Before we start, my credentials: I’m a software engineer at a big tech company that uses AI coding tools like Cursor and Copilot. I write production code daily, deal with real-world incidents, and yes, I do this for a living.

AI is amazing — it unlocks things you never thought you could do. But it’s also a dangerous tool. So, BEWARE! Here’s how to vibecode1 without setting your laptop (or career) on fire — straight from someone in the trenches.

1. Don’t Use It for Important Stuff

I’m not here to yell at you or gatekeep software. AI coding tools are here, people will use them, and honestly, it’s great to see coding becoming more accessible.

That said, vibecoding is a loaded gun—and not a tiny one. There’s a reason software engineers spend years getting told “no, not like that” by more experienced peers. It’s easier to write bad code than good code, and AI can only help so much.

So here’s lesson one: don’t vibecode anything important. I know, I know: you want to build an app, launch a startup, make millions. But that’s 1) a gambler’s fantasy and 2) incredibly risky. If you’re dealing with money, private data, or anything sensitive, just don’t. Even experienced engineers mess this up, and when they do, it’s catastrophic.

2. Security Is Not a Vibe

I know, you’re tired of this warning already. But I’m repeating myself because you are not as safe online as you think. Even if you’re careful, you don’t have the knowledge to spot every trap.

Rule of thumb: If it touches money, double-check it. Then triple-check it. Then ask yourself if you even need it in the first place. Same for private data. And connecting to the internet.

But advice is boring—examples are scarier.

1. AI will happily serve you security vulnerabilities.
   A developer spun up a website using Copilot. It looked great, worked fine… until he checked the code and found zero protection against SQL injections. Had he launched it, hackers would have cracked it in under an hour. When he asked ChatGPT to fix it, it did – but he knew what to ask for. You, dear reader, don’t know what a SQL injection is2, why it’s bad3, or if ChatGPT actually fixed it4.

2. Vibecoding made this one guy’s project an all-you-can-steal buffet. He shared his AI-coded app, launched it on Twitter, and within hours:

• Users bypassed his subscription paywall (free pro features!)

• Bots maxed out his API keys (costing him $$$)

• Hackers corrupted his database (more $$$)

He thought he was unlucky, and that one bad guy found his stuff. He wasn’t. The internet is full of people who will steal your money the second you give them an opening. You are never safe, and there’s thousands of them.

If you don’t understand how you’re deploying your project, how your database authentication works, or who has access to what, you’re already compromised.

Senior AI “entrepreneurs” will tell you, “Oh, just ask ChatGPT to write secure code.” But AI is a professional liar – it hallucinates, bullshits, and will cheerfully assure you that your security holes are fine.

There’s a massive gap between “it works on my computer” and “it’s safe on the internet.” You cannot protect what you don’t understand, and AI is building things you don’t understand. Q.E.D.5

Now, if you’re following my advice, here are some tips to make the process go a bit smoother.

3. “It compiles” isn’t the same as “it works”

Compilation is the process of transforming the code you wrote in a programming language into another language, one that is closer to the machine and not really meant for humans to read. When code compiles, it simply means that the syntax is correct – the structure of the code follows the rules of the language, and the computer can process it.

However, just because code compiles does not mean that it works. Code that works is code that behaves as expected – it produces the correct results, does what you wanted it to, handles inputs properly, and doesn’t break under real-world conditions. AI-generated code will often compile just fine, but that does not mean it’ll work when time comes to ship it.

AI does not understand intent. It will generate something that follows your request literally, but it will not grasp the deeper logic of what you meant. Despite the name, AI coding tools do not “think” or “understand” – they just predict plausible-looking text. The illusion is deep, but you will find the bugs in the matrix, and it won’t quite do what you want.

To avoid this, it is important to be as precise as possible when describing what you want. Instead of just asking for code that performs a task, describe the expected behavior in detail. AI needs clear instructions, not assumptions.

4. Debugging Is 80% of the Work—And AI Makes It Harder

If you’re new to coding, just getting a few lines to compile might feel like a huge victory. But any software engineer will tell you: that’s only the first step. The real battle is making sure the code actually works, and that means debugging.

Debugging AI-generated code is even trickier because AI doesn’t write code the way a human would. A human gradually builds an understanding of their own code, adding comments, structuring it logically, and keeping track of decisions. AI on the other hand, generates code in disconnected chunks, often without a clear structure. This makes it much harder to figure out where things go wrong.

5. Write tests! AI is actually perfect for that

Testing your application manually is a pain. If you're building a website, you have to start the server, spin up the database, load the app, and then click around endlessly just to see if one tiny function works. Luckily, there's a better way: automated testing. Thankfully, this is a format where AI truly shines!

Tests are little bits of code that don’t run in production but can be executed on their own to verify that everything behaves as expected. There are two main types you’ll want to write: unit tests and end-to-end (e2e) tests.

Unit tests focus on small, isolated pieces of your code — usually individual functions. AI is absurdly good at generating them. The trick is to start by making sure the AI understands what the function is supposed to do. Before generating tests, prompt it with:

"Write a comment that documents the behavior of this function."

Once the AI summarizes it correctly, you can then ask:

"Generate unit tests for this function, covering all edge cases."

The AI will handle the tedious work of writing the tests; you just need to double-check that the expected results actually match reality. A good rule of thumb: if a function takes more than one sentence to explain, write a test for it.

End-to-end tests take a step back and look at your app as a whole, mimicking real user behavior. Instead of testing individual functions, they check the entire workflow. For example:

• Filling out a signup form, then

• Submitting the form, then

• Logging in with the newly created account, END
  

E2E tests don’t care about what happens inside the code at each step; they just make sure the feature works from start to finish.

Each type of test does something different, and they are both useful for a healthy app. Unit tests are great for pinpointing where something is broken. They make debugging manageable since you're only working with small chunks of code. But even if all your unit tests pass, the interactions between components can still fail—this is where E2E tests save you.

Testing is something most software engineers hate to do, because you have to be so precise to test all the edge cases, all the weird stuff, and it takes a lot of effort to make sure it’s written correctly. It one of the only steps where I truly see the value as a professional – so take advantage of it!

6. Learn What’s Under the Hood

Let’s say you’ve done everything by the book: you’ve used AI to write your code, you’ve written tests, and everything seems to be working fine. Then, one day, your app goes viral. A flood of users sign up, and suddenly… everything grinds to a halt.

Why? Because deep in your code, there’s a function that loops over an array (a list of things with certain properties) twice in a nested fashion6. When you were testing, the array had maybe 10 items. Now that thousands of users are sending data, that same function is choking on millions of entries. Your app isn’t just slow – it’s unusable.

This is the kind of issue that tests won’t catch. Your function still works perfectly… just at a scale too small to reveal the disaster waiting to happen. And it’s not just performance. Concurrency issues in databases7, memory leaks8 – these problems only show up under real-world conditions, and if you don’t know what to look for, they’ll blindside you.

AI can help, but you need to know what to ask. To avoid these pitfalls, you need to learn enough to ask the right questions. AI is great at answering things, but only if you feed it the right prompts.

These are just the first layer of questions. The real key is to keep asking "why?" Don’t stop at an AI-generated answer—make it name the concept, tool, or algorithm so you can look it up yourself. This is how you go from vibecoding to actually understanding what’s happening under the hood.

Last bit of advice: don’t ask coding AIs like Cursor – they’re not meant for it. Use a general AI like ChatGPT, but always double-check. AI is confident, but confidence isn’t the same as correctness

7. Read Every Line of Code, VERY Carefully

At this point, you’ve generated code, made sure it compiles, tested and debugged it until it behaves correctly, and asked AI what’s happening under the hood. Now it’s time for ⭐ code review ⭐, where you take a critical look at everything and make sure you haven’t made a catastrophic mistake.

The challenge? Reading is passive. Writing forces you to think through every step, but when AI does the writing, you lose the deep understanding that comes from struggling through it yourself. Software engineers deal with this all the time when reviewing each other’s code, but they have safeguards:

• Code review limits (e.g., “no more than 1,000 lines at a time”).

• Detailed explanations of what changed and why.

• Colleagues who (hopefully) aren’t trying to sneak nonsense past them.
  

Personally, I do the opposite of what I just described: I write the feature myself first, then ask AI to summarize it, suggest edge cases, and help me test it. If I let AI write the whole thing, I fall into passive mode and inevitably miss major problems.

I’m not saying this to gloat – it’s just that writing a clear prompt for AI often requires as much effort – if not more! – as writing the code itself. AI is most useful when it’s handling tedious autocomplete-style work, not when it’s taking wild guesses based on a vague request.

Since you don’t have the option of writing code from scratch, you have to be extra careful when reviewing AI’s output. Read every line. Think critically. Try to understand all the implications. If something looks weird, assume it’s wrong until proven otherwise.

8. Git Is Your Friend—Version Control Is a Must

Ever heard of version control? Think of it like Google Docs' version history, but for code (and way more powerful). The industry standard is git, and while it can get complicated, for a solo project you only need a few basic commands:

• commit – Saves your work as a snapshot. Think of it as a "checkpoint" in a video game. If your code is working (or at least kinda working), commit it.

• log – Shows a history of your commits. Useful when you realize, "Wait, when did everything break?"

• revert – rolls back a specific commit. This is your undo button—if you commit often, this will take you back to the last stable version. It’s easier than ctrl-z, because lines of code are often interdependent, so you need to change a bunch of files at once.

• push / pull – If you’re saving your code online (like on GitHub), these commands sync it with the cloud. Optional if you’re working locally, but a lifesaver if your laptop dies.

That’s all you really need for a basic project. No need to worry about other stuff you’ll find in tutorials like branches, merges, or rebases, unless you start collaborating with others.

But why do I need this? Well, one of AI’s worst habits is chaotic, unnecessary changes. Ask it to tweak one file, and suddenly it’s “helpfully” rewriting half your codebase. Now you're stuck trying to untangle the mess.

On top of that, software development is iterative, which means you often have to undo or redo things to make new stuff work. git makes all of this easy as cake! It also forces you to save a copy of your work in the cloud, so that when your macbook finally dies, you won’t cry too many tears (only $3,000, sorry).

And when Git inevitably confuses you (it confuses everyone), here’s a lifeline: Oh Shit, Git!?!

9. You will NOT become a software engineer by vibecoding

I know everyone is shilling their ai-training-become-rich-startup-money course right now, but don’t fall for that. Software engineering is a complex thing to master, and it takes time, effort, and education to get there. You can definitely get yourself to a decent level on your own, but it won’t be by vibecoding.

Don’t pretend, or you will be mocked. We (software engs) aren’t making fun of Melinda in sociology who’s using AI to code nice visualisations of her data! She’s using a tool to enhance her work, double checking the results with her professional knowledge and making sure it’s all safe and good. No, but we are laughing at 20 yo college student Kevin who thinks he’s better than everyone else because he coded a (broken, unsafe, unmaintainable) app over the week-end, checkmate old nerds.

If you’re serious about learning, then get yourself on a university e-course9 and follow those lectures. It will teach you all those fundamentals I was talking about. Then practice, a lot, and mostly on your own. Write your code first, and then ask the AI about it – either to double check, or when you’re stuck. But all in all, use your own brain and your own thinking capabilities to build those problem-solving muscles.

10. Ask for help before putting anything on the internet

If your app connects to the internet in any way, you need to have it audited by a professional. No exceptions. I know it’s expensive. I know they’ll tell you to change a ton of things. I know it’s hard to even find someone competent and trustworthy to do it. But skipping this step is like leaving your front door wide open and hoping no one walks in.

A proper security audit will save you money, lawsuits, and sheer existential dread down the line. If you can’t afford one, then—harsh truth—you can’t afford to launch an app either.

Now, there’s one tiny problem. Professionals don’t want to touch AI-generated spaghetti code. Why? Because it’s usually incomprehensible, poorly structured, and riddled with subtle issues that make it a nightmare to review. That means if you vibecode your app, expect to pay a premium to get it audited—if you can even find someone willing to do it.

That’s the price of vibecoding safely. Either invest in security now, or get ready to learn the hard way when a botnet makes your app its new home.

Vibecode with Joy (and a Little Caution)

Congratulations! You now have the power to create all sorts of things—little tools, silly automations, weird experiments that make your life easier or just make you laugh. Coding, even vibecoding, is magic. It turns ideas into reality. It’s fun. It’s powerful. And now, it’s within your reach.

So go wild! Build things, break things, learn things. Enjoy the process. Just… maybe don’t put anything on the internet unless you’re absolutely sure it won’t get you hacked. Your local machine is a great playground. The web? That’s a battlefield.

Vibecode responsibly, and have fun!

Leave a comment

Any questions? Ask me below or by replying to this email (it’s private, only I can see anything). I’m happy to help <3

Thank you to