Editor’s Note

Hi, this month I want to talk about something that's been quietly building for two years and very loudly broke in April.

Your developers have stopped writing code.

Not all of them, not all the time, but a significant and growing chunk of your engineering org is now prompting AI tools to write it, doing a light read, and shipping to production.

The process steps that normally catch security issues? Gone. Replaced by vibes.

Three incidents in six weeks made this impossible to ignore. Let's get into it.

Lavanya Chandrasekharan,
Siemba

Three Incidents That Define the Problem

Lovable - April 2026. A $6.6 billion vibe coding platform with 8 million users. An IDOR (BOLA) vulnerability left a researcher's bug bounty report sitting unactioned for 48 days, during which users' source code, database credentials, and AI chat logs were exposed. When the story broke, their first response was to call the exposed data "intentional behavior."

They first blamed the documentation. Then HackerOne. And the same day, a partial CEO apology. Security researchers noted the communication spiral was more alarming than the vulnerability. (The original researcher broke it on X - Polymarket called it BREAKING. It went viral.)

Moltbook - February 2026. A founder launched a social network and publicly stated he "didn't write one line of code." Three days after launch, Wiz found a misconfigured database with 1.5 million authentication tokens and 35,000 email addresses wide open. The AI scaffolded full read/write access during setup. Nobody reviewed it. Nobody knew.

Vercel via Context.ai - April 2026. Attackers didn't target a vibe-coded app. They went after the AI dev toolchain itself - a compromised AI evaluation tool used by Vercel's own developers became the entry point for a $2 million breach.

Three vectors. One thread: vibe coding's pace removes the process steps that would've caught all of this.

The Numbers Are Worse Than You've Been Told

If you assume AI coding tools are maturing toward better security output, the data will disappoint you.

Veracode tested 100+ LLMs across 80 coding tasks and found 45% of AI-generated code introduces OWASP Top 10 vulnerabilities - flat across multiple test cycles into early 2026, despite vendor claims to the contrary. Java hits 72% failure. Cross-site scripting? 86% failure rate. Log injection? 88%. These aren't edge cases. They're the basics.

Georgia Tech's Vibe Security Radar - a project tracking CVEs directly caused by AI coding tools - recorded 35 new CVEs in March 2026 alone, up from 6 in January. Researchers estimate the real number is 5-10x higher, because most projects never flag the AI origin of a bug.

And when Escape.tech scanned 5,600 live vibe-coded applications, they found 2,000 critical vulnerabilities, 400 exposed secrets, and 175 instances of PII - including medical records - sitting in production apps with real users.

The kicker: AI-assisted developers ship at 3-4x the pace of their peers and introduce security flaws at 2.74x the rate of human-written code. Speed scales faster than vulnerabilities do, except vulnerabilities scale too.

Why It's a Process Problem, Not Just a Code Problem

Here's the uncomfortable truth: this isn't primarily about AI writing bad code. It's about AI removing the entire process that normally catches bad code.

No peer review. No SAST. No dependency scan. Straight to production. 80% of developers bypass AI security policies under deadline pressure - not because they're reckless, but because vibe coding's core promise is speed, and stopping for a security gate feels like betraying that promise.

There's also a subtler problem: the prompt itself can introduce the vulnerability. Describe your database structure accurately, include sample credentials, mention how your services connect - and the AI generates code that faithfully reflects your insecure patterns back at you. It didn't make a mistake. You asked for exactly what you got.

It's not just enterprise teams. This Indie Hackers thread documents a founder whose vibe-coded app was hacked for fun - including a paywall bypassed with two lines of CSS.

One person tweeted on X that he learned this the hard way - API keys maxed out, subscriptions bypassed, random entries in his database. He built his SaaS with Cursor, shared his process publicly, and became a target overnight.

And then there's the Vercel lesson. Your developers' AI tools - coding assistants, eval platforms, debugging bots - have access to your codebase, your credentials, sometimes your production environment. They're privileged systems.

The UK NCSC head said at RSA 2026 the industry needs to build "secure by design" AI tooling urgently. We're not there yet.

What Your Security Program Actually Needs Right Now

Gartner named vibe coding in their Top Cybersecurity Trends for 2026 as a driver of "unmanaged AI agent proliferation and unsecured code." The framing was polite.

The reality is blunter: there are vibe-coded applications living in your environment right now that have never seen a security review, aren't on your risk register, and are accessible to the internet.

Annual pentests don't catch this. Quarterly scans don't either.

The only model that keeps pace with vibe coding velocity is continuous - automated testing running at the same speed your devs ship, plus human review for the logic flaws and chained exploits that no scanner finds.

Three things that matter immediately:

1. Run DAST on every app before users do.
   
   Dynamic testing catches runtime flaws - broken auth, API misconfigs, logic errors - that static tools never surface. These are the exact vulnerability classes AI tools introduce at the highest rate.
   
   
2. Put your dev toolchain in your threat model.
   
   Every AI assistant and eval platform your developers use is a third-party system with privileged access to your environment. Assess it like one.
   
   
3. Pentest before launch, not after the breach.
   
   The Moltbook timeline: hours to build, three days to breach. An expert who thinks like an attacker before you go live breaks that equation entirely.
   
   

Built for Exactly This

If your devs are vibe coding - and at 46% of all new GitHub code being AI-generated in 2026, they statistically are so your security testing needs to run at the same speed.

Siemba's platform combines continuous automated testing with expert-led pentests in one place. No switching tools. No waiting for an annual cycle.

→Book a Demo

What's New in Siemba