Vibe Coding
Security guardrails for AI-assisted and AI-generated code, built on Aikido.
Vibe coding lets developers (and others) ship solutions at a very high tempo. That strength brings security challenges of its own: most of them are the same as in ordinary application security, but certain issues are over-represented in vibe-coded software.
- Supply chain attacks. AI assistants invent package names that don't exist (slopsquatting), suggest abandoned libraries, or propose typo-squatted names, where the build fetches a misspelled library that copies the original's description but carries malicious code.
- Secret and data leakage. Developers paste production data, keys, and customer information into prompts, while assistants embed secrets in the generated code. At vibe coding speed with minimal review, it ends up in production before anyone catches it.
- Logic errors, for example in access control. Did the AI understand that the Caseworker role should not see the same cases as the Manager role?
- Authentication errors. The login screen looks right, but is trivial to bypass. A test user is hardcoded in source code that ships to production.
- Modern applications call AI models themselves to perform tasks. Is the prompt adequately protected? See also Prompt Protection.
At the development tempo vibe coding produces, it is irresponsible not to use tooling that watches the full lifecycle, from the first line of code to production.
What we deliver
- Aikido in the SDLC
Aikido wired into your repos, with policy and thresholds matched to how your teams ship code today.
- AI pentest on each release
Aikido AI Pentest runs against every release and reports findings with context developers can act on.
- Secrets and leak detection
Aikido detects and surfaces secrets, keys, and tokens in commits and catches leaks before they reach production.
- AI-suggested dependencies
A policy for packages AI assistants suggest, so typo-squats and abandoned libraries get blocked on the way into the codebase.
- Security feedback at PR time
Aikido findings surface in the pull request where the developer already is, with short reasoning and a suggested fix.
- Policy for AI-generated code
A readable policy for what AI-assisted code must pass before merge, anchored in how your teams ship.
How we deliver this service
- In a project
Aikido rolled into the SDLC, with policy, thresholds, and a first triage round in four to six weeks.
- In a role at the customer
An AppSec advisor inside your team, owning the Aikido programme and the AI code policy.
- As part of a service
Included in Secured by FM CyberSecurity, where Aikido coverage and AI pentest on each release ship with the bundle.
Recent insights on Vibe Coding
- Which regulations require recurring pentests, and how to deliver them without manual work
Five frameworks tell Norwegian SMBs to test security regularly. Only one mandates a human red team, and most teams overpay for the rest.
- How we pentest apps as part of ISO 27001 work
How FM CyberSecurity produces ISO 27001-defensible app pentest evidence through Aikido AI Pentest, without a manual pentest engagement, mapped to Annex A 8.29.
- Why Aikido is our only pentest provider
We deliver every pentest through Aikido AI Pentest because the annual manual report lands in a drawer and the application ships again the next week.