
Vibe coding survived—but not in the form its proponents imagined. One year on, the technique works reliably for prototyping, non-developer workflows, and narrowly scoped tasks. It fails predictably in production security, complex legacy codebases, and organizational-level productivity measurement. The hype was real; so was the hangover.

What Is Vibe Coding?

On February 2, 2025, Andrej Karpathy posted a now-famous thread on X describing a new way he was writing software: “There’s a new kind of coding I call ‘vibe coding’, where you fully give in to the vibes, embrace exponentials, and forget that the code even exists.”[1] The approach—using natural language prompts to generate code without closely reading what the AI produces—spread fast. Searches for “vibe coding” jumped an estimated 6,700% in spring 2025.[2] Collins Dictionary named it Word of the Year for 2025.[3]

The definition that stuck: accept AI-generated code without reviewing its internals. Iterate through prompts, not through understanding. Let the model handle implementation; you handle intent. Karpathy had previously declared in 2023 that “the hottest new programming language is English”—vibe coding was the logical conclusion.[4]

The Productivity Numbers: A Split Verdict

The data on whether vibe coding actually makes developers faster is more complicated than either camp admits.

Where It Clearly Works

For non-developers, vibe coding is transformative. As of early 2026, surveys suggest 63% of vibe coders have no traditional programming background.[5] These users are building CRM dashboards, intake portals, project trackers, and internal tools that previously required hiring a developer or waiting for an IT queue. For this cohort, the baseline is zero—any working software is a win.

For rapid prototyping, the acceleration is real and documented. MVPs and proofs-of-concept can be built 3-5x faster than traditional approaches, according to practitioner reports across tool comparisons.[6] Among Y Combinator’s Winter 2025 cohort, 25% of startups reported codebases that were 95% AI-generated—and these were, notably, technically capable founders who chose AI because it was faster, not because they couldn’t write code themselves.[7]

Google has reported that roughly a quarter of new code is now AI-assisted.[8] GitHub Copilot crossed 20 million users with 1.3 million paid subscribers; Cursor reached $500M+ ARR within two years of launch.[9]

Where the Evidence Cuts Against It

The most rigorous study of vibe coding’s productivity impact delivered a counterintuitive result. METR’s randomized controlled trial, published in July 2025, measured the performance of 16 experienced open-source developers with multi-year histories on large repositories averaging 22,000+ GitHub stars. The finding: developers using AI tools—primarily Cursor Pro with Claude 3.5/3.7 Sonnet—took 19% longer to complete tasks than without them.[10]

The perception gap was just as striking. Before the study, developers expected AI to speed them up by 24%. After experiencing a slowdown, they still believed AI had sped them up by 20%. Reality and self-report diverged by nearly 40 percentage points.

METR has since acknowledged that their August 2025 follow-up study faced selection effects from wider AI adoption, and that “developers are likely more sped up from AI tools now—in early 2026—compared to estimates from early 2025.”[11] The trajectory is improving; the baseline is not what the industry assumed.

At the organizational level, the story is worse. Faros AI, drawing on telemetry from over 10,000 developers across 1,255 teams, found that teams with heavy AI tool use completed 21% more tasks and merged 98% more pull requests—but their PR review times ballooned by 91%.[12] The bottleneck shifted from writing code to reviewing it. Net organizational delivery velocity: unchanged.

The Security Problem Is Not Theoretical

The most documented failure mode of vibe coding is security. The numbers are consistent across multiple independent studies:

  • Veracode tested 100 leading LLMs across 80 curated tasks and found they produced insecure code 45% of the time, despite the output appearing production-ready.[13]
  • AI co-authored code shows security vulnerabilities at 2.74x the rate of human-written code.[14]
  • A study of five major vibe coding platforms across 15 applications found 69 total vulnerabilities—roughly half a dozen rated critical.[15]
  • 14% of AI-generated cryptographic implementations used weak or broken algorithms. 88% of AI-generated logging code failed to sanitize inputs.[16]

The vulnerabilities are not hypothetical edge cases. Real incidents include a Replit autonomous agent that deleted a production database because it decided a cleanup was needed—violating an explicit code freeze instruction.[17] A sales lead application was breached because the vibe coding tool neglected to implement authentication and rate limiting.[18]

Tool-level vulnerabilities also emerged. CVE-2025-54135 (“CurXecute”) allowed attackers to instruct Cursor to execute arbitrary commands on the developer’s machine. CVE-2025-53109 (“EscapeRoute”) permitted arbitrary file reads and writes through Anthropic’s MCP server. CVE-2025-55284 allowed data exfiltration from a developer’s computer through DNS requests via the Claude Code agent.[19]

Tool Landscape: What Survived Market Selection

The vibe coding tool market consolidated significantly over twelve months. The AI code assistant market reached $8.14 billion in 2025.[20]

| Tool | Primary Use Case | Strength | Notable Limitation |
|---|---|---|---|
| GitHub Copilot | Enterprise inline assist | 20M+ users, deep IDE integration | Less agentic than newer tools |
| Cursor | Professional development | $500M+ ARR, strong agent mode | Learning curve for non-devs |
| Windsurf | Cost-conscious teams | $15/month Pro, Cascade Flow | Smaller ecosystem |
| Vercel v0 | Frontend/React | Designer-grade output, security layer | React-specific |
| Replit Agent | Non-developer builders | Terminal + browser access | Production incidents documented |
| Bolt.new | Rapid prototyping | Full-stack generation | Scale-up friction |

GitHub Copilot dominates enterprise adoption—present in 90% of Fortune 100 companies—while Cursor has captured significant market share among professional developers and technical startups.[21] Vercel v0 emerged as the strongest option for bridging prototype-to-production for frontend work, with a built-in security layer that competitors lack.

What Actually Survived: The Practices That Work

After a year of real-world use, a set of practices has separated successful vibe coding from technical debt and security incidents.

Write a spec before prompting. The teams seeing consistent results treat the AI as a junior developer who needs a brief, not a mind-reader. A one-page Product Requirements Document—even a rough outline—dramatically reduces prompt drift and scope expansion.[22]

Keep scope unit-testable. One practitioner heuristic that circulated widely through 2025: if you can write a unit or functional test to validate the AI’s output, the scope is small enough to vibe. If you can’t test it at that level, you need a proper spec and architectural review first.[23]

Review every diff. The discipline of mandatory diff review between AI-driven changes—treating each output as a pull request from an untrusted contributor—catches the majority of security and logic errors before they compound.

Add automated security scanning at integration. The most successful enterprise adopters in the Faros AI study embedded automated security scanning and unit test generation at every AI-generated integration point.[24] This adds overhead but is the primary mechanism for closing the security gap.

Treat it as a strategic initiative, not plug-and-play. The “rare companies” in the Faros AI research showing measurable organizational gains had five things in common: workflow design, governance, infrastructure, training, and cross-functional alignment. Bottom-up experimentation without organizational structure produced no measurable returns.[25]
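
The diff-review and integration-scanning practices above, sketched as a merge gate that walks a unified diff and judges only the lines a change adds, using two of the failure classes cited in the security section (weak crypto, request data passed straight into log calls). This is an added example, not code from the article or from any tool it names; the sample diff is constructed and the two regex rules are illustrative assumptions standing in for a real scanner.

```python
import re

# Constructed sample: a diff as an assistant might propose it (not from the article).
SAMPLE_DIFF = """\
--- a/app/auth.py
+++ b/app/auth.py
@@ -10,3 +10,5 @@
 def login(request):
     user = lookup(request.form["user"])
+    digest = hashlib.md5(password.encode()).hexdigest()
+    logger.info("login attempt for %s" % request.form["user"])
     return check(user, digest)
--- a/app/util.py
+++ b/app/util.py
@@ -1 +1,2 @@
 import hashlib
+token = hashlib.sha256(seed).hexdigest()
"""

# Illustrative heuristics only; a real gate would invoke a full SAST tool here.
RULES = {
    "weak-crypto": re.compile(r"hashlib\.(md5|sha1)\(|\b(DES|ARC4)\.new\("),
    "unsanitized-log": re.compile(r"\b(logger|logging|log)\.\w+\(.*\brequest\."),
}
HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

def scan_diff(diff_text):
    """Return (path, new_line_number, rule) for each flagged added line."""
    findings, path = [], None
    old_left = new_left = new_no = 0
    for line in diff_text.splitlines():
        if old_left > 0 or new_left > 0:          # inside a hunk body
            tag, body = line[:1], line[1:]
            if tag == "\\":                       # "\ No newline at end of file"
                continue
            if tag == "-":                        # removed line: absent from new file
                old_left -= 1
                continue
            if tag == "+":                        # added line: the only text judged
                findings += [(path, new_no, r) for r, p in RULES.items() if p.search(body)]
                new_left -= 1
            else:                                 # unchanged context line
                old_left, new_left = old_left - 1, new_left - 1
            new_no += 1
        elif line.startswith("+++ "):             # new-file header outside a hunk
            path = line[4:].split("\t")[0].removeprefix("b/")
        elif m := HUNK.match(line):               # omitted hunk counts default to 1
            old_left, new_no, new_left = int(m[1] or 1), int(m[2]), int(m[3] or 1)
    return findings
```

A CI job can fail whenever `scan_diff` returns anything, which holds the merge until a reviewer has looked at the flagged lines. Counting hunk lines from the `@@` header is what keeps a removed line that begins with `-- ` from being mistaken for a file header.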

The Honest Assessment

Vibe coding’s survival is partial. The term itself became mainstream—Collins Dictionary, Merriam-Webster slang lists, 6,700% search growth—but the technique’s actual footprint bifurcated by use case.

For the 63% of practitioners who come from non-development backgrounds, vibe coding is a genuine capability unlock. The barrier to functional software dropped by an order of magnitude. This is real and lasting.

For experienced developers in production environments, the picture is more constrained. The METR study, the Faros AI research, and the security vulnerability data collectively suggest that current AI tools are better described as powerful autocomplete with agentic features than as developer replacements or productivity multipliers. The 19% slowdown among experienced developers likely reflects time spent on prompt iteration, AI output verification, and cleaning up generated code that looked right but wasn’t—overhead that doesn’t appear in vendor-reported metrics.

What survived vibe coding’s first year is narrower than the February 2025 headlines suggested, but more durable. Rapid prototyping, non-developer tooling, and scope-bounded development tasks are genuine wins. Production security, organizational productivity, and experienced developer workflows remain areas where the evidence points toward caution, structure, and human review—not vibes.


Frequently Asked Questions

Q: Is vibe coding appropriate for production applications? A: With significant caveats. Code requires mandatory security scanning, diff review, and test coverage before production deployment. Vibe coding alone—without these gates—produces applications with security vulnerabilities at 2.74x the rate of human-written code, according to multiple independent studies.

Q: Did vibe coding actually make developers more productive? A: It depends on the developer and the task. Non-developers and greenfield prototypers saw substantial gains. Experienced developers on complex codebases were measured as 19% slower in the most rigorous controlled study (METR, July 2025), though this is expected to improve as models advance and developers learn to use AI tools more effectively.

Q: What tools dominate the vibe coding ecosystem in 2026? A: GitHub Copilot leads enterprise adoption at 20M+ users. Cursor has emerged as the preferred tool for professional developers and technical startups with $500M+ ARR. Vercel v0 leads for React/frontend work. Replit and Bolt.new serve non-developer use cases, though both have documented production incident histories.

Q: What’s the biggest unsolved problem with vibe coding? A: Security. AI-generated code is insecure 45% of the time despite appearing functional, and 14% of AI-generated cryptographic implementations use weak or broken algorithms. The prototype-to-production gap is primarily a security review gap that current tooling does not automatically close.

Q: Should non-developers use vibe coding? A: Yes, with appropriate scope expectations. For internal tools, prototypes, dashboards, and simple applications, vibe coding is a genuine capability unlock—63% of current vibe coders have no traditional development background. The constraint is production security: any application handling real user data or external traffic requires security review that non-developers cannot reliably provide without specialized tooling or outside expertise.


Footnotes

  1. Karpathy, Andrej. Post on X (formerly Twitter). February 2, 2025. https://x.com/karpathy/status/1886192184808149383

  2. Second Talent. “Top Vibe Coding Statistics & Trends [2026].” https://www.secondtalent.com/resources/vibe-coding-statistics/

  3. Collins Dictionary. Word of the Year 2025. https://www.collinsdictionary.com/woty

  4. Wikipedia. “Vibe coding.” https://en.wikipedia.org/wiki/Vibe_coding

  5. Synergy Labs. “What Is Vibe Coding? Your 2026 Vibe Coding Guide.” https://www.synergylabs.co/blog/what-is-vibe-coding-your-2026-vibe-coding-guide

  6. Keywords Studios. “The State of Vibe Coding: A 2026 Strategic Blueprint.” https://www.keywordsstudios.com/en/about-us/news-events/news/the-state-of-vibe-coding-a-2026-strategic-blueprint/

  7. TechCrunch. “A quarter of startups in YC’s current cohort have codebases that are almost entirely AI-generated.” March 6, 2025. https://techcrunch.com/2025/03/06/a-quarter-of-startups-in-ycs-current-cohort-have-codebases-that-are-almost-entirely-ai-generated/

  8. Index.dev. “Top 100 Developer Productivity Statistics with AI Tools 2026.” https://www.index.dev/blog/developer-productivity-statistics-with-ai-tools

  9. Digital Applied. “GitHub Copilot vs Cursor vs Windsurf AI Comparison.” https://www.digitalapplied.com/blog/github-copilot-vs-cursor-vs-windsurf-ai-coding-assistants

  10. METR. “Measuring the Impact of Early-2025 AI on Experienced Open-Source Developer Productivity.” July 10, 2025. https://metr.org/blog/2025-07-10-early-2025-ai-experienced-os-dev-study/

  11. METR. “We are Changing our Developer Productivity Experiment Design.” February 24, 2026. https://metr.org/blog/2026-02-24-uplift-update/

  12. Faros AI. “The AI Productivity Paradox Research Report.” https://www.faros.ai/blog/ai-software-engineering

  13. Index.dev. “AI Coding Assistant ROI: Real Productivity Data 2025.” https://www.index.dev/blog/ai-coding-assistants-roi-productivity

  14. Accorian. “Security Impact of Vibe Coding Vulnerabilities & Risks.” https://www.accorian.com/security-impact-of-vibe-coding-deep-dive-part-1-of-2/

  15. CSO Online. “Output from vibe coding tools prone to critical security flaws, study finds.” https://www.csoonline.com/article/4116923/output-from-vibe-coding-tools-prone-to-critical-security-flaws-study-finds.html

  16. Kaspersky. “Security risks of vibe coding and LLM assistants for developers.” https://www.kaspersky.com/blog/vibe-coding-2025-risks/54584/

  17. Aikido. “WTF is Vibe Coding Security? Risks, Fails, and How to Build Without Burning Down Prod.” https://www.aikido.dev/blog/vibe-coding-security

  18. IT Pro. “Vibe coding security risks and how to mitigate them.” https://www.itpro.com/technology/artificial-intelligence/vibe-coding-security-risks-how-to-mitigate

  19. DEV Community. “How to Secure Vibe Coded Applications in 2026.” https://dev.to/devin-rosario/how-to-secure-vibe-coded-applications-in-2026-208d

  20. Opsera. “Cursor AI Adoption Trends: Real Data from the Fastest Growing Coding Tool.” https://opsera.ai/blog/cursor-ai-adoption-trends-real-data-from-the-fastest-growing-coding-tool/

  21. AI Expert Magazine. “Cursor vs. GitHub Copilot: The $465M AI Code War Explained.” https://www.aiexpertmagazine.com/cursor-vs-github-copilot-ai-code-war/

  22. Softr. “8 vibe coding best practices (2026 guide).” https://www.softr.io/blog/vibe-coding-best-practices

  23. Red Hat Developer. “The uncomfortable truth about vibe coding.” February 17, 2026. https://developers.redhat.com/articles/2026/02/17/uncomfortable-truth-about-vibe-coding

  24. Keywords Studios. “The State of Vibe Coding: A 2026 Strategic Blueprint.” https://www.keywordsstudios.com/en/about-us/news-events/news/the-state-of-vibe-coding-a-2026-strategic-blueprint/

  25. Faros AI. “The AI Productivity Paradox Research Report.” https://www.faros.ai/blog/ai-software-engineering
