
When to Hire a Developer vs When to Keep Vibe Coding

The seven stage-of-product signals that tell you your AI-built app has outgrown DIY. Regulated data, SLA commitments, real onboarding, multi-region, diligence, security reviews, audits.

By WitsCode · 10 min read

The question founders ask is almost always framed wrong. It is not whether vibe coding is good enough or whether AI will replace developers. It is whether your product, today, has hit a specific event that requires artifacts a prompt cannot produce. Most founders who prompt their way to revenue can keep prompting for a long time. But there are seven very specific signals that collapse the decision. When any of them hit, the answer stops being philosophical and starts being operational. You either produce the artifact or you lose the customer, the deal, the audit, or the region.

This article names all seven signals. Not vague maturity curves, not lifecycle charts. The precise trigger event, the concrete thing a buyer or regulator or investor is demanding, and the thing you need to hire for in response. If you can read through and say none of these apply yet, keep shipping with Lovable, Bolt, Cursor, or Claude Code. If two of them have hit in the last ninety days, the decision is already made and you are just negotiating with yourself about how long you can delay it.

Signal One: Regulated Data Is About To Enter The Product

The moment a user is going to type PHI, card data, EU personal data under strict lawful basis, or SOC 2 scoped financial data into your product, your stack needs contracts and configurations that vibe coding does not produce. HIPAA is the sharpest example. If you are going anywhere near patient data, every subprocessor in the stack has to sign a Business Associate Agreement. Supabase offers a BAA only on the Team plan with a specific add-on enabled. Vercel requires the Enterprise tier for a BAA. OpenAI requires Zero Data Retention and a signed BAA, not just a checkbox in settings. Stripe handles its own compliance scope but only if you use their elements properly. A vibe coder who wires these together with default free-tier configurations has already broken compliance before the first patient signs up.

PCI is just as specific. If your checkout touches card data directly, even for one second, you are in scope for SAQ D, which is a multi-month internal project. If your stack uses Stripe Elements, Stripe Checkout, or a hosted payment page and the card number never hits your servers or your client bundle in raw form, you qualify for SAQ A, which is tractable. The line is narrow and AI tooling will happily generate a custom card form that puts you on the wrong side of it.
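One way to make that SAQ A boundary enforceable in code rather than by hoping nobody adds a card form: an added example (not from the article or any vendor) of a Node request-body guard that refuses anything card-shaped and Luhn-valid before a handler can log or store it. It assumes Express-style `req`/`res`/`next` and a parsed JSON body.

```javascript
// Added example, not from the article: a guard that keeps raw card numbers
// off the backend so a generated "custom card form" cannot quietly pull the
// server into SAQ D scope. Assumes Node 18+ and Express-style middleware
// with parsed JSON bodies (req.body).

// Luhn mod-10 check, which every real PAN passes.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Heuristic: 13-19 digits once spaces and dashes are removed, and Luhn-valid.
// Order numbers and timestamps rarely satisfy both conditions.
function looksLikePan(value) {
  if (typeof value !== 'string') return false;
  const digits = value.replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Walk a parsed JSON body; return a JSON path for every PAN-like leaf.
function findPanPaths(body, path = '$') {
  if (Array.isArray(body)) {
    return body.flatMap((v, i) => findPanPaths(v, `${path}[${i}]`));
  }
  if (body !== null && typeof body === 'object') {
    return Object.entries(body).flatMap(([k, v]) => findPanPaths(v, `${path}.${k}`));
  }
  return looksLikePan(body) ? [path] : [];
}

// Middleware: refuse the request before any handler can log or persist the
// value. Only the field path is logged, never the value.
function rejectRawCardData(req, res, next) {
  const hits = findPanPaths(req.body);
  if (hits.length === 0) return next();
  console.warn(`raw card number rejected at ${hits.join(', ')}`);
  return res
    .status(400)
    .json({ error: 'Card data must go through the hosted payment element, not this API.' });
}
```

Mount it in front of every route that is not the payment provider's webhook; a rejection in the logs is the earliest possible signal that a form on the client is posting PANs to you.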

The concrete trigger here is the first customer request that requires regulated data, or the first time you realize your current users are already entering it. The hire is someone who can map subprocessors, get BAAs signed, enforce Zero Data Retention on LLM calls, and stand up audit logging. You cannot prompt your way through a BAA negotiation with a Fortune 500 vendor legal team.

Signal Two: A Customer Asks For An Uptime SLA

The second signal is the clause in the master service agreement. A mid-market buyer sends a redline and inside the operational addendum there is a line requiring 99.9% monthly uptime, with service credits for missed targets. That number means forty-three minutes of allowed downtime per month. It is a real commitment with real money on the other side, and the infrastructure to back it up is not something you ship from a prompt.

A credible 99.9% SLA requires, at minimum, independent uptime monitoring from outside your hosting provider, because your provider will not catch a DNS failure. It requires a public status page where incidents are posted with timestamps, because without one the customer cannot verify credits. It requires an on-call rotation with a pager that actually wakes someone up, because an incident that starts at 2am Pacific does not wait until you open your laptop. And it requires a post-incident review process that produces an RCA document the customer can audit. Tools like Better Stack or Checkly handle the monitoring. Statuspage or Instatus handle the communication. PagerDuty or Incident.io handle the rotation. None of that wires itself together, and none of it is free.

The trigger is the first redlined SLA clause you cannot honestly accept. The response is either to negotiate down to 99.5% with no credits, which some enterprise buyers accept for early-stage vendors, or to hire someone to stand up the SLA primitives and own the pager. If you sign the clause and miss the number, you will pay credits out of revenue you cannot afford to rebate.

Signal Three: Your Second Person Needs Production Access

The third signal is the least dramatic and the most commonly ignored. You hire a contractor, a second engineer, or a customer success lead who needs real access to production to do their job. Suddenly the entire stack, which has been running on the tacit memory in your head, has to become legible to another human in the room.

Vibe-coded products run on founder memory in a way founders rarely notice until they try to transfer it. Which Lovable project owns the marketing site. Where the production env vars live and why three of them have the same name with different prefixes. Why there is a row-level security policy on the users table with a special exception for staff emails ending in your domain. How you deploy to staging versus prod and which branch triggers which build. The runbook that exists in your head is not a runbook. It is a habit.

A real runbook is a written document with an architecture diagram, a service inventory listing every third-party account and who owns the billing, an env-var catalogue documenting what each variable does and where its source of truth lives, a deploy procedure that anyone on the team could follow alone at midnight, an incident playbook with the first three steps of any outage response, and a credentials rotation schedule. Producing one takes roughly two focused weeks. Most founders do not have two focused weeks. The hire is either the engineer who writes it as their onboarding project, or a contractor who produces it as a deliverable.
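The env-var catalogue is the piece of that runbook that can be checked mechanically. Here is an added example (not from the article) of a small audit that scans source text for `process.env.NAME` references, compares them with a catalogue, and reports exactly the failure modes above: undocumented variables, stale entries, entries with no owner or source of truth, and one name under several framework prefixes. The catalogue shape and the sample inputs are constructed for the example.

```javascript
// Added example, not from the article: makes the env-var catalogue enforceable.
// Scans source text for process.env.NAME, cross-checks a catalogue, and reports
// undocumented vars, stale entries, entries missing owner/source of truth, and one
// name under several framework prefixes. Node 18+; sample data is constructed.

const KNOWN_PREFIXES = ['NEXT_PUBLIC_', 'VITE_', 'REACT_APP_', 'PUBLIC_'];

// Every distinct process.env.X reference in one source string.
function referencedEnvVars(source) {
  const names = new Set();
  for (const m of source.matchAll(/process\.env\.([A-Z][A-Z0-9_]*)/g)) names.add(m[1]);
  return [...names].sort();
}

// NEXT_PUBLIC_SUPABASE_URL and SUPABASE_URL collapse to the same base name.
function baseName(name) {
  const p = KNOWN_PREFIXES.find((x) => name.startsWith(x));
  return p ? name.slice(p.length) : name;
}

// catalogue: { NAME: { description, owner, sourceOfTruth } }
function auditEnvCatalogue(sources, catalogue) {
  const used = new Set(sources.flatMap(referencedEnvVars));
  const documented = Object.keys(catalogue);
  const complete = (n) => ['description', 'owner', 'sourceOfTruth'].every((f) => catalogue[n][f]);
  const groups = new Map();
  for (const n of new Set([...used, ...documented])) {
    groups.set(baseName(n), [...(groups.get(baseName(n)) || []), n]);
  }
  return {
    undocumented: [...used].filter((n) => !Object.hasOwn(catalogue, n)).sort(),
    unused: documented.filter((n) => !used.has(n)).sort(),
    incomplete: documented.filter((n) => !complete(n)).sort(),
    prefixClashes: [...groups.values()].filter((g) => g.length > 1).map((g) => g.sort()),
  };
}

// Constructed sample: three source snippets and a catalogue with typical gaps.
const SAMPLE_SOURCES = [
  'const db = createClient(process.env.SUPABASE_URL, process.env.SUPABASE_SERVICE_ROLE_KEY);',
  'const sb = createBrowserClient(process.env.NEXT_PUBLIC_SUPABASE_URL, process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY);',
  'const openai = new OpenAI({ apiKey: process.env.OPENAI_API_KEY });',
];
const SAMPLE_CATALOGUE = {
  SUPABASE_URL: { description: 'Project URL (server)', owner: 'founder', sourceOfTruth: 'Supabase dashboard' },
  NEXT_PUBLIC_SUPABASE_URL: { description: 'Same URL, shipped to the browser', owner: 'founder', sourceOfTruth: 'Supabase dashboard' },
  SUPABASE_SERVICE_ROLE_KEY: { description: 'Server-only admin key', owner: 'founder' }, // no source of truth recorded
  STRIPE_WEBHOOK_SECRET: { description: 'No longer referenced', owner: 'founder', sourceOfTruth: 'Stripe dashboard' },
};
const runSample = () => auditEnvCatalogue(SAMPLE_SOURCES, SAMPLE_CATALOGUE);
```

Run it in CI against the real source tree and a committed catalogue file, and the catalogue stops drifting the day the second person joins.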

The trigger is the day your second person says they cannot do their job without access to something only you understand. Ignoring this signal is how small teams lose a week to a deploy bug that took the founder thirty seconds to diagnose last Tuesday and now nobody else can touch.

Signal Four: A New Region Starts Costing You Latency Or Compliance

The fourth signal fires when a meaningful percentage of your users lives in a region your stack does not serve well. Vibe-coded stacks almost always ship from a single region by default. Supabase projects create in us-east-1 unless you pick otherwise. Vercel functions run in iad1 unless you configure regions explicitly. If your users are in Sydney, Singapore, or Frankfurt, page loads that feel fine from your San Francisco home office feel broken from theirs. When ad spend starts converting worse in a specific region, the cause is often latency rather than targeting.

There is also a compliance form of this signal. A European customer requires that their data stay in the EU. An Indian enterprise customer, after the 2023 data protection law, requires local storage. These requirements cannot be met by adding a CDN. They require a region-aware architecture, either a separate database project per region with routing at the edge, or read replicas with write-region pinning, or a full tenant isolation model.

Multi-region is architectural work that compounds. Building it at fifty customers is an ordinary project. Building it at five thousand customers after you have made every wrong assumption is a six-month migration. The trigger is the first piece of evidence that region matters, whether that is a latency graph or a procurement document. The hire is someone who designs the topology before you are forced into it by scale.
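To show what "read replicas with write-region pinning" plus a residency requirement looks like as an actual routing decision, here is an added example (not from the article or any provider's SDK). The region table, the tenant records and the endpoint URLs are constructed placeholders; the point is that the residency rule is enforced in the resolver, not by convention.

```javascript
// Added example, not from the article: a routing decision for the
// "read replicas with write-region pinning" topology, with data residency
// enforced in code. Region table, tenants and URLs are constructed
// placeholders for this example, not real endpoints.

// Constructed topology: each region belongs to a residency zone and has a
// (placeholder) database endpoint. Replicas serve reads; only the home writes.
const REGIONS = {
  'us-east-1': { zone: 'us', url: 'https://db-us-east-1.example.invalid' },
  'us-west-2': { zone: 'us', url: 'https://db-us-west-2.example.invalid' },
  'eu-central-1': { zone: 'eu', url: 'https://db-eu-central-1.example.invalid' },
  'eu-west-1': { zone: 'eu', url: 'https://db-eu-west-1.example.invalid' },
  'ap-southeast-2': { zone: 'apac', url: 'https://db-ap-southeast-2.example.invalid' },
};

// Decide where a request for `tenant` goes. `mode` is 'read' or 'write';
// `edgeRegion` is where the request arrived (the CDN or edge runtime region).
function resolveDataPlane(tenant, edgeRegion, mode) {
  const home = REGIONS[tenant.homeRegion];
  if (!home) throw new Error(`unknown home region ${tenant.homeRegion}`);
  // Residency is a hard constraint: the home region must sit in the zone the
  // tenant's contract requires, regardless of what any caller asks for.
  if (tenant.residency && home.zone !== tenant.residency) {
    throw new Error(`tenant ${tenant.id} pinned to ${tenant.homeRegion} outside required zone ${tenant.residency}`);
  }
  // Writes are pinned to the home region so there is one source of truth.
  if (mode === 'write') return { region: tenant.homeRegion, url: home.url, replica: false };
  // Reads may use the replica nearest the edge, but only inside the permitted zone.
  const allowedZone = tenant.residency || home.zone;
  const edge = REGIONS[edgeRegion];
  if (edge && edge.zone === allowedZone && edgeRegion !== tenant.homeRegion) {
    return { region: edgeRegion, url: edge.url, replica: true };
  }
  return { region: tenant.homeRegion, url: home.url, replica: false };
}
```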

Signal Five: An Investor Asks For The Diligence Pack

The fifth signal comes wrapped in good news. You signed a term sheet. Now the legal and technical diligence checklist lands in your inbox and it is six pages long. Investors at seed and beyond expect a standard set of artifacts, and the list has expanded in the last two years specifically because of AI-generated code.

Expect to produce an architecture diagram, a data flow diagram showing PII movement, a software bill of materials listing every dependency and its license, a complete subprocessor list, your security policies, any pen test results, IP assignment confirmations for every line of code in the repo, and sometimes a code escrow agreement. The IP piece has gotten sharper. AI-generated code has ambiguous copyright status in US and EU jurisdictions, and investor counsel is now asking founders to warrant that the code is original or licensed. You need a clear story about which tools you used, what licenses they came under, and why your ownership claim holds.

Founders try to produce this pack themselves while negotiating the round and it goes badly. Diligence takes attention you do not have and produces documents that need to be precise. The hire is a fractional CTO, a specialized diligence consultancy, or an agency that has done this work before. A thorough one-off diligence pack for a small AI-built product runs somewhere between five thousand and fifteen thousand dollars. It is a rounding error against the round and it is one of the highest-leverage hires a closing founder can make.

The trigger is the arrival of the diligence list. The response is to triage immediately, because nothing on that list can be generated in a weekend.

Signal Six: A Customer Sends A Security Questionnaire

The sixth signal looks like an email from procurement with an attached spreadsheet. It is a vendor security questionnaire, sometimes a SIG Lite, sometimes a CAIQ, sometimes a custom internal form with two hundred questions. It is the enterprise buyer's way of deciding whether you are a supply chain risk.

The questions are specific and most vibe-coded products cannot answer half of them truthfully. Encryption at rest and in transit. SSO support, which usually means SAML or OIDC and has not been added to your stack. Role-based access control that distinguishes admin, member, and read-only. Audit logging with retention windows. Data retention and deletion policies that match your privacy notice. Backup and recovery with measurable RTO and RPO. Incident notification SLA, often twenty-four hours or less. Penetration test date and remediation status. SOC 2 or ISO 27001 status.

The temptation is to answer generously and hope nobody checks. This is the worst possible choice. If the answers do not hold up during the follow-up call, you lose the deal and the relationship. Enterprise security teams talk to each other, and a vendor flagged for misrepresenting controls gets deprioritized across portfolios.

The trigger is the first questionnaire you cannot answer with full confidence. The hire is someone who gap-analyzes the questionnaire, produces a remediation plan with real timelines, and either executes it or negotiates a conditional approval with the customer based on the committed plan. This work is usually a project rather than a long-term engagement, but it is not work the founder can do alone in the week before the answers are due.

Signal Seven: You Commit To A Compliance Audit

The seventh and heaviest signal is the moment you sign the engagement letter for a SOC 2 Type I or Type II, an ISO 27001 certification, or a HIPAA audit. Each of these is a multi-month project that makes the other six signals look small.

SOC 2 Type II is the modal enterprise ask. It requires documented policies covering change management, access control, incident response, vendor management, business continuity, and around fifteen more topics. It requires continuous evidence collection, which is what tools like Vanta, Drata, and Secureframe were built for. It requires mapped controls from your policies to every service in your stack, quarterly access reviews, vulnerability scans, an annual third-party penetration test, and employee security training. The audit itself observes a three- to twelve-month window. HIPAA and ISO 27001 have overlapping but distinct requirements.

A solo founder cannot run a compliance audit while also being the only engineer shipping features. The math does not work. The hire before the engagement letter is signed is either your first full-time engineer with compliance experience, or an agency with a compliance practice that runs the program while you continue to ship product. Founders who try to do both end up delaying the audit by six months, which then delays the enterprise deal that drove the audit in the first place.

The trigger is the commitment, not the completion. Hire before you sign.

How To Use The Seven Signals

If none of these signals has fired, keep prompting. Vibe coding is the correct answer for a product that has not yet run into the operational edges where artifacts matter more than code. Most products, most of the time, live in that zone and should stay there as long as they can.

If one signal has fired, you have time. Treat it as a focused project with a clear end state. Produce the artifact, close the gap, and return to shipping. Most single signals do not require a permanent hire. A specialist or an agency on a defined engagement is usually the right shape.

If two or more signals have fired in the last ninety days, the question has already been answered. You are no longer early, your product has real obligations, and continuing to operate as a solo vibe coder will cost you a deal, an audit, an outage, or a customer within the next ninety days. The hire is not a philosophical question about the future of development. It is a response to a present-tense operational fact.

The last mile of a vibe-coded product is not the code. It is the contracts, the configurations, the documents, and the humans who answer pagers. If you have hit two signals and you are reading this to confirm you still have time, you do not. The work that comes next is the work WitsCode exists to do, and the move is to start the conversation now, while the signal is fresh and the deal is still on the table.
