
There are three ways to get value out of digital tools right now: buy a SaaS product, vibecode something yourself, or have a tool custom built. And almost everyone offering advice on which one to pick is selling one of the three. The SaaS company says custom is a money pit. The AI platforms say you can build it yourself in a weekend. The agency says you are never going to get what actually works for you off the shelf.
We run an agency. So we have a horse in this race too (a beautiful horse, very fast, great teeth). Which is exactly why we wanted to write the version of this advice we would actually want to receive: when each option is probably the right call, and how to tell which situation you're in.
Most of the creators we work with are building product businesses. But this decision is the same shape whether you're launching a membership app or replacing a creaky internal tool at a 9,000-person company (which we've also done, for what it's worth).
Think of it like where you're going to live
SaaS is renting a condo. You move in fast, someone else handles the plumbing, but you don't get to move the walls. Vibecoding is assembling a prefab: quick, cheap, great for a guest house, questionable for the place you'll raise your kids. Custom is hiring an architect: slower and more expensive, but the building gets shaped around your life instead of the other way around.
Nobody tells you the condo is fine. Their whole business depends on you wanting the house.
When should you just buy the SaaS?
Here's the rule, and we'll say it even though it costs us work: if an off-the-shelf tool covers 80 percent or more of what you need, and the missing 20 percent isn't your competitive differentiator, buy the tool. Don't let anyone (including people who do what we do for a living) talk you into custom-building what Stripe or Notion already solved.
SaaS also wins when the vendor carries the scary stuff for you. Payments, email delivery, analytics, CRM: these are solved problems with compliance and security baked in. Stripe has spent hundreds of millions of dollars on fraud prevention. You are not going to recreate that with a weekend and a prompt, and you shouldn't try.
The practical test is whether the tool bends to you or you bend to the tool. Standard workflows, no integration weirdness, and a gap that doesn't touch your secret sauce? That's condo life. Enjoy the pool. 🏖️
When is vibecoding completely fine?
We'll keep saying this until it sticks: vibecoding is not the enemy. It's a legitimate tool, and the question was never whether it's "real" development. Vibecoding is about choosing where to spend your attention.
Internal tools. Prototypes. Proof of concepts. The landing page for the thing you're not even sure you're launching yet. If nobody's building a business on top of it, ship it fast and feel zero guilt. (One of our engineers, Santiago, vibecoded an offside detector to double-check some of FIFA's calls. It is fun, it is useful, and if it breaks nobody gets hurt.)
The rule: vibecode anything you'd be comfortable throwing away. If the honest answer to "what happens if this breaks in six weeks?" is "we'd shrug and rebuild it in an afternoon," you've found a perfect candidate.
Where do SaaS and vibecoding break down?
SaaS breaks when your workflows are your competitive advantage and you're contorting them to fit the tool. Every workaround becomes the new normal. Every "good enough for now" lowers the bar for next time, until the exception is the rule. It breaks when the trust story has to be yours: when a customer asks "where does my data live?" and your honest answer is "wherever our vendor decided," that's a real problem in regulated industries or enterprise procurement. And it breaks on resilience. The vendor's roadmap drifts from yours, or they get acquired, or they sunset the exact feature your whole process leans on. You inherit their priorities whether they match yours or not.
Vibecoded tools break the moment the thing needs to last, scale, or earn trust. A recent study analyzed over 1,500 vibecoded websites and found the same tells over and over: the signature purple gradient nobody asked for, the same icon-card grids, the same glassmorphism and default fonts. And you know the rest of the genre when you see it: the fake testimonial from "Sarah P." and her AI-generated headshot, the social icons linking to pages that don't exist. The look is recognizable because the process is recognizable: skip the thinking, ship the output, deal with it later. Fine for something internal. Tough look for your customers.
The security version of that story is worse. Researchers who audited 5,600 vibecoded apps this year found more than 2,000 vulnerabilities across them, plus 400-plus exposed secrets: API keys, database credentials, and access tokens sitting in public. One vibecoded social app got breached within three days of launch because the database had no access controls at all: over a million user tokens walked out the door. 😬
That's the kind of thing that gets an agency like ours fired, or someone like you sued into a billion pieces. These tools are genuinely useful and they're making our own work faster. But the gap that never closes on its own is whether someone with judgment is directing them. Even the most AI-pilled engineers we know will tell you the same thing: run real end-to-end tests, add monitoring, never skip review.
Five questions to ask before you build custom software
So say you've concluded you actually need something custom. Don't evaluate partners on whether they use AI. Everyone uses AI now, or they should be. Evaluate them on judgment. Ask these:
- Who with real experience and taste is shaping what goes in, and what comes out?
Prompts are cheap. The person deciding which output is good enough to ship is not. - Is the architecture designed for what comes after launch, or just for launch day?
Launch day is the easy part. What happens on day 400 is the expensive part. - Do they know when NOT to use AI?
A partner who reaches for AI on everything is telling you they haven't thought about where it fails. - Are security, compliance, and resilience designed in from the start, or bolted on after the first audit?
Bolted-on security is how you end up as one of those apps leaking secrets in public. - Can the system absorb the next thing (a new regulation, a new integration, 10x the traffic) without a rebuild?
If the answer is "we'd have to start over," you're renting a house you paid to own.
The answers tell you what's getting real thought versus what's getting skipped in a single prompt.
The bottom line
Most of you don't need custom software. We mean that. If an off-the-shelf tool covers your needs, buy the tool. If the thing is disposable, vibecode it and go touch grass with the time you saved.
But when you do need custom, you'll know, because the other two options stopped working and you can say exactly why. That's the tell. Not a sales deck, not a weekend prompt, not a vendor's roadmap: your own workflows outgrowing the box you tried to fit them in.
And yes, we'd love to be the ones who build it for you. 😉


















