A year ago, you typed code. Today, you talk about\u00a0it.<\/p>\n
Somewhere between Andrej Karpathy\u2019s now-famous February 2025 tweet about \u201cvibe coding\u201d and the explosion of tools like Claude Code, Cursor, and Windsurf, the way developers build software changed. We stopped writing every line by hand and started having conversations with AI\u00a0instead.<\/p>\n
But here\u2019s where it gets messy. People started calling everything \u201cvibe coding,\u201d from a Saturday-night side project to the way Anthropic engineers ship production code. Karpathy himself came back in February 2026 to clean it up. He proposed a better name for the serious version: agentic engineering<\/strong>.<\/p>\n So which one are you actually doing? And which one should<\/em> you be\u00a0doing?<\/p>\n This guide breaks down both, shows you what they look like in real code, walks through the security traps nobody warns you about, and helps you figure out where each approach actually fits. No buzzwords. No hype. Just the stuff you need to know before your next pull\u00a0request.<\/p>\n Vibe coding is exactly what it sounds like. You describe what you want in plain English, the AI builds it, and you ship it without reading every\u00a0line.<\/p>\n You\u2019re going with the flow. The AI is the engineer. You\u2019re the product manager who says \u201cmake the button blue\u201d and trusts the\u00a0result.<\/p>\n It looks something like\u00a0this:<\/strong><\/p>\n You: \u201cBuild me a to-do app where users can add tasks, mark them done, and filter by\u00a0status.\u201d<\/em>AI: <\/em>Generates 200 lines of React\u00a0code.You: \u201cCool, ship\u00a0it.\u201d<\/em><\/p>\n That\u2019s vibe coding. No code review. No questions about architecture. No checking what dependencies got pulled in. Just\u00a0vibes.<\/p>\n And honestly? It works great for a lot of things. Weekend hacks. Throwaway prototypes. That landing page you need by Friday. A tool only you will ever\u00a0use.<\/p>\n The problem starts when \u201cship it\u201d means \u201cdeploy to a server with real users and real\u00a0data.\u201d<\/p>\n Agentic engineering keeps the same AI tools but adds something vibe coding throws away: your judgment<\/strong>.<\/p>\n You\u2019re still not typing every keystroke. You\u2019re directing AI agents that read your codebase, run tests, fix failures, and open pull requests. But you scope the work, you review the output, and you own the\u00a0result.<\/p>\n Karpathy split the term into two halves on purpose. Agentic<\/em> means agent-driven, you\u2019re orchestrating the work, not doing it. Engineering<\/em> means there\u2019s still craft, judgment, and expertise involved. The agent is your collaborator, not your replacement.<\/p>\n A typical agentic engineering session looks more\u00a0like:<\/p>\n Write a clear specification (often in a file like AGENTS.md or CLAUDE.md)Ask the agent to plan before it\u00a0codesLet the agent implement and run the test\u00a0suiteReview the diff like you would any teammate\u2019s pull\u00a0requestIterate when something\u2019s off<\/p>\n Less \u201cmake me an app.\u201d More \u201chere\u2019s the architecture, here are the constraints, here are the tests, now\u00a0go.\u201d<\/p>\n Vibe coding optimizes for the speed of getting something working<\/strong>. Agentic engineering optimizes for confidence that what got built will keep\u00a0working<\/strong>.<\/p>\n That\u2019s it. That\u2019s the whole framework.<\/p>\n Speed matters when you\u2019re testing an idea. Confidence matters when other people depend on the thing you\u00a0built.<\/p>\n Let\u2019s get concrete. Here\u2019s the same task handled both ways, so you can see where the gap actually shows\u00a0up.<\/p>\n The task:<\/strong> Build an API endpoint that lets users update their email\u00a0address.<\/p>\n You\u2019d type something like: \u201cAdd an endpoint to update a user\u2019s\u00a0email.\u201d<\/em><\/p>\n The AI gives you\u00a0this:<\/p>\n app.post(‘\/update-email’, async (req, res) => { It runs. Postman returns a 200. You move\u00a0on.<\/p>\n But look at what\u2019s missing. Anyone who knows a userId can change anyone’s email. There’s no authentication check. No validation that the email is actually an email. No rate limiting. No verification email. The user could enter “haha not an email” and it would\u00a0save.<\/p>\n This is the vibe coding trap. The code works<\/em> in the narrow sense that it doesn\u2019t crash. It\u2019s also a security incident waiting to\u00a0happen.<\/p>\n You write a spec first. Something like:<\/p>\n # Task: Email Update Endpoint<\/p>\n ## Requirements You hand this to the agent. It plans, implements, runs the tests, and produces something more\u00a0like:<\/p>\n import rateLimit from ‘express-rate-limit’; const emailSchema = z.object({ Same feature. Roughly the same effort on your end. Massively different outcome.<\/p>\n The agent did the typing. You did the thinking about what \u201cupdate an email\u201d actually means in a system real humans\u00a0use.<\/p>\n Vibe coding gets dunked on a lot, but it has a real place. Use it\u00a0when:<\/p>\n You\u2019re prototyping an idea.<\/strong> Speed matters more than polish. You\u2019ll throw the code away\u00a0anyway.It\u2019s a personal tool.<\/strong> A script that organizes your photos doesn\u2019t need an audit\u00a0log.The blast radius is tiny.<\/strong> No real users, no real data, no integrations with anything that\u00a0matters.You\u2019re learning.<\/strong> Sometimes you just need to see code working to understand how something fits together.It\u2019s a one-off.<\/strong> A migration script, a data cleanup, a quick analysis.<\/p>\n Vibe coding is a hammer. Useful, but not for every\u00a0problem.<\/p>\n Pretty much everything else. Specifically:<\/p>\n Production systems.<\/strong> Anything users depend\u00a0on.Anything touching money, identity, or health data.<\/strong> Mistakes here aren\u2019t bugs, they\u2019re incidents.Multi-developer codebases.<\/strong> Consistency matters when other humans have to read what got\u00a0built.Long-lived projects.<\/strong> Code you\u2019ll maintain for years deserves the upfront\u00a0thought.Anything regulated.<\/strong> Healthcare, finance, government, education. Auditors don\u2019t care that \u201cthe AI did\u00a0it.\u201d<\/p>\n The deeper truth: most professional code falls into the agentic engineering bucket. Vibe coding is the exception, not the\u00a0default.<\/p>\n This is where vibe coding goes from risky to genuinely dangerous, and it\u2019s the section most blog posts hand-wave through. Let\u2019s\u00a0not.<\/p>\n Recent research isn\u2019t kind to AI-generated code. Studies have found that around 45% of AI-generated code contains classic vulnerabilities<\/strong> from the OWASP Top 10, and that figure has barely budged in two years. Roughly 20% of vibe-coded apps ship with serious vulnerabilities or misconfigurations<\/strong> baked\u00a0in.<\/p>\n Researchers at Georgia Tech\u2019s School of Cybersecurity built a scanner that hunts for AI-introduced vulnerabilities in public security advisories. They\u2019ve already confirmed dozens of cases, with critical and high-risk severity\u00a0ratings.<\/p>\n This isn\u2019t a future problem. It\u2019s already happening.<\/p>\n Here are the security failures that show up over and over in vibe-coded apps:<\/p>\n Hardcoded secrets.<\/strong> API keys, database passwords, and tokens end up directly in the source code. The AI doesn\u2019t know what\u2019s a secret, so it just leaves placeholders that developers forget to\u00a0remove.<\/p>\n Authentication that gets quietly weakened.<\/strong> During iterative prompting (\u201cmake it work without the login for now\u201d), auth checks get removed and never put back. Endpoints stay\u00a0exposed.<\/p>\n SQL injection and similar attacks.<\/strong> AI-generated code often concatenates user input directly into queries instead of using parameterized statements. It compiles. It runs. It\u2019s also wide\u00a0open.<\/p>\n Slopsquatting.<\/strong> This one\u2019s wild. AI sometimes hallucinates package names that don\u2019t exist. Attackers register those exact names with malicious code inside, knowing the AI will keep suggesting them. Your app installs malware on npm\u00a0install.<\/p>\n Authorization holes.<\/strong> The AI builds the happy path. It rarely checks \u201cshould this user be allowed to do this?\u201d The endpoint above (where you can change anyone\u2019s email by passing their userId) is a textbook\u00a0example.<\/p>\n Dependency bloat.<\/strong> AI pulls in whatever library makes the code work fastest. You end up with hundreds of transitive dependencies you\u2019ve never reviewed, each one a potential entry\u00a0point.<\/p>\n Security in AI-assisted development isn\u2019t about banning the tools. It\u2019s about building habits that catch what AI\u00a0misses:<\/p>\n Run AI-generated code through static analysis.<\/strong> Tools like Semgrep, Snyk, or your existing SAST scanner. Treat AI output the same way you\u2019d treat code from a junior contractor: assume nothing, verify everything.<\/p>\n Use prompt-level guardrails.<\/strong> Add security requirements to your spec files. Things like \u201call endpoints require authentication,\u201d \u201call user input must be validated with a schema,\u201d \u201cnever log secrets.\u201d Modern coding agents respect these when they\u2019re in CLAUDE.md or AGENTS.md.<\/p>\n Pin dependencies and review what gets installed.<\/strong> Don\u2019t let the agent freely add packages. Require approval for new dependencies, even if it slows you\u00a0down.<\/p>\n Test the running app, not just the code.<\/strong> Dynamic Application Security Testing (DAST) tools probe your actual deployed app for vulnerabilities. They catch the stuff that looks fine in code but is exploitable at\u00a0runtime.<\/p>\n Keep humans in the review loop.<\/strong> Especially for anything touching authentication, payments, or personal data. The agent can implement; a human still needs to\u00a0approve.<\/p>\n The bottom line: AI doesn\u2019t know your threat model. You do. Don\u2019t outsource that\u00a0part.<\/p>\n If you\u2019ve been vibe coding and want to level up to agentic engineering, you don\u2019t have to overhaul everything tomorrow. A reasonable path:<\/p>\n Start writing specs.<\/strong> Even a paragraph helps. Tell the agent what you want, the constraints, and how you\u2019ll know it\u00a0worked.Add an AGENTS.md or CLAUDE.md to your repo.<\/strong> Describe your stack, your conventions, your security requirements. Every agent that touches the repo will read\u00a0it.Make tests non-optional.<\/strong> If the agent can\u2019t write a passing test for the change, the change isn\u2019t\u00a0done.Review the diff before merging.<\/strong> Even a five-minute scan catches a\u00a0lot.Run a security scan in CI.<\/strong> Set it up once, benefit\u00a0forever.<\/p>\n You\u2019ll move slower for a week. You\u2019ll move faster for the rest of the\u00a0project.<\/p>\n Vibe coding and agentic engineering aren\u2019t enemies. They\u2019re tools for different jobs.<\/p>\n If you\u2019re sketching, exploring, or building something that nobody but you will ever use, vibe coding is fine. Have fun. Move\u00a0fast.<\/p>\n If you\u2019re shipping software that other people will run, depend on, or trust with their data, agentic engineering is the bar. The AI still does most of the typing. You still do the engineering.<\/p>\n The shift happening in 2026 isn\u2019t really about AI replacing developers. It\u2019s about what \u201cbeing a developer\u201d means now. Less time writing for-loops, more time writing specs. Less time debugging syntax errors, more time reviewing pull requests from agents. Less typing, more thinking.<\/p>\n Pick the right approach for the work in front of you. And whatever you do, please run a security scan before you\u00a0deploy.<\/p>\n Found this useful? The agentic engineering field is moving fast; what\u2019s true today might shift in three months. Bookmark this and check back, or experiment with both approaches on your next side project to feel the difference firsthand.<\/em><\/p>\n Vibe Coding vs Agentic Engineering: Which One Should You Actually Use in 2026?<\/a> was originally published in Coinmonks<\/a> on Medium, where people are continuing the conversation by highlighting and responding to this story.<\/p>","protected":false},"excerpt":{"rendered":" A year ago, you typed code. Today, you talk about\u00a0it. Somewhere between Andrej Karpathy\u2019s now-famous February 2025 tweet about \u201cvibe coding\u201d and the explosion of tools like Claude Code, Cursor, and Windsurf, the way developers build software changed. We stopped writing every line by hand and started having conversations with AI\u00a0instead. But here\u2019s where it […]<\/p>\n","protected":false},"author":0,"featured_media":167589,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-167588","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-interesting"],"_links":{"self":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts\/167588"}],"collection":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=167588"}],"version-history":[{"count":0,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts\/167588\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/media\/167589"}],"wp:attachment":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=167588"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=167588"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=167588"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}What Is Vibe\u00a0Coding?<\/h3>\n
What Is Agentic Engineering?<\/h3>\n
The Real Difference, In One\u00a0Sentence<\/h3>\n
Real-Life Code\u00a0Examples<\/h3>\n
Vibe Coding\u00a0Approach<\/h3>\n
const { userId, newEmail } = req.body;
await db.users.update({
where: { id: userId },
data: { email: newEmail }
});
res.json({ success: true });
});<\/p>\nAgentic Engineering Approach<\/h3>\n
– Authenticated users can update their own email only
– New email must be validated (RFC 5322)
– Send a verification email to the new address before committing
– Old email should remain active until verification
– Rate limit: 3 attempts per hour per user
– Audit log entry for the change
## Tests Required
– Unauthorized requests rejected with 401
– Cross-user updates rejected with 403
– Invalid email format rejected with 400
– Rate limit returns 429 after 3 attempts<\/p>\n
import { z } from ‘zod’;
import { requireAuth } from ‘.\/middleware\/auth.js’;
import { sendVerificationEmail } from ‘.\/services\/email.js’;
import { auditLog } from ‘.\/services\/audit.js’;<\/p>\n
newEmail: z.string().email()
});
const limiter = rateLimit({
windowMs: 60 * 60 * 1000,
max: 3,
message: ‘Too many email change attempts’
});
app.post(‘\/update-email’, requireAuth, limiter, async (req, res) => {
const result = emailSchema.safeParse(req.body);
if (!result.success) {
return res.status(400).json({ error: ‘Invalid email format’ });
}
const { newEmail } = result.data;
const userId = req.user.id; \/\/ from auth middleware, not request body
const token = await createVerificationToken(userId, newEmail);
await sendVerificationEmail(newEmail, token);
await auditLog.record({ userId, action: ’email_change_requested’, newEmail });
res.json({
message: ‘Verification email sent. Please confirm to complete the change.’
});
});<\/p>\nWhen Vibe Coding Is Actually the Right\u00a0Call<\/h3>\n
When Agentic Engineering Is the Right\u00a0Call<\/h3>\n
Security: The Part Everyone Glosses\u00a0Over<\/h3>\n
The Numbers<\/h3>\n
What Actually Goes\u00a0Wrong<\/h3>\n
What Actually\u00a0Helps<\/h3>\n
How to Make the Switch (If You Need\u00a0To)<\/h3>\n
Conclusion<\/h3>\n
Quick Reference<\/h3>\n