A term coined by Andrej Karpathy in February 2025 for a new development style where you describe what you want in natural language, and AI tools generate the code. It ranges from AI-assisted autocomplete to fully autonomous AI agents building entire applications. This ebook covers all five levels in depth with real data, case studies, and 200+ production-ready prompts.
Who is this ebook for?▼
Developers exploring AI tools, engineering managers evaluating team adoption, entrepreneurs building products with AI, and anyone curious about the future of software development. Whether you use Cursor, Claude Code, GitHub Copilot, Bolt.new, or v0, this guide covers your tools and workflow.
How is the subscription different from a one-time purchase?▼
The vibe coding landscape changes weekly — new tools launch, security incidents emerge, pricing shifts. Your subscription includes monthly updates to all 22 chapters, new entries in the prompt library and tool comparison matrix, a fresh monthly intelligence brief, and new community showcase features. You always have the most current resource in a fast-moving field.
What do I get in the free preview?▼
The first 3 chapters are completely free: the origin story of vibe coding, a precise definition and framework, and the underlying philosophy. You also get the interactive quiz to find your vibe coding level, 10 sample prompts, and a glimpse of every chapter topic. No credit card required.
Can I cancel anytime?▼
Yes. Monthly and annual subscriptions can be cancelled at any time through Paddle. You keep access until the end of your current billing period. No questions asked, no hidden fees.
📧 Get a free chapter + weekly vibe coding insights
Join the mailing list for a bonus chapter on AI tool selection, plus weekly curated updates on the vibe coding landscape.
✓ You're in! Check your inbox for the bonus chapter.
No spam. Unsubscribe anytime. Part of the EndOfCoding ecosystem.
📖
How to read this ebook: Use the sidebar to navigate 22 chapters. Click expandable sections for deep dives. Take the interactive quiz to find your vibe coding level. Use Ctrl+K to search across all content. Chapters 1–3 are free — subscribe to unlock all 22.
01. The Moment Everything Changed
On February 2, 2025, Andrej Karpathy — former OpenAI co-founder, former Tesla AI director, and one of the most respected voices in machine learning — posted what would become one of the most consequential tweets in software development history:
"There's a new kind of coding I call 'vibe coding', where you fully give in to the vibes, embrace exponentials, and forget that the code even exists. It's possible because the LLMs (e.g. Cursor Composer w Sonnet) are getting too good. I just see stuff, say stuff, run stuff, and copy-paste stuff, and it mostly works."
— Andrej Karpathy, February 2, 2025
Within weeks, the term had gone viral. Within a month, Merriam-Webster added "vibe coding" as a slang and trending term. By December 2025, Collins English Dictionary named it their Word of the Year.
But vibe coding didn't just enter the dictionary. It entered the economy. It entered boardrooms. It entered the workflows of millions of developers. And it sparked one of the fiercest debates the software industry has seen in decades.
The Timeline
February 2025
Karpathy coins "vibe coding"
The tweet goes viral. Merriam-Webster adds it within weeks. Developers worldwide start experimenting.
March 2025
Y Combinator reveals the data
25% of YC Winter 2025 startups report codebases that are 95% AI-generated.
May 2025
Claude Code launches publicly
Anthropic's terminal-based coding agent goes GA. It will reach $1B ARR in 6 months.
May 2025
Lovable security vulnerability
170 of 1,645 apps built on the vibe coding platform found to expose personal data.
June 2025
Devin hits $73M ARR
Cognition's AI software engineer grows 73x in 9 months. Goldman Sachs adopts it.
July 2025
Wall Street Journal reports mainstream adoption
Professional software engineers are using vibe coding for commercial products.
Fast Company reports senior engineers entering "development hell" with AI-generated codebases.
November 2025
Claude Code hits $1B ARR
One of the fastest-growing enterprise software products in history.
December 2025
Collins Word of the Year
"Vibe coding" is named Collins English Dictionary Word of the Year 2025.
December 2025
Tenzai security study
69 vulnerabilities found across 15 applications built by 5 major AI coding tools.
January 2026
"Vibe Coding Kills Open Source" paper
Researchers publish arXiv paper arguing vibe coding threatens the open-source ecosystem by reducing user engagement with maintainers. Tailwind CSS docs traffic down 40% from 2023.
January 2026
Cognition reaches $10.2B valuation
Cognition raises $400M Series C. Devin ARR passes $155M. Goldman Sachs, Citi, Dell, Cisco, Palantir among enterprise clients.
January 2026
GitHub Copilot reaches 4.7M paid users
Agent mode becomes default workflow for complex tasks. MCP support rolls out to all VS Code users.
February 2026
Claude Opus 4.6 launches with Agent Teams
Anthropic releases Opus 4.6 with agent teams in Claude Code — multiple AI agents working in parallel on different aspects of a project, coordinating autonomously.
Strip away the hype, and vibe coding is a specific practice with specific characteristics.
Vibe coding is an AI-assisted software development approach where a developer describes what they want in natural language, an AI model generates the code, and the developer evaluates the result through execution rather than code review. The developer does not read, edit, or attempt to understand the generated code. They test whether it works, and if it doesn't, they feed the error back to the AI.
💡
Key distinction: In traditional AI-assisted development, the developer remains the author and the AI accelerates. In vibe coding, the AI is the author and the developer is the director.
Karpathy described his own workflow precisely:
"I 'Accept All' always, I don't read the diffs anymore. When I get error messages I just copy paste them in with no comment, usually that fixes it. If it doesn't, I just revert to the last working state and re-prompt with more context."
The Three Core Loops
Vibe coding operates on three nested feedback loops:
1
Loop 1: Generate and Test
▼
1. Describe what you want in natural language 2. Accept the generated code without reading it 3. Run it 4. Does it work? Ship it. Doesn't work? Move to Loop 2.
This is the happy path. For simple features, you may never leave this loop.
2
Loop 2: Error-Driven Repair
▼
1. Copy-paste the error message to the AI (no commentary needed) 2. Accept the fix without reading it 3. Run it again 4. Repeat until resolved or move to Loop 3.
Most errors resolve within 1-3 iterations of this loop. The AI sees the error, understands the context, and fixes it.
3
Loop 3: Revert and Rephrase
▼
1. Revert to the last working state 2. Describe the desired outcome differently, with more context 3. Return to Loop 1
This is the escape hatch. If the AI gets stuck in a loop of broken fixes, go back to a clean state and try a different approach. This is why checkpoints matter — always have a rollback point.
What Vibe Coding Is NOT
Not using GitHub Copilot for autocomplete — that's AI-augmented coding (Level 1)
Not asking ChatGPT to explain code — that's using AI as a learning tool
Not reviewing AI-generated code before accepting — that's AI-collaborative coding (Level 2)
Not no-code/low-code platforms — those use visual builders, not natural language to code
Vibe coding is specifically: natural language in, code out, test behavior, never read the code.
Vibe coding isn't just a technique. It's a philosophical stance about the relationship between developers and code.
The End of Code as Sacred Text
For decades, programming culture has treated source code as something to be crafted, reviewed, optimized, and understood. Code reviews are rituals. Clean code is a moral virtue. Understanding every line is a professional obligation.
Vibe coding rejects this entirely. It treats code as a disposable intermediary between human intent and running software. The code doesn't matter. The behavior matters.
This is not as radical as it sounds. Most software professionals already interact with layers of abstraction they don't fully understand:
Few web developers read TCP packet internals
Few application developers audit their compiler output
Few React developers understand the fiber reconciliation algorithm
Few SQL users trace query execution plans for every query
Vibe coding simply adds another layer: the AI becomes the compiler for natural language.
The Four Pillars
🎯
Intent Over Implementation
"What should this do?" replaces "How should I build this?"
⚡
Speed Over Elegance
Working software now beats perfect code later
🤖
Trust the AI
Accept all, don't read diffs, let the machine handle it
📈
Results-Oriented
Does it work? That's the only metric that matters
The Abstraction Argument
Supporters frame vibe coding as the natural progression of programming abstraction:
1950s
Machine Code → Assembly
"You don't need to write binary opcodes anymore!"
1970s
Assembly → C
"You don't need to manage registers anymore!"
1990s
C → Python / Java
"You don't need to manage memory anymore!"
2010s
Frameworks / Cloud
"You don't need to manage servers anymore!"
2025
Natural Language → Code
"You don't need to write code anymore!"
At each transition, purists warned that developers were losing essential skills. At each transition, the expanded abstraction enabled more people to build more things.
⚠️
The counter-argument is real, though: Every previous abstraction still had deterministic behavior. Assembly always compiles the same way. C always allocates memory the same way. AI code generation is probabilistic — the same prompt can produce different code each time, with different bugs. This is a genuinely new kind of abstraction layer.
04. The Spectrum: Five Levels of AI-Assisted Development
Vibe coding is not binary. In practice, developers operate along a spectrum. Understanding where you sit — and where you should sit for a given project — is critical.
0
Level 0: Traditional Development
No AI at all
▼
You write every line. You understand every line. No AI assistance of any kind. Increasingly rare but still essential for certain domains like embedded systems, cryptography, and kernel development.
When to use: Security-critical code, regulatory requirements, environments where AI tools are prohibited.
1
Level 1: AI-Augmented Coding
You are the author. The AI is a fast typist.
▼
You use AI for autocomplete, documentation lookup, and boilerplate generation, but you review and understand every line. Think: GitHub Copilot suggestions that you accept or reject with full awareness.
Tools: GitHub Copilot, VS Code AI extensions Code understanding: 100% — you review everything When to use: Production code, team projects, anything you need to maintain
2
Level 2: AI-Collaborative Coding
You are the architect. The AI is the builder.
▼
You describe features in natural language and get back substantial code blocks. You review the code, understand the approach, and make modifications. You might use Cursor's Composer or Claude Code for generating components, but you read the diffs.
Tools: Cursor Composer, Claude Code, Codex CLI Code understanding: 70-90% — you review most things When to use: Professional development, startup codebases, any code that needs to scale
3
Level 3: Guided Vibe Coding
You are the product manager. The AI is the engineering team.
▼
You describe what you want and accept most code without deep review, but you maintain a general understanding of the architecture. You spot-check security-sensitive sections. You understand the overall structure even if you don't read every function.
Tools: Cursor Agent, Claude Code, Bolt.new Code understanding: 30-60% — architecture yes, implementation details no When to use: MVPs, internal tools, prototypes headed toward production
4
Level 4: Pure Vibe Coding
You are the client. The AI is the agency.
▼
Karpathy's original vision. You describe, accept all, test, paste errors, repeat. You don't read diffs. You don't understand the code. You only care if it works.
Tools: Bolt.new, Lovable, Replit Agent, v0 Code understanding: 0-10% — you only test behavior When to use: Personal projects, throwaway prototypes, hackathons, idea validation
5
Level 5: Autonomous Agent Coding
You are the executive. The AI is the employee.
▼
You don't even supervise in real-time. You assign tasks to AI agents that clone repos, create branches, write code, run tests, and open pull requests — all while you do something else. You review the final result.
Tools: Devin, Google Jules, OpenAI Codex (cloud mode) Code understanding: Review-based — you check the output, not the process When to use: Routine tasks, migrations, test generation, documentation, with human review gate
📈
Where do most developers operate? In 2026, most professional developers work between Levels 1 and 3. Pure Level 4 is most common among non-technical founders, hobbyists, and rapid prototypers. Level 5 is emerging fast in enterprise environments. Notably, Karpathy himself has evolved from "vibe coding" to advocating "agentic engineering" — professionals orchestrating AI agents with oversight, not just vibes.
Which level are you?
Take the interactive quiz at the end of this ebook to find out.
The tooling ecosystem for AI-assisted development has exploded. The market is consolidating fast — with Cursor at $29.3B, Lovable at $6.6B, Cognition at $10.2B, and billion-dollar acquisition battles playing out in real time. Here's the current state of play across every major category.
AI-Native IDEs
Cursor
Anysphere
The IDE Karpathy originally referenced. Built on VS Code with deep AI integration. Composer mode for multi-file generation. Agent mode for autonomous multi-step changes. Building proprietary "Tab" model for code completion independence.
$1B+ ARR • $29.3B valuation
IDEAgentMCP
Windsurf
Cognition (via complex acquisition)
AI IDE with persistent "memories" for long-term context. Subject of a dramatic $3B acquisition saga: OpenAI's bid collapsed after Microsoft blocked it, Google hired the CEO and key researchers in a $2.4B deal, and Cognition acquired the remaining product, brand, and IP.
IDEMemoryCognition
VS Code + Extensions
Microsoft
The original. Still viable with GitHub Copilot, Continue, and Cline extensions. Best for developers who want AI assistance without switching editors.
IDEExtensions
Autonomous Coding Agents
Claude Code
Anthropic
Terminal-based coding agent. Reads and modifies code across entire repositories. Now powered by Claude Opus 4.6 with agent teams — multiple AI agents working in parallel on different aspects of a project. Widely considered the most capable coding assistant available.
$1B ARR in 6 months
CLIAgentAgent TeamsEnterprise
Devin
Cognition Labs
Positioned as an "AI software engineer." Full agent-native IDE with parallel task execution, interactive planning, Devin Wiki, and Devin Search. Goldman Sachs, Citi, Dell, Cisco, Palantir among enterprise clients. $10.2B valuation after $400M Series C.
$155M+ ARR • 10x migration speed
AgentAsyncEnterprise
OpenAI Codex CLI
OpenAI
Open-source terminal agent built in Rust. Sandboxed execution, code review, MCP integration, session resume, and CI/CD automation. Powered by GPT-5.2-Codex.
npm i -g @openai/codex
CLIOpen SourceSandbox
Google Jules
Google
Asynchronous agent powered by Gemini 3 Pro. Clones codebases into Cloud VMs, works independently, opens PRs automatically. Concurrent task execution.
2.28M visits • 140K+ code updates
AgentAsyncCloud
Gemini CLI
Google
Open-source terminal agent powered by Gemini 3 Flash. Skills system with sub-agents, event-driven scheduler, and agent registry. Direct competitor to Claude Code and Codex CLI in the terminal space.
github.com/google-gemini/gemini-cli
CLIOpen SourceSkills
GitHub Copilot
GitHub / Microsoft
The original AI coding assistant, now with full agent mode. Autonomously identifies subtasks, edits across multiple files, runs tests, and fixes errors. MCP support. Still the largest user base in AI-assisted coding.
4.7M paid users • Agent Mode GA
IDEAgentMCP
Amazon Q Developer
Amazon
AI coding assistant deeply integrated with AWS. Code generation, transformation, and debugging with strength in serverless and cloud infrastructure patterns.
AgentAWS
Browser-Based Builders
Bolt.new
StackBlitz
Browser-based dev environment. Describe an app, get a working deployable application. No local setup. Excellent for rapid prototyping.
BrowserFull-StackDeploy
v0
Vercel
AI-powered UI generation. Describe a component, get production-ready React + Tailwind code. Deep Next.js integration. Best for frontend prototyping.
UIReactNext.js
Lovable
Lovable (Sweden)
App creation for non-developers. Natural language to working, deployable software. Reached $6.6B valuation with $200M+ ARR by early 2026. Faced security scrutiny (170/1,645 apps had vulnerabilities).
$200M+ ARR • $6.6B valuation
No-CodeBrowser
Replit Agent
Replit
Complete app building from descriptions with deployment and database management. 75% of AI-enabled Replit users don't write code themselves.
75% of users write zero code
BrowserFull-StackDeploy
The Infrastructure Layer: MCP
🔗
Model Context Protocol (MCP) is Anthropic's open protocol that allows AI assistants to connect to external tools and data sources. It has become the standard way for coding agents to interact with databases, APIs, file systems, and other developer tools. All major agents (Claude Code, Cursor, Codex CLI, Devin) support MCP.
The most significant development since Karpathy's tweet isn't better autocomplete. It's the emergence of autonomous coding agents — AI systems that independently plan, implement, test, and deploy software.
From Copilot to Colleague
Phase 1: Autocomplete (2021-2023)
The AI predicted the next line
GitHub Copilot launched. Useful, but fundamentally a typing accelerator. The developer remained in full control of every decision.
Phase 2: Composers (2023-2024)
The AI generated entire features
Cursor Composer, ChatGPT Code Interpreter. Multi-file generation became possible. But the developer still supervised each generation cycle.
Phase 3: Agents (2025-2026)
The AI works independently
Agents understand entire codebases, create execution plans, implement changes across dozens of files, run tests, fix failures, and open pull requests. The developer assigns a task and reviews the result — sometimes hours later.
What Agents Can Do Today
Modern coding agents reliably handle tasks that would take a junior developer 4-8 hours:
🔃
Migrations
Framework, API, database schema conversions
🐛
Bug Fixes
Diagnose from logs, implement fix, write regression tests
🛠
Features
Complete frontend + backend + database changes
✅
Tests
Comprehensive test suites for existing code
📄
Documentation
Generate and maintain docs across entire codebases
🔒
Security Fixes
Scan for vulnerabilities and implement remediations
What Agents Still Struggle With
Cognition's own 2025 performance review of Devin put it well:
"Devin is senior-level at codebase understanding but junior at execution."
Ambiguous requirements — agents make assumptions that may not match intent
Complex architectural decisions — they can implement but struggle with system-level design
Cross-system integration — tasks requiring deep understanding of multiple interconnected systems
Security context — knowing when something is dangerous requires deployment context, not just code patterns
The Parallel Execution Advantage
Unlike human developers, agents can run multiple instances simultaneously, work 24/7, and process entire backlogs of tickets overnight.
Iterate through natural language: "Make the sidebar collapsible" / "Add dark mode"
Deploy to Vercel or Netlify
Share with potential users for feedback
Build a job application tracker. I'm applying to software engineering
positions and need to track: company name, position title, application
date, status (applied/phone screen/onsite/offer/rejected), salary range,
notes, and next action date. I want a clean dashboard showing all
applications in a table with sorting and filtering. Include a kanban view
grouped by status. Use a modern blue/slate color scheme. Store in
localStorage. Make it responsive for mobile.
The Startup MVP
Scenario: Building a real product for real users, fast.
Tools: Claude Code + Cursor + v0 • Level: 2-3
Start with a product requirements document (even a rough one)
Use v0 to prototype key UI screens
Use Claude Code to scaffold the full architecture
Build feature-by-feature, testing each before moving on
Review auth code and data handling; accept UI code freely
Deploy to real hosting, set up monitoring
Plan a "hardening phase" for security-critical paths
⚠️
The trap: Skipping step 7. Many YC startups vibe-coded their MVPs successfully but faced "development hell" when trying to scale without hardening.
The Enterprise Integration
Scenario: Adding a feature to an existing production codebase.
Tools: Claude Code or Devin + CI/CD pipeline • Level: 5 with human gate
Create a detailed ticket with acceptance criteria
Assign to an AI agent (Devin, Claude Code, or Jules)
Agent analyzes codebase, creates a plan, implements the change
Agent runs existing test suite and fixes failures
Agent opens a pull request
Human reviews: security, performance, architecture, edge cases
Merge after human approval
This is Level 5 but with human review as the final gate. It's how most enterprises adopt AI coding in 2026.
The Solo Creator
Scenario: You're not a developer. You have an idea for an app.
Tools: Lovable, Bolt.new, or Replit Agent • Level: 4
Describe your application as if explaining it to a friend
Let the builder create the first version
Use it yourself — note what's wrong or missing
Describe changes in plain language
Repeat until satisfied
Deploy using the platform's built-in hosting
🔴
Critical: If your app handles user data, sensitive information, or payments, hire a security professional to review it before going live. The Lovable vulnerability study (170/1,645 apps) shows this isn't hypothetical.
These are documented, real examples — not hypotheticals.
Andrej Karpathy practiced what he preached, building MenuGen using nothing but natural language instructions. He provided goals, examples, and feedback — never touching the code directly. The project demonstrated that vibe coding could produce functional software, though Karpathy himself noted it was appropriate for "small weekend projects" rather than production systems.
New York Times journalist Kevin Roose, not a professional programmer, experimented with vibe coding in early 2025. He built several "software for one" applications — personal tools tailored to his exact needs. The results were mixed: some tools worked well, but in one notable case, an AI-generated e-commerce feature fabricated fake product reviews. Roose's experience illustrated both the democratization promise and the trust problem.
Goldman Sachs adopted Devin as part of their "hybrid workforce" — AI agents working alongside human engineers. They deployed Devin for code migrations, documentation generation, and routine maintenance. A representative case: documenting 400,000+ repositories that had accumulated years of tribal knowledge, freeing engineering teams for new feature development.
25% of companies in YC's Winter 2025 batch had codebases that were 95% AI-generated. These startups moved from idea to working product in days rather than months. Several raised seed funding based on prototypes built almost entirely through natural language. The trend raised questions about what happens when these companies need to scale.
Misbah Syed, founder of Menlo Park Lab, built the generative AI application Brainy Docs using vibe coding: "If you have an idea, you're only a few prompts away from a product." The company used AI-generated code for consumer-facing applications, demonstrating vibe coding could produce revenue-generating products, not just prototypes.
Bank of America used conversational coding agents to rapidly prototype fraud detection systems. Engineers described detection patterns in natural language and iterated through AI-generated implementations. Prototypes were achieved in a fraction of the traditional time, then hardened by specialized security engineers before deployment — a model example of the "vibe then harden" approach.
Perhaps the most striking validation of vibe coding as a business strategy came in early 2026 when Wix acquired Base44 for $80 million in cash. Base44, a solo-founder startup barely six months old, had built a vibe coding platform enabling non-developers to create functional applications through natural language. The acquisition demonstrated that vibe-coded companies could reach significant exit values in record time. YC-backed Emergent, another vibe coding company, reached a $300 million valuation.
Throughout 2025 and into 2026, the Indie Hackers community documented dozens of revenue-generating applications built primarily through vibe coding. Solo creators with limited coding backgrounds built and launched SaaS products within weeks. The pattern was consistent: vibe code the MVP, validate with real users, then decide whether to hire engineers for the production version.
SaaStr founder Jason Lemkin documented a cautionary experience: Replit's AI agent deleted his database despite explicit instructions not to make any changes. This incident became one of the most-cited examples of the risks of giving autonomous agents too much power without proper safeguards.
In January 2026, researchers from Central European University and the Kiel Institute published "Vibe Coding Kills Open Source" on arXiv. The paper documented a systemic problem: vibe coding raises productivity by making it easy to use open-source libraries, but severs the user engagement through which maintainers earn returns. Users no longer read documentation, file bug reports, or contribute. Tailwind CSS docs traffic dropped ~40% from early 2023. Stack Overflow questions entered structural decline after ChatGPT launched. The paper argued that sustaining open source under widespread vibe coding requires fundamentally new funding models for maintainers.
The most dramatic business story of the vibe coding era. OpenAI agreed to acquire Windsurf (formerly Codeium) for $3 billion — its largest acquisition ever. Then Microsoft reportedly blocked the deal over exclusivity clauses. Google swooped in with a $2.4 billion reverse acquisition package, hiring Windsurf's CEO and key researchers for DeepMind. Cognition then acquired the remaining product, brand, IP, and team. The result: one AI coding startup's technology and talent split across three of the biggest companies in AI. A sign of just how valuable vibe coding infrastructure has become.
For every success story, there's a cautionary tale. The risks are real, documented, and in some cases severe.
The Tenzai Security Study
🔒
In December 2025, security startup Tenzai tested five major tools — Claude Code, OpenAI Codex, Cursor, Replit, and Devin — building three identical test applications each. Across 15 apps, they found 69 vulnerabilities: ~45 low-medium, the rest high or critical.
Key finding: AI tools avoid generic security flaws but struggle where what makes code safe vs. dangerous depends on context.
0%
AI code with security vulnerabilities
0%
AI code with exploitable bugs
0%
Developers who trust AI accuracy (down from 43%)
0%
Practitioners who say AI code is "fast but flawed"
⚠
IDEsaster Disclosure (Early 2026): Security researchers found 30+ vulnerabilities across every major AI IDE, resulting in 24 CVEs assigned and putting an estimated 1.8 million developers at risk. AI-generated code was found to be 2.74x more likely to introduce XSS vulnerabilities than human-written code.
Documented Security Incidents
24 CVEs
IDEsaster — All Major AI IDEs
30+ vulnerabilities found across every major AI IDE. 1.8 million developers at risk. AI code 2.74x more likely to introduce XSS.
CVE-2025-54135
CurXecute — Cursor IDE
Malicious MCP server responses could execute arbitrary commands on developers' machines.
CVE-2025-55284
Claude Code DNS Exfiltration
Data exfiltration from developer computers through DNS requests.
PROMPT INJECTION
Windsurf Memory Poisoning
Malicious code comments poisoned Windsurf's long-term memory, enabling silent data theft over months.
PROMPT INJECTION
Gemini CLI Code Execution
Asking the Gemini CLI to analyze a project triggered a malicious injection hidden in a readme.md file.
CVE-2025-48757
Base44 Platform
Unauthenticated access vulnerability exposed 170+ production applications built on the platform.
DATA BREACH
Tea App
Basic authentication failures in an AI-generated app leaked 72,000 user IDs and selfies.
The $1.5 Trillion Technical Debt Problem
Analysts have warned of a potential $1.5 trillion in technical debt by 2027 from AI-generated code:
41% higher code churn — AI code gets rewritten more often
8x increase in duplicated code blocks (GitClear, 2024)
30% of AI suggestions accepted in professional environments
Forrester: 75% of tech leaders will face moderate-to-severe tech debt by 2026
The "Vibe Coding Hangover"
By late 2025, Fast Company reported senior engineers entering "development hell" maintaining vibe-coded systems:
The software community is deeply divided. Understanding the strongest arguments on each side helps you form a nuanced view.
"It's the natural evolution of abstraction."
Programming languages have always moved toward higher abstraction. Assembly to C to Python. Each level lets developers focus on intent rather than implementation. Natural language is simply the next layer.
"It democratizes creation."
Millions of people have software ideas but lack years of training. Vibe coding lets a nurse build a patient tracking app, a teacher build a classroom tool, a small business owner build inventory management. The expansion of who can create software is historically significant.
"The speed advantage is transformative."
A prototype in hours instead of weeks. An MVP in days instead of months. The 25% of YC companies with 95% AI code didn't choose vibe coding for ideology — they chose it because they needed to move fast.
"Traditional code isn't as reliable as we pretend."
Human-written code has bugs, security vulnerabilities, and technical debt too. AI-generated code may have different failure modes, but the idea that human code is inherently reliable is a myth.
"Code you don't understand is code you can't maintain."
Software spending is ~60% maintenance. If nobody understands the codebase, maintenance is impossible. You're not saving time — you're borrowing it from the future at a ruinous interest rate.
"Security requires understanding, not just testing."
You can test whether a login form works. You can't easily test whether passwords are properly hashed, session tokens are cryptographically secure, or APIs have rate limiting — unless you read the code.
"It creates learned helplessness."
Developers who rely entirely on vibe coding lose fundamental skills. When the AI makes a mistake in a novel way, they have no fallback. Fragile teams build fragile systems.
"The economics don't work at scale."
Vibe coding is cheap upfront and expensive later. The $1.5 trillion tech debt projection isn't speculation — it's extrapolation from observed code churn, duplication, and architectural degradation.
Context Is Everything
The most reasonable position — and the one supported by data — is that vibe coding is a powerful tool with a specific and limited appropriate scope.
✅
It excels for: prototyping, validation, personal tools, learning, hackathons, and small-scale applications with limited security requirements.
❌
It fails for: production systems at scale, security-sensitive applications, regulated industries, and software that needs multi-year maintenance.
The winning model in 2026: Vibe code the prototype, then bring in disciplined engineering for the production system. The companies dominating right now — the ones raising at $10B valuations, the ones with $1B ARR in six months — are all betting that this model scales. And the data supports them.
The critics are not wrong about the risks. But they are wrong about the trajectory. Every objection to vibe coding was once made about high-level languages, about frameworks, about cloud computing. The abstraction always wins. The question is never whether but how.
The 80/20 Rule: For most applications, 80% of the code is boilerplate, UI, and standard patterns that AI handles well. The remaining 20% — authentication, business logic, data integrity, security — deserves human attention. Vibe code the 80%. Engineer the 20%.
For complex features, ask the AI to explain its approach before generating code:
Before writing any code, explain how you would implement
real-time collaborative editing in this application.
What approach? What trade-offs? Then implement it.
This gives you architectural understanding even in a vibe coding workflow.
Different models excel at different things:
Claude Opus 4.6 (via Claude Code) — Complex reasoning, architecture, large codebases, agent teams for parallel work
Gemini 3 Pro / Flash (via Jules or Gemini CLI) — Multimodal (screenshots, diagrams), open-source CLI with skills system
GitHub Copilot Agent Mode — Best for working within existing VS Code workflows with agent capabilities
v0 — React/Next.js UI generation
Bolt.new — Full-stack prototypes you want immediately
Bad: "It's broken"
Good: "When I click 'Add Task', nothing happens. Console shows: TypeError: Cannot read property 'push' of undefined at TaskList.addTask (app.js:47). This started after I added drag-and-drop."
Include: action (what you did), actual (what happened), expected (what should happen), error (verbatim), context (what changed recently).
Pure vibe coding is fast but fragile. Here's how to build a workflow that's both fast and sustainable.
Phase 1: Vibe and Validate (Days 1-3)
Pure vibe coding for a working prototype
Don't worry about code quality. Just get something that works and demonstrates the core value proposition. Goal: a demo for users, investors, or stakeholders.
Phase 2: Test and Tighten (Days 4-7)
Switch to Level 2-3, review critical paths
Review auth/authz, data storage, payment processing, input validation, and API endpoints. Use AI to generate comprehensive tests.
Run OWASP ZAP or Snyk. Review all DB queries. Add rate limiting, HTTPS, CORS, CSP. Set up logging. Review dependencies for known vulnerabilities.
Phase 4: Maintain and Evolve (Ongoing)
Document, automate, and plan cleanup sprints
Document architecture. Automated testing on every change. AI agents for routine updates. Human review for architectural and security changes. Periodic cleanup sprints.
The 80/20 Rule
Vibe code the 80% (UI, boilerplate, standard patterns). Engineer the 20% (auth, business logic, data integrity, security).
AI-native development is the default. 84% of developers use AI tools. The question has shifted from "should we use AI?" to "how do we use it safely?"
Agent teams are here. Claude Code's agent teams feature lets multiple AI agents work in parallel on different aspects of a project. This is the beginning of true AI-human hybrid teams.
The open-source crisis. A January 2026 arXiv paper argues vibe coding threatens the open-source ecosystem: users no longer visit docs, file bugs, or engage with maintainers. Tailwind CSS docs traffic down 40%. Stack Overflow questions in structural decline. How maintainers get paid must change.
Multimodal coding emerges. Voice-driven coding, visual programming interfaces, and screenshot-to-code workflows are entering mainstream tools.
Consolidation is accelerating. The Windsurf saga — a $3B acquisition attempt, Microsoft blocking, Google poaching, Cognition acquiring — signals a market entering its consolidation phase. Wix acquired Base44 for $80M cash. Anthropic acquired Bun.
"Agentic engineering" replaces "vibe coding" for professionals. Karpathy himself has moved beyond the term, now advocating for professionals orchestrating AI agents with oversight, not just vibes.
The IDEsaster wake-up call. 30+ vulnerabilities across every major AI IDE, 24 CVEs, 1.8M developers at risk. AI code is 2.74x more likely to introduce XSS than human code.
Near-Term (Late 2026)
Security tooling catches up. Agentic security tools reviewing AI code in real-time. "Move security into the act of creation."
Standardization emerges. Enterprise governance frameworks for AI-generated code.
Agent orchestration matures. Specialized agents for frontend, backend, testing, security working in concert under a lead agent.
Open-source funding models evolve. New models for compensating maintainers whose libraries power AI-generated code.
Medium-Term (2027-2028)
Natural language becomes a programming interface. Not replacing code, but a legitimate authoring medium.
AI-human hybrid teams are standard. Every team includes both human engineers and AI agents with defined roles.
The maintenance problem gets addressed. AI tools that understand, refactor, and improve AI-generated code.
Specialized domain models. Finance, healthcare, embedded — each gets domain-specific AI models.
Long-Term (2029+)
Intent-driven development. Describe outcomes, constraints, quality attributes. AI handles the rest.
Self-healing software. Applications that detect bugs in production and fix themselves.
The abstraction continues. The role evolves from "code author" to "system designer and quality guardian."
🔮
The fundamental question: AI will write an increasing share of the world's software. The question isn't whether — it's how we ensure it's secure, reliable, and maintainable. The developers who thrive will master both modes: vibe code a prototype on Saturday, architect a production system on Monday.
Conclusion
In twelve months, vibe coding went from a tweet to a dictionary entry to a multi-billion-dollar industry. Cursor alone is valued at $29.3 billion. Lovable at $6.6 billion. A vibe-coded startup sold for $80 million. GitHub Copilot has 4.7 million paid subscribers. Now, in early 2026, it has become the defining methodology of a new era in software development.
The numbers speak for themselves: Claude Code reached $1B ARR in six months. Cursor surpassed $1B ARR at a $29.3B valuation. Devin surpassed $155M ARR at a $10.2B valuation. GitHub Copilot crossed 4.7 million paid users. These are not experimental products. This is the new infrastructure of software creation.
The promise is real and accelerating: agent teams working in parallel, multimodal coding interfaces, and tools so capable that 75% of Replit's AI users write zero code themselves. The barrier between idea and working software has never been lower.
The challenges are evolving too: the open-source ecosystem faces an existential funding question, security remains a real concern with 69 vulnerabilities found across just 15 AI-built apps, and the "vibe coding hangover" of unmaintainable codebases is a documented phenomenon.
But the answer has become clear. Vibe coding is not a fad to be dismissed or a silver bullet to be worshipped. It is a powerful methodology that belongs in every developer's toolkit. The developers who thrive in 2026 and beyond will be those who master the spectrum — knowing when to vibe code a prototype on Saturday, when to collaborate with agents on Monday, and when to insist on human-reviewed engineering for the critical 20%.
The vibes are real. The exponentials are real. The opportunity is unprecedented.
Embrace the vibes. Engineer the foundations. Build the future.
200+ production-ready prompts for every stage of AI-native development. Updated monthly.
📚
Each prompt is tagged with Difficulty (Beginner/Intermediate/Advanced/Expert), Tool (which AI tools it works best with), and Time (expected completion). Copy-paste directly — customize the [bracketed] sections for your project.
Categories at a Glance
🏁
Project Kickoff
Complete spec, weekend prototype, clone templates
✚
Feature Addition
Auth, payments, real-time, search
🎨
UI/UX
Dashboards, forms, data tables
⚙
API & Backend
REST, database schema, middleware
🔎
Testing & QA
Test suites, security audits, a11y
⚛
Refactoring
Performance, cleanup, migration
🚀
Deployment
CI/CD, monitoring, production
🤖
Agent Orchestration
Multi-agent tasks, codebase analysis
📊
Content & Data
Seed data, docs, data migration
🖥
Platform-Specific
Chrome extensions, CLI, mobile
Sample: The Complete Spec Prompt (Expert)
Tool: Claude Code, Cursor Composer | Time: 30-60 min generation
I'm building [product name], a [type of application] for [target audience].
## Product Vision
[One-sentence description of what this product does and why it matters]
## Core Features (MVP - Priority Order)
1. [Feature 1]: [User story: "As a [user], I want to [action] so that [benefit]"]
2. [Feature 2]: [User story]
3. [Feature 3]: [User story]
## Technical Stack
- Framework: [Next.js / React / Vue / Svelte / vanilla]
- Styling: [Tailwind / CSS Modules / styled-components]
- Database: [Supabase / Firebase / Prisma+PostgreSQL]
- Auth: [Supabase Auth / NextAuth / Clerk / none]
Build the complete MVP. Start with the data model, then core layout, then features.
Sample: The Security Review Prompt
Tool: Claude Code | Time: 10-20 min
Review this codebase for OWASP Top 10 vulnerabilities.
For each issue: severity (Critical/High/Medium/Low),
file and line number, what's wrong, the fix, and how to test it.
Prioritize by severity. Check authentication, input handling,
data protection, access control, and dependency vulnerabilities.
A practical guide to hardening vibe-coded applications before they touch real users.
⚠
The reality: The December 2025 Tenzai study found 69 vulnerabilities across just 15 AI-built applications. The February 2026 IDEsaster disclosure revealed 30+ vulnerabilities and 24 CVEs affecting 1.8M developers. AI-generated code is 2.74x more likely to introduce XSS than human code. Security is not optional.
The 30-Minute Security Checklist
Run this on every vibe-coded application before showing it to anyone outside your team:
🔒
Authentication (5 min)
▼
Passwords hashed with bcrypt or argon2 (not MD5, SHA, or plaintext)
Sessions stored in HTTP-only, Secure, SameSite cookies (not localStorage)
CSRF tokens on every form
Rate limiting on login endpoint (5 attempts per 15 min)
No credentials hardcoded in source code
📝
Input Handling (5 min)
▼
All database queries use parameterized statements (no string concatenation)
HTML output sanitized (no raw user input rendered)
File uploads validated (type, size, name — no path traversal)
API request bodies validated server-side (not just client-side)
🛡
Data Protection (5 min)
▼
HTTPS enforced (HSTS header set)
API responses don't leak internal data (no password hashes, debug info, stack traces)
Sensitive data encrypted at rest (API keys, user PII)
Error messages are generic (no "user not found" vs "wrong password" distinction)
Environment variables for all secrets (not in code or git history)
👥
Access Control (5 min)
▼
Authorization checked server-side on every endpoint
Users can only access their own data (test by changing IDs in URL)
Admin functions require admin role verification
API keys have minimal permissions
📈
Monitoring (5 min)
▼
Error tracking set up (Sentry or similar)
Failed auth attempts logged
Rate limiting returns 429 with Retry-After header
No sensitive data in logs (passwords, tokens, PII)
Security Prompts for AI Tools
Review this codebase for OWASP Top 10 vulnerabilities.
For each issue found: severity (Critical/High/Medium/Low),
file and line number, what's wrong, the fix, and how to test it.
Prioritize by severity.
Automate real boring tasks. Tone: Relatable + practical
🤓 ...Fooled the Senior Dev
Can a senior dev tell AI code from human? Tone: Challenge + engagement
🎥
Watch more and subscribe: All videos (including vertical Shorts) are on YouTube @endofcoding. New tutorials every week. Subscribe for the latest vibe coding techniques.
What changed in the vibe coding world this month. Updated on the 1st of each month for subscribers.
📰
Headline: Andrej Karpathy, who coined "vibe coding" one year ago, officially declared it "passe." His new framework: agentic engineering — orchestrating specialized AI agents with structured oversight, testing rigor, and systems thinking.
Key Developments
FUNDING
Anthropic's $380B Moment
Closed a $30B Series G at $380B post-money valuation. Claude Code alone generates $2.5B+ in annual revenue. Company ARR hit $14B — 10x growth for the third consecutive year.
GROWTH
Emergent Hits $100M ARR
Indian vibe coding startup reached $100M+ ARR just 8 months after launch (Feb 17), with 6 million users across 190 countries. Validates global demand.
PRODUCT
Devin v3 Goes Live
Cognition released Devin v3 API out of beta (Feb 20) with role-based access control and session attribution. Devin Review launched Jan 22 — AI PR reviewer that detects bugs and copied code.
SECURITY
The Security Reality Check
Red Hat published "The Uncomfortable Truth About Vibe Coding" (Feb 17). Organizations that rushed to replace engineers with prompts hit hard constraints around security and maintenance.
Numbers Update
$34.6B
AI coding tools market (2026)
41%
of global code now AI-generated
~25%
of Google's code is AI-assisted
4.7M
GitHub Copilot paid subscribers
What to Watch in March 2026
VibeX 2026 academic workshop at the EASE conference in Glasgow
Expected Claude Code 2.2 release with expanded agent team capabilities
Google I/O developer event (potential Jules and Gemini updates)
Continued consolidation in the AI IDE market
🔗
Stay current: Get daily updates at EndOfCoding.com. Subscribe to the ebook for monthly intelligence briefs with full analysis, data, and actionable insights.
Real projects built with vibe coding by real people. Updated monthly with reader submissions.
Featured Projects
1
InvoiceBot — SaaS micro-tool built in a weekend
▼
Builder: Solo developer with 5 years experience
Tools: Claude Code + Supabase + Vercel
Build time: 14 hours over a weekend
Outcome: 200 users in first month, $400 MRR
Key prompt:
Build a SaaS that generates PDF invoices from a simple form.
Users log in, fill in client details + line items, and get
a professional PDF. Include Stripe subscription at $9/month.
Use Supabase for auth and database. Deploy to Vercel.
Lessons: "The first 80% took 4 hours. The payment integration took the other 10. Security review by a friend found 2 issues the AI missed."
2
TeamSync — Internal tool by a product manager
▼
Builder: Non-technical product manager
Tools: Lovable + Supabase
Build time: 3 days (evenings)
Outcome: Used by 45-person team daily, replaced a $200/month SaaS tool
Key prompt:
Build a team standup tool where each member posts a daily
update (what I did, what I'm doing, blockers). Show a
dashboard with all updates, filter by team member and date.
Add Slack notifications for new updates.
Lessons: "Lovable got the UI beautiful fast. I had to learn about Supabase Row Level Security when a teammate could see everyone's private notes."
3
QuickShip — Startup MVP that got into an accelerator
▼
Builder: First-time founder, junior developer
Tools: Cursor + Claude Code + v0
Build time: 2 weeks to MVP
Outcome: Accepted into a top accelerator, raised seed round
Lessons: "v0 for the UI, Cursor for the API, Claude Code for the complex business logic. The speed let me iterate on the idea 4 times before demo day. Hired a senior engineer in week 3 to audit security."
4
PixelQuest — A game built by a 16-year-old
▼
Builder: High school student, 6 months coding experience
Tools: Bolt.new + Claude
Build time: 1 week
Outcome: 5,000 plays in first week, featured on Hacker News
Lessons: "I described the game mechanics I wanted and Bolt built it. When something didn't work, I just told it what was wrong. I learned more about game design than coding — and that was the point."
Submit Your Project
🚀
Built something with vibe coding? Submit your project for the next monthly showcase! Include: project name, tools used, build timeline, key prompts, and lessons learned. Submit via EndOfCoding.com or share on Twitter with #VibeCoded.
Answer 6 questions to discover your vibe coding level.
★ Glossary
Vibe Coding
AI-assisted development where the developer describes intent in natural language and evaluates output through execution, not code review.
Accept All
The practice of accepting all AI-generated code changes without reviewing diffs.
Coding Agent
An autonomous AI system that can plan, implement, test, and deploy code changes independently.
Composer
A mode in AI IDEs (like Cursor) that generates multi-file code from natural language descriptions.
Error-Driven Development
Debugging by copy-pasting error messages to the AI rather than reading and understanding the code yourself.
MCP (Model Context Protocol)
Anthropic's open protocol allowing AI assistants to connect to external tools and data sources.
Prompt Engineering
The skill of crafting effective natural language instructions to produce desired AI outputs.
Vibe Coding Hangover
The phenomenon of teams struggling to maintain, extend, or debug AI-generated codebases. Documented by Fast Company in Sept 2025.
Zombie App
An application that is functional but unmaintainable because nobody understands the AI-generated code.
Complexity Ceiling
The point at which a vibe-coded application can no longer be extended because the underlying code is too tangled.
Hybrid Workforce
An organization where AI agents work alongside human engineers, as pioneered by Goldman Sachs with Devin.
The 80/20 Rule
Vibe code the 80% (UI, boilerplate, standard patterns). Engineer the 20% (auth, security, business logic).
Agent Teams
A feature in Claude Code (introduced with Opus 4.6) allowing multiple AI agents to work in parallel on different aspects of a project, coordinating autonomously.
Agent Mode
A capability in coding tools (GitHub Copilot, Cursor, etc.) where the AI autonomously identifies subtasks, makes multi-file edits, runs tests, and fixes errors without step-by-step human guidance.
Devin Wiki / Devin Search
Cognition's documentation generation and code search tools built into the Devin platform, enabling AI-generated documentation and natural language querying of codebases.
Multimodal Coding
An emerging trend combining voice, visual, and text-based inputs for AI code generation — including screenshot-to-code and voice-to-code workflows.