Complete GuideAI App Building

What Is Vibe Coding and What Can It Actually Do?

You describe it. AI builds it. No syntax, no boilerplate. Vibe coding went from a single tweet to Collins Word of the Year 2025 in under 10 months - here's what it is, what it can genuinely do, and where it consistently breaks.

July 7, 202610 min read

Author
Hussein Janoowala
Head of Delivery | Data & AI

Key Takeaways

  • Vibe coding was coined on February 6, 2025 by Andrej Karpathy - and within 10 months Collins Dictionary named it Word of the Year 2025, reflecting a shift where 63% of people using these tools now identify as non-developers.
  • The functional ceiling is real: 25% of Y Combinator Winter 2025 startups had codebases that were 95%+ AI-generated, and 46% of all new code written today is AI-generated - but only 10.5% of AI-generated code passes a security review (Carnegie Mellon University).
  • The production gap is the consistent failure point: 40% of publicly deployed vibe-coded apps have exposed sensitive data, 45% of AI-generated code ships with OWASP Top 10 vulnerabilities, and 86% fail XSS defense tests - none of which are visible in a working demo.

This guide is for: Non-technical founders, product managers, and curious developers who want to understand what vibe coding actually is, what it can genuinely build, and where it consistently falls short before they ship to real users.

In this article

Vibe coding went from a niche developer workflow to Collins Dictionary Word of the Year 2025 in under 10 months. The core idea is simple: describe what you want in plain English, let AI generate the code, test it, refine with more prompts, repeat. No syntax. No boilerplate. No programming background required.

The speed advantage is real. The production gap is equally real. This article covers both.

Key Takeaways

1. Vibe coding was coined on February 6, 2025 by Andrej Karpathy - and within 10 months Collins Dictionary named it Word of the Year 2025, reflecting a shift where 63% of people using these tools now identify as non-developers. 2. The functional ceiling is real: 25% of Y Combinator Winter 2025 startups had codebases that were 95%+ AI-generated, and 46% of all new code written today is AI-generated - but only 10.5% of AI-generated code passes a security review (Carnegie Mellon University). 3. The production gap is the consistent failure point: 40% of publicly deployed vibe-coded apps have exposed sensitive data, 45% of AI-generated code ships with OWASP Top 10 vulnerabilities, and 86% fail XSS defense tests - none of which are visible in a working demo.

Chapter 01

Where Did Vibe Coding Come From?

Vibe coding means building software by describing what you want in plain English and letting AI write the code - no programming syntax, no boilerplate. Andrej Karpathy, a co-founder of OpenAI and former Tesla AI Director, coined the term in a post on X on February 6, 2025. The definition he gave: "There's a new kind of coding I call vibe coding, where you fully give in to the vibes, embrace exponentials, and forget that the code even exists." The post got 4.5 million views. By November 2025, Collins Dictionary named it Word of the Year.

Karpathy described the actual workflow in that same post: he was using Cursor with Claude Sonnet, talking via SuperWhisper (voice-to-prompt), accepting every AI suggestion without reading the diffs, copy-pasting error messages back to the AI, and watching a codebase grow beyond his own comprehension. His phrase for it: "it's not really coding - I just see stuff, say stuff, run stuff, and copy paste stuff, and it mostly works."

What made this land was not the novelty. It was the name. A lot of developers were already doing exactly this - prompting their way to working code without reading every line. Karpathy gave it a label, and that label spread from a niche developer X/Twitter thread to mainstream workplace practice in under 10 months.

Collins Dictionary's official 2025 definition: "the practice of writing computer programs by using natural language prompts to make a generative AI program output the desired code." That definition crystallised what the tools had enabled. The core loop is: describe what you want in plain English, AI generates working code, you test it, refine it with more prompts, repeat.

Chapter 02

Is Vibe Coding Just Using AI to Help Write Code?

No - and the distinction matters a lot in practice. Vibe coding is a specific mode of AI use, not the same as the AI-assisted coding most developers already do. The line sits at what happens after the AI writes something.

AI-assisted coding (the broad category): a developer uses GitHub Copilot, Cursor, or similar tools to write faster. The AI suggests code; the developer reads it, judges it, edits it, and decides whether it ships. The developer remains in control of every line that goes into the codebase.

Vibe coding (the specific mode): you fully delegate code generation. You describe the outcome you want. You do not read the diffs. You do not review what the AI wrote line by line. You prompt your way to a working result. The AI builds; you direct with natural language.

Karpathy was explicit about this in his original post - he was "barely touching the keyboard," accepting all suggestions, not reading what went in. That full delegation is what makes vibe coding distinct from ordinary AI tooling.

The Stack Overflow 2025 Developer Survey captures the gap clearly: 84% of developers use or plan to use AI tools, but only 29% trust AI - down 11 percentage points from the prior year. The 66% who cite "AI solutions that are almost right but not quite" as their top frustration are, largely, AI-assisted developers who read the code and catch the gaps. Vibe coders who skip that review step are the ones who don't catch them.

Chapter 03

Can You Actually Build a Real App With No Coding Experience?

Yes - and this is not theoretical. 63% of vibe coding users identify as non-developers, per Hostinger's 2026 research roundup. These are product managers, founders, marketers, and people who would never describe themselves as programmers. They are building working apps.

The tools that make this possible have converged around the same basic loop: describe the app you want, the AI builds it, you test it in a browser preview, refine with new prompts. Lovable, Bolt, Replit, Base44, and Joylo all operate this way. You are not writing code at any point. You are directing an AI in plain language.

25% of Y Combinator Winter 2025 startups had codebases that were 95% or more AI-generated. These are funded companies - not side projects. They got to a working product without a traditional development team.

What actually happens in practice follows a predictable curve. The first 80% of an app - the screens, the basic CRUD operations, the wired-up login flow, the database connections in isolation - comes together fast. An afternoon, sometimes less. The working demo is real. The data saves. The buttons do things.

The last 20% is where the ceiling appears. That's auth under real load. Database connections that stay stable when 500 people use the app at once. Error handling that doesn't expose stack traces to users. Rate limiting. Real payment flows. The things that matter when the app is deployed to strangers rather than tested by the person who built it. Non-technical builders who can build the first 80% quickly cannot always identify when the last 20% is broken - because from the outside, a working demo and a broken-at-scale app look identical until real users arrive.

Chapter 04

What Can Vibe-Coded Apps Actually Do?

The honest answer: quite a lot, in specific categories. Full-stack CRUD apps - dashboards, internal tools, SaaS MVPs, simple marketplaces, content management tools - are in the functional range of today's vibe coding tools. They can wire up a frontend, a backend, a database, a login flow, and basic payment processing from a prompt. These are not toy demos. They are working software.

The categories where vibe-coded apps consistently perform well out of the box include: internal tools for teams, form-based data collection apps, read-heavy content sites, simple subscription SaaS tools, and customer-facing portals with standard auth. These work because they follow familiar patterns the AI has seen thousands of times.

The categories where vibe-coded apps consistently hit walls include: anything with complex business logic that diverges from standard patterns, real-time features that require websockets or event streaming, integrations with enterprise systems that have unusual authentication requirements, and apps where the failure mode is invisible - security vulnerabilities, data leaks, or race conditions that only appear under real load.

Every Joylo build runs a real-time AI Confidence Score - an automated audit that flags uncertain or risky code patterns before you ship. It runs on every plan across five dimensions: scalability, security, reliability, integrations, and code quality. That score exists because the AI's confidence in what it generates is not uniform. It is high for standard patterns, low for edge cases, and it cannot always self-report where it ran out of certainty. The Confidence Score surfaces that signal so you know before shipping, not after. If you want a human engineer to review it, Expert Assist connects one within 24 hours.

Chapter 05

What Actually Breaks When Real Users Show Up?

This is the production gap - and the data on it is severe. 45% of AI-generated code ships with OWASP Top 10 security vulnerabilities, per Veracode's 2025 GenAI Code Security Report. 62% of AI-generated code solutions exhibit security flaws, per the Cloud Security Alliance 2025 report. Georgetown CSET research found that 86% of AI-generated code failed XSS defense tests. CodeRabbit found AI code has 2.74 times more XSS vulnerabilities than human-written code.

The real-world consequence: a May 2026 analysis by Red Access found that 40% of 5,000-plus publicly deployed vibe-coded apps had exposed sensitive data. Not demos. Deployed apps with real users.

The Carnegie Mellon University finding puts the functional-versus-secure gap in sharpest relief: 61% of AI-generated code functions correctly - meaning it does what it was designed to do - but only 10.5% passes a security review. The app works. The demo works. The data saves. And the auth is broken in a way that only shows up when someone probes for it.

The most common failure modes are not exotic. They are: session tokens that don't expire, database queries built from unvalidated user input, error handlers that return full stack traces to the browser, and rate limiting that was never added because the AI assumed the default framework behaviour was sufficient. None of these appear in the demo. All of them appear when a real user - or a scanner - looks for them.

The gap is not a failure of the tools. It is a structural feature of how AI generates code: it optimises for making things work, not for making things safe under adversarial conditions. That requires engineering judgment the AI cannot supply, and that a non-technical founder cannot apply without knowing what to look for.

If you want to go deeper on the specific vulnerabilities that appear most often in AI-built apps and how to audit for them before you ship, read Is Your AI-Generated App Secure Enough to Ship?.

Chapter 06

Is Vibe Coding Actually the Future of Software Development?

It is already the present for prototyping and first drafts. 46% of all new code written today is AI-generated, per Hostinger's 2026 research roundup. Gartner forecasts that number reaches 60% by the end of 2026. GitHub Copilot is deployed at 90% of Fortune 100 companies. These numbers are not predictions about the future - they describe what is already happening.

The question of "is it the future" depends on what you mean by "it." Vibe coding as the default workflow for getting to a working first draft is already the default - not the exception. You describe an app, the AI generates it, you test, refine, repeat. That loop has replaced the blank-page, syntax-first starting point for a large and growing share of software projects.

Vibe coding as production-ready software delivery - where the output of prompting an AI builder ships directly to paying customers with no engineering review - is a different claim. The security data says this is where the gap opens. 40% of deployed vibe-coded apps exposed sensitive data. 62% of AI-generated code has security flaws. The AI gets you to a working app fast; it does not get you to a safe app automatically.

The real trajectory is: vibe coding covers the first 80% faster than any previous workflow. Engineering judgment - either your own, or a real engineer's - covers the last 20%. The tools that survive will be the ones that handle both. That's not hype and it's not pessimism. It's the pattern the data shows.

Chapter 07

Will Vibe Coding Replace Software Engineers?

The labor market data does not support the replacement story - at least not uniformly. Security Online reported 67,000 software engineering vacancies in early 2026, a 3-year high. That is in the same period where 46% of all new code is AI-generated. The paradox is real: more AI-generated code, more demand for engineers.

Entry-level disruption is real and worth naming plainly. Stanford research found a 20% drop in employment for developers aged 22 to 25 since 2022. The boilerplate, tutorial-level tasks that used to be entry-level developer work are increasingly handled by AI. That is a genuine economic shift affecting the bottom of the career ladder.

Senior, architecture, and security roles are in higher demand, not lower. The reason is structural: as AI-generated code proliferates, the cost of insecure or fragile code goes up. Someone has to review what the AI wrote. Someone has to design systems the AI can generate within. Someone has to make the judgment calls the AI cannot safely make - when to prioritise security over speed, when a shortcut creates a technical debt that will break at scale, when the AI's confident output is actually wrong in a way that only shows up under load.

The job is shifting, not disappearing. Writing boilerplate is being automated. Reviewing AI-generated code, designing systems, and catching what the AI got wrong are growing in value. The maintainability challenges this creates for AI-generated codebases are worth understanding before they become your problem - How Do You Keep an AI-Generated Codebase Maintainable? goes into the specifics.

Chapter 08

Are People Actually Making Money From Vibe-Coded Apps?

Yes - with a specific pattern that works and a specific pattern that does not. The pattern that works: use vibe coding to get to a revenue-generating MVP fast, then close the production gap before real scale arrives. 25% of Y Combinator Winter 2025 startups had codebases that were 95% or more AI-generated. Those are funded companies building on vibe-coded foundations - not because the foundation is perfect, but because getting to a working product fast has real commercial value.

Multiple non-technical founders have documented building and selling SaaS products using AI builders. The speed advantage is genuine. You can get from an idea to a deployable app in hours or days instead of weeks or months. That changes what is economically viable to test.

The pattern that fails: shipping a vibe-coded app to paying customers without closing the security and reliability gap. 40% of publicly deployed vibe-coded apps exposed sensitive data. A data breach on a paying customer's app is not a demo problem - it is a company-ending problem. The commercial bet on vibe coding only holds if the app survives its first real users.

Joylo is built specifically to close that gap. Joylo is built by HST Solutions, an 18-year Dublin engineering firm with 140 in-house engineers who have seen this failure pattern enough times to know exactly where to look. The AI Confidence Score flags uncertain code before it ships on every plan. When the AI hits a wall, Expert Assist connects you with a named Forward Deployed Engineer - already in your codebase, available within 24 hours, at a fixed price - to close the gap before it becomes a production incident.

The commercial logic is: move fast with AI, ship safely with engineering. Not one or the other. Both.

If your vibe-coded app works in demos but breaks when real users arrive, Expert Assist connects you with a named Forward Deployed Engineer already in your codebase, available within 24 hours, at a fixed price. See current pricing at joylo.ai/pricing. Get Engineer Help

Frequently asked questions

What is vibe coding in simple terms?

Vibe coding means building software by describing what you want in plain English and having AI generate the working code - no programming syntax required. You describe an app, the AI builds it, you test it, and refine with more natural language prompts. Collins Dictionary named it Word of the Year 2025.

Who invented vibe coding?

Andrej Karpathy, co-founder of OpenAI and former Tesla AI Director, coined the term 'vibe coding' in an X post on February 6, 2025. The post received 4.5 million views and described a workflow where you fully delegate code generation to AI, accept all suggestions without reading diffs, and direct the process entirely through natural language.

Is vibe coding safe to use for a real business app?

Not without an engineering review step. 45% of AI-generated code ships with OWASP Top 10 security vulnerabilities (Veracode 2025), and Carnegie Mellon University research found that only 10.5% of AI-generated code passes a security review - even when 61% of it functions correctly. Apps that work in demos can have broken auth, exposed data, and XSS vulnerabilities that only appear when real users or scanners probe them.

What is the difference between vibe coding and AI-assisted coding?

AI-assisted coding means a developer uses tools like GitHub Copilot or Cursor to write faster while still reading, judging, and editing every line the AI suggests. Vibe coding means fully delegating code generation - you describe the outcome, the AI generates the code, and you do not review what went in line by line. The distinction matters because the review step is where most security flaws get caught.

Do I need any coding knowledge to vibe code?

No coding knowledge is required to get to a working demo. 63% of vibe coding users identify as non-developers. The tools are built for natural language input. The practical gap is not building the first version - it is recognising when the AI has generated code that is insecure or fragile, which requires either engineering judgment or a tool that flags it for you before you ship.

Written by

Hussein Janoowala
Head of Delivery | Data & AI

Hussein is Head of Delivery, Data & AI at Joylo, with 8+ years building and shipping software. He leads the team that turns AI-built apps into production-ready systems founders can trust. His focus is engineering accountability: making sure what ships actually holds up under real users and real traffic.

Ready to ship?

Ready to experience the Joylo difference?

Build with AI. If it gets stuck, a named engineer is in your codebase within 24 hours. Every app ships with a written production guarantee behind it.

No credit card required
Start in 30 seconds
GDPR-ready, enterprise-grade security