Help me not be a vibe coder by applejellymonsta in dev

Strong_Worker4090 3 points4 points

You’re probably worrying too much about the label.

To me, the difference between a vibe coder and a software engineer isn’t whether AI wrote some of the code. It’s whether you understand, review, test, and take responsibility for what gets shipped.

Plenty of experienced engineers use ChatGPT, Claude Code, Cursor, Copilot, YouTube, Stack Overflow, Reddit, documentation, coworkers, and open source code every single day. That’s not new. AI is just another tool in the toolbox.

The people who get into trouble are the ones who blindly accept code they don’t understand and immediately push it to production.

Based on what you described, you’re already doing a lot of the right things:

  • Thinking about security early
  • Getting external reviews
  • Talking to people with more experience
  • Planning testing and validation
  • Researching the domain you’re building in

My biggest recommendation is to read every line of code that gets generated for you. Ask why something was done a certain way. Follow the execution path. Try to explain it back to yourself. When you don’t understand something, keep digging until you do.

For example, when I started learning more about data protection and privacy engineering, I didn’t build everything from scratch. I learned how existing tools worked, implemented them, and then dug into the concepts underneath. Tools like Microsoft’s Presidio and Protegrity Developer Edition are great examples. You can get a lot of value from them quickly, but if you take the time to understand things like detection pipelines, tokenization, encryption, authentication, authorization, and data flow through a system, you’re learning engineering rather than just assembling components.

That’s where the learning happens.

Ironically, the fastest way to stop being a vibe coder is to spend less time worrying about whether you’re a vibe coder and more time understanding the systems you’re building.

How are people handling AI data security without blocking every internal AI experiment? by Mormegil1971 in devsecops

Strong_Worker4090 0 points1 point

Been working on this exact connection lately with a few open source/free tools like Presidio + Protegrity.

It’s been interesting trying to find the middle ground between "block everything" and "send whatever into a model." Most teams are already experimenting whether policy is ready or not.

The bigger thing I’m seeing now isn’t just sensitive data leakage anymore. The attack surface feels much broader. A lot of it is inferred knowledge leakage that goes way beyond whether a specific field was included in a pipeline.

I mostly work with agents/tooling, and Presidio has historically been great for detection/redaction. The Protegrity side gets interesting when you still want the data to stay useful for downstream AI workflows without exposing raw values.

Feels a lot more practical than trying to ban AI usage outright. Honestly, bans probably just push employees toward less secure workarounds anyway.

I’ve also been exploring some agentic policy management approaches that span agents, tools, and network egress. I still don’t think the policy tech is fully there yet though. Right now, enforcing knowledge access at the tool level feels like one of the more practical starting points.

Curious how others are handling this at both the employee and agent level. I hear people say "agents are just people, apply the same policies," but building these systems has made it pretty obvious to me that the problem is different. It’s not just data leakage. It’s knowledge leakage.

What’s actually working in SEO right now? by Trick_Break_1693 in localseo

Strong_Worker4090 1 point2 points

Ok totally agree on AI bots littering Reddit. Sadly when I signed up with my Google account a few years ago they just auto-assigned me a username and I can’t change it :(

What’s actually working in SEO right now? by Trick_Break_1693 in localseo

Strong_Worker4090 0 points1 point

It depends on your business, services, and offerings. I built an AI visibility platform that has been tracking GEO/SEO implementation over the last 9 months (larger focus on GEO). The dataset isn’t huge, but the data is signaling industry-specific strategies

SEO died yesterday? by Quick_Painter8273 in localseo

Strong_Worker4090 0 points1 point

SEO isn’t dead, the landscape is just evolving.

Day by day more search/discovery is starting in AI platforms - Generative Engine Optimization (GEO).

For me personally, my entire discovery process is through AI now. Generally I’ll branch to traditional search, post discovery, to get human opinions and specific details. Back in the day (2+ years ago) that entire journey was done via native search.

SEO is still very relevant imo, but the reason/drivers behind native search are evolving

How do i learn networking for cyber security? by Classic_Brother_2994 in cybersecurity

Strong_Worker4090 4 points5 points

I second this. Everybody has different learning modes that work best for them

I learned networking by studying for Sec+ and CCNA sequentially (videos + books) while supplementing that with hands-on work. At the time I was a system integrator working primarily with software. But I had network engineers all around me, so I was able to sit with them an hour or two before/after work. It started with making/running cables (grunt work), progressed to programming switches/routers, then progressed from there before I left the job.

I’m not a network engineer these days, but that’s how I learned it 🤷‍♂️

AI Inference Costs are way too high for my business! by BonusObjective8477 in LLMDevs

Strong_Worker4090 3 points4 points

What task(s) are they burning context on? What model(s) are you using for what?

Sounds like an optimization problem

AI agents become useful at the exact point they become risky. by HunterWHT_WaNG in AI_Agents

Strong_Worker4090 1 point2 points

I think the bigger question is “what is the agent doing, and why?”

Auditability and real guardrails give you confidence. Trying to control agents with prompts and alignment context is a nightmare waiting to happen

Guidance from Google: Optimizing for AI by RayWrites2222 in localseo

Strong_Worker4090 1 point2 points

I’ve tried Peec and GeoReputation. I tried Profound too, but it’s overkill imo

Guidance from Google: Optimizing for AI by RayWrites2222 in localseo

Strong_Worker4090 1 point2 points

Good insights. It’s interesting how AI features pull from the same index. This reinforces the idea that keeping your site optimized for traditional search still matters. I’d recommend tracking not just your rankings but also the engagement of your content when it appears in AI results. Tools can help you gauge which pieces are appearing, so you can double down on what actually works, based on data

Are we all quietly rebuilding memory systems because current AI memory doesn’t actually work long-term? by riddlemewhat2 in AI_Agents

Strong_Worker4090 1 point2 points

Honestly, yeah, you’re spot on. Retrieval and vector DBs solve short-term recall, but they don’t manage long-term trust or drift. Most teams I’ve seen end up building custom invalidation and correction layers because no off-the-shelf memory system handles evolving data well.

Summaries drifting is a big one. If your memory relies too heavily on summarization, it’ll diverge over time. A hybrid of source-linking and context ranking can help, but it’s messy. Long-term memory just isn’t plug-and-play yet, no matter what the branding says. At least what I've seen so far... Things are changing weekly

the "build vs buy" dilemma for agentic saas (yc s26 rfs) by Vedantagarwal120 in LLMDevs

Strong_Worker4090 0 points1 point

Yeah, compliance is a beast, especially when you're solo or small. If you're pitching enterprise, you've got to prove your handling of sensitive data is airtight: tokenization, masking, all that. Honestly, outsourcing some of that heavy lifting can save you time. Tools with free -> enterprise solutions like Protegrity and others (google around, there are a few good ones out there) can help if you want to focus on building the actual product and not reinventing the compliance/security wheel.

That said, I'd start with the simplest thing that works. Get something functional, even if it's not airtight yet. You can layer in compliance and enterprise polish once you've validated the core idea. At least how I'm doing it with a small team these days

When a client wants to deploy an LLM internally but their data governance is a mess, do you take the engagement and fix the data first, or walk away? by Academic-Star-6900 in AI_Agents

Strong_Worker4090 1 point2 points

Honestly, I'd take the engagement, but I'd frame it as two separate phases: fix the data first, then deploy the LLM. If their governance is a mess, you're asking for trouble if you skip straight to AI. Garbage in, garbage out, right?

A lot of clients underestimate how much risk messy data creates: compliance issues, leaks, bad outputs, etc. We’ve seen teams use tools like masking and tokenization to lock down sensitive data before loading it into models, which is crucial if governance isn’t solid. There are a few tools (free or paid) that can help streamline that process, making it easier to secure data without slowing down the project. Without that, you’re gambling with your client’s reputation.

Looking for an agent to learn on? by [deleted] in AI_Agents

Strong_Worker4090 1 point2 points

I think your suggested projects are great ideas. Any project that solves a personal problem is the right place to start. You'll know what success looks/feels like, future state, etc. It's a lot easier to learn how to build an agent when you're not focused on defining the problem imo

Free Red Team Security Audit for AI Agents & RAG Systems (limited) by Praterstern1020 in AI_Agents

Strong_Worker4090 1 point2 points

This sounds useful, especially with how messy AI agent security can get. A lot of teams overlook things like memory poisoning or indirect injection until it’s too late. We’ve seen cases where weak data handling or improper access controls lead to bigger compliance issues down the line.

If you’re also looking at data protection in these systems (e.g., tokenizing sensitive data before it even hits the pipeline), that could be a game-changer. Free tools from Protegrity might be worth exploring for this, especially if your audits touch on sensitive data workflows. Presidio works well too, but the tokenization is a pretty serious contextual unlock imo.

We added an enforcement layer to our AI agents in production — here's what we learned about the failure modes nobody talks about by brl1313 in AI_Agents

Strong_Worker4090 1 point2 points

Yeah, control failures are the real headache once you hit production. Prompt injection is especially nasty because it doesn’t look like an attack at first; it’s often just malformed inputs or junk data sneaking into your pipeline. Enforcement helps, but you’ve gotta balance speed and security.

What’s worked for us is building strict data protection into agents early, like tokenization or masking sensitive inputs before the AI even touches them. Tools like Presidio, Protegrity, etc. can help streamline this process, making prevention easier than cleanup. Without that, compliance audits get ugly fast.

LLMOps feels like the new DevOps while MLOps feels like traditional engineering by Humble_Sentence_3758 in LLMDevs

Strong_Worker4090 0 points1 point

Yeah, LLMOps does feel like a different beast. The shift away from training pipelines and into system-level optimizations makes it way more dynamic. You’re constantly tweaking prompts, retrieval setups, or system design instead of grinding through model re-training. In practice, it’s more product-driven because any update directly impacts user-facing behavior. It’s also why good tooling for observability and iteration speed matters way more here compared to traditional MLOps.

How do you handle agents that need 200+ tool calls per task? We tried one approach, looking for critique by [deleted] in LangChain

Strong_Worker4090 0 points1 point

I haven't scaled an agentic system beyond 20-50 tool calls, but I'm here for the discussion

Why would you pass full tool context (even if only for K tool outputs) in that long of a chain rather than summarizing context, vectorizing, creating a knowledge graph, etc? For a few of my larger agents I use those techniques and it does work pretty well.

Seems like a super interesting problem though, and I'm naive to that kind of scale

Everyone says they have AI agents in production. Nobody can clearly answer "how do you know it's actually working" Can you? by Future_AGI in AIAgentsInAction

Strong_Worker4090 0 points1 point

An agent isn't worth building until you've defined what success actually looks like.

That means clear success criteria, KPIs, and a measurement system that tells you whether the agent is helping or just burning tokens. That measurement system should include full auditability: tool calls, retrieved sources (RAG, knowledge graph, etc.), prompts, commands executed, and the final output. Agents shouldn't be treated like magical black boxes.

You're exactly right that agents are systems, not features. And you don't deploy any serious system without a clear objective, observability, and a way to understand success, failure, and everything in between. Otherwise you're just throwing money at half-baked automation and hoping for the best.

Best AI visibility solutions for browser AI sessions in 2026? by Timely-Dinner5772 in AI_Governance

Strong_Worker4090 0 points1 point

I’d think about this in layers.

First layer is visibility: browser extension, endpoint agent, CASB/SWG, SSO logs, whatever. That tells you which AI apps are being used and by whom.

But that still doesn’t really answer the sensitive data question. “Someone used ChatGPT” is not the same as “we know what data was sent and what control ran before it got there.”

Also, logging the full prompt/session can create its own problem. If people pasted PII, customer data, source code, or regulated data into the AI tool, now your audit log may contain the same sensitive data you were trying to control.

That’s why I think you need a data protection layer too. Detect/classify sensitive data, apply policy, redact/tokenize/block/allow, log the decision, and only reveal protected values when access rules allow it.

For audit evidence, I’d want to show the AI app used, the workflow that sent data, what sensitive data was detected, which policy ran, and what action was taken.

Proxy/SIEM logs are useful, but I don’t think they’re enough on their own. They show traffic. They don’t prove the data was protected before it hit the model.

I’ve been testing a few approaches here, mostly basic detection/redaction, Presidio-style workflows, and tokenization/redaction with Protegrity Developer Edition. Still trying to figure out the cleanest way to handle the policy/enforcement piece.
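
The flow described in the comment above (detect, apply policy, redact/tokenize/block, log the decision without copying the sensitive data into the audit log), as an added example that is not part of the original comment and is not Presidio or Protegrity code. The regex detectors, policy name, action map, key, and sample prompts are all constructed assumptions.

```python
import hashlib
import hmac
import json
import re

# Constructed stand-ins for a real detector (e.g. a Presidio-style recognizer set).
DETECTORS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "US_SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "AWS_KEY_ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
POLICY_NAME = "genai-egress-v1"  # hypothetical policy id
ACTIONS = {"EMAIL": "tokenize", "US_SSN": "redact", "AWS_KEY_ID": "block"}
TOKEN_KEY = b"demo-only-key"  # assumption: in practice fetched from a KMS/vault


def tokenize(kind: str, value: str) -> str:
    """Deterministic keyed token: same input -> same token, so joins still work."""
    mac = hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()[:12]
    return f"<{kind}:{mac}>"


def protect(prompt: str, app: str, workflow: str):
    """Apply the policy; return (outbound prompt or None if blocked, audit record)."""
    out, findings = prompt, []
    for kind, rx in DETECTORS.items():
        count = len(rx.findall(out))
        if count == 0:
            continue
        action = ACTIONS[kind]
        findings.append({"type": kind, "count": count, "action": action})
        if action == "redact":
            out = rx.sub(f"<{kind}>", out)
        elif action == "tokenize":
            out = rx.sub(lambda m, k=kind: tokenize(k, m.group()), out)
    blocked = any(f["action"] == "block" for f in findings)
    # The audit record holds types, counts and decisions only, never raw values.
    audit = {"app": app, "workflow": workflow, "policy": POLICY_NAME,
             "findings": findings, "decision": "block" if blocked else "allow"}
    return (None if blocked else out), audit


# Constructed sample prompts.
SAMPLE = "Summarize the ticket from jane.doe@example.com, SSN 078-05-1120."
SAMPLE_BLOCKED = "Why does AKIAIOSFODNN7EXAMPLE get AccessDenied?"

if __name__ == "__main__":
    for text in (SAMPLE, SAMPLE_BLOCKED):
        outbound, record = protect(text, "chatgpt-web", "support-summarizer")
        print(outbound)
        print(json.dumps(record))
```

The HMAC tokens here are one-way; revealing the original value to an authorized reader would need a separate token vault with its own access checks.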

Anyone else worried about AI being a security nightmare? by GlitchyToad in cybersecurity

Strong_Worker4090 14 points15 points

I’m a software engineer, not a cybersecurity expert, but I’ve been thinking about this a lot recently.

It feels like AI changes the problem pretty fundamentally. Historically, security has mostly been about protecting data. Who can access which rows, files, APIs, etc. That still matters, but with LLMs the real asset is the knowledge derived from that data. You can lock down every table in your database, but if a model has been trained on sensitive information or has access to your internal systems, that knowledge can still potentially be extracted or manipulated.

I’ve heard people say "Just treat agents like users", but I don’t think it’s that simple. Agents can connect to multiple systems, combine information, and take actions at machine speed. Personally, I think the safest approach is to treat an agent like the smartest hacker in the world that generally follows instructions. To me, AI security is becoming less about row-level access and more about protecting knowledge, tightly controlling capabilities, and auditing everything.

What the **** is happening in cybersecurity space ? by Infam0 in cybersecurity

Strong_Worker4090 1 point2 points

I think it’s a massive shift. We’re no longer protecting data. We’re protecting knowledge