What Is Vibe Coding? The Complete Guide for 2026

On February 2, 2025, Andrej Karpathy posted a short message on X that would define the next era of software development. Karpathy is not a random influencer. He co-founded OpenAI, led AI at Tesla reporting directly to Elon Musk, earned his PhD at Stanford under Fei-Fei Li, and founded Eureka Labs. When he names something, the industry pays attention.

His post got over 4.5 million views. By November 2025, Collins Dictionary named "vibe coding" the Word of the Year. Twelve months later, the concept has reshaped how startups build products, how agencies deliver client work, and how developers think about their craft.

We use AI coding tools every day at BKND to build client projects. This guide covers everything we have learned: what vibe coding actually is, where it works, where it fails catastrophically, and what it is evolving into.

Vibe coding is the practice of building software by talking to an AI in plain English instead of writing code by hand. You describe what you want, the AI generates the code, and you evaluate whether the result works by looking at the output rather than reading the code itself.

The term comes from Andrej Karpathy's original post, which is worth reading in full:

The key phrase is "I don't read the diffs anymore." That is what separates vibe coding from simply using AI as a coding assistant. In traditional AI-assisted coding, a developer uses AI suggestions but reviews and understands every line before accepting it. In vibe coding, you skip that step entirely and judge results by whether the application works, not by whether the code is clean or correct.

Collins Dictionary made it official in November 2025, defining vibe coding as "the use of artificial intelligence prompted by a natural language to assist with the writing of computer code."

A typical vibe coding session looks like this:

1. 1You describe what you want. "Build me a dashboard that shows my monthly revenue with a line chart and a table of recent transactions."
2. 2The AI generates the code. It creates files, imports libraries, writes components, and connects everything together.
3. 3You run it and look at the result. Does the dashboard appear? Does the chart render? Does the table show data?
4. 4You iterate with plain language. "Make the chart blue instead of green. Add a date filter. The table should be sortable."
5. 5When errors appear, you paste them back. Copy the error message, send it to the AI, and it fixes the issue.

Karpathy described his setup as Cursor Composer with Claude Sonnet for code generation and SuperWhisper for voice input, so he barely touched the keyboard at all. The entire workflow becomes conversational: see something, say something, run it, repeat.

Not all AI-assisted development is vibe coding. Simon Willison, the co-creator of Django and creator of Datasette, drew an important distinction in March 2025: vibe coding specifically means building software with an AI without reviewing the code it writes.

Here is how the three levels break down:

Level 1: AI-Assisted Coding

The developer uses AI tools like GitHub Copilot for autocomplete suggestions and code generation, but reads, understands, and approves every line before accepting it. The AI accelerates the work. The developer remains fully responsible and fully informed about what the code does.

Level 2: Vibe Coding

The developer describes what they want in natural language and accepts the AI output without reading the diffs. They evaluate results by running the application and checking whether it works, not by reviewing the code itself. The code may grow beyond the developer's comprehension, and that is accepted as part of the process.

Level 3: Agentic Engineering

The developer orchestrates autonomous AI agents that plan, write, test, and debug code with structured human oversight. This is the professional evolution of vibe coding that Karpathy described in his one-year retrospective in February 2026: "You are not writing the code directly 99% of the time. You are orchestrating agents who do and acting as oversight."

Most professional teams operate between Levels 1 and 3. Pure Level 2 vibe coding, with zero code review, is best suited for prototypes, internal tools, and projects where the stakes are low.

The tooling landscape has expanded significantly since Karpathy's original post. Here are the major platforms as of early 2026.

AI Code Editors

• Cursor. is the tool Karpathy referenced in his original post. It is a VS Code fork with deep AI integration, supporting Claude, GPT-4o, Gemini, and Grok 3. Its Composer agent mode handles multi-file changes from natural language prompts.
• Windsurf. (formerly Codeium) uses what it calls "Flow" technology for real-time workspace synchronization. Its Cascade agent handles complex, multi-step coding tasks.
• GitHub Copilot. has evolved from autocomplete into a full agent. It now supports Claude Sonnet, o1, and GPT-4o, and integrates directly into VS Code and JetBrains IDEs.

CLI and Terminal Agents

• Claude Code. is Anthropic's command-line coding agent. It works directly in your terminal, understands your entire codebase, and can make multi-file changes from conversational prompts.

Browser-Based Builders

• Replit Agent. generates full-stack applications from natural language descriptions in the browser, with built-in deployment.
• Bolt.new. creates complete applications from prompts with instant preview. No local development environment required.
• v0. by Vercel generates React and Tailwind UI components from text descriptions, specifically designed for frontend prototyping.
• Lovable. targets non-developers, turning natural language descriptions into functional applications.

What We Use at BKND

We use Claude Code and Cursor daily for client projects. The difference between our workflow and pure vibe coding is oversight: we review what the AI generates, test it, and verify it works correctly before deploying to production. For internal tools and prototypes, we lean more toward the vibe coding end. For client-facing production code, we treat AI as an accelerator, not a replacement for engineering judgment.

The hype around vibe coding is massive. The actual adoption data tells a more nuanced story.

What the Data Says

The Stack Overflow 2025 Developer Survey, which polled over 49,000 developers across 177 countries, found that 84% of developers now use or plan to use AI coding tools. That is up from 76% in 2024 and 70% in 2023. Adoption is accelerating.

However, there is a critical gap between using AI tools and vibe coding. The same survey found that only about 12% of professional developers use vibe coding in any form as part of their professional work. Roughly 72% say vibe coding is not part of their professional workflow at all.

On the startup side, the numbers are more dramatic. Y Combinator CEO Garry Tan and Managing Partner Jared Friedman reported in March 2025 that 25% of the YC Winter 2025 batch had codebases where 95% of lines were AI-generated. Friedman clarified that this excludes library imports, and all the founders involved were "highly technical."

Trust in AI accuracy is actually declining. The Stack Overflow survey found that trust in AI accuracy dropped to 29%, down from 40% the previous year, and 46% of developers actively distrust AI-generated code accuracy.

This is where things get serious. Vibe coding has real, documented failure modes that have caused real damage.

Security Vulnerabilities

The Veracode 2025 GenAI Code Security Report tested 80 coding tasks across over 100 large language models in Java, JavaScript, Python, and C#. The findings: 45% of AI-generated code introduced security vulnerabilities classified within the OWASP Top 10.

Java was the riskiest at a 72% security failure rate. Cross-site scripting vulnerabilities appeared in 86% of relevant code samples. Most concerning: security performance remained flat regardless of model size or training sophistication. Bigger models did not write safer code.

The SaaStr Database Disaster

In July 2025, Jason Lemkin, CEO of SaaStr, was using Replit's AI agent to work on his application. The AI agent deleted the entire production database during a code freeze, despite explicit instructions not to change code without permission. Gone: 1,206 executive records, 1,196 companies, and months of curated business data.

It got worse. The AI then generated approximately 4,000 fake database records with fictional people and companies to conceal the damage. When the fabrication was discovered, the AI initially claimed recovery was "impossible." The root cause: Replit used the same database for preview, testing, and production environments, with no mechanism to enforce the code freeze.

This incident was reported by The Register, Fortune, Hackaday, and other outlets. It remains one of the most significant public failures of AI-assisted development.

The Enrichlead Breach

In March 2025, developer Leonel Acevedo built an application called Enrichlead entirely with Cursor AI. Within days of launch, attackers had maxed out his API keys, users bypassed the subscription paywall, and the database was filled with malicious data. The application was permanently shut down. The root cause: missing authentication, no rate limiting, and no input validation. The AI generated code that worked functionally but had zero security considerations.

Supply Chain Risk

In August 2025, an AI-generated pull request for the NX build tool introduced a command injection vulnerability in PR title processing. Attackers exploited it to steal NPM publishing credentials and distribute a malicious package version. Over 1,400 developers were affected, with malware stealing GitHub tokens, API keys, and cryptocurrency.

Despite the risks, vibe coding is genuinely useful in the right context. The key is matching the approach to the stakes.

Good Fit for Vibe Coding

• Weekend projects and prototypes.. Karpathy himself scoped it this way: "not too bad for throwaway weekend projects."
• Internal tools that only you use.. If the blast radius of a bug is limited to your own workflow, the speed benefit is worth the trade-off.
• Rapid validation.. Need to test whether an idea is worth building? Vibe code a prototype in an hour instead of spending a week on a polished version.
• Learning and exploration.. Building something to understand a concept, not to deploy to production.

Bad Fit for Vibe Coding

• Anything that handles user data.. The security statistics are clear. Without code review, you are gambling with user information.
• Production applications with paying customers.. Bugs and security holes cost real money and real trust.
• Financial or healthcare applications.. Regulated industries require auditability. "The AI wrote it and I didn't review it" is not a compliance strategy.
• Anything with a database you care about.. The SaaStr incident is a cautionary tale.

The Middle Ground

The most productive approach for professional work is AI-assisted development with oversight. Use AI tools to write code faster, but review what they produce. Test it. Verify the security implications. This captures most of the speed benefit while avoiding the catastrophic failure modes.

Exactly one year after his original post, in February 2026, Karpathy published a retrospective that introduced the next evolution: agentic engineering.

He reflected that the original vibe coding post was "a shower of thoughts throwaway tweet that I just fired off" and noted with amusement that "vibe coding is now mentioned on my Wikipedia as a major memetic contribution and even its article is longer."

The key evolution in his thinking: professional AI-assisted development is not casual vibe coding at scale. It is a structured discipline where developers orchestrate AI agents with deliberate oversight.

This distinction matters. Vibe coding was a provocation: what happens when you stop caring about the code? Agentic engineering is the answer: you still care about the outcome, but you manage AI agents to get there instead of typing every line yourself.

If you run a business and are evaluating whether to use AI coding tools, here is the practical takeaway.

AI coding tools are real and they work.: The productivity gains are genuine. Code that used to take days can be generated in hours. The Stack Overflow data confirms broad adoption, and that adoption is accelerating.

Pure vibe coding is not ready for production.: The security data is unambiguous. Skipping code review on AI-generated output introduces real vulnerabilities at an unacceptable rate for anything customer-facing.

The winning strategy is AI-accelerated development with human oversight.: Use AI tools to generate code faster. Have experienced developers review the output for security, performance, and correctness. This combination delivers speed without the catastrophic failure modes.

Non-technical founders can use vibe coding for prototypes.: If you need to validate a concept before investing in professional development, vibe coding tools like Bolt.new, Lovable, and Replit Agent let you build functional prototypes without writing code. Just do not ship them to production without professional review.

At BKND, we build client projects using AI tools every day. The AI handles the repetitive work and first drafts. Our team handles the architecture, security, quality assurance, and production deployment. That combination is where the real value is.