What is Vibe Coding : Why 90% Fail and How Winners Build
A friend of mine built a working web app last year. He runs a small logistics company. No coding background. Never taken a programming class in his life. He described what he wanted in plain English, watched the AI generate the code, tested it, described what needed fixing, and shipped it in a weekend.
When he told me, I asked him what programming language he used. He laughed. He said he had no idea. That moment is exactly what this shift in software development looks like. And it is happening millions of times a day right now across the world.
This new approach went from a single tweet in February 2025 to Collins Dictionary’s Word of the Year for 2025. Searches for the term jumped 6,700 percent in the months after it was coined. A quarter of startups in Y Combinator’s Winter 2025 batch had codebases that were 95 percent or more AI-generated. GitHub reports that 46 percent of all new code being committed today is written by AI.
This is not a trend. This is a shift. Let me walk you through everything you need to know, where it came from, how it works, which tools matter, what the real risks are, and whether it has a serious future.
What is Vibe Coding? The Real Definition
The practice involves building software by describing what you want in plain language, letting an AI generate the code, and iterating on the result through more prompts. You do not write the code yourself. You describe outcomes and judge results.
According to Wikipedia, it is a software development practice where the developer describes a project in a prompt to a large language model, which generates source code automatically. It may involve accepting AI-generated code without thorough review, instead relying on results and follow-up prompts to guide changes.
Google Cloud describes it as marking the end of an era where software development required years of technical training, turning millions of non-coders into creators who can build and launch applications.
The term was coined on February 3, 2025 by Andrej Karpathy, a co-founder of OpenAI and former senior director of AI at Tesla. His original post on X described a new way of working where he would “fully give in to the vibes, embrace exponentials, and forget that the code even exists.” He described barely touching the keyboard, using voice input, and accepting AI changes without reviewing every line.
That post cleared 4.5 million views. Merriam-Webster listed it as a slang and trending expression in March 2025. Collins Dictionary named it Word of the Year for 2025.
It was not an invention. It was a name for something millions of developers and non-developers were already doing.
Table of Contents
Where Did Vibe Coding Come From?
To understand it properly, you need to understand what Karpathy was describing.
In 2023, Karpathy said “the hottest new programming language is English.” That was his observation that large language models had become capable enough that you could describe what you wanted in natural language and get working code back. At the time it sounded like an interesting idea. By early 2025 it had become a practical reality that tens of millions of people were living every day.
Karpathy’s February 2025 post described his personal experience using Cursor Composer with voice input through SuperWhisper. He would speak his requests, barely touch the keyboard, accept all AI-generated changes, paste error messages directly back to the AI for resolution, and let the codebase grow without fully understanding every part of it.
The key idea he was capturing was not just that AI could help you code. That had been true for years. The new idea was that you could fully give in to the AI, stop trying to understand every line, and judge the software by whether it worked rather than by whether you understood how it worked.
The approach was not about chaos. It was about a specific relationship with software where your role shifts from author to director.
How Does Vibe Coding Actually Work?
The workflow has three steps that repeat until you have what you want.
The first step is describing. You tell the AI what you want to build in plain English. Not code. Just intention. “Build me a dashboard that shows monthly sales by region” or “Create a login page with email and password that stores users in a database.”
The second step is generating. The AI writes the code. Depending on the tool you use, it might build just a component, or it might build an entire frontend, backend, authentication system, and database all at once.
The third step is Repeating. You test what was built. Something does not work or does not look right. You describe the problem back to the AI. “The chart is not filtering by date range correctly” or “The login button should be blue not gray.” The AI fixes it. You test again.
This loop replaces the traditional development cycle of planning, writing code, debugging, and deploying. The developer, or non-developer, stays focused on outcomes while the AI handles syntax, logic, and structure.
IBM describes it as a fresh take on coding where users express their intention using plain speech and the AI transforms that thinking into executable code.
The experience of it, for people who have tried it, is completely different from anything that came before. You stay in a creative state the whole time. You are never pulled out of thinking about what you want to build by having to think about how to code it.
The Best Vibe Coding Tools in 2026
The AI app building market has grown fast. As of 2026, the market is estimated at 4.7 billion dollars and projected to reach 12.3 billion dollars next year. Here are the tools that actually matter.
Cursor
Cursor is an AI-first code editor built for developers who want full control over their codebase while using AI to handle the repetitive work. It indexes your entire project so you can describe changes in plain English. It proposes diffs across multiple files that you can accept or reject before anything merges.
Cursor is better suited for people with some coding experience. It reduces the work without removing the developer from the loop entirely. For serious work on complex projects, Cursor combined with Claude Code is widely considered one of the strongest combinations available.
Lovable
Lovable is a full-stack AI development platform that builds, iterates on, and deploys web applications from natural language descriptions. It generates frontend, backend, authentication, and database layers from a single prompt. The output is real exportable code that you can pull into GitHub and keep building.
Lovable reached 50 million dollars in annual recurring revenue within six months of launch. The platform generates 25,000 projects daily and has powered over 1.2 million apps since launch. It is best suited for founders, consultants, and non-technical builders who need a working prototype fast.
Bolt.new
Bolt is known for speed. It lets you quickly test concepts before committing to a full build, enabling rapid iteration across multiple frameworks with minimal friction. It is ideal for casual prototypes and fast idea validation. Less suited for production apps without additional work.
Claude Code
Claude Code is a terminal-based AI agent that handles difficult tasks across multiple files. It is well suited for deep, Expansive codebases where the AI needs to reason through a complete task from start to finish. It requires more technical context from the user but produces more consistent results on complex projects.
Replit
Replit provides an all-in-one browser-based environment for building and deploying apps. It handles hosting so you do not need to set up servers or manage infrastructure. Strong for teams focused on internal tools and dashboards, and for students getting into development for the first time.
Free AI Coding Options
Several strong free options exist. Bolt.new has a free tier for prototyping. Replit offers a free plan with limitations. Google’s Gemini CLI is free and integrates with Google services. GitHub Copilot is free for students and verified open-source contributors. The free tiers are useful for learning and early-stage projects.
Is Vibe Coding Bad? The Real Security Picture
This is the most important question anyone using vibe coding tools needs to answer honestly.
The short answer: vibe coding is not bad. But it produces vulnerable code at a rate that anyone building real products needs to take seriously.
Here is the actual data from verified sources.
According to Veracode’s 2025 GenAI Code Security Report, 45 percent of AI-generated code contains security flaws. An analysis of 470 open-source GitHub pull requests found that AI-written code produces flaws at 2.74 times the rate of human-written code. A first-quarter 2026 assessment of more than 200 vibe-coded applications found that 91.5 percent contained at least one vulnerability traceable to AI hallucination. More than 60 percent exposed API keys or database credentials in public repositories.
Georgia Tech’s Vibe Security Radar tracked 35 CVEs attributed to AI-generated code in March 2026 alone, up from 6 in January.
Escape.tech audited 5,600 publicly available vibe-coded applications and found over 2,000 vulnerabilities, plus 400 exposed secrets and 175 instances of personal data leakage.
Why 90 Percent of Vibe-Built Apps Have Serious Problems
These are not theoretical risks. Real companies have been hurt.
In January 2026, an AI-built social network called Moltbook was breached within three days of launch. It exposed 1.5 million API authentication tokens and 35,000 email addresses through a misconfigured database with no row-level security. The founder had not written a single line of code himself.
Enrichlead, a B2B startup whose founder announced that 100 percent of its code was written by Cursor AI, was shut down just days after launch when security researchers found anyone could access paid features or alter other users’ data. The project was abandoned after the founder could not fix it using the same AI tools that built it.
The most common Weakness found across AI-built apps are missing row-level security policies, exposed API keys in client bundles, client-side-only authentication, and hallucinated packages that attackers can hijack.
The fix is not to stop vibe coding. It is to treat AI-generated code as untrusted code that needs security review before it handles real users and real data.
What Linus Torvalds Says About Vibe Coding
Linus Torvalds, the creator of Linux and one of the most respected programmers alive, has acknowledged using AI tools for hobby projects. His position is nuanced. He is not opposed to AI-assisted development and uses it himself in low-stakes contexts. He remains skeptical of this approach for serious systems work, particularly anything touching kernel-level code or infrastructure where correctness and security are non-Flexible.
His view reflects the broader consensus among senior engineers: vibe coding is a powerful tool for the right context. It is not a replacement for engineering judgment on complex, security-critical, or production-scale systems.
Does Vibe Coding Have a Future?
Yes. The data makes this clear.
Developers completed tasks 25 to 55 percent faster with AI assistance. Senior engineers reported productivity gains of up to 81 percent. Non-developers are building apps they could never have built before. The tools have attracted billions in venture funding because the productivity gains are real and measurable.
In Y Combinator’s Winter 2025 batch, 25 percent of startups had codebases that were 95 percent or more AI-generated. According to GitHub, 60 percent of all new code will be AI-generated by the end of 2026.
The shift is not whether vibe coding will exist. It is how it will mature.
The next phase is less about “describe it and ship it” and more about structured AI-assisted development. How Winners Build: The Habits That Separate Good From Bad
The teams building reliable software in 2026 write technical product requirement documents before they open any AI tool. They define data models, integration points, and security guardrails first. They build one component at a time, test it, understand it, and then move to the next. They treat every AI-generated change as untrusted code that needs review before anything touches production.
Building apps this way as a pure “one prompt, ship it” workflow has limits that the market has now learned in public. A disciplined AI-assisted approach is how serious builders are using it.
Conclusion: A New Way to Build. A New Set of Rules.
This shift changed what it means to build software. My friend who shipped a working app without knowing what programming language it used is not a rare story anymore. It is happening everywhere.
The productivity gains are real. The Modernization is real. The ability for a founder with an idea and no engineering background to build and ship a working product in a weekend is real.
The security risks are also real. The companies that have been breached are real. The Exposure in AI-generated code are measurable and documented.
This is not a shortcut that breaks software development. It is a new set of tools that requires a new set of habits. Build fast with AI. Review before you ship. Treat generated code as untrusted until it has been checked. Define security requirements before the first prompt.
The people who learn those habits now are building a genuine advantage. The ones who skip them are building the next Moltbook.
Vibe coding is here. The question is not whether to use it. The question is whether you use it well.
Frequently Asked Questions
What does this term mean Vibe Coding ?
It means building software by describing what you want in plain English, letting an AI generate the code, and iterating through prompts until the result works. The term was coined by Andrej Karpathy in February 2025 and named Collins Dictionary Word of the Year for 2025.
Is this real coding?
Vibe coding is a real way to build working software. Whether this counts as “real coding” depends on your definition. You are not writing syntax. You are directing an AI. Some experienced developers use vibe coding for prototypes and low-stakes projects. For production systems, most engineers combine AI coding tools with code review and security scanning.
Is AI-generated development bad?
The approach itself is not bad. The productivity gains are real and well-documented. The risk is that AI-generated code contains security vulnerabilities at a high rate. Research shows 45 percent of AI-generated code contains flaws. It becomes dangerous when developers skip security review and ship directly to production with real user data.
What are the best tools for vibe coding ?
The leading tools in 2026 are Cursor, Lovable, Bolt.new, Claude Code, Replit, and Windsurf. For non-technical users, Lovable and Bolt are the most accessible. For developers who want AI assistance without losing control, Cursor and Claude Code are the strongest options.
Are there free AI coding tools?
Yes. Several tools offer free tiers. Bolt.new, Replit, and Gemini CLI are free for basic use. GitHub Copilot is free for students and open-source contributors. Free tiers are enough for learning and prototyping. Serious projects usually need paid plans for the usage limits and features required.
Can you build complex apps this way?
You can prototype complex apps quickly with these AI tools. Building and maintaining complex production apps entirely through AI generation without engineering oversight is where the major security and maintainability problems appear. Most serious teams use AI assistance for speed and AI-generated scaffolding, then apply engineering discipline for anything touching real users or real data.
What is the difference between vibe coding and AI-assisted coding?
AI-assisted coding means using AI tools to help you write code faster while still reading and understanding what gets committed. In Karpathy’s original definition, the approach, means fully giving in to the AI, accepting code without reviewing every line, and judging software by whether it works rather than by understanding how it works. In practice many people use the terms interchangeably, though the distinction matters for security and maintainability.
