INFO News SC Media

Vibe coding has cybersecurity asking what AI can — and can’t — replace

  • What: Discussion on AI's role in cybersecurity and its potential to replace certain tasks
  • Impact: Industry reflection on AI's impact on security roles

AI/ML, Generative AI, Application security, DevSecOps

May 11, 2026

By Laura French

Vibe coding has the cybersecurity industry talking. As thousands of practitioners attended talks about the promise and risk of AI agents at RSAC 2026 in March, and hundreds of vendors — both legacy and startups — presented their latest AI-powered tools in the expo hall, hard questions about the impact of this technology on the field arose in the back of many attendees’ minds.

At least one person expressed their thoughts on the industry’s future in the AI era by publishing a satirical website titled “RSA 2026: The Great Cooking.” The site, which saw some circulation among social media circles, states 61.9% of RSAC 2026 exhibitors “could be replaced by a weekend of vibe-coding in Cursor.” While created with unclear methodology, and an “unhealthy amount of spite,” as its creator states, the website’s sharp criticism seemingly resonated with several cybersecurity pros seeking to cut through the noise and really understand what AI can and can’t achieve.

“The Great Cooking website was great satire on the reality of the current cyber market — lots of hype, lots of wrapper companies faking it until they make it, lots of legacy companies that are going to struggle to differentiate, and a few truly differentiating cyber companies that are solving hard problems,” Horizon3.ai CEO and Co-founder Snehal Antani, who shared the site on LinkedIn, told SC Media.

Amy Chaney, SVP of technology at Citi, also praised the site as a “light-hearted review,” but said it is just that — a “funny read” and “not a buyer’s guide.” “Many of the RSA ‘cooked’ solutions are high viability market winners, many of the exhibits labeled ‘actually hard’ will solve no problems,” Chaney said.
The satire taps into a large debate already going on in cybersecurity about how AI-assisted development — or “vibe coding” — is disrupting industry norms around software creation and the state of security itself. Even where claims about AI’s capabilities may be exaggerated, vibe coding’s explosion in popularity is undoubtedly making its mark on security teams and in boardrooms around the world.

“I’ve never seen a bigger disconnect between what investors want to hear and what CISOs are trying to solve, and unfortunately, corporate marketing has over rotated to the investor narrative instead of focusing on solving problems that matter to practitioners,” Antani said.

Why cybersecurity can’t ignore vibe coding

Vibe coding specifically refers to the generation of code by a large language model (LLM) in response to natural language prompts. Vibe coding tools include foundational models like OpenAI’s ChatGPT, Anthropic’s Claude and Google’s Gemini, AI coding assistants and agents like GitHub Copilot, OpenAI’s Codex and Anthropic’s Claude Code, and AI-driven integrated development environments (IDEs) such as Anysphere’s Cursor and Google Antigravity.

For less technically skilled users, vibe coding lowers the barrier for producing software and applications based on ideas rather than coding ability. For experienced programmers and developers, AI coding assistance is used to speed up production, generating code much faster than it can be written from scratch.

Data shows AI-assisted coding is far from just a hobbyist’s tool: Stack Overflow’s 2025 Developer Survey found that 85.4% of professional developers used AI tools in their development process or planned to use them soon, with a little more than half of these developers using AI tools daily.
Additionally, 59% of all respondents (75% of whom were professional developers) said they partially used AI for writing code and 16.9% said they mostly used AI for this task, although only 17.2% said they have used or have tried using vibe coding specifically (generating software from LLM prompts).

Individual developers are not the only ones leaning into AI code-generating tools — large tech companies are already investing heavily in the technology. Last month, Google CEO Sundar Pichai said 75% of all new code at the company was being generated by AI and reviewed by human engineers, and just last week, Airbnb CEO Brian Chesky said nearly 60% of the company’s code was written by AI, according to Business Insider.

Cybersecurity companies and their customers are also increasingly using AI to write code. James Wickett, CEO of AI-native static application security testing (SAST) company DryRun Security, told SC Media that DryRun’s customer base are “building toward what we think of as the software factory of the future.”

“Internally, our engineers are already working with multiple agents generating code, which lets us ship faster and iterate more aggressively. On the customer side, code volume and velocity are exploding. We have customers pushing over 60,000 AI-driven pull requests a month, and that number keeps climbing,” Wickett said.

It’s clear that AI code generation isn’t going anywhere and will likely only become more relevant in the coming years. So, what should cybersecurity professionals know about these models’ capabilities — and what’s the catch?

Cybersecurity gives vibe coding a reality check

AI-assisted development can be seen as a wide spectrum between pure vibe coding, with just a prompt and no review, and a closer collaboration between human developers, AI tools and other technologies. At the former end of the spectrum, many cases have already shown why security pros are right to be wary about overreliance on AI code generation.
In a blog post last month, Microsoft Senior Product Manager Rod Trent referred to vibe coded apps as “90% AI magic and 10% hacker bait,” and referenced several examples of AI-generated projects falling short of security standards. In one example, a startup founder marketed a software-as-a-service (SaaS) platform built with “zero hand-written code” and shut down the platform just four days later after vulnerabilities in the app were heavily exploited.

Such case studies are backed up by empirical research into how LLMs handle security when generating code. Research last year from Backslash Security found that LLMs frequently produced code vulnerable to top 10 Common Weakness Enumeration (CWE) weaknesses, with OpenAI’s GPT-4.1, GPT 4.5 and GPT-4o producing nine out of the top 10 weaknesses when given vibe coding-style prompts.

Veracode also found in its 2025 GenAI Code Security Report that LLMs produced insecure functions 45% of the time when given vibe coding tasks specifically designed to test whether models would produce SQL injection, cross-site scripting (XSS), log injection and broken cryptography flaws. These tests were conducted on more than 100 LLMs released between March 2023 and March 2025.

At RSAC 2026, OX Security further discussed the risks of vibe coding, describing LLMs as being similar to “junior developers” and noting a consistent susceptibility to path traversal, XSS, command injection, server-side request forgery (SSRF) and open redirect flaws.

“Vibe coding creates an ‘illusion of productivity,’ where code feels secure because it functions. But AI lacks context for real-world threats; it doesn’t ‘think’ about edge cases like prompt injections or runtime exploits,” Trent wrote.

While these pitfalls are a cause for concern, they are not necessarily a reason to reject the use of AI in coding altogether, experts say.
Trent recommends a “balanced approach” involving mandatory human oversight and the use of SAST and dynamic application security testing (DAST) to review AI-generated code. Further, Backslash found that LLMs were less likely to produce code weaknesses when given security-focused prompts, and OX Security argued that the mistakes made by AI coding assistants were the same ones commonly made by human developers, set apart only by the sheer volume of code produced.

“The ability to quickly automate and produce functionality should be something we all embrace. But not all organizations are embracing it with the same rigor or a larger picture view of what value it can really bring,” GitGuardian Principal Developer Advocate Dwayne McDaniel told SC Media.

Who gets ‘cooked’ when AI coding meets cybersecurity?

The cybersecurity industry’s anxiety around AI has largely been focused on its potential use by cybercriminals to accelerate phishing, produce malware and exploit vulnerabilities, as seen with the recent announcement of Claude Mythos and Project Glasswing. An influx of vulnerabilities introduced by AI-generated code is also a major concern.

But cybersecurity is not immune to fears of being “replaced” by AI, with both practitioners and organizations weighing how to stay relevant when tasks that previously required expertise can seemingly be done in minutes with just a prompt.

“Vibe-coding is cybersecurity’s Home Depot moment. Everyone suddenly has access to tools that used to require specialists. That’s not a bad thing — but there’s a difference between tiling your bathroom and building a skyscraper,” Ryan Clarque, CISO at Black Rifle Coffee, told SC Media.

Security leaders who spoke with SC Media seemed to agree that while anxiety and uncertainty exist about AI’s potential to disrupt the market, vibe coding is not yet at the level to displace entire security platforms, let alone entire companies.

“You can build a demo. It’s much more complex to build something that collects telemetry at scale, integrates into enterprise environments, or survives contact with a real adversary,” Nome Security CISO Diana Kelley said. “The gap between a working prototype and a production security platform is enormous, and that gap is where most of this industry actually lives.”

Ultimately, the companies that will fall behind in the vibe coding era are those that over-rely on and oversell AI’s capabilities, while those that embrace AI’s positivity gains, recognize its limitations and implement robust AI governance are more likely to
