Table of Contents
- 1. What is vibe coding?
- 2. Karpathy coined it — and proposed a rename a year later
- 3. The typical workflow
- 4. The leading tools
- 5. The dark side — security and quality reality
- 6. Vibe vs agentic engineering
- 7. "Vibe & Verify" — the rules for putting it to work
- 8. Who should vibe code, on what, and how far
- Summary
- FAQ
In February 2025, OpenAI co-founder and former Tesla AI lead Andrej Karpathy posted a single sentence on X that sent a new term around the world: vibe coding.
"There's a new kind of coding I call 'vibe coding', where you fully give in to the vibes, embrace exponentials, and forget that the code even exists."
One year later, in 2026, the term sits at the center of a polarized debate. Karpathy himself has proposed renaming it, enterprises are seeing a spike in security incidents, and yet for indie developers, startups, and internal tools it has settled in as a standard coding style. This article walks through the definition and the latest debate using official sources and industry data.
Vibe coding = "let the AI handle it without reading the code"
— sitting between traditional coding and agentic engineering
Vibe coding is unbeatable for throwaway prototypes.
If you're shipping to production, you need to slide toward the agentic engineering end of the spectrum.
1. What is vibe coding?
Vibe coding is a programming style built around talking about what the code should do, rather than writing or reading the code itself. You describe what you want to an AI (Claude, GPT, Cursor Composer, etc.) in natural language, and you keep running and asking for fixes without reading the generated code.
Three ideas sit at the core:
- Let go of attachment to the code: drop the sense of ownership over "code I wrote."
- If it runs, it's good: once it works, understanding the internals comes later — or never.
- Drive it through conversation: when bugs or errors show up, just tell the AI to "fix it." Pasting in the stack trace is enough.
A typical example: an indie developer prompts "build a Tetris game in Pygame" → Claude returns 500 lines of code → they run it → the ball doesn't fall, so they tell it "the blocks aren't rotating" → they get a fixed version back. Done without writing a single line themselves.
2. Karpathy coined it — and proposed a rename a year later
The phrase "vibe coding" was coined by Andrej Karpathy on X (formerly Twitter) in February 2025. He used it to describe the experience of pairing Cursor Composer (running Sonnet at the time) with SuperWhisper (voice input) to build apps almost entirely by talking.
What happened over the following year:
- August 2025: major LLMs cleared 60% on SWE-bench, and vibe coding started feeling real.
- December 2025: Karpathy reported a dramatic flip in his own workflow — 80% hand-written in November, 80% AI-generated in December.
- February 2026: Karpathy proposed dropping the name "vibe coding" and replacing it with "agentic engineering". The distinction: vibe = saying what you want and accepting whatever comes back; agentic engineering = designing the system, specifying constraints, and using AI to accelerate an implementation you've already thought through.
So vibe coding is in an odd spot — the term that popularized the concept, but the person who created it no longer recommends it. The market still uses it anyway, because no other word captures the same flavor of "casual" and "freed from reading code."
3. The typical workflow
Enough abstraction — here's the actual loop people run.
Describe → Generate → Run → Talk back
You run this 4-step loop dozens to hundreds of times to assemble a feature.
It's a different beast from the traditional linear "design → implement → test" flow.
4. The leading tools
As of May 2026, here are the tools where the vibe coding style works particularly well.
| Tool | Vendor | Strengths | Typical use |
|---|---|---|---|
| Claude Code | Anthropic | Long-running autonomous tasks, MCP integration, narrate-then-code helps you actually understand the code | Large changes to existing repos, greenfield projects |
| Cursor Composer | Cursor | IDE-integrated, multi-file editing, exploded in popularity because Karpathy uses it | Indie dev, startup MVPs |
| Codex CLI | OpenAI | GPT-5.5 integrated, strong at terminal automation | CLI tools, scripts, ops automation |
| Lovable | Independent startup | A dedicated "talk an app into existence" UI, deploys for you too | Non-engineer SaaS prototypes |
| v0 | Vercel | Specialized in UI components, smooth path from generation to deploy | Landing pages, frontend-only work |
| Bolt.new | StackBlitz | Runs entirely in the browser, generates full-stack web apps from a template | Learning, demos, internal tools |
| Devin | Cognition | Autonomous agent. Hand it a ticket, it produces a PR | The "extra engineer" slot on a team |
If you're a non-engineer using this for learning or prototypes, look at Lovable, v0, and Bolt.new. If you're a professional engineer working on existing code, the current go-tos are Claude Code, Cursor, and Codex CLI.
5. The dark side — security and quality reality
"Vibe coding feels great. Shipping it to production is another story." That gap became impossible to ignore in 2026, and the third-party numbers are unforgiving.
The dark side of vibe coding, in numbers
— "fun" doesn't mean "safe"
vs January 2026: roughly 6x
Georgia Tech Vibe Security Radar
Industry survey median
100% introduced the same kind of SSRF flaw
Tenzai, December study
Security vulns: 2.74x
CodeRabbit, 470-PR analysis
Human commits: 1.5% — about 2x
CSA 2026
86% contained an XSS vulnerability
Georgetown CSET
Escape.tech scanned 5,600 publicly deployed vibe-coded apps and turned up 2,000 critical vulnerabilities, 400 exposed API keys, and 175 PII leaks (medical and payment data). "It runs" and "it's safe" are not the same thing.
This isn't an "AI is bad" story — it's a structural problem with a development style that pushes unread code into production. The same AI, run by humans who add review and verification, posts dramatically lower incident rates.
6. Vibe vs agentic engineering
Karpathy's 2026 rename proposal is worth understanding — it sharpens the operational call you have to make.
| Dimension | Vibe Coding | Agentic Engineering |
|---|---|---|
| Starting point | "I want to build this" | "This is how I want it designed" |
| Constraints | Implicit, left to the AI to interpret | Explicit, communicated to the AI |
| Code understanding | Not required — just confirm the result | Required — the AI is an accelerator |
| Review | Just "does it run?" | Diffs, design decisions, security |
| Where it fits | Personal experiments, learning, throwaway code | Production systems, long-term ops, shared assets |
| Failure mode | Security incidents, unmaintainable code | Slower pace, getting boxed in by the AI |
| Who's in charge | The AI | The human (AI is an amplifier) |
You can use the same tools (Claude Code, Cursor) and turn them into vibe coding or agentic engineering depending on the stance you take. The important thing is consciously knowing "which mode am I in right now?" and switching deliberately.
7. "Vibe & Verify" — the rules for putting it to work
The best practice that's standardizing in 2026 is "Vibe & Verify": keep the lightness of letting AI do the writing, but always insert verification on the back end.
(1) Switch modes by stakes
- Low stakes (personal tools, learning, scripts): full vibe is fine.
- Medium stakes (internal tools, MVPs, throwaway prototypes): vibe + a smoke test + a quick security scan.
- High stakes (production, customer data, anything public-facing): agentic engineering mode is mandatory. Even if you wrote it in vibe mode, don't push without human review + automated security scans + added tests.
(2) Three things to always do with AI-generated code
- Look at the diff: skipping every line is fine for throwaway code. For shared code, at least eyeball the diff.
- Run a security linter:
semgrep,bandit,truffleHog, etc. Mechanical checks for secrets, SSRF, and XSS are non-negotiable. - Make the AI write tests: always tack on "now write tests for this" to the same AI. Code without tests doesn't even count as vibe coding.
(3) Don't lose the skill of reading code
Get too used to vibe coding and the moment the AI gets it wrong — or the moment you have to take over someone else's code — you'll find you can't read it. Karpathy himself has repeatedly emphasized that the ability to understand AI-generated code at the detail level matters. Even when vibing, build the habit of stopping occasionally to actually read the code; over the long run, that's where the real skill gap forms.
(4) Don't vibe your secrets
API keys, database passwords, production access tokens — never hand them to the AI or let it write them into the code. The discipline of .env + .gitignore + environment variables is not negotiable, vibe or not. Those 400 exposures Escape.tech found were exactly the cases where this basic hygiene broke down.
8. Who should vibe code, on what, and how far
| Profile | Where vibe coding fits | What to watch out for |
|---|---|---|
| Non-engineers (PMs, designers, founders) | Prototypes, internal tools, automation scripts | Anything touching real customer data — bring an engineer in |
| Junior engineers (0–2 years) | Learning, personal projects, work-side helpers | Vibe too much and your fundamentals don't develop. Carve out deliberate "read the code" time |
| Mid-level engineers | Speeding up routine tasks, generating docs, adding tests | For production refactors, lean toward agentic engineering |
| Senior engineers | Sparring partner for spec design, fast multi-option prototypes, reading legacy code | The real value is using vibe as a thinking accelerator |
| Security / SRE | Ops tools, monitoring scripts, dashboards | Anything that touches production needs strict Vibe & Verify |
Summary
- Vibe coding is the "let AI handle it without reading the code" style Karpathy proposed in February 2025.
- Karpathy himself has since proposed renaming it to "agentic engineering" in 2026 — production work needs design, constraints, and human judgment.
- Major tools: Claude Code, Cursor Composer, Codex CLI, Lovable, v0, Bolt.new, Devin.
- Security reality: 40–62% of AI code contains vulnerabilities, SSRF was found in all 5 major agents, and CVEs grew 6x in three months.
- Vibe & Verify: switch modes by stakes, look at diffs, run security scans, make the AI write tests, never vibe your secrets.
- Don't drop "the ability to read code" — the more you vibe, the more occasionally stopping to understand what's happening becomes the long-term skill differentiator.
FAQ
Q1. If Karpathy renamed it, is "vibe coding" already a dead term?
It's still widely used in the market, because there's no other phrase that captures the "casually leave it to the AI" flavor. The pragmatic move is to treat them as complementary: "casual exploration mode = vibe coding," "production mode = agentic engineering."
Q2. Is it OK for a beginner to start with vibe coding?
Yes — but read the code too. If you only vibe, you'll have no judgment to fall back on when the AI gets things wrong. A realistic path is to use the joy of "I have working code" as motivation up front, then gradually raise the share of time you spend actually understanding the code.
Q3. How do I sell vibe coding to my boss at work?
Bring three things: (1) Vibe & Verify operational rules, (2) security scanning integrated into CI, and (3) code reviews stay as strict as before. Once you can clearly say "we're raising the speed without lowering the guards," most organizations will sign off.
Q4. How is vibe coding different from older "AI-assisted coding" (Copilot, etc.)?
The difference is who's in the driver's seat. Copilot is a "pair programming" model — the human writes code while the AI completes it. Vibe coding makes the AI primary, with the human only conversing and confirming. The boundary is fuzzy, and in practice many developers move back and forth between the two.
Q5. Which tool should I start with?
For indie dev or learning, try Lovable, Bolt.new, or v0 (browser-only, nothing to install). For serious software development, try Claude Code or Cursor — Claude Code is a CLI, Cursor is IDE-integrated, pick by taste. Karpathy's pick is Cursor Composer.
Q6. What about copyright on AI-written code?
As of May 2026, the baseline in both the US and Japan is that code generated solely by AI is not protected by copyright. Code that a human substantially modified or curated can become protectable. The bigger commercial-use risk is license contamination — the AI re-emitting GPL or other licensed code into your codebase — so add a license checker to your CI.
Q7. Will vibe coding "take engineers' jobs"?
The market rate for "engineers who only write code" is heading down. On the other hand, the value of spec design, architecture decisions, security, and production operations has, if anything, gone up because of vibe coding's spread. People who can "read, judge, and fix" the large volume of code AI produces are in tight supply as of 2026.
![Generative AI Knowledge Cutoff Dates Compared: ChatGPT, Claude, Gemini & More [2026]](https://arte.itlibra.com/images/articles/ai-cutoff-featured-en.svg)
![Claude vs ChatGPT Pricing Comparison [2026]: Free Plans, Subscriptions & API Costs Explained](https://arte.itlibra.com/images/articles/claude-vs-chatgpt-pricing.svg)