-technical founder shipping AI-generated code they can't read
The first is 10x productivity. The second is a time bomb.
The workflow that actually works:
```
Prompt → Generate → REVIEW → Test → Security scan → Deploy
                       ↑
             This step gets skipped
                 in vibe coding
```
We've standardized on a simple rule for our team: if you can't explain every line of AI-generated code in a PR review, the PR doesn't merge. Full stop. The AI is a junior developer — smart, fast, and dangerously confident about things it doesn't fully understand.
What "Fast" Actually Looks Like Done Right
The argument for vibe coding is speed. But we've found that disciplined engineering with AI assistance is actually faster when you account for the full lifecycle — not just time-to-demo, but time-to-stable-production.
For our last Web3 project (a GameFi platform on Solana), we used AI assistance throughout — but every component went through:
- Architecture decision records — why we chose each approach
- Security review checkpoints — OWASP checklist before any auth-related PR
- Automated testing — unit + integration, AI-generated but human-reviewed
- Staged deployments — canary releases, not YOLO pushes to main
We shipped in 11 weeks. The client had a fully documented, tested, auditable codebase. Not a prompt history.
The Talent Question
Here's the uncomfortable part of this conversation: vibe coding creates the illusion of technical capability.
A non-technical founder who can prompt an AI to build features isn't a developer. They're an operator with a very powerful tool — and that's fine! But they often don't know what they don't know. They can't evaluate the code quality. They can't spot the security flaw. They don't know when to bring in real engineering expertise.
The danger zone is when those founders believe they've built something production-ready because it works in their browser. It works. Until it doesn't. Usually at the worst possible moment.
We've seen this pattern enough that we now proactively advise early-stage founders: if you're going to raise money, if you're going to handle real user data, if you're building anything with financial transactions — you need engineers who can own the codebase. Full ownership, not just prompting.
So What Should You Actually Do?
If you're building something serious:
Use AI, but own your code. Every line that goes to production should be understood by a human engineer who can defend it in a review.
Security scanning is non-negotiable. Run SAST tools (Semgrep, Snyk, Bandit for Python) on every PR. Automate it. Make it a gate.
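Real SAST tools use proper rulesets; purely as a flavor of what "make it a gate" means mechanically, here's a toy check for the hardcoded-secrets class (a deliberately simplistic sketch, not a substitute for Semgrep or gitleaks):

```javascript
// Toy secret scanner: flags likely hardcoded credentials in source text.
const SECRET_PATTERNS = [
  /AKIA[0-9A-Z]{16}/,                                        // AWS key id shape
  /(api[_-]?key|secret|password)\s*[:=]\s*['"][^'"]{8,}['"]/i, // key = "…"
];

function findSecrets(source) {
  return SECRET_PATTERNS.filter((p) => p.test(source));
}

const snippet = `const apiKey = "sk_live_abcdef123456";`;
if (findSecrets(snippet).length > 0) {
  console.log('BLOCK MERGE: possible hardcoded secret');
}
```

The point isn't the regexes; it's that the check runs on every PR and a hit fails the build, with no human in the loop to wave it through.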
Test coverage before features. AI is great at generating tests — use it for that. But if you're vibe coding features without tests, you're building in the dark.
Audit before you scale. Before your Series A, before you hit significant user numbers, get a security audit. It's cheaper than a breach.
Hire engineers who understand what they're building. Tools are multipliers. Multiplied by zero is still zero.
The Bottom Line
Vibe coding is a tool. Like any tool, it produces dramatically different results depending on who's using it and how.
In the hands of an experienced engineering team, AI code generation is a superpower. In the hands of someone who can't review the output, it's a liability factory.
The hype will settle. The startups that shipped fast and skipped security fundamentals will learn their lessons — some gently, some catastrophically. The ones that used AI intelligently, with proper review and engineering discipline, will have a real competitive advantage: speed without the debt.
At Gerus-lab, we've shipped 14+ products across Web3, AI, SaaS, and GameFi. We use AI aggressively. We never let it drive unsupervised.
Building something real and tired of vibe coding problems? We've navigated exactly this — from initial architecture through production security audits to scale. Whether you need a team to build it right from scratch or to rescue an existing codebase, let's talk.