Shift Right in the Vibe Coding era

Jacob Henricson

Co-founder and CEO

The security world, for as long as I’ve been in it, has hoped for the “shift left” philosophy to save security. The idea, originally coined by Larry Smith in 2001, is a simple philosophy: the sooner you catch vulnerabilities and other security problems in software development or deployment, the better and less costly it will be.

It makes perfect sense. It appeals to the same instinct as old maxims such as “if a job’s worth doing, it’s worth doing well” and other truths from the Farmers’ Almanac. The problem is that it goes against human nature. At least against the creative part of human nature.

Humans, in general, can be categorized in two groups: the creators and the caretakers. The caretakers invented “shift left” because they were the ones who had to take care of all the sloppy solutions generated by the creators. Shift left makes perfect sense to them.

But the creators don’t like to think in advance. They like to tinker. They like the “what if I…” approach to life that results in fantastic innovation, but also introduces risks. And they are generally the ones making money for the corporations they work for, so they win: shift left will never be the only answer.

The recent AI revolution has made the challenge much, much greater. Vibe coding is everything the “shift left” movement hates. But it is changing the world and it will not be stopped by some well-intentioned defenders.

The last few days’ commotion around Clawdbot proves my case in point: a scrappy “agent-in-your-DMs” bot went viral because it lets anyone wire a general-purpose LLM straight into real messaging channels and tooling—exactly the kind of frictionless power creators love and caretakers fear. It shipped fast, drew immediate security warnings about untrusted inputs and prompt-injection, and even got forced into a rename (now “Moltbot”) after brand pressure.

Moltbot didn’t “Shift Left.” It shipped first and dealt with the guardrails later. That is the new reality of software. Progress will not wait for a security audit.

In a vibe-coded world, where the attackers also have access to LLMs, the threat isn’t just a problem with your code: it’s the way your infrastructure, your perimeter, and your internal identities suddenly get exposed to the world. Doing a pentest once a year is not enough.

This is why we are building Hedgehog. It gives creators the freedom to tinker, test, and experiment in the wild, while providing an intelligent safety net that catches critical failures before they go over the edge of the waterfall.

Progress will not be stopped. It is time to boost the Shift Right movement. Using AI tools for coding will continue whether we like it or not, but using AI for security allows us to keep up with the speed of change around us.

Good news for the creative people out there. Good news for mankind. Less boring.