Vibe coding – the rapid generation of code using AI tools like Cursor, Lovable or Claude – is reshaping software development faster than any other tooling wave of the past decade. But unreviewed productivity simply defers the cost: into technical debt, security holes and compliance risk. This guide shows how AI-assisted development works when engineering discipline drives the process, not the AI tool.
What vibe coding is and why it is exploding
The term was coined in February 2025 by Andrej Karpathy – a founding member of OpenAI and former head of AI at Tesla. His description was deliberately provocative: "There's a new kind of coding I call 'vibe coding,' where you fully give in to the vibes, embrace exponentials, and forget that the code even exists." (Wikipedia: Vibe Coding) Collins Dictionary named the term Word of the Year 2025. (CNN: Vibe Coding, Collins Word of the Year 2025)
The numbers behind the trend are striking:
- Jared Friedman, Managing Partner at Y Combinator, confirmed in March 2025 that a quarter of the W25 cohort have codebases that are more than 95% AI-generated. (TechCrunch: 25% of YC W25 startups with almost entirely AI-generated code)
- Cursor crossed the $2 billion ARR mark in early 2026. (TechCrunch: Cursor surpasses $2B ARR)
The problem: unreviewed AI code in production
Veracode's GenAI Code Security Report tested more than 100 LLMs: 45% of the generated code samples failed security testing and introduced OWASP Top 10 vulnerabilities. The most alarming findings: 86% of samples were vulnerable to cross-site scripting, 88% to log injection. (Veracode: GenAI Code Security Report 2025; BusinessWire: Veracode, AI Code poses risks in 45% of tasks)
Escape.tech scanned 5,600 publicly reachable vibe-coded apps and found more than 2,000 high-severity vulnerabilities, 400+ exposed secrets (Supabase keys, API tokens) and 175 PII exposures, including medical reports, IBANs and email addresses. Every one of these vulnerabilities was sitting in a live, reachable system. (Escape.tech: 2,000+ vulnerabilities in vibe-coded apps)
Case study: the Moltbook breach
Moltbook, an AI social network, was by its founder Matt Schlicht's own account entirely "vibe coded": not a single line of code written by hand. Wiz security researchers discovered a misconfigured Supabase database that granted full read and write access to all platform data (Wiz Blog: Moltbook, 1.5M API keys exposed):
- 1.5 million API authentication tokens exposed
- 35,000+ email addresses accessible
- 4,060 private messages readable, including third-party API credentials
The root cause: a Supabase API key embedded in client-side JavaScript, with no Row Level Security (RLS) policies enabled on the tables behind it – a textbook mistake that any experienced engineer checks for in review, because once the key is in the browser, RLS is the only thing standing between an anonymous caller and every row in the database. (Infosecurity Magazine: Moltbook exposes user data and API keys)
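The misconfiguration described above, reconstructed as an added example that is not Moltbook's schema and not AnvilStack's code: the table and column names are assumed, and the block targets a Supabase PostgreSQL project, where `auth.uid()`, the `anon`/`authenticated`/`service_role` roles and the `auth.users` table exist. The anon key shipped to the browser is public by design; what made every row readable and writable was that RLS was off, so Supabase's default grants to `anon` applied to the whole table. The hardened form switches RLS on, adds deny-by-default policies, and ends with the two catalog queries a reviewer runs before sign-off.

```sql
-- Constructed schema modelled on the Moltbook finding (assumed names,
-- not the real schema). Targets a Supabase Postgres project.
create table if not exists public.profiles (
  id uuid primary key references auth.users (id),
  email text not null
);

create table if not exists public.api_keys (
  id bigint generated always as identity primary key,
  owner_id uuid not null references auth.users (id),
  token text not null
);

create table if not exists public.direct_messages (
  id bigint generated always as identity primary key,
  sender_id uuid not null references auth.users (id),
  recipient_id uuid not null references auth.users (id),
  body text not null
);

-- The failure mode. With RLS disabled, Supabase's default grants to the
-- anon and authenticated roles let anyone holding the public anon key
-- read and write every row through the REST API:
--   alter table public.api_keys disable row level security;
-- That is the state the Wiz researchers found.

-- Hardened: RLS on for every table; "force" applies it to the owner too.
alter table public.profiles enable row level security;
alter table public.api_keys enable row level security;
alter table public.api_keys force row level security;
alter table public.direct_messages enable row level security;

-- Deny by default: with RLS on and no policy, a non-bypassing role sees
-- nothing. Add only the access the application actually needs.
create policy "users read own profile" on public.profiles
  for select to authenticated
  using (auth.uid() = id);

create policy "users manage own api keys" on public.api_keys
  for all to authenticated
  using (auth.uid() = owner_id)
  with check (auth.uid() = owner_id);

create policy "participants read messages" on public.direct_messages
  for select to authenticated
  using (auth.uid() = sender_id or auth.uid() = recipient_id);

create policy "sender writes messages" on public.direct_messages
  for insert to authenticated
  with check (auth.uid() = sender_id);

-- Belt and braces: anonymous callers have no business on these tables.
revoke all on public.api_keys, public.direct_messages from anon;

-- Review check 1: every table in public must have RLS enabled.
-- Expected result after hardening: zero rows.
select schemaname, tablename
from pg_tables
where schemaname = 'public' and not rowsecurity;

-- Review check 2: every RLS-enabled table must carry at least one policy,
-- otherwise the app silently returns empty results. Expected: zero rows.
select c.relname
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policy p on p.polrelid = c.oid
where n.nspname = 'public' and c.relkind = 'r' and c.relrowsecurity
group by c.relname
having count(p.oid) = 0;
```

Both review queries belong in the pre-merge checklist and should return zero rows. The first is the Moltbook check; the second catches the opposite failure, a table with RLS enabled but no policy, which the REST API reports as an empty result set rather than an error and is therefore easy to mistake for "no data yet". The `service_role` key bypasses RLS entirely and must never appear in client-side code; only the anon key belongs in the browser, and only once these policies are in place.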
Moltbook is not an isolated case. In July 2025, Wiz Research uncovered a critical authentication vulnerability in the vibe-coding platform Base44 (acquired by Wix): through publicly accessible app IDs, attackers could bypass authentication entirely, including SSO protection, and reach every private enterprise application. The exposure covered internal chatbots, knowledge bases and HR systems holding personal data. (Wiz Blog: Critical vulnerability in the Base44 vibe-coding platform)
In every case the code ran – and in every case a senior review would have caught the flaw: the missing Row Level Security at Moltbook, the bypassable auth flow at Base44. AI tools generate working code, but not secure systems. The missing layer is human engineering review.
The AnvilStack approach: AI for speed, engineering for quality
We use AI assistance consistently, but not a single commit ships to production without human code review. The decisive difference lies not in the tool, but in the process.
The six-step workflow for production-ready AI development
- Prompt engineering. Precise, context-rich prompts with architecture constraints, security requirements and code-style guidance
- Code generation. The AI generates code suggestions based on the specified context
- Engineering review. Every generated line is checked by a senior engineer for logic, security and architectural conformance
- Automated testing. Unit, integration and end-to-end tests validate functionality and catch regressions
- Security scan. Static analysis (SAST), dependency check and secret detection before every merge
- Controlled deployment. CI/CD pipeline with a staging environment, health checks and a rollback mechanism
Why this process works
AI tools are excellent at generating code that is syntactically correct and satisfies the requirement on the surface. What they systematically miss: edge cases, race conditions, authorisation gaps, N+1 database queries and implicit security assumptions. The six-step workflow catches this class of defects before they reach production.
The productivity gain is real, but context-dependent: on clearly scoped tasks, AI assistance accelerates development significantly; with experienced teams working in complex codebases, the effect shrinks or even reverses. (METR: Impact of AI on Experienced Open-Source Developer Productivity (2025)) Our engineers therefore spend their time reviewing the AI's suggestions rather than writing every line from scratch, and the point of the process is that the speed advantage is taken without giving up quality, because review is where quality is enforced.
When vibe coding works and when it does not
| Criterion | Suitable (with review) | Unsuitable (without engineering) |
|---|---|---|
| Prototyping | Ideal for rapid concept validation | Prototype ≠ production |
| Internal tools | Dashboards, admin panels, scripts | Not for customer-facing systems |
| Production SaaS | Only with a full review process | Direct deployment = security risk |
| Regulated industries | AI assistance + audit trail + compliance | No audit trail = NIS2 breach |
| Customer data | Only with security hardening and GDPR review | Exposed secrets, missing encryption |
The EU dimension: GDPR and NIS2 for AI-generated code
For European companies, a regulatory layer comes into play that the US vibe-coding debate often overlooks:
GDPR (Art. 25, data protection by design): AI-generated code rarely implements privacy-compliant defaults. Missing encryption, excessive data retention and exposed personal data are typical findings – in its scan of 5,600 vibe-coded apps, Escape.tech found 175 cases of exposed personal data. (Escape.tech: 175 PII exposures in vibe-coded apps)
NIS2 (since December 2025): Since the German NIS2 implementation act took effect on 6 December 2025, roughly 29,500 companies have to secure and systematically assess their supply chain – including the question of whether the code they deploy is checked for vulnerabilities. Vibe coding without a review process is a documentable supply-chain risk. (OpenKRITIS: NIS2 implementation act in Germany, in force since December 2025)
EU AI Act (high-risk obligations): Originally scheduled for 2 August 2026. Following the "Digital Omnibus on AI" tabled by the European Commission on 19 November 2025 and a political agreement in early May 2026, the high-risk obligations for Annex III systems are being postponed to 2 December 2027; the European Parliament confirmed the delay in June 2026. The postponement becomes legally binding upon publication in the Official Journal, expected before 2 August 2026. Systems that deploy AI-generated code in regulated domains need documented data sources, quality controls and complete audit trails. (Pinsent Masons: High-risk AI obligations delayed under the EU Omnibus (2026); IAPP: AI Act Omnibus, where things stand and what comes next)
For DACH companies this means, in concrete terms: anyone deploying AI-generated code into customer-facing systems without a documented review process risks not only technical problems but regulatory consequences. A free assessment by experienced engineers establishes the foundation for compliant production systems.
Conclusion: vibe coding is a tool, not a substitute for engineering
The question is not whether to use AI tools for software development. The question is what process you build around the AI generation. Companies that pair AI speed with engineering review ship faster and more securely. Companies that skip review accumulate technical debt and security risk that come due at the latest with the first incident or the next funding round.
The data is unambiguous: a 45% vulnerability rate, 2,000+ vulnerabilities in live systems, millions of exposed credentials. Vibe coding without engineering is not a development approach but a calculable risk. With engineering review, the very same tooling becomes a dependable route into production.
You have an AI-generated application and want to know whether it is production-ready? In a free intro call we assess the architecture, security and compliance and map out the concrete path to a hardened production platform on Hetzner. We deliver the full implementation at a fixed price of €36,000.
Frequently asked questions
What is vibe coding?
Is vibe coding dangerous?
How does AnvilStack use AI tools safely?
Can my vibe-coded prototype be saved?
Why do so few AI prototypes reach production?
Is vibe coding GDPR- and NIS2-compliant?
Sources
- Wikipedia: Vibe Coding
- CNN: Vibe Coding, Collins Dictionary Word of the Year 2025
- TechCrunch: 25% of YC W25 startups with AI-generated code (2025)
- TechCrunch: Cursor surpasses $2B ARR (2026)
- Veracode: GenAI Code Security Report, 100+ LLMs tested
- BusinessWire: AI-Generated Code poses risks in 45% of tasks (Veracode)
- Fortune: MIT report, 95% of AI pilots with no measurable ROI (2025)
- Escape.tech: 2,000+ vulnerabilities in 5,600 vibe-coded apps
- Wiz Blog: Moltbook breach, 1.5M API keys exposed
- Infosecurity Magazine: Moltbook exposes user data and API keys
- Wiz Blog: Critical vulnerability in the Base44 vibe-coding platform
- Sonar: State of Code Developer Survey 2026
- METR: Impact of AI on Experienced Open-Source Developer Productivity (2025)
- OpenKRITIS: NIS2 implementation act in Germany
- Pinsent Masons: High-risk AI obligations delayed under the EU Omnibus (2026)
- IAPP: AI Act Omnibus, where things stand and what comes next
- Panto: Lovable Statistics 2026, Users, Revenue & Adoption
- Shipper: 35+ Replit Statistics 2026, User Growth & Revenue