Blog
April 22, 2026

Vibing isn’t engineering: A conversation about AI speed vs enterprise safety

Cutover CEO Ky Nichol and CTO Kieran Gutteridge sit down for an in-depth conversation about AI speed vs enterprise security, the gap between vibe coding and engineering, and why the “important stuff” is still slow.

Vibe coding closes the gap between “idea” and “artefact”

Ky: With agentic coding tools, the distance between an idea in my head and a working version of it has collapsed to something close to a prompt. A CEO, a PM, a designer, an engineer — any of us — can sit down with a coding agent and be looking at a running artefact of our own vision by the end of the afternoon. If you're not shipping, it's a failure of imagination.

Kieran: Agreed, with a footnote I'll cash my chips in with later: which rung of the ladder you're shipping on matters enormously, and "a running artefact" and "a thing that should exist in the world" are not the same sentence.

AI enables faster delivery but creates instability

Ky: The 2025 DORA report is blunt: AI adoption is, for the first time, linked to higher throughput and to lower delivery stability. Common vulnerabilities and exposures (CVEs) attributable to AI-generated code jumped roughly sixfold in the first quarter of the year. Amazon reportedly froze deployment controls for 90 days after incidents tied to its own AI coding assistant.

Then there's the thing that really shifted my thinking. Last November Anthropic disclosed that a state-sponsored actor had used Claude Code to run a cyber-espionage campaign against roughly thirty global targets. The AI handled 80–90% of the work autonomously and at peak was making thousands of requests per second. This week they previewed a new model, Claude Mythos, which has already identified thousands of zero-days across every major OS and browser, and they're deliberately throttling release so defenders get a head start.

Kieran: Most of what we've historically called "hacking" is, honestly, "script-kiddie" type work. I don't mean that as an insult — it's descriptive. It's walking through a multi-storey car park trying every door handle to see which one's unlocked. It isn't difficult. It's patient and tireless, which is exactly what you automate first.
A British example is the News of the World phone-hacking scandal. For all the drama and the Leveson Inquiry and the careers that ended over it, the actual "hack" was embarrassingly mundane: mobile networks shipped voicemail with a default PIN, i.e. 0000, and you could dial into someone's voicemail from a landline if you knew their phone number and just…type it in. That's the hack. No zero-day, no clever exploit — just the digital equivalent of trying a car’s door handle and finding the door unlocked, at scale, against celebrities and, infamously, crime victims. We've had bots doing the software equivalent for twenty years. Agentic AI makes those bots cheaper and slightly better at reading the response, but it's not a new category.
What is new, and makes me even more paranoid, is the combinatorics at pace enabled by the most powerful LLMs. A human red-teamer chains three or four weird behaviours together to find a novel exploit, and it takes them a week. An agent runs thousands of chains overnight and surfaces combos no one was looking for, because no human had the patience to try the eleventh weird thing after the first ten did nothing interesting. That's a scary new class of vulnerability — not "known bug, found faster" but "bug that only exists because something was willing to keep going." That's the bit our defensive posture should be built around. The door-rattling — even the News-of-the-World-grade door-rattling — is a solved-ish problem.

Ky: Which gives me two lanes. If you're a developer hacking on a side project, vibe away, the blast radius is your laptop. If you're shipping into an enterprise context, you're not just shipping into a quality environment, you're shipping into a threat environment where the attackers have the same agentic tools and are running them at machine speed against exactly the kind of confident-looking slop AI code generation tends to produce.

The enterprise approach to AI delivery

Inside that enterprise lane, I've started thinking in concentric rings. Outer ring: website, marketing, truly internal tools. Small blast radius, tight feedback loops, go genuinely fast. Middle ring: prototype to learn, not to pre-build — the old roadmap process wasn't only gatekeeping, it was a forced encounter with reality. Inner ring: the unglamorous moat. Evals, QA, supply-chain hygiene, observability, rollback, a security posture that assumes your adversary has agents, too.

Kieran: I love the framing and want to name the thing it is: this is just a formalized software development lifecycle (SDLC). Outer, middle, inner, could even be reframed to simple environments of [Dev, UAT, Prod]. The shock a lot of people are about to have with agentic workflows is the same shock every junior engineer has in their first year — things get slower the more important they are, and that is not a bug, it is the entire point. The outer ring is fast because it's allowed to be wrong. The inner ring is slow because it isn't. Vibe-coding didn't repeal that rule, it just made the outer ring more fun and the contrast with the inner ring more jarring.

Ky: Feature velocity is not the differentiator. Innovation in QA is. The question is not "how many features can we ship this quarter?" but "how confident are we that what we shipped is still doing what we thought it was at 3am on a Sunday, while something on the other end of an API is probing it a thousand times a second?" That confidence is a product in its own right.

Kieran: And this was always true. It just wasn't visible to people who didn't work on the infrastructure/platform side. AWS didn't invent WAF, Shield, GuardDuty, Lightsail, and the rest because they were bored. They invented them because every generation of standard software ships with something that’s enabled by default that you probably don't want, and someone has to catch it. An old example here is when we had to set up an FTP server and used vsftpd (Very Secure FTP Daemon). “Secure” is literally in the name, so it must be safe, right? But for a stretch of its early life, vsftpd shipped with anonymous access on by default. This was the very secure one.
The lesson isn't that vsftpd was badly written. It's that you have to actually understand what you're shipping, what it assumes, and what it exposes. Otherwise, to borrow a quote from the film Rounders, because nothing else captures it as well, “if you sit down at the poker table and you can't spot the fish, you're the fish.” Agentic coding doesn't change that rule, it just deals the hands faster and seats more players.

In the AI-enabled world, judgement and taste are key differentiators

Ky: If implementation is close to free, the binding constraint isn't imagination, it's judgment, taste, and the willingness to decide which ideas deserve to exist in the world and which should quietly die on the prototype.

Kieran: So, let’s cash in those earlier chips.
Engineers have an old, slightly snobby hierarchy that I would bring out at the pub:
Scripting → Hacking → Developing → Engineering → Business
It's not about prestige, it's about the scope of consequence. Each step to the right has to hold more of the world in its head — more users, more failure modes, more time, more money that depend on you not being wrong. And the rule of thumb is that you can always understand the rungs to your left, but you struggle to understand the rungs to your right until you've lived there and probably made a mistake or two along the way. A scripter thinks developers are slow. A developer thinks engineers are bureaucrats. An engineer thinks the business people are irrational and want to live risk-free. They're all wrong in the same direction — missing context that only exists one rung to the right.
What Agentic AI has definitely done is add a new leftmost rung:
Vibing → Scripting → Hacking → Developing → Engineering → Business
Vibing is real. It's legitimately valuable. I use it every day and it's magic for Ky’s outer ring. But it inherits the same rule: you can see everything to your left (nothing) and you struggle to see everything to your right. The failure mode I'm watching for is people vibing something and believing they've engineered it. Or worse, vibing something and believing they've built a business app, when what they've actually built is a wrapper around an assumption that will hold until the first weird Tuesday and a user uploading DSV rather than CSV.
So why is this a fair rule from Ky? You can vibe a prototype, a marketing site, an internal tool, a proof-of-concept. You cannot vibe a business-critical system that isn't essentially a wrapper. The moment real money, real customers, real regulators or real adversaries are on the other side of the API, you need someone on the team who lives at least one rung to the right of where the code was generated. Because that's the person who can see the assumptions the vibe didn't know it was making.

Ky: So yes, we are a bit more naked than we used to be. What we're left standing in is not our imagination. It's our judgment.

Kieran: So back to my ladder: the view from the bottom rung looks a lot like the view from the top if you squint, and that's a new hazard. The angst isn't that we're naked. It's knowing which rung you're actually standing on, being ruthlessly honest about it, and having the controls to make sure we can prove which rung we are on.

Join our upcoming webinar on April 30th, where Ky will be discussing how to implement agentic AI into operational resilience and disaster recovery frameworks with experts from Comerica Bank, Truist, and MassMutual.

Kieran Gutteridge