16/4/2026

Vibecoding / Agentic Engineering from a technological perspective: What could possibly go wrong?

Vibecoding from a technological perspective

Thanks to tools like Claude Code, GitHub Copilot (now with agentic mode), Cursor, Lovable, Bolt, and Replit, virtually anyone with an idea for an application can actually build it in a matter of hours. But is it really that simple? In our previous post about vibecoding for marketers, we outlined the opportunities and pitfalls from a marketing perspective: messy code, token limits, no CMS, limited SEO, and the absence of a strategic foundation.

In this article, we examine the innovation from a technological perspective: what happens when people without a technical background build software that actually goes into production?

The technology is evolving at lightning speed. Karpathy, who coined the term ‘vibecoding’ a year ago, now indicates that the term no longer captures the full scope. He now advocates for “agentic engineering” as a more accurate description. It’s a signal that the domain is maturing, but also becoming more complex.

We’re seeing this impressive evolution in how the technology is being used as well. Platforms like Vercel and Netlify saw their user numbers surge massively in 2025, primarily thanks to vibecoders. Major tech companies like Google and Microsoft are already generating more than 20% of their code via AI. Gartner predicts that by 2028, as many as 75% of enterprise software engineers will use AI code assistants, compared to less than 10% in early 2023.

Vibecoding has made the technology for building applications accessible to everyone. But while we celebrate technological democratization, we’d also like to pause and consider the risks. What could possibly go wrong?

Issue 1: Security as primary concern

According to Veracode’s GenAI Code Security Report 2025, based on more than 100 LLMs and 80 coding tasks, 45% of AI-generated code introduces security vulnerabilities. Almost half the time, the models choose an insecure method, consciously or unconsciously. In itself, this isn’t illogical: LLMs trained on public code repositories learn both secure techniques and widespread vulnerabilities. “Garbage In, Gospel Out”: the models may deliver functionally correct code, but the security quality consistently lags behind.

1.1 Authentication & identity management

AI models build a user management system by default, but do so without applying proper best practices. They know the concept of an Identity Provider (IdP), but rarely apply it proactively.

A proper IdP like Auth0, Cognito, or Azure Entra ID offers out-of-the-box: MFA, brute force protection, anomaly detection, token management, and compliance (SOC2, GDPR). You can’t replicate that in a few prompts.

What could possibly go wrong? A concrete example: The startup Enrichlead, built entirely via Cursor, saw the AI place all of its security logic client-side. Within 72 hours, users discovered that changing one value in the browser console gave complete free access to all paid features. The founder couldn’t audit 15,000 lines of generated code.

1.2 OWASP Top 10, now squared

Cross-site scripting (XSS), SQL injection, broken authentication, security misconfiguration… these aren’t new risks. They’ve been in the OWASP Top 10 for years. Unfortunately, vibecoding makes them massively scalable. Research shows that LLMs fail to secure code against Cross-Site Scripting and Log Injection in 86% and 88% of cases respectively, two of the most common attack vectors. An application that’s publicly accessible without a WAF (Web Application Firewall) or rate limiting is an open invitation for hackers.

1.3 The cost of publicly running AI agents

AI agents or backend services that are hosted publicly without authentication or access restrictions are reachable by everyone. Often, a vibecoder doesn’t even know their application is publicly accessible. Token and computing costs can therefore escalate exponentially. In the marketing version of this blog post, we already discussed token limits, but here that takes on a completely different dimension: not just the conversation with the AI, but the running application itself burns through budget.

1.4 Hardcoded credentials & exposed API keys

Vibecoded applications often hardcode API keys, tokens, or database credentials directly into the code. With frontend-only applications that connect directly to Supabase or comparable backend-as-a-service platforms, the database keys are readable in the browser. Anyone with knowledge of developer tools can copy those keys and subsequently execute arbitrary queries, including dropping tables.

What could possibly go wrong? A concrete example: Moltbook, an AI-driven social network built entirely via vibecoding, had a misconfigured Supabase database that publicly exposed 1.5 million API keys and 35,000 email addresses. This wasn’t a sophisticated hack; the leak was simply the result of building fast without a security foundation.

1.5 Legal framework: the EU Cyber Resilience Act

The EU Cyber Resilience Act requires manufacturers of software products to apply secure-by-design principles, mandatory risk analyses, and security updates for at least five years. Vibecoding that ignores this is not only technically risky but also legally vulnerable. The CRA uses three penalty levels: the highest fine for violation of essential cybersecurity requirements, followed by documentation and conformity violations, and misleading information. The final penalty amount depends on severity, duration, repetition, and company size.

Issue 2: Architecture & hosting

2.1 Monolith or microservices?

AI generates a monolithic application structure by default (everything in one block), unless you explicitly ask otherwise. That’s not necessarily wrong for small projects, but it scales poorly. Without understanding the difference between a monolith and microservices, you’re implicitly making architectural decisions without knowing it, decisions that will have a major impact on performance, maintainability, and hosting costs. For mission-critical applications, this can have particularly significant consequences.

2.2 Kubernetes is not a toy

Vibecoding tools automatically generate Dockerfiles or even Kubernetes configurations as default deployment output, without any explanation or contextualization. Kubernetes is an extremely powerful but also extremely complex container orchestration platform that’s normally managed at enterprise scale by specialized teams. The tool just spits out infrastructure code without accounting for operational complexity (costs, overhead, network configuration, ingress management, secrets management, auto-scaling, monitoring, …). But while this complexity is way over the vibecoder’s head, it does have a direct impact on the bill and the application’s availability.

2.3 Vendor lock-in & supply chain risks

Vibecoding increases supply chain risk: AI assistants sometimes recommend vulnerable third-party libraries or introduce code with restrictive licenses, risks that a vibecoder doesn’t detect. Research also shows that 5% of commercially AI-generated code contains non-existent package names (“hallucinated packages”). Attackers register those package names and equip them with malware, ready for automatic installation at the next dependency update.

2.4 Technical debt at machine speed

Traditional technical debt occurs when developers prioritize speed over maintenance. Vibecoding Debt is the same phenomenon at AI speed: vulnerabilities are baked in from day one, in codebases that no one can read or audit anymore.

What could possibly go wrong? A concrete example: An SQL injection vulnerability can hide in a vibecoded data access layer. The AI used an ORM, for instance, but added raw queries in 3 places “for performance.” Those queries use string concatenation instead of parameterized statements. During a code review, it doesn’t stand out because the code looks “normal” among 10,000 other lines. Two years later, the database is emptied by attackers. Post-mortem: “We didn’t even know those queries were there.”
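The pattern from this example, reduced to runnable Python as an added illustration (not code from the post or from any incident described in it): the concatenated “for performance” query next to its parameterized form, plus a small review aid that flags concatenated or f-string SQL in source text. The table, rows and the scanned snippet are constructed for the demo; the regexes are a heuristic, not a full parser.

```python
import re
import sqlite3

def make_db():
    # Constructed in-memory table standing in for the vibecoded data access layer.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, plan TEXT)")
    conn.executemany("INSERT INTO users (email, plan) VALUES (?, ?)",
                     [("alice@example.com", "paid"), ("bob@example.com", "free")])
    conn.commit()
    return conn

def find_user_unsafe(conn, email):
    # The raw query built by string concatenation: the input becomes part of the SQL text,
    # so a value like "' OR '1'='1" rewrites the WHERE clause and returns every row.
    sql = "SELECT id, email, plan FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn, email):
    # Parameterized statement: the driver passes the value separately from the SQL text,
    # so the same input is matched literally and returns nothing.
    return conn.execute("SELECT id, email, plan FROM users WHERE email = ?", (email,)).fetchall()

# Review aid: a quoted string that starts with a SQL verb and is followed by '+', or an
# f-string that starts with a SQL verb and interpolates something, is worth a closer look.
_CONCAT_SQL = re.compile(r"""(["'])\s*(?:SELECT|INSERT|UPDATE|DELETE)\b.*?\1\s*\+""", re.IGNORECASE)
_FSTRING_SQL = re.compile(r"""f(["'])\s*(?:SELECT|INSERT|UPDATE|DELETE)\b.*?\{""", re.IGNORECASE)

def flag_concatenated_sql(source):
    # Returns the 1-based line numbers in `source` that match either heuristic.
    return [n for n, line in enumerate(source.splitlines(), 1)
            if _CONCAT_SQL.search(line) or _FSTRING_SQL.search(line)]

# Constructed snippet mimicking a mostly-ORM file with two hand-written raw queries.
SAMPLE_SOURCE = '''\
def get_user(conn, email):
    return conn.execute("SELECT * FROM users WHERE email = ?", (email,))

def get_user_fast(conn, email):
    sql = "SELECT * FROM users WHERE email = '" + email + "'"
    return conn.execute(sql)

def search(conn, term):
    return conn.execute(f"SELECT * FROM items WHERE name LIKE '%{term}%'")
'''

if __name__ == "__main__":
    db = make_db()
    print("unsafe:", find_user_unsafe(db, "' OR '1'='1"))   # both rows leak
    print("safe:  ", find_user_safe(db, "' OR '1'='1"))     # []
    print("flagged lines:", flag_concatenated_sql(SAMPLE_SOURCE))  # [5, 9]
```

Running the scanner in CI over the generated codebase is one cheap way to make those three raw queries stand out among the other 10,000 lines.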

What does work: expertise-driven AI

Let’s definitely not get stuck in worst case scenarios. The power of vibecoding or agentic engineering lies in the fact that it drastically lowers the barrier to building. What used to take weeks or months can now be done in days or even hours. That’s not a threat to technology, but an invitation to use it more intelligently and efficiently.

Because where code without a foundation is quicksand, the right principles, choices, and guidance can turn that same speed into a lever for innovation. How do we approach this?

Blueprints & reusable components as foundation

Our experts build software based on a set of proven, opinionated building blocks and blueprints. Just as fast, because we use agentic engineering too, but built on years of expertise.

The difference isn’t in the tools, but in the foundation: security defaults, architectural choices, and infrastructure standards are already in our blueprints and components. We provide the framework, AI fills in. The result? The speed of vibecoding, but without the risks.

Expert-in-the-loop as principle

Karpathy already warned that if we’re not careful, agents simply generate “slop.” His conclusion: the primary task of the developer shifts from writing code to reviewing code. A bit like a talented intern: you wouldn’t push their work to production without review either, would you?

Another common comparison: agentic coding with expertise is like industrial farming with heavy machinery. The machine (AI) doesn’t eliminate the farmer, but gives them exponentially more production power if they know how to operate the tractor.

We use AI as a turbo engine, not as autopilot. The architecture, security choices, and hosting strategy remain human work, but fueled by expertise and experience.

Where can we help?

  • Architecture review & guidance. We advise from a technical perspective, even before you get started. Which stack? Which hosting? What about authentication, data storage, and API security? This way we ensure the right choices from the beginning.
  • “Vibe better” training. Want to experiment with agentic engineering yourself, but lack the background? We’ll teach you how to properly steer AI with the right architectural context and security guardrails, so that what you build is also secure and scalable.
  • Support during vibetime. Prefer a partner who guides you while you build? We help you avoid classic pitfalls when they’re still cheap to solve, instead of afterwards.
  • From vibed to robust. Already jumped into vibecoding and now running into one of the above issues? We’ve got you. We take over existing vibecoded applications and transform them into production-ready software with proper security, hosting best practices, and maintainable code.

Vibecoding and agentic engineering are here to stay. The question isn’t whether we should use these tools, but how we do so responsibly. With the right expertise, you build AI-driven development on a solid foundation, not on quicksand without load-bearing capacity.

Want to build fast and secure? We’ll help you get the best of both worlds. Contact us.