Digitalisation · AI · May 2026 · Reading ~18 min
In February 2025 Andrej Karpathy popularised on X the term vibe coding: letting the model write the code and guiding it through conversation, intuition and quick reviews rather than typing every line. A year later, the concept has moved from provocative tweet to professional category. Claude Code, Cursor, Windsurf, Codeium, Codex and n8n agents allow an SME (small and medium-sized enterprise) to build internal tools, automations and prototypes in hours, not weeks. This guide explains what vibe coding is, how AI agents fit into the daily workflow, real cases at Spanish SMEs, and where the serious risks lie — technical debt, quality, security — that no vendor is going to tell you about.
What vibe coding is according to Karpathy
The term was born from a tweet by Andrej Karpathy dated 2 February 2025: "There's a new kind of coding I call 'vibe coding', where you fully give in to the vibes, embrace exponentials, and forget that the code even exists". Karpathy describes the specific pattern: talking to the model in natural language, seeing what it generates, running it, asking it to fix errors without necessarily reading them oneself, and building small tools in minutes.
The phrase resonated because it named a change already under way. GitHub published in its Octoverse 2024 that 92% of professional developers used some type of AI assistant in their workflow. Anthropic, OpenAI, Google and Cursor reported in 2025 that most of their usage came from professionals who did not identify as software engineers but wrote code daily: data analysts, marketers, lawyers, consultants. Vibe coding channels that phenomenon.
Three levels of vibe coding
It is worth distinguishing three operational levels to avoid confusion in the conversation:
| Level | Description | Who | Risk |
|---|---|---|---|
| L1 · Assisted | Advanced autocomplete like Copilot. The human writes and the model suggests. | Any developer | Low |
| L2 · Conversational | The human describes what they want and the model generates complete blocks that the human reviews. | Developer and technical professional | Medium |
| L3 · Pure vibe | The human describes the objective, the model writes, executes, debugs and delivers. The human evaluates the result, not the code. | Prototypes, scripts, internal tools | High if going to production |
Karpathy describes L3. It is the most exciting and the most misunderstood: it is only safe when the scope is small, the data is non-sensitive, there are automated tests validating behaviour, and there is the possibility of throwing it away and rewriting if it goes wrong. For critical production at an SME with client data, L3 without supervision is dangerous.
The 2026 stack: Claude Code, Cursor, Windsurf, Codeium
Four tools concentrate most of the professional market in 2026. Each with its own philosophy.
Claude Code (Anthropic)
Agentic CLI published by Anthropic in May 2025 and consolidated during 2025-2026 as the reference for vibe coding in terminal. Philosophy: agent that lives in your shell, reads project files, executes commands, edits files with explicit permissions, integrates MCPs (Model Context Protocol) to connect external sources (GitHub, Notion, databases, internal APIs). Advantages: fine control, transparency (you see every command), instruction persistence via CLAUDE.md in the repository. Good for senior devs who want a serious co-pilot on long projects.
Cursor
VS Code-based editor with integrated AI. Launched by Anysphere in 2023, in 2024-2025 it became the preferred editor in the startup-tech segment. Philosophy: everyday editor with a model (Claude, GPT, Gemini, proprietary models) that indexes your codebase, answers questions, completes blocks and executes agentic actions with "Composer" mode. Advantages: polished UX, powerful shortcuts, semantic indexing of the repo. The easiest option for someone coming from VS Code who wants to move up a level.
Windsurf (Codeium)
VS Code fork created by Codeium, launched in November 2024 and very popular in 2025-2026 for its "Cascade" agent that combines file editing and command execution in a single flow. Philosophy: editor + agent without separation. Advantages: aggressive pricing on pro plans, fluid agent for multi-hour tasks, good integrations with web stack (Vercel, Next.js, Astro).
Codeium · classic plugin
Before Windsurf, Codeium was the free multi-IDE autocomplete. It remains active as a plugin for JetBrains, Eclipse, Sublime, Vim, Emacs. For profiles who do not want to change editor, it remains the option with the best IDE coverage.
Other key players
- GitHub Copilot with its "agent mode" launched in 2025. Good integration with the rest of the GitHub ecosystem.
- OpenAI Codex CLI, OpenAI's terminal agent launched in 2025.
- Cline, open-source VS Code agent that allows using your own API key.
- Aider, open-source CLI focused on git: each agent change is a commit. Excellent for auditing.
- Replit Agent, agent integrated in Replit that builds full-stack apps from a prompt.
- Vercel v0 for generating React/Next.js components from prompts.
Which to choose based on context
| Context | 2026 recommendation |
|---|---|
| Marketing / consultant wanting to automate tasks | Claude Code with MCPs (Notion, Google Workspace) or Cursor |
| Senior dev team in SaaS | Cursor + Claude Code in parallel, depending on task |
| Team needing granular auditing | Aider (each change is a signed commit) |
| UX designer prototyping | Vercel v0 + Cursor |
| Company with JetBrains stack | Codeium classic or JetBrains AI Assistant |
| Improved no-code | Replit Agent or Cursor locally without prior codebase |
n8n agents and visual orchestration
While Cursor and Claude Code occupy the dev side of the workflow, on the operations side the main actor is n8n. The open-source automation platform published its "AI Agent" nodes in 2024 and during 2025-2026 made them the standard pattern for composing agents without writing code:
- AI Agent node supporting Anthropic, OpenAI, Google, Mistral, Groq, local models via Ollama.
- Tools the agent can invoke: JavaScript/Python code execution, HTTP calls, SQL queries, read/write for Notion, Sheets, Airtable, Slack, Telegram.
- Persistent memory (Postgres, Redis, vector store).
- Workflow tools: one agent can invoke another n8n workflow as a tool, chaining specialised agents.
The typical pattern in an SME: a workflow that listens to an incoming email, analyses it with an AI agent, decides whether it is an invoice, lead, complaint or support ticket, and routes automatically — all without a developer maintaining code. The learning curve is hours, not weeks.
Alternatives to n8n for SMEs
- Make (formerly Integromat). Visual, commercial, with AI support. Even gentler curve than n8n but less control.
- Zapier AI. Integrates AI agents into its zaps. Good SaaS coverage, high price at scale.
- Pipedream. Code-first with AI, for more technical profiles.
- Vercel Workflow / Workflow DevKit. If your stack already lives in Vercel, look at the durable-execution option with TypeScript.
- LangFlow / LangGraph. If you need complex graphs with branches and human review in the loop.
Real SME cases
Three cases illustrating the ROI when vibe coding is applied well — and two where it was better to stop.
Case 1 · Law firm (8 people)
Problem: 6-8 hours per week for the paralegal reviewing standard contracts and extracting clauses for a tracking sheet. Solution vibe-coded in Claude Code (2 sessions of 3 hours): Python pipeline that downloads PDFs from DocuSign, passes them to a Claude agent that returns a JSON with extracted fields, then dumps to Notion. Result: paralegal recovered 5 hours/week, transcription error dropped from ~3% to ~0.4% measured over 200 contracts.
Case 2 · Niche e-commerce (4 people)
Problem: product descriptions manually written for 600 SKUs, lagging behind the supplier's real catalogue. Solution vibe-coded in Cursor (1 day): script that reads the supplier's CSV feed, uses Claude to generate a description following the brand style guide, uploads to WooCommerce via API, marks for human review. Result: catalogue updated in 48 hours, 580 entries ready, 20 flagged for manual review.
Case 3 · Marketing agency (12 people)
Problem: monthly generation of 30 client reports with data from GA4, Search Console, SEMrush. Previous time: ~40 hours/month between two analysts. Solution vibe-coded in n8n (3 sessions): workflow with scheduled triggers, agent that queries APIs, generates narrative in client format, uploads PDF to client's Drive, notifies via Slack. Result: 40 hours → 4 hours/month (review and sign-off only). Clear ROI but required intense initial review to avoid hallucinations in figures (cross-validation of numbers was added).
Anti-case 1 · Startup that tried to vibe-code its core SaaS
Team of 3 non-technical founders wanted to build their B2B SaaS product from scratch with Replit Agent and Cursor in 6 weeks. They reached a functional MVP but with three problems that exploded when onboarding the first 20 clients: (1) SQL injections not detected because the model-generated tests did not cover them, (2) inconsistent authorisation logic between modules (the agent did not maintain the security invariant), (3) massive technical debt — 18,000 lines that no team member had ever read. Refactoring required hiring a senior CTO for 3 months. Lesson: pure vibe works for self-contained internal tools, not for multi-tenant SaaS with client data in production.
Anti-case 2 · ERP migration by junior consultant
A junior consultant agreed to migrate a legacy ERP using Claude Code-generated scripts for a B2B client. Without reviews, without functional tests, with real data in pre-production. After two weeks they discovered that a "deactivation date" field had been mapped incorrectly and had marked 1,200 active clients as inactive in the new ERP. Six days of rollback work. Lesson: vibe coding does NOT replace migration design by someone with experience in the business domain.
A realistic daily workflow for 2026
For an SME starting with vibe coding, the productive workflow in the first quarter has a repeatable pattern. The typical morning development session looks like this:
- 10-minute daily stand-up where the team decides which tasks are suitable for vibe coding (self-contained, not touching payment or authentication) and which require manual coding with review.
- 90-minute block with Cursor or Claude Code for a specific objective: refactoring a module, automating a report, building a new endpoint. The agent works, the human evaluates and guides.
- Adversarial test run: the human asks the agent to write 8-10 tests that try to break the generated code. If any fail, they are fixed before moving on.
- Two-person code review: any merge to main passes through human review, even if the code is agent-generated. If the reviewer does not understand something, the author must be able to explain it (anti-pure-vibe rule).
- Merge + preview deploy with manual verification of real behaviour in the browser.
- End-of-day close: update
CLAUDE.md/.cursorruleswith any convention learned during the session, so the next one starts with more context.
This pattern maintains the speed of vibe coding without neglecting quality. Teams that skip steps 3, 4 and 6 are the ones that accumulate technical debt within months.
Risks: technical debt, quality, security
Vendors will not tell you about these risks. It is worth listing them to make decisions with clarity:
1. Invisible technical debt
Code generated by an agent can work on the first test and yet be difficult to maintain. Poorly named variables, structures that do not follow the repository style, duplicated logic, unnecessary dependencies. If no one reviews, the debt grows. The healthy practice: in each session, after the initial vibe prompt, a "guided cleanup" pass where the agent refactors following a specific style guide.
2. Deceptive test quality
Agents tend to generate tests that verify the happy path and omit edge cases. Result: apparent 90% coverage but bugs in production. The healthy practice: manually review critical tests or ask the agent to write explicit adversarial tests ("write 10 tests that try to break this function").
3. Weak security by default
Models tend to generate functional but not secure code by default. Concatenated SQL strings, lax input validation, secrets in code or logs, permissive CORS. The healthy practice: integrate a security linter (Semgrep, CodeQL, Snyk) that runs on every PR, and explicitly state in the prompt "this code goes to multitenant production, apply defence in depth".
4. Code hallucinations
The agent can invent library functions that do not exist, incorrect parameters, non-existent versions. Although in 2026 it is much less frequent than in 2023, it still happens in niche libraries. The healthy practice: always run generated code in an isolated environment before accepting it, and distrust any little-known dependency.
5. Unpredictable cost
A long Claude Code or Cursor session with very generous tokens can cost €5–20. At team volume, it scales. The healthy practice: monthly budget per person, spend monitoring, cheaper models (Haiku, Mini) for repetitive tasks and premium models only for complex reasoning.
6. Loss of the team's operational knowledge
If seniors delegate to agents and juniors never see the code, the team loses its own capacity. The healthy practice: dedicate 1-2 hours weekly to human review of generated code, in a reverse-mentoring format (juniors explain to seniors what the agent did).
7. Legal compliance and intellectual property
Code generated by an LLM trained on licensed repositories may carry licence restrictions. The main providers (Anthropic, OpenAI, GitHub Copilot Enterprise) offer conditional indemnification — read it. If your product is going to be sold to the Spanish Public Administration, validate that the licences are compatible with the open-source clause of the national scheme where applicable.
The "vibe engineer" profile in 2026
The developer market is creating a new professional category: the vibe engineer. This is not a junior who uses Cursor to code faster; it is a senior with judgement who orchestrates agents and reviews output. The competencies the market values:
- Complex prompt design (system prompts, few-shot examples, context management, MCPs).
- Critical reading of generated code in any language (polyglot by necessity).
- Adversarial test design that detects what the model will omit.
- Traditional software architecture: still decisive. The agent programmes functions; the human designs systems.
- Compliance and security by design: GDPR, AI Act, OWASP, secrets management.
- Agent pipeline orchestration in n8n, LangGraph or equivalents.
For a Spanish SME the implication is that the developer profile does not disappear: it changes. A team of 4 can stop needing 8 (productivity multiplied by the agent) but the 4 who remain must be senior with experience in architecture, security and business domain. The SME that bets on replacing seniors with juniors using vibe will pay the invoice in technical debt and incidents 12-18 months later.
Frequently asked questions about vibe coding
What is the difference between vibe coding and programming with Copilot?
Traditional Copilot assists line by line: the human writes and the model suggests completion. Vibe coding goes further: the human describes the objective in natural language and the model (Claude Code, Cursor Composer, Windsurf Cascade) writes complete blocks, executes commands, edits multiple files in parallel and debugs. The key difference is the level of delegation: with Copilot the human pilots, with vibe coding the human directs the agent pilot. For small, self-contained tasks, vibe coding is much faster; for critical production, supervision must be maintained.
Can I build an entire SaaS solely with vibe coding?
Technically you can reach a functional MVP in weeks, as many founders demonstrated in 2024-2025 with Replit Agent or Cursor. In practice, taking that MVP to multitenant production with real clients almost always requires refactoring by senior developers. The typical problems are authorisation inconsistencies between modules, duplicated business logic, lack of adversarial tests, poor error handling and unnecessary dependencies. Vibe coding is excellent for validating ideas and acquiring first users; to scale and sell to corporate clients you need to invest in human architecture.
Which vibe coding tool should I choose in 2026 if I am not a professional developer?
For a non-dev professional (marketer, lawyer, analyst, consultant) who wants to automate internal tasks, the most productive combination in 2026 is Cursor (AI editor) to create scripts and local tools plus Claude Code for terminal and system operations, complemented by n8n for recurring visual automations. If the use case is full-stack web, Vercel v0 and Replit Agent allow starting from scratch with prompts. The key is to choose one tool and go deep for 4-6 weeks before switching: the switching cost is the curve of prompts and configurations.
Is it safe to pass client data to Claude Code or Cursor?
It depends on the plan contracted. The enterprise plans of Anthropic (Claude for Work / Enterprise) and Cursor Business / Enterprise include clauses that prevent your data from being used for future model training, data residency in specific regions (EU available in 2026) and DPAs aligned with GDPR. Free or consumer plans do not offer the same guarantees. For a Spanish SME handling client data subject to GDPR, the prudent approach is to contract the enterprise plan and maintain a clear list of what data the agents can and cannot access.
How do I avoid technical debt from agent-generated code?
Four concrete practices: (1) define the repository style guide (CLAUDE.md, .cursorrules) that the agent follows in every session; (2) after each productive session, a refactor pass where the agent cleans following the guide; (3) regression tests that run in CI before every merge; (4) periodic human review of generated code, in pair-review format between senior and junior or between two seniors. These four practices reduce debt to the level of code written by an experienced human team, without losing vibe coding speed.
Does vibe coding replace developers in my SME?
It does not replace, it recomposes. A team of 4 senior developers with well-applied vibe coding can maintain the output of a previous team of 7-8 without vibe. But that team of 4 must be senior: with experience in architecture, business domain, security and critical review. Replacing seniors with juniors using vibe coding is a mistake paid in technical debt and incidents 12-18 months later. The market will pay more for seniors who orchestrate agents than for juniors who only prompt — and will pay even more for seniors with experience in GDPR and the AI Act.
Are vibe coding and the AI Act compatible?
Yes, with three precautions. (1) If your SME develops an Annex III AI system (high risk) and builds it with agent assistance, the AI Act obligations of governance, technical documentation and human supervision do not relax: you remain the responsible party as provider. (2) If the agents access personal data, GDPR applies fully (legal basis, DPA with the agent provider, data subject rights). (3) Article 4 of the AI Act requires AI literacy for staff: if your team uses Claude Code or Cursor daily, you must document the training and internal usage policy. It is advisable to create that documentation now, before August 2026.