Replit could win the vibe coding market
Security vulnerabilities are proliferating because of vibe coding, and it's important to vibe code responsibly. Turns out, companies are working on this problem.
Replit recently announced a set of features meant to help their users generate applications that don't have common security vulnerabilities:
— Amjad Masad (@amasad) March 15, 2025
The two things they added that will probably help are Auth and "Security."
Auth is pretty straightforward: in addition to various built-in cloud services like hosting, databases, and analytics, Replit now offers authentication. This not only saves users time (auth can be surprisingly tricky), but also reduces the likelihood of an insecure authentication implementation.
"Security" is a bundle of things:
- The agent now won't modify any important config files.
- There will be security warnings around things like pasting API keys into the agent chat.
- A new feature called Security Scan will look through the codebase and surface any common security issues.
Security Scan is the key thing. Vibe coders aren't cybersecurity experts, and they shouldn't have to be. Replit stands in as their security expert.
Replit is in an interesting position relative to its code-generation competitors, such as Lovable and Cursor. There's a kind of spectrum running from Lovable to Cursor, and Replit falls in the middle:
- Lovable: No IDE, just a text-to-code agent. The developer experience is almost fully abstracted.
- Replit: Web-based IDE with text-to-code and embedded cloud services.
- Cursor: Traditional IDE with agent and autocomplete capabilities.
While Cursor's revenue growth has been remarkable, I have some questions about Lovable's durability.
Replit, though, could end up being the winner. With their foundation of a web-based IDE and embedded cloud services, they could end up combining the best of both ends of this spectrum. That is, an abstracted developer experience for vibe coders that offers all the things you need to power a great app – including, now, automated security review.
Reportedly, Replit's revenue has accelerated significantly since they introduced the agent feature:
— Arfur Rock (@ArfurRock) March 18, 2025
I could see this trend continuing for the foreseeable future. The only thing is Replit doesn't seem to have as much virality and word of mouth as its competitors. Not sure why that is. If I were running Replit I would prioritize cracking that. (Creating drama with Lovable's CEO helps but it isn't the solution.)