In plain English
Vibe coding is a style of software development where you describe what you want in plain language, let an AI generate the code, and accept it without reading it carefully — trusting the "vibe" of the session rather than verifying each line. The term was coined on February 3, 2025, by AI researcher Andrej Karpathy (co-founder of OpenAI, former head of AI at Tesla) in a viral post on X that racked up over 4.5 million views.
Karpathy's original description was disarmingly honest: "I ask for the dumbest things like 'decrease the padding on the sidebar by half' because I'm too lazy to find it. I 'Accept All' always, I don't read the diffs anymore. When I get error messages I just copy paste them in with no comment, usually that fixes it. The code grows beyond my usual comprehension." He was using Cursor Composer with Claude Sonnet and a voice dictation tool called SuperWhisper — barely touching the keyboard.
A good analogy: imagine hiring a contractor to renovate your kitchen by shouting instructions through a closed door. Most of the time they get it right, and the kitchen looks great. But you haven't seen behind the walls — and if the plumbing is wrong, you won't find out until something floods.
Why it matters
The term hit a nerve because it named something millions of developers were already doing but had no word for. Merriam-Webster listed it as a "slang and trending" expression within weeks of the original post. Collins English Dictionary named it Word of the Year for 2025. Industry surveys found that by early 2026, over 90% of US-based developers were using some form of AI coding assistance — and a significant portion were accepting code wholesale.
For non-engineers and solo builders, vibe coding is genuinely transformative. Y Combinator reported that 25% of startups in its Winter 2025 batch had codebases that were 95% AI-generated. Founders validated ideas and shipped MVPs in days instead of months. Tools like Lovable, Bolt, Replit Agent, and v0 made web app generation accessible to people who had never opened a code editor. That is a real shift in who gets to build software.
For experienced developers, vibe coding is a speed tool for low-stakes work: throwaway scripts, internal dashboards, data-processing one-offs, and prototype UIs that get rebuilt anyway. The workflow eliminates the mental overhead of syntax and boilerplate, keeping attention on architecture and product decisions.
The reason this matters is that vibe coding is not going away — it is accelerating. Understanding exactly where it works and where it breaks is now a professional skill, not just a curiosity.
How vibe coding works
A vibe coding session has a recognizable loop. You start with a plain-language description — "build me a React dashboard that pulls from this API" — and the AI generates a working skeleton. You run it, something is off, you describe the problem back to the AI rather than reading the code to find it, and the AI fixes it. The loop repeats until the app behaves the way you expect.
The key thing missing from this loop is a comprehension step. In traditional development, you write or review code, form a mental model of what it does, and then run it. In vibe coding that step is intentionally skipped — it is the whole point. The AI's output is treated like a black box that either produces the right behavior or doesn't.
Which tools enable vibe coding
Any AI coding tool can be used for vibe coding, but some are purpose-built for it. Lovable and Bolt generate entire web apps from a single prompt, with no local development environment required. Replit Agent spins up a working project in a cloud IDE. Cursor and Windsurf are IDE-based tools that run locally and give more control — vibe coders use their "Composer" or "Cascade" modes to make sweeping multi-file edits in one shot. Claude Code and GitHub Copilot Agent bring the same agentic loop to the terminal and VS Code respectively.
| Tool | Environment | Best for |
|---|---|---|
| Lovable | Browser, no install | Full web apps from a prompt; non-developers |
| Bolt | Browser, no install | Beginner-friendly prototypes; StackBlitz-backed |
| Replit Agent | Cloud IDE | Full-stack apps with a database, no local setup |
| Cursor (Composer) | Local IDE | Developers who want control + vibe sessions |
| Windsurf (Cascade) | Local IDE | VS Code users; strong multi-file reasoning |
| Claude Code | Terminal / IDE | Engineers comfortable with agentic CLI workflows |
When vibe coding works well
Vibe coding's track record is genuinely good in a narrow band of use cases. The common thread is: the cost of failure is low, and speed matters more than correctness guarantees.
- Throwaway scripts and automation: a one-off script to rename files, parse a CSV, or hit an API. If it breaks, you fix it or discard it.
- Proof-of-concept prototypes: a demo you'll show once before rebuilding. Shippable in hours, destined for the bin.
- Internal dashboards: low-traffic admin tooling where the five people who use it can tolerate rough edges.
- Learning by doing: seeing generated code can teach patterns quickly — as long as you eventually read and understand what was built.
- Solo founders validating ideas: get a testable product to real users before investing in proper architecture.
When vibe coding goes wrong
The failure modes of vibe coding are well-documented and accumulating fast. Researchers found that 40–62% of AI-generated code contains at least one security vulnerability. Veracode's testing found AI models fail to prevent Cross-Site Scripting 86% of the time and produce Log Injection vulnerabilities 88% of the time. By March 2026, security researchers had directly attributed 35 CVEs to AI-generated code — up from 6 in January of that year.
Security: AI defaults to what its training data showed
AI models generate SQL queries using string concatenation instead of parameterized queries because that is how the majority of tutorial blog posts were written. The model learned from Stack Overflow answers from 2010, beginner guides, and quick-start examples — all of which favor simplicity over security. The result is classic SQL injection vulnerabilities, missing CORS headers, plaintext API key storage, and misconfigured authentication flows.
A real incident: in early 2025, Lovable — one of the most popular vibe coding platforms — was found to have generated security vulnerabilities in a significant portion of its output apps. Researchers discovered that 170 out of 1,645 Lovable-created applications had a broken access control flaw that would allow anyone to access other users' personal information. The Tea app, built largely with AI-generated code, exposed private direct messages between users due to broken authorization logic.
Maintainability: code you don't understand can't be evolved
Karpathy himself noted it in the original post: "the code grows beyond my usual comprehension." When you don't understand a codebase, you can't confidently change it. Bugs that seem unrelated interact in unexpected ways. Debugging takes longer than writing the code from scratch would have. Studies found that the majority of developers spend more time debugging AI-generated code than they would have spent writing it themselves.
Reliability: tests pass but the wrong thing is built
AI-generated code can satisfy a test suite while silently doing the wrong thing. The model optimizes for making your error messages go away, not for implementing the intent behind the prompt correctly. An AI-generated payment flow might process a transaction without recording it in your database. An AI-generated access check might pass for the happy path but fail when a field is null. These logic errors pass basic tests and only surface under real conditions.
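An added example (not from the original page) of an access check that passes the happy path but fails when a field is null, next to a deny-by-default version and a small table of cases that encodes the intended behaviour. The `User` and `Document` types and all function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class User:
    id: Optional[int]        # None models an anonymous or half-loaded session

@dataclass
class Document:
    owner_id: Optional[int]  # None models a row whose owner was never set
    body: str

def can_read_naive(user, doc):
    # Correct whenever both ids are populated, but None == None is True,
    # so an ownerless row matches an anonymous user.
    return user.id == doc.owner_id

def can_read_strict(user, doc):
    # Deny by default: a missing identity or missing owner never grants access.
    if user is None or user.id is None or doc.owner_id is None:
        return False
    return user.id == doc.owner_id

# Intent written down as cases: (user id, owner id, should access be allowed?)
INTENT_CASES = [
    (1, 1, True),         # owner reads own document
    (1, 2, False),        # another user's document
    (None, 2, False),     # anonymous user
    (1, None, False),     # ownerless document
    (None, None, False),  # both missing: must still be denied
]

def violations(check):
    """Return the (user id, owner id) cases that the given check gets wrong."""
    bad = []
    for uid, oid, expected in INTENT_CASES:
        if check(User(uid), Document(oid, "x")) != expected:
            bad.append((uid, oid))
    return bad

if __name__ == "__main__":
    print("naive: ", violations(can_read_naive))
    print("strict:", violations(can_read_strict))
```

A suite containing only the first two cases passes for both functions; the null cases are the ones a human has to think of.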
Vibe coding:
- Accept all diffs without reading
- Paste errors, skip root-cause analysis
- No security review
- No tests authored by a human
- Codebase grows past your comprehension
- Fast to a working prototype

AI-assisted development with review:
- Review every diff before accepting
- Understand why the fix works
- Audit generated auth and data access code
- Write tests that encode your actual intent
- Maintain a mental model of the system
- Slower but safely scalable to production
Going deeper
The deeper tension in vibe coding is about ownership and expertise. Traditional software engineering rests on a developer's ability to understand, reason about, and evolve a system over time. Vibe coding deliberately trades that comprehension for speed. That trade is fine when the system is disposable — and increasingly dangerous as the system grows.
Simon Willison, a respected open-source developer, drew a useful line: "Not all AI-assisted programming is vibe coding." A developer who uses an AI to draft a function, reads it critically, revises it, and writes a test for it is doing something categorically different from a developer who prompts, accepts, and ships. The word "vibe" in vibe coding signals that the quality signal is subjective feeling, not objective verification.
Karpathy himself acknowledged in a 2026 retrospective post that the original tweet was a "shower of thoughts throwaway" he never expected to go viral. His actual practice was more nuanced — he was building personal tools where he understood the overall structure even if he wasn't reading every line. The meme that spread was a more extreme version.
The emerging hybrid model
The most productive engineering teams in 2025 and 2026 are not choosing between vibe coding and traditional development — they're segmenting by risk. They vibe-code the exploratory, throwaway, and internal-only work. They apply normal engineering discipline — code review, threat modeling, test coverage — when the code goes into production systems that handle real users or real money.
A practical checklist before shipping vibe-coded work to production:
- Read every file the AI generated. Yes, all of it. If you can't, it's not ready.
- Audit authentication and authorization logic manually — these are the highest-risk paths.
- Search for hardcoded secrets: API keys, database URLs, and tokens inside the codebase.
- Run a dependency audit (npm audit, pip-audit, or equivalent) on AI-chosen packages.
- Write at least a few tests that encode your actual intent, not just tests the AI generated to pass its own code.
- Ask the AI to explain the riskiest part of what it built. If the explanation is wrong, you found a problem.
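For the hardcoded-secrets item in the checklist above, a first-pass scanner as an added example (not part of the original page). The two regular expressions are heuristics chosen for this sketch, and the sample files and their values are constructed placeholders.

```python
import os
import re

# Heuristic patterns chosen for this example; not an exhaustive rule set.
PATTERNS = {
    "credential assignment": re.compile(
        r"""(?i)\b[\w-]*(api[_-]?key|secret|token|passw(or)?d)[\w-]*\s*[:=]\s*["'][^"'\s]{8,}["']"""
    ),
    "URL with embedded password": re.compile(
        r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:[^\s@/]+@"
    ),
}

def scan_text(path, text):
    """Return (path, line number, label) for every line matching a pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, label))
    return findings

def scan_tree(root):
    """Walk a checkout on disk and scan every readable file."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in {".git", "node_modules"}]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(path, fh.read()))
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return findings

# Constructed sample files; every value is a fake placeholder.
SAMPLE_FILES = {
    "app/config.py": 'import os\nAPI_KEY = "EXAMPLE-not-a-real-key-0000"\n',
    "app/db.js": 'const dbUrl = "postgres://app:EXAMPLE-PASSWORD@db.example.internal/app";\n',
    "app/settings.py": 'API_KEY = os.environ["API_KEY"]\nBASE = "https://api.example.com:8443/v1"\n',
}

def scan_samples():
    return [f for p in sorted(SAMPLE_FILES) for f in scan_text(p, SAMPLE_FILES[p])]

if __name__ == "__main__":
    for finding in scan_samples():
        print(finding)
```

The environment-variable lookup and the credential-free URL in `app/settings.py` produce no findings; a hit is a prompt to read that line, not proof of a leaked secret.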
Vibe coding named a real pattern, and the name stuck because it was accurate. The vibe is genuinely good — fast, frictionless, often surprising in what it can produce. The question every builder must answer honestly is: at what point does the vibe stop being a reliable signal, and what breaks when it does?
FAQ
Who invented the term vibe coding?
Andrej Karpathy coined the term on February 3, 2025, in a viral post on X. Karpathy is a co-founder of OpenAI and former head of AI at Tesla. The post described using Cursor Composer with Claude Sonnet and a voice tool to build software without reading the generated code. Collins English Dictionary named it Word of the Year for 2025.
Is vibe coding the same as using GitHub Copilot?
Not exactly. GitHub Copilot is a tool; vibe coding is a workflow style. You can use Copilot in a careful, review-every-suggestion way (AI-assisted development) or in a full accept-without-reading way (vibe coding). The tool is the same; what differs is whether you understand and verify the output before it lands in your codebase.
Can beginners learn to code by vibe coding?
Vibe coding lets beginners build working things quickly, but experts strongly caution against using it as a primary learning path. When the AI writes the code, the learner misses the process of reasoning through a problem and forming mental models of how code works. It can teach patterns passively, but only if you slow down and read what was generated.
What kinds of security vulnerabilities appear in vibe-coded apps?
The most common are SQL injection (string-concatenated queries instead of parameterized ones), broken access control (no check that the logged-in user owns the resource they're accessing), missing security headers, hardcoded API keys, and permissive CORS configurations. These map directly to the OWASP Top 10 and appear because AI training data is full of simplified tutorial code that skips those protections.
Is vibe coding bad for production apps?
Shipping vibe-coded code to production without review is genuinely risky. Research found that 40-62% of AI-generated code contains at least one vulnerability, and real incidents — including user data exposures — have been traced to AI-generated access control logic. That doesn't mean AI-generated code can't go to production; it means it must be reviewed, audited, and tested before it does.
What is the difference between vibe coding and agentic coding?
Agentic coding refers to AI agents that can autonomously run terminal commands, edit multiple files, run tests, and iterate without human input on each step. Vibe coding is about the human's level of review and comprehension, not the AI's autonomy. You can have a highly agentic tool (like Claude Code) that you use carefully, and you can use a simple autocomplete tool in a vibe-coding style. The terms describe different dimensions.