In February 2025, Andrej Karpathy tweeted a phrase that would become the software industry's most expensive punchline: vibe coding. Describe what you want, let the model ship it, ignore the code. By Q4 2026, thousands of the startups who took him literally were quietly paying agencies to rebuild the result.
This is a fair, data-driven look at what AI coding actually delivers, where it fails, and when hiring a web development agency is still the smartest move. No gatekeeping. No nostalgia. Just the numbers and the reality we see every week.
The TL;DR
1. Vibe coding is fast, cheap, and genuinely useful for prototypes, demos, and throwaway tools.
2. 45% of AI-generated code fails OWASP Top 10 security tests (Veracode 2025). XSS defenses fail 86% of the time.
3. Once you count rebuild, lost SEO revenue, and breach risk, vibe coding runs ~€25K over 3 years vs ~€14K for an agency. It only looks cheap on day one.
4. Vibe coding cannot ship complex projects at all — multi-language e-commerce, LMS platforms, marketplaces, ERPs, and regulated systems require an agency. The question is just which one.
What is vibe coding, and why did it take over in 2026?
Vibe coding is the practice of building software by prompting an AI and shipping whatever it produces, without reviewing the code. The term was coined on February 2, 2025 by Andrej Karpathy, OpenAI co-founder and former Tesla AI lead. His original description: "There's a new kind of coding I call vibe coding, where you fully give in to the vibes, embrace exponentials, and forget that the code even exists."
Collins English Dictionary named it Word of the Year 2025. Merriam-Webster added it as slang. By mid-2026 it had become the default description for anyone building software by voice-prompting Cursor, Claude Code, Lovable, or Bolt.new without ever opening a file.
The important distinction, made clearly by Simon Willison, is that not all AI-assisted programming is vibe coding. A senior engineer using Claude Code with full code review, tests, and architectural judgment is not vibe coding. A founder prompting Lovable for an hour and deploying the result to production is.
Why did it take over? Because it works just well enough to feel like magic, and the tools got genuinely good in late 2025. The GitHub Octoverse 2025 report counted more than 20 million Copilot users and over 1 million pull requests submitted by the Copilot agent in a single quarter. AI coding crossed from novelty to default.
Can you actually ship a business website by vibe coding it?
Yes. You can ship one in an afternoon. The question is whether it survives contact with real users, real traffic, and real regulators.
Vibe-coded sites hit production every day and some of them work fine. The ones that work are almost always the ones where nothing is at stake: a landing page for a single campaign, a portfolio, a personal blog, a static marketing page with minimal interactivity. When the surface area is small, the blast radius of mistakes is also small.
The failure mode is not immediate. A vibe-coded site rarely crashes on day one. It slowly bleeds out. SEO performance never materializes because the HTML is bloated and the semantic structure is broken. Forms leak data because nobody checked the validation. Security vulnerabilities sit quietly for months until an automated scanner finds them. Core Web Vitals never pass because no one profiled the bundle.
We have seen exactly this sequence on client audits. The founder assumes the site is fine because it is live. Six weeks later, the traffic has not arrived and the checkout is silently throwing errors. The cost of "fast and free" comes due, with interest.
What does the data say about AI-generated code quality?
The single most-cited finding of 2025 comes from Veracode's GenAI Code Security Report. Veracode tested more than 100 large language models across 80 coding tasks and found that 45% of AI-generated code failed OWASP Top 10 security tests. The failure rates by category were brutal: 86% for cross-site scripting defenses, 88% for log injection, 72% for Java overall.
GitClear's 2025 research analyzed 211 million lines of code and found an 8× increase in duplicated 5+ line blocks after AI assistants became common. Duplication is the accountant of technical debt: every copy-paste is a future bug that has to be fixed in multiple places.
The developer trust picture is even more telling. The Stack Overflow 2025 Developer Survey polled 65,437 developers across 185 countries. 84% use AI tools. Only 29% trust the output. 66% say they are frustrated by "almost-right" AI code that wastes more debugging time than it saved. The people using AI every day are the same people who refuse to trust it.
The productivity upside is real and worth naming. McKinsey measured that developers using AI complete routine tasks up to 56% faster, with a 25–30% lift in task completion rates. This is not nothing. This is why every serious agency, including ours, uses AI every day. Speed is genuine. What is missing is judgment.
What breaks when a vibe-coded site hits real traffic?
We audit codebases for clients several times a month. The patterns repeat with almost comic regularity. Here are three anonymized vignettes that mirror what Trend Micro and Altersquare's audit of five vibe-coded startups found. The specifics are ours.
The Lovable landing page with no Row Level Security
A SaaS founder shipped a waitlist page via Lovable in a weekend. The form wrote to a Supabase table. The client-side bundle included the service role key and there was no Row Level Security policy on the table. Anyone with a browser console could read every submitted email, company, and note. The leak sat in production for 41 days before a security researcher flagged it. This pattern mirrors the Moltbook incident of early 2026, where 1.5 million API tokens were exposed through an unguarded Supabase client.
The Bolt MVP that could not pass Core Web Vitals
An e-commerce founder generated a product catalog in Bolt.new. First Contentful Paint measured 4.2 seconds. Interaction to Next Paint hit 840 milliseconds on mid-range Android phones. Every product image was a PNG served full-resolution. No code splitting, no lazy loading, no image optimization. Google's CrUX data buried the site in search rankings. We rebuilt it on a hand-tuned stack: INP dropped to 148ms and LCP to 1.7s. Conversion tripled within two months. (We wrote the performance playbook in Optimizing Three.js for a Perfect PageSpeed Score.)
The Cursor-built checkout with no CSRF protection
A founder prompted Cursor to build a Stripe checkout. The AI produced functional code. It also skipped CSRF protection entirely because the model was trained on simpler patterns. A security audit flagged it before anything was stolen, but the client was one clever request away from financial fraud liability. The developer had never heard of CSRF because the AI never mentioned it.
These patterns are not edge cases. Stack Overflow's own analysis called 2026 "the year the rescue queue overflowed." The Georgia Tech Vibe Security Radar tracked a jump from 6 CVEs linked to vibe-coded apps in January to 35 in March 2026 alone.
How much does hiring a web development agency cost in 2026?
The honest answer ranges from €800 to €60,000, and the range is not marketing fluff. It reflects genuinely different products.
- Freelancer. €800–€3,000 for a simple brochure site. Good for local businesses, tight budgets, and projects with low complexity. Quality varies wildly.
- Mid-market agency. €3,000–€15,000 for a professional multi-page site with custom design, SEO, and basic integrations. This is the sweet spot for most SMBs.
- Premium agency. €15,000–€60,000 for custom engineering, performance-first architecture, full brand work, e-commerce, custom applications, and ongoing support. This is where businesses that depend on their website to generate revenue actually build.
We broke this down in detail in Best Ways to Get a Fair Quote for Your Website. The key insight: comparing sticker prices is the wrong frame. The right frame is total cost of ownership, and that is the next section.
Vibe coding vs hiring an agency: the 3-year Total Cost of Ownership
Sticker price is a trap. What actually matters is what you spend over the life of the site: build, hosting, maintenance, bug fixes, lost revenue from a site that does not rank or convert, rescue work, breach recovery, and the eventual rebuild. Here is the honest math across three paths for a typical small-to-mid business website over 36 months.
| Path | Month 0 | Year 1 | Year 2 | Year 3 | 3-yr TCO |
|---|---|---|---|---|---|
| Vibe coding (Lovable / Bolt / Cursor, unsupervised) | €600 | +€7,500 hidden costs | +€14,000 rebuild | €3,000 | ~€25,100 |
| Freelance developer (template + some custom work) | €2,500 | €1,500 | €1,500 | €1,500 | ~€7,000 |
| Agency build (engineered, SEO, GDPR) | €8,000 | €2,000 | €2,000 | €2,000 | ~€14,000 |
The vibe coding hidden costs are not theoretical. In Year 1 alone, a real business site bleeds roughly €2,500 in bug fixes and patches a developer has to make (the founder cannot), €3,000 in lost revenue from a site that does not rank because the SEO fundamentals are broken, and €2,000 in wasted time debugging AI output that is almost right. Add the tool subscriptions and the Year 1 vibe coding total is already €8,100 before anything serious breaks.
In Year 2 the real bill lands. A rescue rebuild by a qualified engineer runs €10,000 to €12,000. A security incident — an exposed Supabase key, a GDPR complaint, an exfiltrated user table — adds another €2,000 to €4,000 in cleanup, legal review, and user notification. The exact numbers vary. The direction does not.
Three things jump out, and none of them favor vibe coding. First, the freelancer path is cheapest if the developer is competent, which is a coin flip. Second, the vibe coding path is the illusion. The near-zero sticker price evaporates the moment you count what the site actually costs you: lost revenue from an unranked site, bugs a human has to fix, the rebuild when the data layer breaks, the breach response, the GDPR exposure. On a real business website, vibe coding lands around €25,000 over three years — roughly 80% more than the agency path. Industry reporting from Tech Startups estimated the global cleanup cost for vibe-coded software at $400 million to $4 billion by the end of 2026. Somebody is paying that bill, and it is not the AI vendor.
Third, and most importantly: vibe coding cannot ship complex projects at all. Multi-language e-commerce with custom checkouts, LMS platforms with enrollment and payment flows, marketplaces with two-sided logic, custom ERPs, regulated fintech, internal business software connected to a Dolibarr or SAP backend — none of these are achievable by prompting a model. The architecture is too dense, the failure surface too broad, the integration points too specific. For anything beyond a single-purpose small site, the question is not "vibe coding or agency." The question is just "which agency."
Already vibe-coded something that needs rescuing?
We audit, harden, and rebuild AI-generated codebases into production-grade systems. Or we build it right the first time.
When does vibe coding actually make sense?
This is the part where most agency blog posts lose credibility. We will not. There is a real set of projects where vibe coding is the right answer and paying an agency is overkill.
Use vibe coding for internal tools that three people will use, hackathon projects you plan to throw away, investor demos that need to look alive, landing pages for single-day campaigns, quick concept validation, personal portfolios, and rapid prototyping during early product discovery. In all these cases, the risk profile is low, the lifespan is short, and speed is the only metric that matters.
We use vibe coding ourselves, every week, for exactly these use cases. An agency that tells you AI coding is useless is protecting its margin, not your interests. The question is never "AI or not." The question is "at what stakes."
One boundary worth naming directly: vibe coding has a hard complexity ceiling. Multi-language e-commerce with custom checkouts, LMS platforms with enrollment and payment flows, marketplaces with two-sided logic, custom ERPs, regulated fintech, any serious integration with third-party APIs — these projects cannot be shipped by prompting a model, no matter how many tokens you burn. The architecture is too interconnected, the edge cases too many, the failure modes too silent. Every attempt we have seen to vibe-code a real application hit the same wall: a prototype that demos beautifully and collapses the moment a second user logs in. For anything past the smallest single-purpose site, vibe coding is not a cheaper option. It is not an option at all.
When should you hire an agency instead?
When the site has to earn its keep. Hire an agency when your website is the primary way customers find you, when it handles payments or personal data, when your brand depends on premium perception, when you plan to run it for years, or when you do not have the technical background to audit the code yourself. If you cannot tell whether the AI is lying to you, you need someone who can.
To make this concrete, score your project on the six dimensions below. Each gets a 1 to 5. Sum the total and check the zone.
6–12 points: vibe coding is fine. 13–20 points: hybrid zone, meaning AI-assisted work under professional review. 21 points or more: hire an agency. The scoring is deliberately conservative. A single "5" in compliance scope should override almost everything else because GDPR fines do not care about your budget.
Vibe code it
- ✓ Prototypes, hackathons, and throwaway concept demos
- ✓ Internal tools used by a small, trusted team
- ✓ Investor demos and validation MVPs
- ✓ Personal portfolios and single-day campaign pages
- ✓ Drafting copy, generating test fixtures, scaffolding ideas
Hire a pro
- ✗ Checkouts and anything that handles money
- ✗ Sites that collect personal or GDPR-regulated data
- ✗ Long-lived brand sites you will run for years
- ✗ SEO-critical launches that depend on organic traffic
- ✗ Anything with compliance exposure (PCI, HIPAA, ANSPDCP)
The rescue economy: what we fix when vibe-coded sites land on our desk
There is a new line item on agency invoices in 2026: rescue work. Tech Startups called it "the vibe coding delusion" and estimated that roughly 8,000 of the 10,000 startups that built on AI-first platforms in 2025 now need a partial or full rebuild. The queue is real and growing.
The work is almost always the same shape. We receive a working but fragile codebase. We audit it against the OWASP Top 10, WCAG accessibility guidelines, Core Web Vitals, and the client's actual compliance scope. We find the silent leaks, the exposed keys, the missing RLS policies, the broken semantic HTML, the CLS bombs, the unoptimized bundles. Then we rebuild the load-bearing parts on a sane architecture. The front-end usually survives. The data layer usually does not.
A typical rescue runs €4,000 to €12,000. Security-critical incidents can push it higher. The founders who call us are rarely upset at the AI. They are upset at the marketing copy that told them the AI was enough.
Is vibe-coded software GDPR compliant in Romania and the EU?
Almost never, and this is the angle most English-language writing on vibe coding misses entirely. Under the GDPR, enforced in Romania by the local supervisory authority ANSPDCP, any business that processes personal data of EU residents is liable for the technical and organizational measures protecting that data. The law does not care whether a human or an AI wrote the code.
The failure patterns we see in vibe-coded builds are the exact patterns that trigger GDPR fines. Hallucinated cookie banners that claim consent was collected when it was not. Supabase and Firebase projects with no Row Level Security, exposing personal data through client-side queries. Missing Records of Processing Activities. No Data Protection Impact Assessment for high-risk features. Forms that send personal data to third-party analytics without a legal basis. Client-side API keys that let anyone exfiltrate the entire user table.
CNIL in France and ANSPDCP in Romania have both issued multi-thousand-euro fines for exactly these configurations. An AI assistant does not know your lawful basis. It does not know your retention schedule. It does not know what a DPO is. A professional does. This is not an abstract risk. This is a line item waiting to land on your business.
The hybrid model: how smart teams use AI and still hire a pro
The winning pattern in 2026 is neither "pure vibe coding" nor "AI is dangerous, avoid it." It is the hybrid model, and it looks like this: an engineer or agency that uses AI aggressively as leverage, under constant review, inside a real development process.
In practice this means AI scaffolds components, writes first drafts, generates tests, and handles boilerplate at 3x the old speed. A human reviews every piece for security, SEO, accessibility, and architectural fit. A human decides what ships. A human owns the outcome. As we argued in AI in Web Development: the tool, not the replacement, this is how every serious agency operates now, including ours.
Gartner forecasts that by 2028, 90% of enterprise software engineers will use AI assistants, and by 2030 AI will automate 70% of routine coding work. The ceiling is not AI replacing engineers. The ceiling is engineers with AI out-producing engineers without it, by enormous margins. Vibe coding is the shortcut. The hybrid model is the strategy.
Frequently asked questions
What is vibe coding and who invented the term?
Vibe coding is the practice of building software by prompting an AI and shipping whatever it produces, without reviewing the code. The term was coined by Andrej Karpathy, OpenAI co-founder and former Tesla AI lead, on February 2, 2025. Collins English Dictionary named it Word of the Year 2025.
Is AI-generated code safe for production in 2026?
Not without human review. Veracode tested 100+ large language models across 80 coding tasks and found 45% of AI-generated code failed OWASP Top 10 security tests. XSS defenses failed 86% of the time. AI code is shippable only after an engineer hardens it.
Is vibe coding actually cheaper than hiring a web agency?
No. It only looks cheaper on day one. Once you count hidden costs — bug fixes, lost revenue from an unranked site, the rescue rebuild, breach response, GDPR exposure — a vibe-coded business site lands around €25,000 over three years. An agency build averages €14,000. The agency path is roughly 40% cheaper, produces a better asset, and is the only viable option for any project of meaningful complexity.
Can Lovable, Bolt, or Cursor replace a web development agency?
For prototypes, internal tools, and throwaway demos, yes. For production business websites that handle traffic, payments, or user data, no. These tools accelerate engineering, they do not replace it. An agency supplies the architecture, security review, SEO engineering, and brand work that determine whether the site actually earns revenue.
What are the biggest security risks of AI-built websites?
The most common failures are exposed API keys committed client-side, missing Row Level Security on Supabase or Firebase, skipped CSRF protection on forms, hardcoded secrets, and broken authentication flows. Wiz and Trend Micro research found roughly 10% of publicly deployed Lovable apps had critical vulnerabilities.
When does vibe coding actually make sense for a business?
When the stakes are low and the lifespan is short. Internal dashboards, investor demos, landing pages for single-day campaigns, rapid concept validation, and personal portfolios are all legitimate vibe coding territory. Anything that handles money, personal data, long-term brand perception, or SEO traffic should not be vibe coded.
Is vibe-coded software GDPR compliant?
Rarely. AI builders hallucinate cookie banners, miss DPA records, misconfigure database permissions, and leak personal data through unsecured endpoints. In Romania and the EU, the ANSPDCP and other data protection authorities have fined businesses for exactly these patterns. Compliance is an engineering discipline, not a checkbox an LLM can infer.
Will hiring a web agency still be worth it in 2027?
Yes, and arguably more than ever. Gartner forecasts that by 2028, 90% of enterprise engineers will work with AI assistants. The agencies that matter in 2027 are the ones using AI as leverage, not as a replacement. Judgment, architecture, security, brand, and accountability remain human work.
We build. We rescue. We harden.
Whether you are starting from zero or untangling a vibe-coded build that stopped working, we engineer sites that rank, convert, and survive real traffic.