For developers, each year brings a fresh set of automation tools designed to help them create code faster and roll out application updates that meet ever-changing business needs. Now, artificial intelligence (AI) and large language models (LLMs) have ushered in another era of this development, known as “vibe coding.”
Vibe coding is an approach where a developer or, in many cases, an amateur coder, describes what they want to create in natural language, and an AI system generates, edits or debugs the code based on an ongoing set of instructions. This approach to application creation shifts some work from writing every line of code toward steering, reviewing and validating AI-generated output.
This technique for creating applications remains in its infancy but has caught on, especially as less-experienced coders and developers can take an idea and create an app using various AI platforms. A study by Gartner found that 40% of new business software could be created with techniques involving virtual chatbots and other AI tools. In large tech firms, such as Microsoft, company officials report that AI is creating about 30% of all code using these techniques.
The productivity increases — these chatbots can reason across a codebase, edit multiple files, run tests, respond to errors and continue iterating toward a stated goal — have a downside when it comes to ensuring apps are safe and tested for bugs and vulnerabilities.
Since many AI platforms scan the open internet, these agents can incorporate flawed code and use it while creating an application, building in vulnerabilities that can be exploited.
A less-experienced developer may lack the ability to run quality checks or incorporate DevSecOps techniques when building apps using vibe coding. A 2025 study by Veracode that investigated 100 LLMs found that 45% of code samples failed security tests and introduced OWASP Top 10 security vulnerabilities into the code.
More recently, security researcher Dor Zvi and his company, RedAccess, examined thousands of web apps created using vibe-coding platforms such as Lovable and Replit and found that more than 5,000 of these apps lacked security and vulnerability protections, according to Wired. Researchers also found that about 40% of these apps revealed sensitive information, including medical records and financial data.
Despite the security drawbacks, vibe coding is increasing in popularity, which means cybersecurity professionals will face a new set of issues as these types of apps make their way into enterprise infrastructures.
“AI-assisted vibe coding is changing who can build software and how quickly ideas move from concept to deployment,” Nicole Carignan, senior vice president for security and AI strategy and field CISO at security firm Darktrace, told Dice. “That has value, especially for prototyping, but it also changes the security model. People with limited development or security experience can now build and publish applications that touch sensitive data, connect to third-party services, or enter an organization’s software supply chain without fully understanding the risk.”
Cyber Pros Need to Understand Vibe Coding Risks
For years, organizations have tried to enforce new ways to ensure developers use secure code to build applications. DevSecOps techniques and the creation of a software bill of materials (SBOM) are two attempts by security and IT teams to address vulnerabilities built into apps.
The advent of vibe coding is making it harder to enforce these techniques. There are, however, ways to address these issues, and cybersecurity professionals should lead that initiative within their organization.
“The rise of vibe coding is similar to the early days of cloud and SaaS adoption, when usage often moved faster than policy. The answer is not to block AI coding tools. Used responsibly, they can help developers and non-developers work faster,” Carignan added. “Organizations need clear security-by-design architecture: secure code review, dependency and composition analysis, secrets detection, API security, access controls, data classification and testing before production. That includes AI-assisted code review and red-team testing to probe how generated code behaves under real-world attack scenarios, followed by mandatory human review before anything reaches production.”
For organizations that allow vibe coding, security, development and IT teams must understand the risks associated with this approach. Collin Hogue-Spears, senior director of solution management at Black Duck, pointed to a 2025 incident in which an AI agent used during a vibe-coding project wiped out a company database during a code freeze.
“A plain AI assistant writes code when you ask. An agent acts without asking. That gap is where the speed comes from, and where the danger comes from,” Hogue-Spears told Dice. “The agent collapses the write-check-fix cycle into one fast run with no human in the middle, so the pause where someone used to catch the mistake disappears. Replit, a major vibe-coding tool, showed how that can end. In 2025, it deleted a live production database during a code freeze, then tried to hide it.”
At the same time, cybercriminals can use vibe-coding techniques to speed up attacks or scan for vulnerabilities in poorly developed applications.
“Obviously, time-to-value is key for threat actors, and the ability for lower-skilled actors to build and deploy these capabilities is made possible by vibe coding. What I’m most interested in will be how our threat intel operators find these lower-skilled groups integrating commercial crimeware into their vibe-coded payload delivery and management infrastructure,” Trey Ford, chief strategy and trust officer at Bugcrowd, told Dice. “I expect to see an increase in smaller-scale threat actor communities and an uptick in commercial crimeware adoption by these groups.”
Security Skills Matter in a Vibe Coding Era
While vibe coding may bring a level of democratization to software development, it is also clear that iterative AI prompting can compound security flaws, while autonomous agents can introduce novel risks such as AI package hallucinations and vulnerable developer extension architectures, said Ram Varadarajan, CEO at Acalvio. This is where cybersecurity professionals and their skill sets can make a difference.
“Cybersecurity professionals have to adapt by engineering real-time guardrails, auditing missing regulatory depth and implementing sandboxed, human-in-the-loop review processes,” Varadarajan told Dice. “Ultimately, securing this continuously expanding attack surface requires moving away from static point-in-time scanning toward dynamic, game-theoretic defenses that can keep pace with machine-speed development.”
Darktrace’s Carignan also noted that cybersecurity professionals can demonstrate their skills and abilities as vibe coding takes off.
“For cyber professionals, this shift creates a career opportunity. Organizations will need people who understand application security, DevSecOps, AI-assisted development, data governance and software supply chain risk,” Carignan added. “AI will not remove the need for secure development expertise. It increases demand for professionals who can validate AI-generated outputs, recognize where automation falls short and translate security principles into practical, scalable development workflows.”
What vibe coding also shows is that skilled AI security practitioners are now, and will be, in high demand, with a substantial need for AI guardrails to be implemented in parallel with the adoption of AI in the enterprise, said Diana Kelley, CISO of Noma Security.
“Technical AI skills encompass a very broad spectrum. Traditional AI skills, such as data science and machine learning engineers, continue to be popular. People who are diving in and vibe coding with AI agents are also setting themselves up for future-proofed AI skills,” Kelley said.