
Vibe-coded vs. engineered

AI-only vs. AI + engineering: the real cost comparison. What happens when you ship vibe code to production.

Last updated: 2026-06-23

"Vibe coding" – a term coined by Andrej Karpathy (February 2025) – describes an approach in which developers let AI models generate code and take the result largely at face value, with little review. The payoff: a working prototype in hours instead of weeks. Professional engineering uses the same AI tools but combines them with architecture planning, code review, automated tests, and security hardening. The difference is invisible in the demo – but in production, under load, and after 12 months of further development, it becomes existential. Wikipedia: Vibe Coding – origin and definition

What the data shows

The body of research on AI-generated code is growing denser – and the findings are nuanced:

  • 45% of AI-generated code contains security flaws (Veracode GenAI Code Security Report 2025)
  • 7.9% code churn rate in 2024 – nearly double the roughly 5.5% of 2020, since AI assistants became widespread (GitClear 2024)
  • 43% of developers trust the accuracy of AI code – around 30% actively distrust it; favorability fell from 77% (2023) to 72% (2024) (Stack Overflow Survey 2024)
  • 20–40% of the value of the technology estate is tied up in technical debt; 10–20% of the technology budget goes toward clearing it (McKinsey 2020)

Sources: Veracode: GenAI Code Security Report 2025; CodeRabbit: State of AI vs. Human Code Generation Report; GitClear: AI's Downward Pressure on Code Quality (2024); Stack Overflow Developer Survey 2024: AI Section; McKinsey: Tech debt – Reclaiming tech equity

Quality comparison in detail

| Criterion | Vibe-coded | Engineered |
| --- | --- | --- |
| Initial speed | Very high – MVP in hours/days | Slower – MVP in 2–6 weeks |
| Security | No systematic review, known CWE patterns | OWASP Top 10 covered, dependency audit |
| Test coverage | Usually 0% – no testing strategy | 60–80%+ unit/integration tests |
| Scalability | Collapses under load (N+1, no caching) | Architecture built for growth |
| Maintenance cost (year 1) | Low – as long as nothing goes wrong | Predictable – through monitoring and tests |
| Maintenance cost (year 2) | Exploding – technical debt accumulates | Stable – through clean architecture |
| Compliance (GDPR/NIS2) | Not addressed – has to be retrofitted | Built in from day one |
| Team onboarding | Hard – no consistent style, no docs | Structured – conventions and documentation |
| Dependencies | Uncontrolled – AI installs whatever is available | Curated – license and security audit |
| Deployment | Manual or not configured at all | CI/CD pipeline, infrastructure as code |

The real cost comparison: SaaS MVP over 24 months (illustrative AnvilStack in-house model)

The upfront saving from vibe coding is real. But in most cases it reverses the moment the product goes to production and needs to grow.

Scenario: B2B SaaS platform with auth, dashboard, API, PostgreSQL

| Phase | Vibe-coded | Professionally engineered |
| --- | --- | --- |
| Initial development | €0–2,000 (AI + your own time) | €36,000 (fixed price) |
| Security assessment (month 3) | €5,000–10,000 (critical findings) | €2,000–3,000 (minor findings) |
| Refactoring for scale (month 6) | €15,000–30,000 (architecture rebuild) | €0 (designed to scale already) |
| GDPR/NIS2 retrofit | €8,000–15,000 | €0 (built in from day one) |
| Maintenance over 24 months | €20,000–40,000 (firefighting, bug fixes) | €10,000–15,000 (planned updates) |
| Team onboarding (2 developers) | €5,000–8,000 (understanding + reworking the code) | €2,000–3,000 (clean structure) |
| Total cost over 24 months | €53,000–105,000 | €34,000–61,000 |

In-house model from AnvilStack based on typical project costs. The order of magnitude – a factor of roughly 1.5–2x over 24 months – is plausible, but the specific euro figures are an illustrative estimate, not collected data. For background on the cost of technical debt: according to McKinsey, technical debt accounts for roughly 20–40% of the value of the technology estate (plus a 10–20% cost premium per project). (Source: McKinsey: Tech debt – Reclaiming tech equity)

Why vibe-coded projects fail

The most common problems do not surface immediately, but in production:

1. Security flaws. AI models reproduce insecure patterns from their training data – SQL injection, missing input validation, hardcoded secrets, insecure deserialization. 45% of AI-generated code contains security flaws (Veracode). A separate analysis of 470 pull requests also found up to 2.74x more security issues in AI code than in code written entirely by humans (CodeRabbit). For an in-depth analysis with case studies, see our article Vibe coding done right. (Sources: Veracode: GenAI Code Security Report 2025; CodeRabbit: State of AI vs. Human Code Generation Report)

2. Architecture collapse under load. Without architecture planning, you get monolithic structures with N+1 queries, synchronous blocking, and no caching. That works fine with 10 users – and collapses at 1,000.

3. Uncontrolled dependencies. AI coding tools increasingly pick packages automatically – no longer hand-selected by maintainers based on maintenance status or license. As a result, the dependency tree grows uncontrolled: the median JavaScript project today carries more than 680 transitive dependencies, including packages with known CVEs or incompatible licenses. (Source: Socket.dev: AI Has Taken Over Open Source)

4. Code churn as a warning sign. The code churn rate – the share of code that is reworked or reverted within two weeks – has nearly doubled since AI assistants arrived: from roughly 5.5% (2020) to 7.9% (2024). In other words, AI-generated code is measurably rewritten more often and faster than hand-written code. That points to lower first-pass quality. (Source: GitClear: Coding on Copilot – Code Quality Impact)
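The N+1 pattern from point 2 above, as an added example that is not part of the original page: the same dashboard data is loaded once with a query per customer and once with a single JOIN, and the SELECT statements are counted. The schema and function names are assumptions, and SQLite stands in for the PostgreSQL database of the scenario.

```python
import sqlite3

def build_db(n_customers=50):
    """Constructed sample data: every customer gets two invoices."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE invoices (id INTEGER PRIMARY KEY,
                               customer_id INTEGER, total_cents INTEGER);
    """)
    ids = range(1, n_customers + 1)
    db.executemany("INSERT INTO customers (id, name) VALUES (?, ?)",
                   [(i, f"customer-{i}") for i in ids])
    db.executemany("INSERT INTO invoices (customer_id, total_cents) VALUES (?, ?)",
                   [(i, 1000 * k) for i in ids for k in (1, 2)])
    db.commit()
    return db

def count_queries(db, fn):
    """Run fn(db) and return (result, number of SELECT statements executed)."""
    seen = []
    db.set_trace_callback(seen.append)
    try:
        result = fn(db)
    finally:
        db.set_trace_callback(None)
    return result, sum(1 for s in seen if s.lstrip().upper().startswith("SELECT"))

def dashboard_n_plus_1(db):
    """One query for the list, then one more query per row (N+1)."""
    totals = {}
    for cid, name in db.execute("SELECT id, name FROM customers").fetchall():
        row = db.execute("SELECT SUM(total_cents) FROM invoices "
                         "WHERE customer_id = ?", (cid,)).fetchone()
        totals[name] = row[0]
    return totals

def dashboard_joined(db):
    """Same result in a single round trip."""
    rows = db.execute("SELECT c.name, SUM(i.total_cents) FROM customers c "
                      "JOIN invoices i ON i.customer_id = c.id GROUP BY c.id")
    return dict(rows.fetchall())

if __name__ == "__main__":
    db = build_db(50)
    for fn in (dashboard_n_plus_1, dashboard_joined):
        _, queries = count_queries(db, fn)
        print(f"{fn.__name__}: {queries} SELECT statements")
```

The query count of the first version grows linearly with the number of customers, which is why it passes a demo with 10 rows and stalls at production size.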
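For point 3 above, an added example (not AnvilStack's tooling and not from the original page) that measures the dependency tree from an npm `package-lock.json` with lockfileVersion 2 or 3: it separates direct from transitive packages and lists packages installed in more than one version. The function names, the budget check and the package names in the sample are constructed for illustration.

```python
import json

def dependency_summary(lock_text):
    """Summarise an npm package-lock.json (lockfileVersion 2 or 3)."""
    packages = json.loads(lock_text).get("packages")
    if packages is None:
        raise ValueError("no 'packages' map: expected lockfileVersion 2 or 3")
    root = packages.get("", {})
    direct = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    versions = {}  # package name -> set of installed versions
    for path, meta in packages.items():
        if path == "" or meta.get("link"):
            continue  # skip the project itself and workspace symlinks
        # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
        name = path.rsplit("node_modules/", 1)[-1]
        versions.setdefault(name, set()).add(meta.get("version"))
    return {
        "direct": sorted(direct & set(versions)),
        "transitive": sorted(set(versions) - direct),
        "multiple_versions": sorted(n for n, v in versions.items() if len(v) > 1),
    }

def over_budget(summary, max_transitive):
    """Hypothetical CI gate: fail when the transitive tree outgrows a set budget."""
    return len(summary["transitive"]) > max_transitive

# Constructed lockfile; package names are placeholders, not real packages.
SAMPLE_LOCK = json.dumps({
    "name": "constructed-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "constructed-app",
             "dependencies": {"web-framework": "^4.0.0"},
             "devDependencies": {"test-runner": "^2.0.0"}},
        "node_modules/web-framework": {"version": "4.1.0"},
        "node_modules/test-runner": {"version": "2.3.1", "dev": True},
        "node_modules/body-reader": {"version": "1.2.0"},
        "node_modules/@scope/util": {"version": "3.0.0"},
        "node_modules/test-runner/node_modules/@scope/util":
            {"version": "2.9.0", "dev": True},
    },
})

if __name__ == "__main__":
    summary = dependency_summary(SAMPLE_LOCK)
    print(summary, "over budget:", over_budget(summary, max_transitive=1))
```

Run against a lockfile before and after an AI-assisted change, the difference in the `transitive` list shows which packages the change pulled in and therefore what needs a license and vulnerability check.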

When vibe coding is the right choice

A fair comparison has to acknowledge: not every project needs professional engineering.

Vibe coding is perfectly sufficient for:

  • Personal tools and automations
  • Internal prototypes for validating ideas
  • Hackathon projects and proofs of concept
  • One-off scripts for data cleanup or migration
  • Learning projects and experiments

Professional engineering is necessary for:

  • Products handling customer data (GDPR-relevant)
  • SaaS platforms with paying users
  • Regulated industries (finance, healthcare, energy)
  • Software that has to scale (>100 users)
  • Investor due diligence and exit scenarios
  • Platforms subject to NIS2 or EU AI Act requirements – in which case professional MVP engineering is the right approach (Source: EU AI Act: Regulatory Framework)

The middle path: AI speed with engineering quality

The dichotomy of "vibe coding vs. engineering" is a false dilemma. The most productive approach combines both:

  1. AI for speed: initial code generation, boilerplate, tests, documentation
  2. Engineering for quality: architecture review, security audit, performance testing, CI/CD
  3. Systematic validation: every AI-generated component goes through the same review process as hand-written code

This hybrid approach pairs AI speed in code generation with engineering quality in review, testing, and security – prototype speed with production-grade quality, without the technical debt of unreviewed vibe coding. McKinsey studies show that AI tools speed up routine tasks like documentation and code generation by 35–50%, without sacrificing quality, when developer and tool work together. (Source: McKinsey: Unleashing Developer Productivity with Generative AI)

The decision matrix

Three questions determine whether vibe coding is enough:

  1. Do you process personal data? If yes → engineering required (GDPR Art. 25: privacy by design)
  2. Do you have paying customers? If yes → engineering required (availability, security, maintainability)
  3. Should the software live longer than 6 months? If yes → engineering required (technical debt accumulates exponentially) (Source: Stripe: Developer Coefficient – the cost of poor code quality)

If all three answers are "no," vibe coding is an efficient choice. Otherwise, professional engineering is not a cost decision but an investment decision.

In a free platform assessment, we evaluate your vibe-coded prototype for security flaws, architectural weaknesses, and scaling problems. For a fixed price of €36,000, we migrate and harden your platform – with a working app on Hetzner as the result.

Frequently asked questions

What is the difference between vibe coding and professional engineering?
Vibe coding takes AI-generated code largely at face value, with little review. Professional engineering uses the same AI tools but combines them with architecture planning, code review, automated tests, and security hardening.

What does vibe coding cost in the long run?
The upfront saving reverses: in an illustrative AnvilStack in-house model, a vibe-coded project costs €53,000–105,000 over 24 months vs. €34,000–61,000 for professional engineering – a factor of 1.5–2x.

When is vibe coding good enough?
For personal tools, internal prototypes, hackathon projects, one-off scripts, and learning projects. The moment customer data, paying users, or a lifespan beyond 6 months enters the picture, you need engineering.

What security flaws does AI-generated code have?
45% of AI-generated code contains security flaws – SQL injection, missing input validation, hardcoded secrets, insecure deserialization (Veracode). A separate analysis of 470 pull requests found up to 2.74x more security issues in AI code than in code written entirely by humans (CodeRabbit).

Can I salvage my vibe-coded prototype?
In most cases, yes. In a free assessment, we evaluate whether a refactor (4–8 weeks, €15K–40K) or a rewrite (8–16 weeks, €30K–80K) makes more sense.

How does AnvilStack combine AI with engineering?
AI for speed in code generation, engineering for quality in review, testing, and security. This hybrid approach pairs prototype speed with production-grade quality, without the technical debt of unreviewed vibe coding.
