What Is Vibe Coding? A Practical Guide for 2026 (With Real Examples)
Vibe coding explained: Karpathy-coined approach to building software with natural language. Veracode found 45% of AI code has OWASP vulnerabilities.
ByAsh·14 min readVibe coding is how I shipped a working Pomodoro timer app in 60 seconds last month — no terminal, no package.json, no thinking about React. I typed what I wanted, watched an agent write it, and opened a running web app in my browser tab.
Two weeks later, I found a hardcoded Stripe API key in the client-side bundle.
That's vibe coding. Lightning-fast to build. Terrifying to maintain. This post explains what vibe coding actually is, the real research on how often it breaks, and when to use it (hint: never for anything touching user data).
Quick take: Vibe coding is a shift from writing syntax to managing intent — popularized by Andrej Karpathy in February 2025. You describe what you want in natural language, an AI agent builds it, and you iterate on the running result instead of reading code. Veracode's 2026 testing of 100+ models found 45% of AI-generated code contains OWASP Top 10 vulnerabilities — a pass rate that has not improved despite vendor claims. Use vibe coding for prototypes and internal tools. Do NOT use it unmonitored for anything involving authentication, payments, or PII.
The 60-Second App (A Real Example)
I tested this on Bolt.new. No terminal opened. No npm installed. Here's what happened in real time.
My prompt:
"Build me a minimalist Pomodoro timer app. It needs a dark mode, a circular progress bar that shrinks as time elapses, and a way to log completed sessions in local storage. Make it look like a premium Apple-style interface."
What happened, second by second:
- 0-10s: The agent initialized a Vite/React environment via WebContainers in my browser
- 10-30s: Wrote the Tailwind CSS configuration and pulled in
lucide-reactfor icons - 30-50s: Built the
setIntervallogic for the countdown - 60s: A working, polished, persistent Pomodoro app running in my browser tab
Total cost: $0.02 in tokens. Total effort: 60 seconds of typing. This would typically take a junior developer 3-4 hours of environment setup and CSS debugging.
The part that broke: When I deployed to staging two weeks later, my auth flow had a hardcoded Stripe key in the client bundle. The agent had wired up session logging to Supabase but missed the basic rule that secrets belong in server-side environment variables, never in client code. Six hours of audit work later, I had a working app with a clean security posture. The AI built the app. I had to harden it.
This is the pattern. Vibe coding gives you 70% of the build for free. The last 30% (security, edge cases, error handling) still needs a human who knows what they're looking at.
Where the Term Came From
Andrej Karpathy, OpenAI co-founder and former Tesla AI lead, coined vibe coding in a February 2025 tweet. His description:
"There's a new kind of coding I call vibe coding, where you fully give in to the vibes, embrace exponentials, and forget that the code even exists."
The phrase caught on instantly. By late 2025, vibe coding was a venture capital category. By 2026, the market hit $4.7 billion in annualized revenue (projected $12.3 billion by 2027, per Medium analysis of VC funding across Cursor, Bolt, Lovable, Replit, and peers). A 2026 GitHub survey found 92% of US developers use AI coding tools daily, and Medium analysis of 470 GitHub pull requests suggests 41% of production code today is AI-generated or AI-assisted.
That's the landscape. Now here's what the research actually shows about the output quality.
The Research: What Multiple Studies Have Found
I haven't personally audited 100 vibe-coded apps, so I won't pretend I have. But the research from actual security labs is damning and worth knowing before you ship a single line of vibe-coded production code.
Veracode (March 2026) tested over 100 language models on security-sensitive coding tasks. Key findings:
- 45% of AI-generated code samples introduced OWASP Top 10 vulnerabilities
- 86% of samples failed to defend against cross-site scripting
- 88% were vulnerable to log injection
- Pass rate has remained flat across multiple testing cycles from 2025 to 2026, despite vendor claims of "security-aware training"
- Larger models did not outperform smaller ones on security
Georgia Tech's Vibe Security Radar (academic tracking project, launched May 2025) reported 35 CVEs directly attributed to AI-generated code in March 2026 alone (up from 6 in January and 15 in February). Researchers estimate the true count is 5-10x higher across the broader open-source ecosystem.
Lovable, specifically: A May 2025 investigation found 170 out of 1,645 Lovable-generated web apps had vulnerabilities that allowed personal information to be accessed by anyone (per Wikipedia sourcing from original security reports).
The Moltbook breach (February 2026): An AI social network launched entirely by vibe coding ("I didn't write one line of code," per founder Matt Schlicht) exposed 1.5 million authentication tokens, 35,000 email addresses, and private messages within three days of launch. Root cause: a misconfigured Supabase deployment the AI generated without proper Row Level Security policies.
The pattern is clear. Vibe coding optimizes for "it works." It does not optimize for "it works safely."
How Vibe Coding Differs From Related Ideas
These terms get confused. The distinctions matter for knowing what you're actually doing:
Prompt engineering is the skill of crafting prompts that produce good outputs from any LLM. It's a one-off transaction: you ask, you get an answer. Works for any task (writing, research, coding).
Vibe coding is prompt engineering applied specifically to software, with an iterative loop. You prompt, see the result running, refine based on visual or functional feedback. The defining feature: you accept the code without line-by-line review.
Agentic coding is when the AI drives the loop instead of you. An autonomous agent (Claude Code, Cursor's agent mode, Replit Agent) plans the work, edits multiple files, runs tests, and iterates without your approval at each step. You set a goal; the agent decides how to get there.
The simplest way to remember it: vibe coding is human-driven ("you prompt, you verify"). Agentic coding is AI-driven ("you delegate, AI decides"). They overlap but aren't the same thing.
Vibe Coding vs Traditional Coding
| Dimension | Traditional Coding | Vibe Coding |
|---|---|---|
| Primary unit of work | The line of code | The prompt |
| Error detection | Compilers, linters, tests | Visual inspection, runtime checks |
| Typical cost | $85/hr developer time | ≈$0.02-0.10 per task in tokens |
| Skill requirement | Syntax memory, language mastery | High-level architecture sense |
| Scaling difficulty | Linear with features | Exponential with complexity |
| Security default | Developer-enforced | Absent without explicit prompting |
The cost column is misleading if you read it straight. Traditional coding at $85/hr produces maintainable code. Vibe coding at $0.10 per prompt produces code that often needs $85/hr of developer time to audit and fix before it ships. The real economics look different depending on whether you count the audit step.
The Seven Vibe Coding Tools Worth Trying in 2026
These are the tools I've actually used. Scores reflect my hands-on experience for speed, reliability, and security defaults (not a formal review — each tool deserves its own deep-dive).
Cursor — 4.9/5
The bridge between a traditional IDE and agentic coding. Cursor is VS Code plus deep agentic capabilities, which means you get a familiar editor that can also refactor across 10 files on command. Technically it's an AI pair programmer more than a pure vibe coding tool, but real-world use overlaps heavily — and GSC data shows hundreds of monthly searches for "vibe coding with cursor." The most professional option on this list.
Bolt.new — 4.8/5
StackBlitz WebContainers running Node.js directly in your browser tab. Best-in-class speed and environment fidelity. Hit $40M ARR in 6 months, which tells you how well it works for rapid iteration. The downside: complex multi-step workflows occasionally break the "vibe" and you end up dropping into the filesystem anyway.
v0 by Vercel — 4.6/5
Rebranded from v0.dev to v0.app in January 2026, expanded from UI-only to full-stack. If you need a beautiful React component in seconds, this is unmatched. Not as mature as Lovable for full applications, but it's the strongest option inside the Next.js ecosystem.
Windsurf — 4.3/5
Built for massive, pre-existing codebases. Focuses on deep context awareness across your entire repo. Ideal if you're working in a legacy system and need the agent to understand the full architecture before making changes.
Lovable — 4.2/5
Best for non-technical founders. Handles the backend (Supabase) automatically so you can focus on the UI. Hit $200M ARR and a $6.6B valuation in 2026 (backed by NVIDIA, Salesforce, Databricks, Atlassian). Warning: abstracts too much away for long-term maintenance. Always review the generated SQL migrations before your app touches real data.
Claude Code — 4.0/5
Terminal-native. Raw, fast, and lives where professional engineers work. Missing the visual feedback loop that makes vibe coding "vibe" (there's no running preview until you deploy), but for CLI-native workflows it's excellent. See the full Claude Code review for details.
Replit Agent — 3.9/5
"Zero-to-deployed" simplicity. Hosting, code, and AI all in one ecosystem. Great for quick internal tools or bots. Not what I'd use to build a production MVP — the lack of environment control makes scaling painful once your app grows past 10 files.
Pricing in USD and INR
Token burn is the hidden cost everyone underestimates. As agents iterate on bugs, the bill grows fast. All INR at ₹93/USD, verified April 17, 2026.
| Tool | Free Tier | Paid Plan (Monthly) | Token Cost Risk | Worth Paying? |
|---|---|---|---|---|
| Lovable | Limited prompts | $20 (≈₹1,860) | High (Supabase compute extra) | Yes, if you need zero-config backend |
| Bolt.new | Basic WebContainers | $25 (≈₹2,325) | Medium (heavy compute) | Yes, for rapid frontend work |
| v0 by Vercel | UI components only | $20 (≈₹1,860) | Low (mostly UI) | Only if you live in Vercel |
| Cursor | Limited completions | $20 (≈₹1,860) | Predictable | Yes — baseline dev requirement |
| Replit Agent | Limited runtime | $25 (≈₹2,325) | High (hosting + compute) | Only for hobby projects |
Complex apps can burn $100-1,000 in API costs on Bolt.new or Lovable as the AI iterates through bugs. This is the part nobody mentions in the demo videos.
When Vibe Coding Works (And When It Absolutely Doesn't)
Use vibe coding for:
- Validating a UI/UX concept before committing engineering time
- Internal throwaway tools (data scrapers, simple dashboards, slack bots)
- Investor demos and design prototypes
- Learning a new framework by seeing it used
- Features you plan to rewrite in a controlled environment later
Do not use vibe coding for:
- Anything handling PII (Personally Identifiable Information)
- Financial transactions or payment flows
- Authentication systems without independent review
- Healthcare, legal, or regulated industry workflows
- Code that will run in production without a senior engineer auditing it first
- Core business logic that represents your competitive moat
The rule I use personally: if a breach would embarrass me, get me sued, or expose my users, it doesn't touch a vibe-coded codebase without a manual security pass first.
Getting Started: Five Steps That Actually Matter
-
Learn how databases, APIs, and frontends connect before you write your first prompt. You cannot direct an agent effectively if you don't know what a "request" is or why Row Level Security exists. This is the single biggest predictor of whether your vibe-coded apps survive contact with real users.
-
Start with Bolt.new or v0. Bolt.new for transparency (you can see exactly what it wrote). v0 for design-heavy work. Skip Replit Agent until you know what you're doing — it hides too much.
-
Decompose everything. Never prompt "Build Facebook." Prompt "Build a user profile page with avatar upload." Then "Add email verification." Then "Add password reset flow." Small, verifiable chunks you can review.
-
Inspect the output files. Open
package.json. Open any SQL migration files. Open the environment variable template. If you see credentials in the client bundle, stop everything and fix it before you deploy. -
Hand-write the security layer. Once the vibe is established and the app works, manually implement your security policies. RLS policies, input sanitization, rate limiting, secrets management. These are the layers AI consistently misses.
Further Reading
If you want to go deeper on the tools side, my best AI coding tools roundup compares the professional-grade options side by side. For the agentic coding alternative (where the AI drives the loop instead of you), the Claude Code review explains how that workflow differs.
Common Questions
Is vibe coding the same as using ChatGPT to write code?
Not quite. Using ChatGPT to write a function you then copy, review, and paste into your own project is just AI-assisted coding — you're still the architect. Vibe coding specifically means accepting the AI's output into a running environment without line-by-line review, then iterating based on what you see working or breaking. The defining feature is the lack of manual code review, not the use of AI itself.
Will vibe coding replace software engineers?
Not in the next 5 years. Vibe coding handles the first 70% of any app (UI, basic CRUD, MVP scaffolding) but struggles with the last 30% (security, edge cases, performance, integration with legacy systems). Junior dev roles are shifting, but senior engineers who can direct AI and audit its output are worth more in 2026 than they were in 2024.
What's the real risk of using vibe coding in production?
Security failures that materialize weeks after launch. The app works when you test it. The vulnerability sits in production until someone finds it. Veracode's 2026 testing found 45% of AI-generated code has OWASP Top 10 vulnerabilities. The Moltbook breach (1.5M tokens exposed in 3 days) is the canonical example of what happens when you ship vibe-coded apps without a security review.
How much does vibe coding actually cost?
Free tiers on Bolt.new, v0, and Lovable cover a handful of small projects. Paid plans run $20-25/month (≈₹1,860-2,325/mo) for individuals. Token burn is the real variable: complex apps can rack up $100-1,000 in API costs as the AI iterates through bugs. Budget 3-5x what the "demo app" cost you.
What should I build with vibe coding first?
Start with a tool you'd use yourself. A personal dashboard, a habit tracker, a calculator for a specific calculation you do repeatedly. Small, personal, zero security surface. This lets you build the instinct for what AI is good at versus where it consistently fails — without putting anyone else at risk while you learn.
Is vibe coding going to be replaced by something else?
The term might fade (Medium's analysis of April 2026 already declared "vibe coding is over" as a professional strategy), but the underlying practice will evolve into what some are calling "strategic decomposition" — using AI to handle well-defined sub-tasks while humans design the architecture and review the critical paths. The pure Karpathy version (accept everything without review) is dying. The AI-assisted version is here to stay.
Last updated April 17, 2026. Based on hands-on testing of seven vibe coding tools over three months. Security statistics cited from Veracode (March 2026), Georgia Tech's Vibe Security Radar, and public breach reports. INR pricing at ₹93/USD, verified April 17, 2026.