The Perfect Storm Is Coming: Cybersecurity and Vibe Coding
The spear has sharpened and the shield has thinned
This newsletter has been translated from Korean to English.
AI: The Sharpened Spear. Vibe Coding: The Cracked Shield.
You've probably heard it ad nauseam, but the startup ecosystem is currently being swept up by vibe coding—a development method where AI handles everything from writing to deploying code. This allows a small team to launch a service at the speed of a large corporation, which is why the once-unrealistic idea of a "one-person unicorn" continues to be a topic of conversation.
However, while this trend is a tremendous innovation, if you think a little deeper and look beneath the surface, you'll see a time bomb that is growing and will soon explode.
The Shield Gets Thinner, The Spear Gets Sharper.
The Shield Gets Thinner Because of AI
As mentioned, the currently popular vibe coding has a fatal flaw: many who engage in it don't even know the basics of coding and security. By relying solely on vibe coding, they are bound to create products with poor security.
In 2021, a research team from MIT and NYU discovered security vulnerabilities in over 40% of the code automatically generated by GitHub Copilot. Even with GitHub's new security tools, an analysis presented at the 2025 Silicon Valley Cybersecurity Conference (SVCC) revealed that over 30% of the code still had at least one vulnerability.
In March 2025, GitGuardian noted that the rate of secret exposure in repositories using Copilot was 6.4%, much higher than the 4.6% in typical open-source projects.
According to the Veracode 2025 GenAI Code Security Report in August 2025, an analysis of over 100 code generation tools that use large language models showed that 45% of all tests included code with security vulnerabilities. The ratio of vulnerabilities was particularly high in Java code, with serious security weaknesses like XSS (13.5%) and log injection (12%) appearing frequently.
An Apiiro analysis in September 2025 pointed out that since the introduction of AI code, the number of new security flaws has skyrocketed by over tenfold from the end of 2024 to mid-2025, with more than 10,000 new vulnerabilities reported every month. Privilege escalation paths increased by 322% and architectural design flaws by 153%, confirming that structural security issues are rapidly proliferating within the code produced by AI.
In short, AI code assistants are increasing productivity while at the same time exponentially magnifying corporate security risks. The flashy facade of vibe coding, which "AI founders" promote as a way to enhance productivity and democratize coding, is simultaneously creating the shadow of a cybersecurity catastrophe that is spreading uncontrollably throughout our product ecosystem.
The Spear Gets Stronger Because of AI
But the bigger problem is that while our shields are weakening, hackers have been handed a more powerful weapon. Generative AI has given developers and startups speed and productivity, but it has given the exact same benefits to hackers. Hackers who in the past lacked the technical skills to properly plan an attack can now easily create sophisticated code and automated attack scenarios with large language models like ChatGPT. For attackers, AI is no longer just a "support tool"; it has become a core weapon that is changing hacking itself.
In a real-world phishing experiment, an IBM research team revealed a shocking result. The click-through rate for AI-written phishing emails was 11%, which was virtually no different from the 14% for phishing emails written by a human. The difference was starkest in production speed: AI completed an attack email in just 5 minutes, which would have taken a human an average of 16 hours. This has enabled hackers to carry out more attacks in less time.
Even more shocking data came from the Unit 42 research team at Palo Alto Networks in 2025. They developed an Autonomous Attack AI (Agentic AI) and conducted a simulation, with results that were beyond imagination. The AI agent completed the entire process—from infiltration and privilege escalation to data exfiltration—all by itself in just 25 minutes. The data breach cycle, which used to take an average of 9 days, now takes just a few hours. According to the report, the average time to detect and respond to a breach in 2021 was over 200 hours, but by 2024, the time it took for an attacker to steal the data they wanted was shortened to just a few hours. This ability to execute various attacks at high speed has created a gap that defenders currently cannot close.
And The Cost of the Spear Has Gotten Cheaper
AI doesn't just improve the quality of attacks; it has also broken down the economic barriers that hackers faced. In the past, with limited labor and time, hackers could only target "big fish" like large corporations or financial institutions. They would only move if the potential monetary gain was high enough to yield a positive ROI.
But the situation has changed. Thanks to AI, attacks can be replicated at almost zero cost and executed in parallel. Automated phishing campaigns, indiscriminate malware distribution, and even tailored social engineering attacks are no longer driven by human labor but by replicable AI resources. The ROI equation has been flipped, and cheap, fast attacks now target not only large corporations but all companies, including small and medium-sized businesses.
The bigger problem here is that small companies, including startups, are often poorly prepared for cybersecurity. Since hackers didn't target them in the past due to low ROI, these small companies didn't particularly focus on security. Startups, for a similar reason, have thin security, and now, by rapidly building code with vibe coding, they have become perfect prey for hackers. It's no longer a matter of "if" they will get hacked, but a matter of "when."
Recent real-world examples clearly show that startups relying on vibe coding are highly vulnerable to hacking. For instance, WIRED reported that an AI attack agent called RunSybil hacked a Claude Code-based website in just 10 minutes. Lovable, once hailed as Europe's fastest-growing vibe coding startup, was noted for its innovation in allowing customers to create apps with natural language, but it was later revealed to have neglected severe security vulnerabilities for several months until a competitor reported them. Furthermore, the popular "one-person startup" AI platform Base44 was found to have an authentication bypass vulnerability that allowed malicious users to access corporate apps, which was only patched after the Wiz research team pointed it out.
When startups blindly pursue speed and productivity by adopting vibe coding, security often takes a back seat. As a result, the ingredients for a cybersecurity "perfect storm" are steadily accumulating.
What Should the Shields Do?
So, how can we strengthen our shields again? First, we need a new infrastructure. It's not just about creating code quickly, but about having tools—like a hypothetical "VibeCheck Cyber"—that can check in real-time where the code came from, if it was AI-generated, and what vulnerabilities are hidden within it. Speed alone is not enough; a verification system must support productivity.
Second, we must not blindly trust vibe coding. Code automation is a powerful tool, but it's not the complete solution. What's ultimately important is working with people who understand the overall principles of a program and the fundamentals of security. The moment a startup trusts AI code without a deep understanding of code quality, design principles, and security architecture, it becomes a perfect target for hackers. A single security incident, such as the photo and personal information leak at the startup "tea" in August 2025, can end a startup in an instant.
And finally, the last line of defense is cyber insurance. In the U.S., cybercrime losses hit a record high of $16.6 billion in 2024, a 33% increase from the previous year. 60% of small and medium-sized businesses without insurance went out of business within six months of being hacked, while those with insurance were able to survive by recovering significant portions of ransom payments, legal settlement fees, and business losses. Now, cyber insurance is no longer an option; it is essential infrastructure for survival.
So, What Now?
Disease and treatment are an eternal battle of spear and shield. We have conquered many diseases, but others remain unconquered, and new diseases like COVID continue to emerge. That's why we have medical insurance.
Cars and accidents are slightly different but a similar battle of spear and shield. While we try to reduce the accident rate with various safety features, we can't completely eliminate car accidents. That's why we have car insurance.
Cybersecurity is no different. AI continues to sharpen the hacker's spear, and vibe coding thins our shield, but cybersecurity solutions continue to thicken our shield. Ultimately, cybersecurity is also an endless battle of spear and shield.
Therefore, given the recent advancements in AI-related hacking methods and the emergence of new problems like vibe coding, I believe the time is not far off when cyber insurance, like car and medical insurance, will become essential infrastructure for a company's survival. I wanted to share my thoughts in this newsletter because I think it's important for smart entrepreneurs and investors to remember this trend.
In fact, I had this thesis as soon as ChatGPT appeared (hacking becomes easier and cheaper = a cybersecurity nightmare). In 2023, I was interested in an American company called Resilience, which received joint investment from Peter Thiel's Founders Fund, Lightspeed, General Catalyst, CRV, and the large Canadian insurance company Intact. Now that two years have passed and it's 2025, I don't know the company's specific situation, but I feel that this company is even more perfectly aligned with the market trend now than it was then.
I usually do my deal sourcing outbound rather than inbound. I look at overall tech trends, get inspiration for my theses, and then focus on finding the companies needed for the future I imagine based on those theses. For example, the idea of a Personal CRM that came to mind after seeing a note-taking app is in a similar context. I plan to continue incorporating these emerging startup ideas into my newsletters.
If you are an entrepreneur building a startup that fits the future I imagine, please feel free to email me at ian@ianpark.vc. Thank you for reading today.
Sincerely,
Ian