What is Vibe Coding? A Comprehensive Guide to AI-Powered Software Development

Andrej Karpathy posted a tweet on February 6, 2025, that would become one of the most consequential statements in recent software development history. The former OpenAI co-founder and Tesla AI director described a practice he called “vibe coding” where developers “fully give in to the vibes, embrace exponentials, and forget that the code even exists.” Within weeks, this phrase had been viewed over 4.5 million times and sparked a fundamental debate about the future of programming.

The practice Karpathy described involves using large language models to generate code through natural language prompts rather than writing it manually. Developers describe what they want in plain English, the AI produces the implementation, and the human either accepts it or provides feedback for iteration. Karpathy admitted to clicking “Accept All” without reading the diffs and copy-pasting error messages back into the AI when things broke. He built a working iOS app in Swift without prior experience, completing it in one hour using Cursor’s Composer feature paired with Claude models.

Collins Dictionary named “vibe coding” their Word of the Year for 2025, announcing the selection on November 6, 2025. The dictionary’s managing director Alex Beecroft stated that the term “perfectly captures how language is evolving alongside technology” and “signals a major shift in software development, where AI is making coding more accessible.” The term had previously appeared on Merriam-Webster’s website as a “slang and trending” term in March 2025, within weeks of its coinage.

The Distinction Between Vibe Coding and AI-Assisted Development

Simon Willison, a prominent software developer and creator of Datasette, drew an important line that has shaped how the industry understands this practice. “If an LLM wrote every line of your code, but you’ve reviewed, tested, and understood it all, that’s not vibe coding in my book, that’s using an LLM as a typing assistant,” Willison wrote. The distinguishing characteristic is acceptance without comprehension.

This distinction matters because it separates two fundamentally different workflows with different risk profiles. When developers use AI as a typing assistant, they maintain the understanding necessary to debug, maintain, and secure the code. When they vibe code, they trade that understanding for speed, creating software they cannot fully explain or predict.

Willison has published over 80 experiments built with vibe coding and views it as valuable for building intuition about AI capabilities. He believes the technique has genuine merit for “throwaway weekend projects” as Karpathy originally described, while maintaining that “vibe coding your way to a production codebase is clearly risky.”

The Tools Enabling Vibe Coding

The vibe coding ecosystem has crystallized around several categories of tools. AI-enhanced code editors like Cursor and Windsurf wrap large language models in full development environments, allowing developers to describe changes in natural language and have the AI modify code across multiple files. Cursor’s “agent mode” became the default interface in February 2025, enabling conversational development where the AI suggests, implements, and iterates based on feedback. Claude Code, released by Anthropic in general availability in May 2025, represents the agentic approach where AI operates more autonomously across the development workflow. Anthropic’s Economic Index analysis of Claude usage patterns found that 79% of coding interactions were “automation” (AI directly performing tasks) versus 21% “augmentation” (AI assisting human work).

No-code vibe coding platforms like Lovable, Bolt.new, and Create.xyz take this further by eliminating the development environment entirely. Users describe applications in natural language, and the platform generates complete, deployable web applications including frontend interfaces and database connections. Lovable reported reaching a valuation of $1.8 billion despite ongoing security concerns. Bolt.new reached $20 million in annualized revenue within two months of launch, according to industry tracking by Aifire.

Traditional AI coding assistants like GitHub Copilot function more conservatively, offering suggestions and completions that developers explicitly accept or reject. GitHub reports that approximately 30% of new code on their platform comes from Copilot, a self-reported figure that includes all AI-assisted code regardless of subsequent human modification, not specifically vibe-coded output where developers accept code without review.

The distinction between these tool categories matters for understanding risk. AI-enhanced editors assume developer expertise and provide assistance. No-code platforms assume minimal expertise and attempt to abstract away complexity. The security incidents have concentrated in the no-code category, where users lack the background to evaluate what the AI produces.

Adoption Data and Industry Trends

Y Combinator’s Winter 2025 batch provided the first quantitative signal of how deeply this approach had penetrated startup culture. Jared Friedman, YC managing partner, revealed that 25% of startups in the cohort had codebases that were 95% AI-generated. This figure excluded imported library code and referred specifically to core functionality.

“It’s not like we funded a bunch of non-technical founders. Every one of these people is highly technical, completely capable of building their own products from scratch. A year ago, they would have built their product from scratch, but now 95% of it is built by an AI,” Friedman stated in a YouTube discussion titled “Vibe Coding Is the Future.”

YC CEO Garry Tan reported that this batch grew 10% per week in aggregate, calling it the fastest-growing and most profitable group in the fund’s history. However, Tan also raised concerns about scalability: “Let’s say a startup with 95% AI-generated code goes out in the market, and a year or two out, they have 100 million users on that product. Does it fall over or not? The first versions of reasoning models are not good at debugging.”

Fastly’s July 2025 survey of 791 professional developers found that 32% of senior developers (those with 10+ years of experience) reported that more than half of their shipped code was AI-generated. This was 2.5 times the rate reported by junior developers at 13%. The survey also found that 90% of developers were using AI coding assistants, though 28% reported fixing AI-generated code frequently enough to offset most time savings. These figures align with Stack Overflow’s 2025 Developer Survey, which found 65% of developers using AI tools at least weekly.

The Security Problem

The democratization of software development through vibe coding has produced a measurable security crisis. On March 20, 2025, Matt Palmer, an employee at Replit, discovered a critical vulnerability in Linkable, a Lovable-built website for generating sites from LinkedIn profiles. His subsequent scan of 1,645 Lovable-created web applications found that 170 contained the same flaw, allowing unauthorized access to user data.

The vulnerability stemmed from misconfigured Row Level Security (RLS) policies in Supabase databases. Lovable applications use a client-side architecture where the browser communicates directly with a Supabase backend via API. Supabase provides an anonymous JWT token for this communication, which is embedded in the frontend JavaScript. When RLS policies are properly configured, this token can only access data the user is authorized to see. When misconfigured, attackers can modify database queries to retrieve any data in the system.

Palmer’s analysis found 303 vulnerable endpoints across 170 projects. By examining only the homepages of these applications, he discovered exposed names, email addresses, financial information, and API keys. The exposed credentials included Google Maps tokens, eBay authentication tokens, Gemini API keys, subscription details, and personal debt amounts. An attacker could override payment settings or inject unauthorized parameters into Stripe integrations.

Lovable’s response drew criticism from the security community. The company initially dismissed concerns and deleted both response tweets and the vulnerable site. When Palmer and colleague Kody Low performed deeper analysis, they notified Lovable on April 14, 2025, initiating a 45-day disclosure window. A Palantir engineer independently discovered and publicly tweeted about the same vulnerability that day, demonstrating active exploitation in the wild. Lovable released a “security scan” feature on April 24, but it only checked whether RLS policies existed, not whether they were correctly configured. “This provides a false sense of security,” Palmer wrote in his vulnerability disclosure, “failing to detect the misconfigurations that expose data.”
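The gap Palmer describes, between a policy existing and a policy being correctly configured, can be shown with a small audit over policy metadata. This is an added example, not code from Lovable, Supabase or Palmer's disclosure. The row shape follows PostgreSQL's pg_policies view; the table names, policy rows and both heuristics are constructed for illustration.

```python
import re

# Roles a browser client can hold. "anon" is the role of the embedded key and
# "public" is the Postgres pseudo-role for every role; "authenticated" is
# included on the assumption that sign-up is open to anyone.
EXPOSED_ROLES = {"anon", "public", "authenticated"}
TRIVIAL = re.compile(r"^\(*\s*(true|1\s*=\s*1)\s*\)*$", re.IGNORECASE)
IDENTITY = re.compile(r"auth\.(uid|jwt)\s*\(", re.IGNORECASE)

# Constructed sample: table -> RLS enabled, plus rows shaped like pg_policies.
TABLES = {"profiles": True, "payments": True, "notes": True, "audit_log": False}
POLICIES = [
    {"tablename": "profiles", "policyname": "Public profiles", "cmd": "SELECT",
     "permissive": "PERMISSIVE", "roles": ["public"],
     "qual": "true", "with_check": None},
    {"tablename": "payments", "policyname": "Users see own payments",
     "cmd": "SELECT", "permissive": "PERMISSIVE", "roles": ["authenticated"],
     "qual": "(auth.uid() = user_id)", "with_check": None},
    {"tablename": "notes", "policyname": "read notes", "cmd": "SELECT",
     "permissive": "PERMISSIVE", "roles": ["anon"],
     "qual": "(is_deleted = false)", "with_check": None},
]


def existence_check(tables, policies):
    """The weak check: RLS is switched on and at least one policy is attached."""
    have_policy = {p["tablename"] for p in policies}
    return {t: enabled and t in have_policy for t, enabled in tables.items()}


def audit(tables, policies):
    """Flag tables and policies that pass existence_check yet still expose rows."""
    findings = []
    for table, enabled in tables.items():
        if not enabled:
            findings.append((table, None, "RLS disabled"))
    for p in policies:
        if p["permissive"] != "PERMISSIVE":
            continue  # restrictive policies can only narrow access
        if not EXPOSED_ROLES & set(p["roles"]):
            continue  # not reachable from a browser client
        clauses = (("USING", p.get("qual")), ("WITH CHECK", p.get("with_check")))
        for clause, expr in clauses:
            if expr is None:
                continue
            if TRIVIAL.match(expr.strip()):
                reason = f"{clause} is always true"
            elif not IDENTITY.search(expr):
                # Heuristic: every caller gets the same rows. Legitimate for
                # public data, so this is a prompt for review, not a verdict.
                reason = f"{clause} never references the caller"
            else:
                continue
            findings.append((p["tablename"], p["policyname"], reason))
    return findings


if __name__ == "__main__":
    print("existence check:", existence_check(TABLES, POLICIES))
    for finding in audit(TABLES, POLICIES):
        print("finding:", finding)
```

On the sample data the existence check passes profiles and notes, while the audit flags both.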

In a separate analysis published in October 2025, security firm Escape examined over 5,600 publicly available vibe-coded applications across platforms including Lovable, Base44, Create.xyz, Vibe Studio, and Bolt.new. They identified more than 2,000 vulnerabilities, 400+ exposed secrets, and 175 instances of personally identifiable information including medical records, bank account numbers (IBANs), phone numbers, and emails. The exposure of medical records and financial data raises potential regulatory violations under GDPR, HIPAA, and PCI-DSS, though enforcement actions have not yet been reported.

Alex Stamos, former Facebook chief security officer, stated that the odds of a beginner configuring database permissions correctly are “extremely low.” The vulnerability pattern echoes 1990s web development, when dynamic sites multiplied faster than secure coding practices could spread. The difference now is that attackers can automate reconnaissance using the same AI tools developers use to write vulnerable code.

The Productivity Paradox

The assumption that AI coding tools accelerate development has faced empirical challenges. METR (Model Evaluation and Threat Research), a nonprofit organization, conducted a randomized controlled trial with 16 experienced open-source developers working on their own repositories averaging over one million lines of code. While the sample size is limited, the study’s rigorous methodology, including screen recordings and controlled randomization, provides rare direct measurement of productivity effects.

The study, conducted from February to June 2025, assigned 246 real-world tasks randomly to allow or prohibit AI usage. Developers primarily used Cursor Pro with Claude 3.5 and 3.7 Sonnet, representing the frontier of available tools at the time. Before starting tasks, developers predicted AI would reduce completion time by 24%. After completing the study, they estimated AI had reduced their time by 20%.

The actual result: developers using AI took 19% longer to complete their tasks. The perception gap between feeling faster and being slower represents what researchers identified as a “productivity placebo.” The study noted that AI coding creates an early sense of momentum through rapid autocomplete, followed by cycles of editing, testing, and reworking that erode initial gains.

Mike Judge, principal developer at software consultancy Substantial, replicated these findings in his own work. For six weeks, he guessed how long tasks would take, flipped a coin to decide whether to use AI, and timed himself. His AI-assisted work took 21% longer on average, mirroring the METR results.

Judge extended his analysis to look for macro-level evidence of productivity gains. He examined data on new apps, website registrations, video games, and GitHub projects. “Shouldn’t this be going up and to the right?” Judge asked. “Where’s the hockey stick on any of these graphs?” He found flat lines across all indicators, suggesting that AI tools provide little aggregate productivity boost.

However, the picture is more nuanced than wholesale rejection. Fastly’s survey found that 80% of developers reported that AI tools made coding more enjoyable, even when productivity gains were modest or absent. Senior developers were twice as likely as juniors to report significant speed gains (26% versus 13% reporting AI made them “a lot faster”). The key differentiator appears to be expertise: experienced engineers can quickly identify when AI output looks correct but behaves incorrectly, enabling faster iteration.

The perceived-versus-actual productivity gap may explain why adoption remains high despite mixed evidence. One developer in the Fastly survey described the dynamic: “An AI coding tool like GitHub Copilot greatly helps my workflow by suggesting code snippets and even entire functions. However, it once generated a complex algorithm that seemed correct but contained a subtle bug, leading to several hours of debugging.”

Google’s 2024 DevOps Research and Assessment (DORA) report, based on over 39,000 respondents, found a similar pattern. While 75% of developers reported feeling more productive with AI tools, the objective data showed that every 25% increase in AI adoption correlated with a 1.5% dip in delivery speed and a 7.2% drop in system stability. Additionally, 39% of respondents reported having little or no trust in AI-generated code.

Andrew Ng’s Critique

Andrew Ng, Stanford professor and co-founder of Google Brain, offered a pointed critique of the term itself at LangChain Interrupt in May 2025. “It’s unfortunate that that’s called vibe coding,” Ng stated. “The phrase can mislead people into imagining that engineers just ‘go with the vibes’, simply accepting or rejecting suggestions from an AI, rather than doing real engineering.”

Ng described AI-assisted coding as “a deeply intellectual exercise” that leaves engineers cognitively exhausted by day’s end. The AI handles syntax, but the human must constantly review outputs, integrate them with project requirements, and catch subtle errors. This mental workload is why Ng finds the casual branding misleading.

Despite his critique of the terminology, Ng encouraged adoption: “It’s been interesting to see how many companies, CIOs and CTOs, still have policies that don’t let engineers use AI-assisted coding. We have to get past that.”

Karpathy’s Own Retreat

By October 2025, Karpathy himself had moderated his position. His latest project, Nanochat, a minimal ChatGPT-like interface, was “basically entirely hand-written.” When asked why, Karpathy explained that he “tried to use Claude/Codex agents a few times but they just didn’t work well enough at all and net unhelpful, possibly the repo is too far off the data distribution.”

The creator of the term had discovered its limits through practical experience. For codebases that diverge significantly from what the models were trained on, AI assistance becomes counterproductive. This creates an interesting tension with the METR findings: experienced developers working on familiar codebases were slowed by AI, yet Karpathy found AI unhelpful when his repository was “too far off the data distribution.” The common thread is that current AI tools struggle at the boundaries of their training data, whether the task requires deep domain expertise or novel architectural patterns.

Professional Implications

A Stanford University study, reported by MIT Technology Review, found that employment among software developers aged 22-25 fell nearly 20% between 2022 and 2025, coinciding with the rise of AI-powered coding tools. Whether this reflects AI displacement, broader tech industry contraction, or other factors remains debated. But the timing has created anxiety about the long-term value of programming skills.

For those in the profession, the data suggests counterintuitive guidance. Senior developers report more benefits from AI assistance despite also spending more time fixing its output. The explanation: expertise enables better prompting, faster validation, and more efficient error correction. Junior developers lack the foundation to evaluate AI output effectively, making them paradoxically less suited to AI-assisted workflows in their current form.

Fastly’s survey quantified this expertise gap. Among senior developers, 59% said AI helped them ship code more quickly, versus 49% of juniors. Seniors were twice as likely to report substantial time savings. One junior developer in the survey captured the frustration: “It’s always hard when AI assumes what I’m doing and that’s not the case, so I have to go back and redo it myself.”

The skills that matter are shifting. Prompt engineering, system design, and AI auditing are becoming valuable while syntax-level mastery recedes in importance. But the transition creates a paradox: learning programming fundamentals may matter more than ever precisely because AI handles the basics. Without understanding what correct code looks like, developers cannot identify AI mistakes.

Luciano Nooijen, an engineer at Companion Group, described atrophy effects after heavy AI usage. When working on a side project without access to AI tools, he found himself struggling with tasks that previously came naturally. “I was feeling so stupid because things that used to be instinct became manual, sometimes even cumbersome.” He now advocates for regular “manual practice” to maintain fundamental skills, comparing it to athletes who still perform basic drills regardless of experience level.

MIT computer scientist Daniel Jackson characterized the trend as “a bit of an impending disaster.” He warned that “not only will we have masses of broken code, full of security vulnerabilities, but we’ll have a new generation of programmers incapable of dealing with those vulnerabilities.” The concern is that AI assistance during skill development may prevent the deep learning that produces experts capable of training and evaluating AI systems.

The Technical Reality

Vibe coding platforms rely on a similar architecture. Users provide natural language descriptions. Large language models translate these into code. The code connects to backend services like Supabase for database functionality. The entire application deploys without the user necessarily understanding what was created.

The vulnerability patterns are structural, not incidental. When AI generates frontend code that directly queries databases, security depends entirely on correct backend configuration. Row Level Security policies must restrict data access appropriately. Anonymous JWT tokens must not expose excessive permissions. API keys must not be embedded in client-side JavaScript.

These requirements are orthogonal to the AI’s code generation capabilities. The model can produce syntactically correct code that creates security vulnerabilities because security is a property of system architecture, not individual code blocks. A user who cannot evaluate the generated code cannot identify when permissions are misconfigured.
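The token and API-key requirements above can be checked against a built frontend bundle before deployment. The following is an added example, not from the original article or any platform's tooling. The bundle, tokens and key values are constructed; the role claim values anon and service_role follow Supabase's key convention, and the key prefixes are the publicly documented Google and Stripe formats.

```python
import base64
import json
import re

JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
# Credential types the article lists among the exposed values.
KEY_PATTERNS = {
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_-]{35}"),
    "stripe_secret_key": re.compile(r"sk_live_[0-9A-Za-z]{16,}"),
}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_jwt(claims):
    """Build a constructed token with a dummy signature, for this demo only."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    return f"{header}.{body}.{_b64url(b'constructed-signature')}"


def jwt_claims(token):
    """Decode the unverified payload segment; None if it is not a JSON object."""
    payload = token.split(".")[1]
    try:
        raw = base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4))
        claims = json.loads(raw)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    return claims if isinstance(claims, dict) else None


def scan_bundle(js_text):
    """Return (kind, severity, detail) for each credential found in the bundle."""
    findings = []
    for token in JWT_RE.findall(js_text):
        role = (jwt_claims(token) or {}).get("role")
        if role == "anon":
            # Expected in the browser; what it can read is decided by RLS.
            findings.append(("jwt", "info", "role=anon; exposure depends on RLS"))
        elif role == "service_role":
            findings.append(("jwt", "critical", "role=service_role bypasses RLS"))
        else:
            findings.append(("jwt", "review", f"role={role!r}"))
    for kind, pattern in KEY_PATTERNS.items():
        for value in pattern.findall(js_text):
            findings.append((kind, "high", value[:8] + "..."))  # masked
    return findings


# Constructed bundle text; example.invalid is a placeholder host.
SAMPLE_BUNDLE = (
    'const supabase=createClient("https://example.invalid","'
    + make_sample_jwt({"role": "anon", "iss": "supabase"}) + '");'
    + 'const admin=createClient("https://example.invalid","'
    + make_sample_jwt({"role": "service_role", "iss": "supabase"}) + '");'
    + 'const MAPS_KEY="AIza' + "X" * 35 + '";'
    + 'const STRIPE="sk_live_' + "0" * 24 + '";'
)

if __name__ == "__main__":
    for finding in scan_bundle(SAMPLE_BUNDLE):
        print(finding)
```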

Google Cloud’s documentation distinguishes between “pure” vibe coding, where users trust AI output entirely, and “responsible AI-assisted development,” where AI acts as a collaborator and the developer reviews, tests, and understands the output. The former suits rapid ideation; the latter describes professional practice.

The Path Forward

The data suggests neither wholesale adoption nor rejection. AI coding tools provide genuine value for specific use cases: prototyping, boilerplate generation, learning new frameworks, and expanding what individuals can build. They create genuine risks when deployed without human comprehension in security-sensitive or production contexts.

The industry has begun developing hybrid workflows. Tools like VibeEval offer automated security scanning for AI-generated applications, checking for the specific vulnerability patterns that plague vibe-coded projects. Platforms are implementing secure-by-default configurations that reduce the expertise required for safe deployment. Senior developers have adopted the role of “AI babysitters” who validate and correct machine output, a workflow that trades typing time for review time.

For organizations evaluating these tools, several patterns have emerged from the research:

When vibe coding works: Rapid prototypes that will be discarded or rebuilt, internal tools with limited exposure, learning projects where the goal is understanding concepts, and situations where the developer has deep domain expertise to validate output quickly.

When vibe coding creates risk: Applications handling sensitive data, code that will be maintained long-term, projects where security misconfigurations have material consequences, and situations where the developer cannot independently verify correctness.

Measurement determines outcomes. Fastly found that only 14% of developers rarely needed to edit AI output. The remaining 86% spent varying amounts of time on correction, with 28% spending enough time to offset most gains. Organizations should track not just code output but debugging time, security incidents, and long-term maintenance costs before concluding that AI tools improve productivity.

The skills question remains open. If AI handles implementation, what does human expertise become? The METR study suggests that deep familiarity with codebases currently provides more value than AI assistance. But for greenfield projects or unfamiliar domains, the calculus may differ. Developers who understand system architecture, security principles, and debugging methodology can extract value from AI tools. Those who lack this foundation may produce working software that harbors hidden defects.

The cultural shift Karpathy identified is real. Natural language is becoming a programming interface. The question is not whether this trend continues, but how the industry manages its consequences. Vibe coding works for throwaway projects. For software that matters, understanding remains non-negotiable.


Sources and References

Primary Sources:

  • Karpathy, Andrej. Twitter/X post, February 6, 2025. Original coinage of “vibe coding.”
  • Collins Dictionary Word of the Year 2025 announcement, November 6, 2025.
  • Y Combinator YouTube discussion, “Vibe Coding Is the Future,” March 2025. Jared Friedman and Garry Tan statements.
  • Fastly Developer Survey, July 2025 (791 respondents).
  • METR, “Measuring the Impact of Early-2025 AI on Experienced Open-Source Developer Productivity,” July 2025.

Security Research:

  • Palmer, Matt. CVE-2025-48757 disclosure. Replit vulnerability research on Lovable applications.
  • Escape Security Research, “Methodology: 2k+ Vulnerabilities in Vibe-Coded Apps,” October 2025.
  • National Vulnerability Database entry for CVE-2025-48757.

Industry Analysis:

  • TechCrunch reporting on Y Combinator Winter 2025 batch statistics.
  • MIT Technology Review, “AI coding is now everywhere. But not everyone is convinced,” December 2025.
  • Google DORA Report 2024.
  • Semafor reporting on Lovable security vulnerabilities, May 2025.

Expert Commentary:

  • Willison, Simon. “Not all AI-assisted programming is vibe coding,” simonwillison.net, March 2025.
  • Ng, Andrew. Remarks at LangChain Interrupt conference, May 2025.
  • Jackson, Daniel (MIT). Comments to Wired on vibe coding risks.
  • Stamos, Alex. Security commentary on vibe coding platforms.

Industry Surveys:

  • Stack Overflow Developer Survey 2025.
  • Anthropic Economic Index analysis of Claude usage patterns.