Britain’s National Cyber Security Centre warned Tuesday that a rise in so-called “vibe coding” could reshape the software-as-a-service industry while introducing new cybersecurity risks if organizations fail to adapt.

The warning coincides with remarks by NCSC chief executive Richard Horne at the RSA Conference in San Francisco, where he urged security professionals to ensure AI coding tools become “a net positive for security.”

Highlighting, again, how digital societies are facing a surge in cyberattacks exploiting classes of software vulnerabilities that are known about and can be fixed, Horne said there was a risk AI tools would simply propagate the production of insecure software.

His comments follow a sharp market sell-off in shares in software and cloud companies in February driven by investor concerns that “vibe coding” — a term used to describe software developed using AI tools and minimal human input — could reduce demand for subscription-based SaaS platforms.

“The attractions of vibe coding are clear,” Horne told RSA. “Disrupting the status quo of manually produced software that is consistently vulnerable is a huge opportunity, but not without risk of its own. The AI tools we use to develop code must be designed and trained from the outset so that they do not introduce or propagate unintended vulnerabilities.”

In a blog post published alongside the speech, the NCSC said advances in AI-assisted software development are already changing how organizations approach writing code, potentially setting the stage for a significant disruption of the SaaS model over the next few years.

Describing the February sell-off as “a billion-dollar wobble” — and referencing the term “SaaSpocalypse” — the agency cited anecdotal examples of developers using AI tools to build replacements for SaaS products in a matter of hours, particularly in response to rising subscription costs or feature restrictions.

The SaaS industry has dominated enterprise IT by offering subscription-based access to software while offloading infrastructure, maintenance and security to vendors.

In its blog post on Tuesday, the NCSC said this dynamic could shift as AI tools make it faster and cheaper to build “bespoke enough” software in-house — driven by the same business incentives that triggered the rise of SaaS companies themselves and the early uptake of cloud computing.

But it warned that AI-generated code can be unreliable, difficult to maintain and prone to security flaws, increasing the chance that vulnerable systems could be deployed if those behind the vibe-coded systems were too tolerant of the risks.

The NCSC urged organizations to prioritize security as the technology develops, including ensuring AI systems generate secure code by default, verifying the integrity of models and expanding the use of automated code review and testing.

“If security professionals don’t lean in from the start, the landscape will evolve without this crucial input, as was arguably the case in the early years of cloud adoption,” the blog post stated.

“A challenge the security community will face is that no one yet knows exactly what we need to introduce to ensure the ‘vibe coded future’ is a safer one... if we face this challenge head on from the start, we have a chance to introduce some strong security fundamentals.”

The NCSC said any disruption to SaaS is likely to take place over several years, with adoption varying depending on system complexity and organizations’ risk tolerance.

But the agency said it could “easily imagine” that the only companies in the sector that will survive will be those “that can’t be easily replaced with a vibe-coded alternative, perhaps because their services have themselves become critical to a business, or there are regulatory requirements they meet, or they simply have a critical mass of data across customers.”

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow at the European Cyber Conflict Research Initiative, now Virtual Routes. He can be reached securely using Signal on: AlexanderMartin.79