Anyone getting worried about vibe coding?
Posted by Pristine-Piano-2802@reddit | sysadmin | 76 comments
Hey all!
We are an MSP and getting more and more requests to host custom applications on either cloud servers or on-premises servers. These apps are so obviously built by someone using AI, and we even have some customers seemingly ditching their entire software stack to go custom AI-built.
Who maintains and tests this stuff?!
We are trying to push back as hard as we can, but it is getting bosses involved, which is making it difficult. We are trying to implement IP restrictions for cloud apps and the like to lock it down as much as possible, but it seems like a ticking time bomb.
rms141@reddit
Why do you care? Your customers want to run an app, you got a ticket to spin up a server, do it according to the standards outlined in your support contract and move on. What happens when it blows up shouldn't be your concern.
mitchricker@reddit
I do not think most MSPs have the luxury of saying "what happens when it blows up is not our concern" because in the real world it absolutely becomes our concern.
Customers do not separate the app from the infrastructure. If the system gets breached, falls over constantly, leaks data or becomes a ransomware foothold: the MSP is still the first contact because we hosted it, networked it, backed it up or exposed it to the internet.
Even if the contract says the application itself is unsupported, there are still operational, security, insurance and reputational risks attached to hosting obviously fragile software.
You can absolutely define boundaries and limit responsibility contractually, but assuming there will be no blast radius for the MSP whatsoever is likely unrealistic.
rms141@reddit
Wait, are you imagining a scenario where a vibe coded app somehow takes out the entire infrastructure? Not only is this extremely unlikely, but if it does happen, the customer is probably correct to be upset that the infrastructure they paid for doesn't properly hold up when a single VM gets fucked because of a memory leak in ClaudesProjectDoNotDelete.exe.
Snowmobile2004@reddit
I don’t think anyone here is talking about a memory leak… more like a poorly secured app that’s pwned then used for arbitrary code execution within your network, which could propagate quickly depending on the malware
BlackV@reddit
Why are the customers networks not segregated/isolated from each other?
Snowmobile2004@reddit
I’ve seen plenty of MSPs do things very poorly lol
InformedTriangle@reddit
Yup, everything should be segregated in its own Kubernetes pod for untrusted apps. Shouldn't be able to take down anything unless whoever set it up had no idea wtf they were doing.
1cec0ld@reddit
More likely: "my app lets me manage my AD from a website. What do you mean it signs in with a Domain Admin account, that's what it says it needed. Wait why can't I log in anymore"
Replace AD with SQL Server, Cloud account, etc etc.
xenolon@reddit
This is terrible advice. Any sysadmin should always have not only domain expertise, but be able to foresee and warn against any potential issues in the future. Sysadmins are not task monkeys; do not act like one.
rms141@reddit
You're talking about a very different scenario.
I have to keep reminding myself that this sub is comprised mainly of IT generalists at SMBs.
xenolon@reddit
No. You have to keep reminding yourself that your job is to, first, provide unparalleled support and reliability. You are not special. You undermine the profession with your arrogance.
Loudergood@reddit
Yeah, fuck my on call guys. Fuck DR planning. Get out of your silo and look at the big picture.
Pristine-Piano-2802@reddit (OP)
Because I care about my customer; at the end of the day they hire me to be knowledgeable on IT. If they disregard all my warnings, etc., then I take this opinion, but on a day-to-day basis I care for my customer's business as if it were my own.
Denver80211@reddit
AI will manage and test it.
I have software I wrote myself, tens of thousands of lines. I fed it to Claude to look for bugs and improvements. It did great. I couldn't hand MY code to another person and expect them to do that. But AI fully understood what I was doing just reading the code.
Anyway, AI will read code generated by AI. It's going to manage it for us.
Slottr@reddit
What's your actual concern? On face value it seems like you're turning away customers because you don't like the idea of it rather than the business of it.
kombiwombi@reddit
The concern would be that the app causes such an issue that it sends the customer broke. So you end up holding the costs of assisting them, but with no chance of payment.
This need not be security related. "All our orders no longer exist". "ChatGPT bought 5 years of inventory." "We were using Claude to do our accounting and now the tax collector wants a word".
EmmaRoidz@reddit
An uncomfortable thing is that vibe coding internal apps, dashboards, workflow tools are going to explode over the coming years.
There's a huge amount of unmet need for internal tooling that works better for that org's workflow. If it's not available off the shelf, affordable and easy to configure, then that gets deprioritised to the absolute bottom.
Now people can just make it themselves in a few weeks with Claude and meet that need. It needs to work just well enough and that's an overall win.
Obviously it wouldn't be on an MSP to maintain that, but you'll be asked to spin up infra to host it.
Just highlight the risks and ensure the customers are accountable.
slitz4life@reddit
A few weeks?
I was bored and got to try Claude Enterprise out for my dept. I built an internal web app we have been needing for years in 2 days! I was floored at how easy it was. And it works so well.
I like it, but I’m worried about things like this https://www.forbes.com/sites/the-wiretap/2026/04/22/anthropics-claude-is-pumping-out-vulnerable-code-cyber-experts-warn/ where it starts hallucinating and creating bad code, but non-coders don’t know what to look for. I’ll admit I know nothing about web app dev, so I wouldn’t know how to make it secure or not, hence why my app is internal only and air-gapped.
Pristine-Piano-2802@reddit (OP)
Great response thanks! Gives me good insight.
I wonder if in the future it will become part of MSPs jobs to manage rubbish apps! Hope not 😁
dotnetmonke@reddit
The real flaw in your post is the implied assumption that human generated code is inherently better or is better maintained than AI generated.
Claude may hallucinate sometimes, but the human code I’ve had to deal with actively creates 10.0 vulnerabilities - like products getting shipped with debug tools to access all user passwords.
EmmaRoidz@reddit
Claude takes me from a 0.1x engineer to a 0.11x engineer.
Pristine-Piano-2802@reddit (OP)
Yes very good point actually, if the customer got the code built manually by a developer why should I automatically trust it?
Very good point that I didn’t think of; I’ll take it into consideration!
VexingRaven@reddit
Plenty of MSPs already do app support and have for years. Managed services don't just mean AD and Exchange. All depends on the contract.
Ferretau@reddit
How the insurers react will also be of interest. As businesses invest in these string-and-sticky-tape solutions, insurers may decide to either exclude them or increase premiums due to the risk.
Pristine-Piano-2802@reddit (OP)
Yes, very good point actually. I imagine this will slowly come in if it hasn’t already.
EmmaRoidz@reddit
No worries. I doubt anyone sane would ask the msp to maintain these tools. But certainly expect to see 5 APIs in a webserver/electron app/vscode extension trenchcoat.
ohyeahwell@reddit
100% now the only limitations are your imagination and tokens.
LaDev@reddit
We all need to get more comfortable saying "no". It's very powerful.
pueblokc@reddit
I love it for my tasks but all the stuff people are making with no clue how it works is definitely gonna be interesting.
Isolation, backups, security... That's the plan for now.
IamHydrogenMike@reddit
Spitting out code is easy and not really all that hard. Architecture and maintenance are most of the work and that’s the point of failure all of these vibed apps will have. I write stuff everyday that I know has a very short lifespan or is already part of a decently architected framework.
Pristine-Piano-2802@reddit (OP)
This is it: use it as a tool, but don’t implement some app into full production that is heavily used. I’m worried for the day I get the call to say someone has been hosting one of these apps without us knowing, it has been heavily used, and it has gone down or broken or caused some security incident or whatever.
pueblokc@reddit
That's no doubt going to be a common issue.
Also have the people who aren't calling for help and use AI to fix computers and networks with no clue what it's actually doing.
Both scenarios will lead to some epic security issues.
Loudergood@reddit
Yes but Microsoft has chosen this for us.
non-descript_com@reddit
I asked ChatGPT and it said not to worry
Pristine-Piano-2802@reddit (OP)
Haha love that 😁👍
Doctorphate@reddit
We have every server isolated from each other with only the required ports open between them, with all the routing at the firewall level. And we have an exclusion in the contract for breaches that are caused by vulnerabilities in software we don’t explicitly support. And I’m not adding his buddy Jeff’s vibe coded dumpster fire to our approved software list right beside Debian, OPNsense, Nginx, etc. It’s offensive to myself but also to real developers.
If they want that vibe coded bullshit, by all means but when it breaks, it’s billable work, and when there’s a breach, it’s billable too. So, have at it if you want.
So far, 3 clients have barked up that tree but nobody has taken a bite for fear of the costs.
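The OP's "IP restriction for cloud apps" and Doctorphate's "only the required ports open" both come down to a default-deny policy per app host. The script below is an added example, not any commenter's configuration (Doctorphate does the routing at a separate firewall; this is the host-level equivalent for a customer's isolated VPS). It assumes nftables as the host firewall, and the management range, app port and customer ranges are placeholders from the RFC 5737 documentation blocks.

```shell
#!/bin/sh
# Added example, not from any commenter in the thread: render a default-deny
# nftables ruleset for one VPS that hosts a single untrusted (vibe-coded) app.
# Assumptions: nftables is the host firewall; the CIDRs and port passed in are
# placeholders (RFC 5737 documentation ranges appear in the usage line below).
set -eu

# render_ruleset MGMT_CIDR APP_PORT CLIENT_CIDR [CLIENT_CIDR...]
# Inbound: loopback and established flows; SSH only from the MSP management
# range; the app port only from the customer's allow-listed ranges; everything
# else is logged and dropped. Outbound: established flows plus DNS/NTP/HTTPS
# for updates; RFC 1918 space is dropped before those accepts so a compromised
# app cannot be used as a foothold into other customers' networks on the same
# provider. If the app legitimately needs a private DB or resolver, add a
# narrow accept for that host above the RFC 1918 drop rather than widening it.
render_ruleset() {
  mgmt="$1"; port="$2"; shift 2
  [ "$#" -ge 1 ] || { echo "render_ruleset: need at least one client CIDR" >&2; return 2; }
  clients=$(printf '%s' "$*" | sed 's/ /, /g')
  cat <<EOF
flush ruleset
table inet app_host {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    tcp dport 22 ip saddr { ${mgmt} } accept
    tcp dport ${port} ip saddr { ${clients} } accept
    log prefix "app_host drop in: " drop
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif "lo" accept
    ct state established,related accept
    ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } log prefix "app_host pivot attempt: " drop
    udp dport { 53, 123 } accept
    tcp dport { 53, 443 } accept
    log prefix "app_host drop out: " drop
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
}
EOF
}

# check_ruleset FILE: parse the ruleset with nft without loading it, when nft
# is installed; returns nft's exit status so a deploy job fails on a typo.
check_ruleset() {
  if command -v nft >/dev/null 2>&1; then
    nft -c -f "$1"
  else
    echo "check_ruleset: nft not installed, skipping syntax check" >&2
  fi
}

# Usage (placeholder ranges): management 203.0.113.0/24, app on 8443,
# customer offices 198.51.100.0/24 and 198.51.100.64/26.
#   render_ruleset 203.0.113.0/24 8443 198.51.100.0/24 198.51.100.64/26 > /etc/nftables.conf
#   check_ruleset /etc/nftables.conf && nft -f /etc/nftables.conf
```

The two things to check before loading this on a real host: that the management range really is the only place SSH will come from (otherwise you lock yourself out), and that the "app_host pivot attempt" log line stays quiet in normal operation. If it does not, the app is reaching private space it was never declared to need, which is exactly the behaviour the segmentation is there to catch.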
Speeddymon@reddit
Yep. I had claude write up a kubernetes operator to handle a need we have internally and I put it on a throw away cluster to confirm it worked but honestly the need isn't super great so I'm probably never going to actually deploy it. But having the ability to code it out and show to my boss that the concept I had would work if someone writes the code, was super useful.
Pristine-Piano-2802@reddit (OP)
Great comment and this has been the exact same approach we’ve taken so far, on their own VPS isolated to them as much as possible.
Great advice
axonxorz@reddit
Does it truly matter? Or rather, what is your MSPs responsibility for managing the overall security surface of these apps, and why/how is it any different than something more COTS?
This seems like something that should be covered in your client agreements, AI or not.
Pristine-Piano-2802@reddit (OP)
I think it does. I maybe have a bit of a bad habit, you could say, in that sometimes I probably care about my customers more than the business owners do. I could easily let them crack on and relinquish responsibility if something happens, but I’d rather be clear with them and try to divert them away before something happens that ultimately I’m going to be responsible for cleaning up.
aerostorageguy@reddit
Yup. One of our SD fuckwits is making shit up like he’s some kind of idiot savant. Couldn’t explain how it worked if his life depended on it.
Pristine-Piano-2802@reddit (OP)
I think this is it for me. Had a chat with a gent the other week who wanted me to “host an application”. I asked him, how do you want me to host it? And he had no idea. Realistically this guy has no clue about what he’s built or how to run it; his LLM has just told him to “host it”.
CluelessFlunky@reddit
Imo things are gonna get worse as companies switch over to their half-baked AI crap. Then when shit hits the fan it will be back to status quo.
_Do_The_Needful_@reddit
For applications that were simplistic before, I definitely see a trend of companies vibe coding replacements to cut costs. What they don't see is the cost of maintaining them long-term.
You won't see anyone vibe code a Veeam replacement any time soon, though. Large apps would cost a fortune in tokens. It's mostly things like kanban boards, survey apps, and small central dashboards that pull data from multiple locations.
Pristine-Piano-2802@reddit (OP)
I’m in no way against the AI way of things; I appreciate it’s the future. But I’m speaking to fairly sizable companies who are actively replacing massive and trusted systems with random applications that one of the employees who got a CS degree 20 years ago is building. It seems like a disaster waiting to happen.
I agree for the odd bit and bat it does work
livinitup0@reddit
Like what? What exactly are they making?
Pristine-Piano-2802@reddit (OP)
I was talking to someone the other day who is trying to replace an ERP system which has been in place since the birth of the company and ultimately runs their entire business with a claude code app
andywarhorla@reddit
haha that’s the most insane I’ve ever seen on reddit. reminds of the controller who asked me why we couldn’t replace our ERP system with excel. vibecoded ERP, can’t wait for them to try to get through a month-end close of their financials.
ohyeahwell@reddit
Does it work? Is it a front end for a DB? Back in the day all SMB LOB apps were random handbuilt DBs, FileMaker, access, excel etc.
_Do_The_Needful_@reddit
Oh god, FileMaker. A word I hoped I'd never see again. Too many critical apps built on a glorified flat file database with no high availability or failover. I despise FileMaker with a passion.
ohyeahwell@reddit
Used to be big money in the 90's, then it was big money replacing filemaker in the 00's. AI is just the new hotness. AI, SaaS, lowcode, containers, VMs, internet, WAN, email, LAN, PCs, thin clients, mainframes. There's always a new thing.
Pristine-Piano-2802@reddit (OP)
I’ve got no idea yet; I’ve just heard that they’re making good progress. I’ll find out!
ohyeahwell@reddit
I got the bill for one of our ERP today, $76K for 18 licenses. I’d love to replace it. It’s just a wonky 90’s thick app front end for SQL.
Pristine-Piano-2802@reddit (OP)
Yeah, I see this side also. Had a customer recently who had their ERP bill increased by nearly 20k because of hosting fees and AI implementation. They’d swap in a heartbeat, but because it plays such a huge role in their business they’re tied a bit.
Spoke with a developer to see how much to build something similar we could own and it was north of 250k so I do see this side and why it’s attractive
Pristine-Piano-2802@reddit (OP)
I think where my fear comes from is by trade I’m a web designer, not for a long time now but I watched the web design trade slowly move from a premium service into £1 a month tools to make your own website which people decided to go down.
Obviously these £1 websites were total rubbish and didn’t perform anywhere near as well as the well-built ones, but at the moment it feels exactly like watching those people select the £1 website many years ago, on a bigger scale.
general-noob@reddit
Nah, I watched Idiocracy recently, so I know we will be ok
YOLO4JESUS420SWAG@reddit
I'm worried because Claude's latest models were so good they had to restrict them to closed groups in the industry. And that is likely the reason why the Linux kernel has been interrogated so much lately for vulns.
I don't worry about the script kiddies, or my job; I just worry about the future of compute as we know it. This advance took all of 4 years at most. Where will we be in 10 years?
I assume data integrity is about to become isolated. Network isolated.
_millsy@reddit
Nope, literally nobody, this is actually the first post on reddit and there’s literally no other posts you could look at, none at all
InformedTriangle@reddit
As long as it's segregated in its own kubernetes pod away from everything else, I don't care. I'll warn them it's not a good idea, get it in writing they were informed and chose to ignore it and throw up whatever they want.
theEvilQuesadilla@reddit
What do you mean getting worried? We've all been worried for months (years?) now.
ZealousidealFudge851@reddit
Years
hankhalfhead@reddit
Set them up with Docker infra and let them at it. Give a shit about DR, backup, infra security.
ohyeahwell@reddit
I’m having it poop out so much helpful python and work. Serious force multiplier to automate silly clerical work. I don’t give a shit how it runs if the output is correct.
Ingest a folder of PDF post-bid event, extract company, contact, phase/work. Put on a pretty excel sheet for humans, prepare a diff csv to import to our ITB software to add/update new/changed vendors. That’s like a week of work for a human, and moments for AI.
Review 10k emails post-purview to put together a timeline of event X, show your work. This one processed local then exported things to Claude via API. Fantastic.
Research this list of half baked leads and give go/no-go fit based on this historical csv dump from our erp. Highlight any with a GC attached, cross ref with known OAC we’ve worked with.
Review this .eml/.msg and explain why it was high confidence phish/spam and export a text block I can send to a vendor so they can get their dkim/dmarc/spf/whatever else fixed within the mta they use.
Take our proposal data and make it pretty. Prettier, replace that logo, use KPI boxes. Thanks Claude design.
All of it showing its work. All of this agentified. Honestly if you’re not maxing out your Claude usage you’re not working hard enough.
Downvote me if you want, or get with the times.
Altruistic-Map5605@reddit
We will spin up the server and maintain its OS patches and security, but it’s on the client to manage the application. Your client environments should be completely segregated so it doesn’t touch anyone else’s server stuff, so I don’t see the big deal.
jrobertson50@reddit
Depends on what it's for. A small thing for my team to use? Ship it. An MCP that a couple of teams use and isn't mission critical? Send it. Something someone is paying for or that has real implications if it has issues? NOPE.
Pristine-Piano-2802@reddit (OP)
I think this is where my issue lies like mentioned in this thread, the odd small tool that helps teams, fantastic. But when companies talk about replacing a massively used, supported and relied on system with a vibe coded app it makes me sweat.
MedicatedDeveloper@reddit
If it's static, GH Actions pushes it to an S3 bucket folder (IAM role per repo), and CloudFront and DNS magic do the rest. If it requires a back end, GH Actions pushes a container, then terraforms an ECS Express service and adds a target group to a shared ALB using ACM certs as the front end.
thefpspower@reddit
As long as it's not an app open to the public internet I don't care. I've built a lot of custom automations way faster thanks to AI, and it has made people work more efficiently, which is all that matters.
A decade ago any custom automation required tons of planning, coding and compiling, then the programmer left and you're left with a baby on your hands that nobody wants to maintain.
Now it's just quick scripts, quick apps and very readable stuff, no compiling, which is WAY easier to maintain.
zippopwnage@reddit
Why would I be? It's not my company. If this is the company policy and we accept all this, then who am I to lose sleep over it?
digitaltransmutation@reddit
wait til these guys find out that the vibe coding applications can also stand up a webserver on its own
Grouchy-Western-5757@reddit
have the client spin up a server on a laptop and put it under the desk.
ReptilianLaserbeam@reddit
Honestly at this point I'm just doing the bare minimum and making 100 different plans to move out of the city and live off the grid.
justaguyonthebus@reddit
A free service you can provide is have another AI review the apps and give them the analysis. Every time you find something you don't like, add it to the prompt as something to check for.
But other than that, isolate them like you would any app that you don't really trust.
Pristine-Piano-2802@reddit (OP)
Ah very interesting thank you.
But yes this is very much our strategy at the moment, give the best advice we can and move them into an isolated VPS somewhere as locked down as possible.
slackmaster2k@reddit
Sounds like a great opportunity to offer a vibe code stack to your customers.
Brraaap@reddit
That's a conversation you need to have with your client and get spelled out in writing.