Vibe Coding for Paying Clients: Why Cheap and Fast Is a Time Bomb

I met a developer at a meetup last month. Smart, friendly, building fast. He was three drinks in and pitching me on his stack: Claude Code, a Stripe key, a Supabase project, and a Vercel account. He’d shipped four small SaaS products for clients in the last quarter. Each one took about a week. Each one priced like a weekend project.

I asked him how he was handling multi-tenant data isolation across the four apps.

He looked at me like I’d asked him for the molecular weight of helium.

This post is for the people writing the cheques on the other side of those conversations — business owners, ops managers, and CTOs being told “AI lets us build it in a week, not two months.” That comparison is a misdirection. You’re not buying a cheaper version of the same product. You’re buying a different product entirely, with most of its cost hidden until something goes wrong.

The “2 months vs 1 week” comparison only works if the deliverables match

When someone tells you they can build it in a week instead of two months because they’re using AI, what they’re really saying is: I can produce the happy-path version in a week.

The happy path is the demo. It’s the screenshot. It’s the part you see during the sales call. And honestly, AI tools are now genuinely excellent at the happy path. Andrej Karpathy — the OpenAI co-founder who coined “vibe coding” in the first place — recently dropped the term in favour of “agentic engineering”, noting that the model isn’t writing pages of code unsupervised any more; you’re orchestrating agents who do, and acting as oversight. That word matters: oversight. Whoever is steering the agents has to know what to look for.

The two-month version exists because the 80% the AI handles isn’t the part that fails in production. The 20% it can’t reach is — and that 20% is invisible until real users, real data, and real money pass through the system.

If you only compare the demo on day seven against the demo on day sixty, of course the demo on day seven looks like a steal. You’re comparing the visible parts of two very different products.

What the client is actually buying

When a vibe-coded build skips the 20%, the things being skipped aren’t optional polish. They’re the parts that decide whether your business is exposed.

The data is now public. Veracode’s GenAI Code Security Report found that 45% of AI-generated code contains a known security vulnerability. A 2026 industry analysis found 41% of AI-generated backend code shipped with overly broad permission settings. Cloud Security Alliance research flagged a surge in vibe-coded apps exposing API keys, service-account credentials, and passwords in client-side JavaScript — meaning anyone who opens browser dev tools can read them. 86% of generated code samples failed cross-site scripting defences; 88% were vulnerable to log injection.

In concrete terms, here is what is typically not in your one-week build:

  — Multi-tenant data isolation (the difference between an app and a class-action)
  — Real authn/authz boundaries (not just login screens)
  — Edge cases and failure recovery
  — Audit logs (the things regulators ask for)
  — Secrets management

None of this is on the invoice. But it’s all in the product.

The risk transfer no one mentions in the quote

Here’s the part business owners need to understand clearly. When a developer ships a vibe-coded product to a paying client and skips the 20%, the cost of that 20% doesn’t disappear. It gets transferred. To you.

If your customer data leaks into a competitor’s hands because of an unscoped query, the developer doesn’t lose customers — you do. If your platform gets used to exfiltrate someone else’s data, the Australian Privacy Act notification obligation lands on your company, not the contractor’s. If a regulator finds out you collected payment data through an app where the Stripe key was sitting in client-side JavaScript, the fine goes to your business name. If a hostile actor finds the exposed credentials and pivots into your accounting system, you’ll explain that to the board. Not them.
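The "unscoped query" in the paragraph above, shown concretely as an added example (this is not code from the post or from any of the builds it describes): the vibe-coded shape that looks rows up by a client-supplied id alone, the tenant-scoped shape that takes the tenant from the verified session, and the cross-tenant check that answers "how is it tested?". The in-memory table stands in for a Supabase/Postgres table; the tenant names, row ids and amounts are constructed sample data.

```javascript
// Added example (not the post's code): the "unscoped query" beside a
// tenant-scoped data layer, plus the cross-tenant check a buyer can ask to see.
// The in-memory table stands in for a Supabase/Postgres table; the tenant names,
// row ids and amounts are constructed sample data, not from any real build.

function sampleInvoices() {
  return [
    { id: 1, tenant_id: "acme", amount: 120 },
    { id: 2, tenant_id: "acme", amount: 80 },
    { id: 3, tenant_id: "globex", amount: 500 },
  ];
}

// Vibe-coded shape: rows are looked up by a client-supplied id alone, so any
// signed-in user who guesses an id reads or deletes another tenant's invoice.
class UnscopedInvoices {
  constructor(rows) {
    this.rows = rows;
  }
  get(id) {
    return this.rows.find((r) => r.id === id) ?? null;
  }
  remove(id) {
    const before = this.rows.length;
    this.rows = this.rows.filter((r) => r.id !== id);
    return before - this.rows.length; // rows deleted
  }
}

// Production shape: tenant_id is taken from the verified session (never from
// the request body) and is a mandatory predicate on every read and write.
class TenantScopedInvoices {
  constructor(rows, session) {
    if (!session || typeof session.tenant_id !== "string" || !session.tenant_id) {
      throw new Error("refusing to build a repository without a tenant");
    }
    this.rows = rows;
    this.tenant = session.tenant_id;
  }
  list() {
    return this.rows.filter((r) => r.tenant_id === this.tenant);
  }
  get(id) {
    return this.rows.find((r) => r.id === id && r.tenant_id === this.tenant) ?? null;
  }
  remove(id) {
    const before = this.rows.length;
    this.rows = this.rows.filter((r) => !(r.id === id && r.tenant_id === this.tenant));
    return before - this.rows.length; // rows deleted
  }
}

// The isolation check behind "how is it tested?": act as one tenant against
// every row another tenant owns. makeRepo builds a repository from a fresh copy
// of the rows and the acting session; an empty result is the proof.
function crossTenantFindings(makeRepo, rows, victimTenant, actingSession) {
  const findings = [];
  for (const row of rows.filter((r) => r.tenant_id === victimTenant)) {
    const repo = makeRepo(rows.map((r) => ({ ...r })), actingSession);
    if (repo.get(row.id) !== null) findings.push(`read ${victimTenant}#${row.id}`);
    if (repo.remove(row.id) !== 0) findings.push(`delete ${victimTenant}#${row.id}`);
  }
  return findings;
}

// Run both shapes through the same check, acting as "globex" against "acme".
const asGlobex = { tenant_id: "globex" };
console.log("unscoped:", crossTenantFindings((r) => new UnscopedInvoices(r), sampleInvoices(), "acme", asGlobex));
console.log("scoped:  ", crossTenantFindings((r, s) => new TenantScopedInvoices(r, s), sampleInvoices(), "acme", asGlobex));
```

The same check runs unchanged against a real database client: swap the in-memory classes for the data-access layer under test and keep the assertion that a session for one tenant yields no reads and no deletes against another tenant's rows. That assertion, in the test suite and in CI, is what a buyer can reasonably ask to see.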

The 68% of SMBs that reported at least one SaaS-related security incident in the last twelve months didn’t sign up for one. They commissioned software. The incidents came free with the build.

And reputational damage is the one most underestimated. You can recover from a fine. You can rebuild a database. Rebuilding customer trust after a public disclosure — particularly in a mid-market segment where buyers research before they sign — costs far more than the price difference between the seven-day build and the sixty-day one.

Vibe coding has a legitimate home — just not this one

This isn’t an argument against AI-driven development. It would be a strange argument for us to make, given that we run on four purpose-built AI systems ourselves. Used well, the tooling is extraordinary.

Vibe coding is genuinely excellent for:

  — Prototypes
  — Internal tools
  — Throwaway scripts
  — Exploration
  — Wireframes

The pattern in all five is the same: low blast radius, single-tenant, no real users, no real data, no real money. That’s where AI-driven generation shines, and that’s why Karpathy himself reframed it as “agentic engineering” rather than “vibe coding” — to make the orchestration and oversight visible, instead of pretending the code wrote itself.

The problem isn’t the tool. The problem is using a prototyping tool as a delivery method for software with real users on the other end of it.

What production work for paying clients actually requires

When the people on the other end of the software are paying customers, the bar moves. The 20% that vibe coding can’t reach on its own is where production engineering lives:

  — Multi-tenant data isolation
  — Real authn/authz boundaries (not just login screens)
  — Edge cases and failure recovery
  — Audit logs
  — Secrets management

You can absolutely use AI to do this work faster. We do. But “faster” is a multiplier on a process that already exists. If the process underneath is “prompt and ship,” multiplying that gets you to the time bomb sooner, not to a better product.

The question every buyer should ask

If you’re commissioning software right now and someone is quoting you AI-driven delivery, ask them this:

  1. How do you handle multi-tenant data isolation, and how is it tested?
  2. Who reviews the generated code, against what checklist?
  3. Where do API keys and secrets live, and how do I see proof they aren’t in the bundle?
  4. What’s your rollback strategy when something breaks at 2am?
  5. If a regulator audits this build in eighteen months, who answers the questions?
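Question 3 asks for proof rather than a promise. One form that proof can take, as an added example that is not code from the post or from any project it describes, is a scan of the built client bundle for credentials that must stay server-side. It relies on two facts: Stripe secret keys start with sk_live_/sk_test_ (the pk_ publishable keys are the ones designed for the browser), and Supabase keys are JWTs whose "role" claim is "anon" (client-safe) or "service_role" (bypasses row-level security, server only). The four-line bundle and every key in it are constructed placeholders.

```javascript
// Added example (not the post's code): the check behind "how do I see proof
// they aren't in the bundle?". It scans built client-side JavaScript for
// credentials that must stay server-side and returns the findings, so the
// answer is a CI step rather than a promise. Facts relied on: Stripe secret
// keys start with sk_live_/sk_test_ (publishable pk_ keys are meant for the
// browser) and Supabase keys are JWTs whose "role" claim is "anon" (client-safe)
// or "service_role" (bypasses row-level security, server only). The bundle
// below and every key in it are constructed placeholders, not real credentials.

const SECRET_PATTERNS = [
  { name: "stripe secret key", re: /\bsk_(?:live|test)_[0-9A-Za-z]{8,}/g },
];
// header.payload.signature in base64url; a JSON header always encodes to "eyJ".
const JWT_RE = /\beyJ[0-9A-Za-z_-]+\.([0-9A-Za-z_-]+)\.[0-9A-Za-z_-]+/g;

const b64url = (s) => Buffer.from(s, "utf8").toString("base64url");

// Decode a JWT payload segment without verifying it (we only want the claim).
function decodeJwtRole(payloadSegment) {
  try {
    const claims = JSON.parse(Buffer.from(payloadSegment, "base64url").toString("utf8"));
    return typeof claims.role === "string" ? claims.role : null;
  } catch (e) {
    return null;
  }
}

// Build an unsigned, constructed JWT with the given payload (sample data only).
function constructedJwt(payload) {
  return `${b64url('{"alg":"HS256","typ":"JWT"}')}.${b64url(JSON.stringify(payload))}.${b64url("fake-sig")}`;
}

// Scan bundle text line by line; returns one finding per secret, with only a
// short prefix of the matched value so the report itself does not leak it.
function scanBundle(text) {
  const findings = [];
  text.split("\n").forEach((line, idx) => {
    for (const p of SECRET_PATTERNS) {
      for (const m of line.matchAll(p.re)) {
        findings.push({ line: idx + 1, rule: p.name, sample: m[0].slice(0, 10) + "..." });
      }
    }
    for (const m of line.matchAll(JWT_RE)) {
      if (decodeJwtRole(m[1]) === "service_role") {
        findings.push({ line: idx + 1, rule: "supabase service_role jwt", sample: m[0].slice(0, 10) + "..." });
      }
    }
  });
  return findings;
}

// Constructed four-line "bundle": lines 1 and 2 are client-safe, 3 and 4 are not.
const SAMPLE_BUNDLE = [
  'const stripe = Stripe("pk_test_EXAMPLEPUBLISHABLE0000");',
  `const db = createClient(SUPABASE_URL, "${constructedJwt({ role: "anon" })}");`,
  `const admin = createClient(SUPABASE_URL, "${constructedJwt({ role: "service_role" })}");`,
  'fetch("https://api.stripe.com/v1/charges", { headers: { Authorization: "Bearer sk_test_EXAMPLESECRET0000" } });',
].join("\n");

console.log(scanBundle(SAMPLE_BUNDLE));
```

Run it over the files in the build output directory (the `.next` or `dist` folder on a Vercel deploy) as a CI step that fails on any finding. A scan like this catches the two cases the post describes, a secret key pasted into a fetch call and a service-role client created in browser code; it does not replace a review of where each key is read from, because a secret that reaches the bundle through an environment variable prefixed for public exposure looks identical in the output.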

If the answers are vague, fast, or vibes-based, you’re not buying a cheaper product. You’re buying a time bomb with their initials on the build and your business name on the invoice.

If you’d like the boring, expensive 20% built in from day one — the part that makes the difference between a demo and a product — that’s the work we do. Have a chat with us.


Social Package

LinkedIn

I met a developer at a meetup last month who’d shipped four SaaS products for clients in three months. Each one took about a week.

I asked how he handled multi-tenant data isolation across the four apps. He looked at me like I’d asked him for the molecular weight of helium.

The “2 months vs 1 week” pitch only works if the deliverables match. They don’t. One is a product. The other is a working demo that happens to be running in production with real customers’ data inside it.

What gets skipped when “AI lets us ship it in a week”:

— Multi-tenant data isolation (the difference between an app and a class-action)
— Real authn/authz boundaries (not just login screens)
— Edge cases and failure recovery
— Audit logs (the things regulators ask for)
— Secrets management (45% of AI-generated code ships with a known vulnerability — Veracode, 2025)

None of it is on the invoice. All of it is in the product.

Vibe coding is a brilliant prototyping tool. It is not a delivery method for software with real users on the other end of it. The difference matters most for the client — because when something breaks, the contractor doesn’t lose customers. The business that paid for the build does.

Worth asking your next quote: who answers the questions when a regulator audits this in 18 months?

#softwaredevelopment #ai

Twitter/X Thread

1/ Met a developer at a meetup who’d shipped 4 SaaS products for clients in 3 months. One week each.

I asked how he handled multi-tenant data isolation across them.

He looked at me like I’d asked the molecular weight of helium.

2/ The pitch is always “AI lets us ship it in a week instead of two months.”

But that comparison only works if the deliverables are the same.

They aren’t. One is a product. The other is a demo running in production.

3/ What’s the difference?

The 20% the AI can’t reach on its own:
— Multi-tenant data isolation
— Real authn/authz boundaries (not just login)
— Edge cases and failure recovery
— Audit logs
— Secrets management

The boring expensive part. Where the time bomb hides.

4/ The numbers aren’t subtle.

Veracode: 45% of AI-generated code ships with a known vulnerability. 41% of AI-generated backend code has overly broad permissions. Cloud Security Alliance: vibe-coded apps regularly expose API keys in client-side JS.

Every prompt is a roll of those dice.

5/ Here’s the part nobody says out loud:

When a vibe-coded build leaks data, the contractor doesn’t get sued. You do. Your business name is on the data collection. Your customers walk. Your insurer raises premiums.

The 20% wasn’t on the invoice. It’s still in the product.

6/ Vibe coding is genuinely brilliant for:
— Prototypes
— Internal tools
— Throwaway scripts
— Exploration
— Wireframes

Low blast radius. Single tenant. No real users.

The problem is using a prototyping tool as a delivery method.

7/ Five questions every buyer should ask a fast-AI-build quote:

  1. How do you isolate multi-tenant data?
  2. Who reviews generated code, against what?
  3. Where do secrets live? Prove it.
  4. Rollback strategy at 2am?
  5. Who answers a regulator in 18 months?

If the answers are vibes, walk.

8/ Wrote the long version of this, with the stats and the buyer’s checklist:

[link]

Reply with the most outrageous thing you’ve inherited from a “we built it in a week” handover. I’ll start: an unscoped DELETE.

Email Excerpt

I met a developer at a meetup last month who’d shipped four SaaS products for paying clients in the last three months. Each one took about a week.

I asked him how he handled multi-tenant data isolation across the four apps. He blanked.

The pitch is always: “AI lets us build it in a week, not two months.” But the comparison only works if the deliverables match — and they don’t. One is a product. The other is a working demo that happens to be running in production with real customers’ data inside it.

When AI-driven delivery skips the boring 20%, the cost doesn’t disappear. It gets transferred — to the business whose name is on the invoice when a regulator calls. Here’s what’s actually in the box you bought, and the five questions every buyer should ask before signing.

Read the full post →