With the rise of AI-powered coding tools, vibecoding – the use of generative AI to write, debug, or optimize code – has proliferated. While vibecoding presents promise in terms of efficiency and accessibility, it also raises critical questions about security and accountability. For cybersecurity professionals, it is essential to scrutinize how vibecoding is being used and to understand why it cannot replace skilled developers.

Data Breaches

We have already seen vibecoded applications run up against the limits of AI agents' ability to meet cybersecurity requirements, with security lapses and breaches of confidential user data that have functionally destroyed the reputation of the apps and the companies behind them. The Tea app, reputed to be vibecoded, which allows women to anonymously share information about their experiences with men they have encountered, leaked over 72,000 images, including driver's license information, and over 1.1 million private messages. A rival site, TeaOnHer, which may also have been vibecoded and rapidly developed, had a similar breach. The concern extends to the vibecoding tools themselves: Base44 was shown to have critical vulnerabilities that allowed full takeover of user accounts, exposing sensitive information.

The Weakness of AI: Nonfunctional Requirements

A persistent misconception about vibecoding is that it eliminates the need for programming knowledge. In reality, a recent article indicated that "vibe coding does not eliminate the need for programming expertise" and that "… practitioners orchestrate… while maintaining selective and strategic oversight." AI tools may generate code quickly, but they lack the nuanced understanding of system architecture, security best practices, and other nonfunctional requirements that human developers bring. Without this expertise, even the most sophisticated AI-generated code can introduce vulnerabilities, inefficiencies, and compliance issues, which makes vibecoding a code-generation acceleration practice rather than software 'development.'


Cybersecurity relies on rigorous validation, and AI’s outputs are no exception. Developers must continuously test, audit, and refine AI-generated code, as vibecoding tools are “trained with data from open-source repositories…[and] their models might embed widespread but insecure coding practices.” Common AI benchmarks “typically sacrifice realism for scale and efficiency… and use algorithmic evaluation that doesn’t capture many important capabilities” – meaning that the benchmark results published by AI companies are of limited use in evaluating a model’s real-world performance.
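The kind of validation this paragraph calls for is concrete, so here is an added example (written for this article; it is not code from the original page and makes no claim about how any of the apps named above were built). The first login function is a constructed stand-in for a common pattern in generated code: a query assembled from an f-string that passes a happy-path test and still falls to an injected username. The second is the reviewed version a human would substitute, and the audit function beside them is the repeatable check that tells the two apart. The user record, salt, and payload are all constructed inline; the PBKDF2 scheme is an assumption chosen for the example, not something the article specifies.

```python
"""Auditing an AI-generated login routine: vulnerable stand-in, hardened
replacement, and the check that distinguishes them.

Added example for this article; not code from the original page or from
any product it names. All data below is constructed for the demonstration.
"""
import hashlib
import hmac
import sqlite3

# Constructed sample data. Assumed password scheme: PBKDF2-HMAC-SHA256 with a
# fixed salt (a real application would use a per-user salt; kept simple here).
_SALT = b"constructed-salt"
_ITERATIONS = 100_000
_USERS = [
    ("alice", hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITERATIONS).hex()),
]


def _hash(password: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS).hex()


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database holding the constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", _USERS)
    return conn


def login_generated(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Constructed 'as generated' version: the query is built with an f-string.

    It hashes the password and works for honest input, which is exactly why a
    happy-path test alone would approve it. The username is never parameterised.
    """
    sql = (
        f"SELECT 1 FROM users WHERE username = '{username}' "
        f"AND pw_hash = '{_hash(password)}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Reviewed version: parameterised lookup, and the hash comparison is done
    in application code with a constant-time compare rather than inside SQL."""
    row = conn.execute(
        "SELECT pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(_hash(password), row[0])


# Constructed payload: closes the string literal, then '--' turns the rest of
# the statement (including the password clause) into a SQL comment.
INJECTED_USERNAME = "alice' --"


def audit(login) -> dict:
    """Run the happy path plus the adversarial cases against a login function.

    Returns a dict of named checks so the outcome can be asserted in CI rather
    than eyeballed. A generated routine that passes only the first two is the
    failure mode the article is warning about.
    """
    conn = make_db()
    return {
        "valid_login": login(conn, "alice", "correct horse"),
        "wrong_password_rejected": not login(conn, "alice", "wrong"),
        "injection_rejected": not login(conn, INJECTED_USERNAME, "anything"),
    }


if __name__ == "__main__":
    for name, fn in (("generated", login_generated), ("hardened", login_hardened)):
        print(f"{name:9s} {audit(fn)}")
```

Running the block prints both audits: the generated routine reports `injection_rejected: False` because the comment sequence strips the password clause out of its own query, while the hardened routine passes every check. The point of wrapping the cases in `audit` is that the same adversarial inputs can be rerun every time the model regenerates or "refines" the function, which is the continuous verification the paragraph describes.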

The Strength of Human Developers: Contextual and Strategic Awareness

AI-generated code can be integrated into a software project, provided that the engineers maintain a mental map of the application and apply the oversight needed to make good design decisions. The future of coding will most likely benefit from AI-accelerated development, not from the full replacement of human software engineers. Developers must act as "human-in-the-loop" stewards, balancing AI's capabilities with their own judgment and awareness of development and security requirements that extend beyond the narrow scope of a particular piece of logic.

Based on my own experience, the loss of contextual awareness, leading to poor architectural and strategic choices in a software project, is a costly mistake; AI may accelerate routine coding tasks, but the prompt-to-prompt nature of current AI systems' memories, incapable of organically seeing the 'big picture,' is poorly suited to designing secure, long-term solutions to large and complex problems.

Conclusion

Vibecoding is not a silver bullet. While AI tools can accelerate development, they cannot replace the critical thinking, ethical judgment, and security expertise of human developers. For cybersecurity professionals, the risks of leveraging vibecoding are even more critical. The effective and secure use of AI tools in software development requires cybersecurity professionals to continuously verify generated code, provide strategic oversight, and maintain a holistic view of the overall software development project. As we continue to embrace AI's coding potential, we must also guard against its risks.