
Where Vibe Coding helps—and where it doesn't: A field report

20.10.2025 | 10 minutes reading time

A robot attempts to build an application from prompts. The application appears very unstable and threatens to crash.

Vibe Coding is a programming approach that delegates virtually every task involved in working with source code—from understanding to creation to modification—to a GenAI, placing almost complete trust in the output of these kinds of AI. Based on a recent architecture and code review of a Space-as-a-Service platform (SPaaS platform) that was built from scratch with Vibe Coding, we provide an assessment of the suitability of this programming approach for the implementation of complex software products.

Spoiler: Without context-based structuring and orchestration of the GenAI used, the quality deficits of the generated code outweigh the supposed productivity gains.

The lure of speed—Anyone can develop now(?)

The promise of Vibe Coding is huge: with simple instructions in natural language (prompting), entire applications can be created in no time at all and without any knowledge of software development. This is made possible by increasingly powerful GenAIs based on Large Language Models such as Claude, Gemini, or GPT. With manageable costs and a growing selection of agents, tools, and platforms, the question arises: Can anyone now implement productive software, and will developers have to look for new jobs sooner or later?

We were confronted with this question when a customer recently tasked us with reviewing a prototype of an SPaaS platform created entirely with Vibe Coding. The platform was developed with no programming experience within a few weeks using a small number of prompts and a specialized Vibe Coding portal. In addition to its core functionality of offering and booking locations, the platform integrates other complex functions such as user management, chat, and payment in a modern UI. Despite its prototypical nature and relatively small codebase (approx. 50,000 lines of TypeScript), initial tests showed that the application is fundamentally executable.

The aim of the commissioned architecture and code review was to assess whether the source code generated by GenAI represents a high-quality basis for bringing the prototype of the SPaaS platform to market maturity in the medium term.

In the following, we report on our findings from the review, and discuss the opportunities and risks of implementing software products with Vibe Coding, which still exist despite a large number of specialized providers.

The analysis—What our review revealed

For the review of the AI-generated SPaaS platform, we drew on established architectural evaluation methods and used analysis tools for the Node.js ecosystem on which the application is ultimately based. The following paragraphs describe our findings for each quality deficit identified.

Vendor lock-in: For the review, we downloaded the source code of the SPaaS platform from the Vibe Coding portal that was used and first checked it for possible malicious code. We then attempted to run the application locally. To do this, we first followed the AI-generated setup documentation, but this proved to be insufficient. After minor adjustments, the platform could be started locally, but registration and login could not be executed without errors. In addition, it remained unclear how the required database management system could be connected correctly to the platform. The setup documentation lacks the necessary information. Since the Vibe Coding portal can operate the platform without errors and additional configuration, there is a significant risk of vendor lock-in with the portal.

Risky dependencies: For the vast majority of security-critical functions, such as user management and payment, the GenAI followed the best practice of integrating with proven external libraries and frameworks. However, some of these were redundant or competing, such as the use of different hash methods for the same purpose, which can lead to runtime problems that are difficult to locate. In other cases, the AI referenced versions of dependencies that are outdated or whose production readiness is unclear. In one particularly serious case, certain user management functions relied on an external dependency that had not undergone any significant further development since 2014. This was only noticed because the version number appeared suspicious (less than 1.0) and we consequently checked the associated GitHub repository. The integration of outdated dependencies and the associated high risk of security vulnerabilities is particularly problematic for security-critical aspects of a web application that processes user sessions and customer data.
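The two signals that exposed the problem in our review, a version below 1.0 and a long-dormant project, plus the competing hash libraries, can be checked mechanically. The following is an added example, not code from the reviewed platform: `auditManifest`, the package `legacy-user-auth`, the hashing-library list, the two-year threshold, and all publish dates are assumptions constructed for illustration.

```javascript
// Added example: constructed data, hypothetical names. Publish dates would
// normally come from the registry, e.g. `npm view <name> time.modified`.
const HASHING_LIBS = new Set(["bcrypt", "bcryptjs", "argon2", "crypto-js", "md5"]);
const YEAR_MS = 365.25 * 24 * 3600 * 1000;

function auditManifest(manifest, lastPublished, now, maxAgeYears = 2) {
  const deps = { ...manifest.dependencies, ...manifest.devDependencies };
  const findings = [];
  for (const [name, range] of Object.entries(deps)) {
    // First "major.minor" in the range: "^0.3.1" -> major 0.
    const m = /(\d+)\.\d+/.exec(range);
    if (!m) {
      findings.push({ name, rule: "unpinned", detail: `no version in "${range}"` });
    } else if (Number(m[1]) === 0) {
      findings.push({ name, rule: "pre-1.0", detail: range });
    }
    const published = lastPublished[name];
    if (published === undefined) {
      findings.push({ name, rule: "unknown-age", detail: "no publish date" });
      continue;
    }
    const years = (now - new Date(published)) / YEAR_MS;
    if (years > maxAgeYears) {
      findings.push({ name, rule: "stale", detail: `${Math.floor(years)} years since last release` });
    }
  }
  // More than one hashing library is worth a manual look: the same data may
  // be hashed differently on two code paths.
  const hashers = Object.keys(deps).filter((n) => HASHING_LIBS.has(n)).sort();
  if (hashers.length > 1) {
    findings.push({ name: hashers.join(", "), rule: "competing-hash", detail: "consolidate on one" });
  }
  return findings;
}

// Constructed sample: "legacy-user-auth" is a hypothetical package, all dates are made up.
const sampleManifest = {
  dependencies: { express: "^4.18.2", bcrypt: "^5.1.0", "crypto-js": "^4.2.0", "legacy-user-auth": "0.3.1" },
};
const samplePublished = {
  express: "2025-03-01", bcrypt: "2025-01-10", "crypto-js": "2024-11-02", "legacy-user-auth": "2014-06-01",
};
const sampleFindings = auditManifest(sampleManifest, samplePublished, new Date("2025-10-20T00:00:00Z"));
console.log(sampleFindings);
```

A check like this only prioritizes manual review; a flagged package still needs a look at its repository and advisories.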

Lack of architecture-related security: While certain security features such as password hashing were successfully coded by the GenAI, we found them completely absent at the architectural level. For example, communication between the frontend and backend, which are essential components of the SPaaS platform's three-tier architecture, is not encrypted. All calls to the backend API by the frontend are made in plain text via HTTP. This means they can be relatively easily intercepted and manipulated, opening the door to man-in-the-middle attacks, session hijacking, and credential theft.
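One way to close this gap at the backend boundary, shown as an added example rather than code from the reviewed platform: a middleware with the `(req, res, next)` signature used by Node's `http` module and Express that refuses plaintext API calls. The names `requireTls`, `simulate`, `publicHost`, `apiPrefix` and the host `spaas.example` are hypothetical; which framework the platform's backend uses is not stated in this report.

```javascript
// Added example (constructed): refuse plaintext API calls instead of serving them.
function requireTls({ publicHost, apiPrefix = "/api/", trustProxy = false }) {
  return function (req, res, next) {
    // Only honour X-Forwarded-Proto when a TLS-terminating proxy we control sets it.
    const forwarded = String(req.headers["x-forwarded-proto"] || "").split(",")[0].trim();
    const secure = Boolean(req.socket && req.socket.encrypted) ||
      (trustProxy && forwarded === "https");
    if (secure) {
      // Tell browsers to stop trying HTTP for this host for one year.
      res.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
      return next();
    }
    const isPageLoad = (req.method === "GET" || req.method === "HEAD") &&
      !req.url.startsWith(apiPrefix);
    if (isPageLoad) {
      // Redirect to the configured host, never to the client-supplied Host header.
      res.statusCode = 308;
      res.setHeader("Location", `https://${publicHost}${req.url}`);
      return res.end();
    }
    // API calls carry credentials or session tokens: fail loudly so the
    // misconfigured client gets fixed rather than silently redirected.
    res.statusCode = 403;
    res.setHeader("Content-Type", "application/json");
    return res.end(JSON.stringify({ error: "HTTPS required" }));
  };
}

// Drive the middleware with a constructed request and capture what it did.
function simulate(handler, { method, url, encrypted = false, headers = {} }) {
  const out = { status: 200, headers: {}, body: "", passed: false };
  const res = {
    set statusCode(v) { out.status = v; },
    setHeader(k, v) { out.headers[k.toLowerCase()] = v; },
    end(b = "") { out.body = b; },
  };
  handler({ method, url, headers, socket: { encrypted } }, res, () => { out.passed = true; });
  return out;
}

const tlsGuard = requireTls({ publicHost: "spaas.example" });
console.log(simulate(tlsGuard, { method: "POST", url: "/api/login" }));
```

The frontend's API base URL has to change to `https://` as well; the middleware only makes sure a forgotten plaintext call fails visibly.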

Improvable code quality: We used established static analysis tools to assess the quality of the AI-generated code. Unlike the security risks described above, the deficiencies identified in this process are initially less serious for a prototypical application such as the SPaaS platform under review. Nevertheless, they will become relevant at the latest after successful market validation, when the focus shifts to ensuring medium- to long-term software quality, especially maintainability. However, some of the code-related deficiencies may also come into play at an earlier stage if they cause runtime errors that affect platform operation in unforeseen ways. In fact, the reviewed source code has great potential for improvement, as a large number of smells were uncovered, ranging from high cognitive complexity of individual methods to unused or incorrect import statements and incorrectly implemented concurrency. In addition, we encountered strong coupling due to a lack of separation of concerns, a significant amount of unused code fragments, and a division of modules into folders that did not follow standard best practices. Taken together, all of the above findings suggest that the GenAI employed, in conjunction with unstructured Vibe Coding, exhibits weaknesses when it comes to extending the codebase: the integration of new features does not seem to be sufficiently accompanied by quality-oriented refactoring, which includes, for example, purposeful modularization, establishing reusability, or the removal of obsolete code.

Inadequate test coverage: The risk of significantly reduced maintainability is increased by inadequate test coverage. Although the GenAI produced tests during Vibe Coding sessions even without explicit prompting, these tests do not validate business processes such as payment processing or the creation and booking of advertisements. Instead, they focus on the technical connection to the database by issuing INSERT statements and verifying the correct execution of these statements.

The bottom line—Consequences of unstructured Vibe Coding

In summary, the use of Vibe Coding in the case of the reviewed SPaaS platform led to a number of quality deficits of varying criticality. Despite the prototype stage, the security issues identified should be resolved in the short term, and in particular before the application is validated on the market. If market validation is successful, vendor lock-in and poor maintainability should be addressed during further development, as both deficits represent technical debt that can lead to significant follow-up costs in the medium term and thus impair competitiveness.

The development of software systems is often compared to building a house. If we stick with this analogy, the use of unstructured Vibe Coding likely results in the construction of a house with fragile foundations: the façade may look good and some rooms may be usable, but others may not and the entire building may be at risk of collapse after moving in. Initial time savings then lead to a mortgage with unacceptably high interest rates, so that in the worst case the costs of renovation exceed those of a redevelopment. Additionally, these costs are usually very high for supposedly finished houses or productive software applications, and in both cases experts are needed to gradually uncover and fix the problems. Consequently, new job profiles such as “Vibe Coding Cleanup Specialist” are currently emerging.

In conclusion, based on our review of the AI-generated SPaaS platform, we can say that Vibe Coding and specialized portals enable people with little to no experience in software development to quickly generate usable prototypes. However, without special precautions, these applications do not constitute sustainable, secure, and maintainable products. The dream of the “Citizen Developer” will not automatically come true in the AI age because it neglects the complexity of professional software development.

Our recommendation—Competitive advantages through structured Vibe Coding

If we disregard our findings, the use of GenAI accelerates the development of software systems, at least in the short term. This raises the question of how this speed advantage can be sustained in the medium to long term by ensuring that generated code is and remains of high quality. The answer to this question lies in combining AI tools with human expertise and structured methods.

Instead of relying solely on the current vibe, GenAI should be given guidelines, for example with approaches such as Product Requirements Prompts, Context Engineering, or BMAD (Breakthrough Method of Agile AI-Driven Development). These structured methods have in common that the product idea is defined together with coarse-grained technical specifications, such as the desired architecture style, and precise requirements for technical implementation. Together, this structured information provides the context and a plan for development that GenAI and its agents can follow. This can be illustrated very well by the BMAD method and the following mnemonic:

  • Big Picture: The Big Picture explains the overall goal of the project to GenAI (“We are building a web-based SPaaS platform for...”).
  • Methodology: The Methodology sets clear rules and guidelines (“Use React in the frontend, Express.js in the backend, and write all code in TypeScript.”).
  • Action: The Action formulates precise, atomic instructions (“Create an Express route in the routes.ts file that...”).
  • Details: The Details provide further information on implementing the action (“Define the API endpoints using OpenAPI”).

This information is usually stored in dedicated files in Markdown format in the repository of the application in question. The files follow a specific naming scheme so that GenAI can automatically identify them as context-relevant. This means that information about the application's intended use, its architecture, and the frameworks for its implementation does not have to be specified repeatedly for each code generation by the AI and is also subject to versioning when applying a revision control system such as Git. For prompts such as “Integrate a login button,” GenAI takes the provided context into account. This is not the case with unstructured Vibe Coding that lacks precise guidelines to limit the degrees of freedom of GenAI, so that the probability of producing deficient code is much higher than with a structured method.

The benefits of structured methods for AI-supported coding are obvious: with a clear target vision and unambiguous rules, GenAI can generate high-quality, secure, and maintainable code at high speed from natural language prompts, while technical debt remains relatively low. This is especially true when combined with deterministic approaches to ensuring high software quality, such as test automation and Infrastructure as Code, as well as the involvement of human expertise, which can assess, edit, and contextualize AI decisions in case of doubt.

Getting ready for the AI-supported future of software development

What does this mean concretely for our SPaaS customer? In the next step, we empower them with our AI-Assisted Coding Workshop, in which we teach the practical basics of structured AI-supported software development so that they can independently increase the quality of their platform with GenAI and ensure its long-term success when entering the market. For those who are still unsure how to find the right use cases for GenAI, we recommend an AI Use Case Workshop to identify and strategically prioritize promising AI use cases.

Conclusion

AI is not an autopilot that can generate complex, production-ready applications from simple instructions in natural language. Rather, in the right hands, AI is an extremely powerful co-pilot that can in fact accelerate software development. The Vibe Coding approach is useful for quick experiments such as clickable prototypes. However, building robust platform products that meet common security requirements and are maintainable in the long term requires more: a structured approach to the use of AI tools and trained developers. Therefore, it is important to invest not only in AI tools, but also in building knowledge to use them effectively. This makes the difference between an expensive experiment and a real competitive advantage.
