Skip to main content
Back to blog

Building with AI Without Vibe Coding: The Engineering Architecture of SecuAAS

Olivier Lange
Building with AI Without Vibe Coding: The Engineering Architecture of SecuAAS

Author: Olivier Lange, President & Founder — SecuAAS Inc.
Date: April 2026  |  Reading time: 12 minutes

Introduction

18 months ago, I coded alone. Today, 10 AI agents work in parallel on our cybersecurity products, push code to production on Kubernetes clusters, and operate across 79 repositories.

When I shared this on LinkedIn, the conversations that followed — privately, with partners, potential investors, colleagues in cybersecurity — kept surfacing the same question: « Isn't that just vibe coding? »

It's a legitimate question. And rather than answering it case by case, I decided to address it in depth, publicly, to put the doubt to rest once and for all. Not an emotional defense, but a factual demonstration of our engineering architecture. Because the question isn't "do you use AI to code?" — everyone will soon. The question is: how do you govern the AI that codes?

The Problem with Vibe Coding

Vibe coding means using an LLM as a code generator with no context, no constraints, and no validation. You type a vague prompt, paste the result, and hope it works.

That is precisely what we do not do.

At SecuAAS, every AI agent operates inside an engineering system I designed and govern. The AI is a controlled execution actor — not an autonomous developer. That distinction is fundamental and it manifests at every layer of our stack.

Layer 1 — Human Specification as Contract

Every development task begins with a .md file written by a human. This file is a technical contract containing the context of the change, the precise objective, measurable acceptance criteria, technical constraints (repositories involved, APIs to use, patterns to follow), and blocking conditions.

The agent doesn't interpret vague intent. It executes a specification. The difference is between asking "build me a form" and providing a 50-line document describing fields, validations, API endpoints, error cases, and expected tests.

What I've learned: a poorly briefed agent costs more than a poorly briefed developer. The real work is designing the tasks, not executing them. It's a complete shift in posture for the technical founder: from "the one who codes" to "the architect who specifies and governs."

Layer 2 — The Dispatcher: Deterministic Orchestration

The dispatcher is the system's conductor. It's a bash process running on cron that scans task inboxes and distributes work to agents via dedicated tmux sessions.

Its operation is deliberately deterministic, not creative:

GPU Triage — Before assigning a task, our own sovereign GPU (Qwen 3.5, hosted on OVH Beauharnois) analyzes complexity, selects the appropriate LLM model (trivial tasks don't require the same model as an architectural refactor), and evaluates the risk level.

Quota Management — The dispatcher automatically handles API account rotation, detects quota limits, and switches without human intervention. An anti-loop mechanism (retry counters per task, per-project cooldown) prevents agents from spinning indefinitely on a blocked task.

Controlled Parallelism — Up to 10 agents work simultaneously across different repositories (sessions ccl-auto-11 to ccl-auto-20). Each session is isolated within its project, with its own git context.

Result: tasks execute in parallel, across different products, without conflicts, without human intervention during execution — but with complete traceability.

Layer 3 — The Production Gate: Zero Deploy Without Approval

This is where governance hardens. No code touches the production environment without passing through our gate system.

The flow is as follows. The agent completes a task and pushes to the main branch (which deploys to k8s-dev). A validate-e2e.sh script runs automated tests. A GPU review analyzes the produced code (quality, patterns, risks). The task enters an awaiting-prod state visible in our orchestrator. The human (me) approves or rejects, with a documented reason. Only then is the production deploy triggered.

Every gate decision (approve/reject) is recorded with a timestamp and a reason. It's a complete audit trail. An investor or auditor can trace exactly which code went to production, when, why, and who approved it.

The deploy_risk tool performs a risk analysis before every production rollout: detection of breaking changes, data migration requirements, and rollback plan.

Layer 4 — Integrated Security: Scanning What AI Produces

Having AI write code without scanning what it produces would be negligence. We've integrated security at three levels.

Scanyze EASM — Scanning Our Own Attack Surface

Scanyze, our EASM (External Attack Surface Management) platform, is our flagship product. But we also run it on ourselves. More than 22 network scanning tools continuously monitor our infrastructure: Nmap, Nuclei, Subfinder, TestSSL, DNS Audit, and others. Every subdomain, every exposed port, every certificate is monitored continuously.

The idea is simple: if an AI agent creates a service with an unplanned exposed port or a weak TLS configuration, the EASM scan detects it before an attacker does.

Code Scanning — 19 Static Analysis Engines

Code produced by our agents passes through 19 analysis engines. SAST (Static Application Security Testing) with Semgrep and gosec. SCA (Software Composition Analysis) with Trivy for vulnerable dependencies. Secret detection with Gitleaks and TruffleHog. IaC (Infrastructure as Code) analysis for Kubernetes manifests.

Each finding is then analyzed by our sovereign AI (Qwen 3.5 on our GPU) to triage true positives from false positives and generate contextualized remediation suggestions. It's not a simple report — it's intelligent analysis that understands the code's context.

Harbor — Container Image Scanning

Every Docker image built passes through our private Harbor registry, hosted on OVH Beauharnois (BHS5). Harbor performs an automatic vulnerability scan on every pushed image. An image with critical CVEs should not be deployed.

The registry is private, images are tagged with semantic versioning (no latest in production for critical services), and credentials are managed via imperative Kubernetes secrets (never in plaintext in code).

This triple scan — external surface, source code, container images — creates a complete security feedback loop around everything AI produces.

Layer 5 — Observability: Watchdog, BetaWatch and Monitoring

Infrastructure Watchdog

A watchdog runs 24/7 and monitors the state of agents, the GPU, Kubernetes services, and the database. On anomaly detection, it first attempts an automatic repair. If the repair fails, it escalates via Telegram (9 notification topics in our infrastructure group).

The watchdog is designed to detect situations the AI cannot see: an agent looping without producing results, a pod in CrashLoopBackOff, an unresponsive GPU, a saturated database connection pool.

BetaWatch — Automated Feedback Loop

BetaWatch is our bug capture and telemetry system, integrated as a JavaScript widget in every application. In passive mode, it captures JavaScript errors, network errors, and Web Vitals. In active mode, it offers a reporting form (bug, suggestion, question).

What makes BetaWatch unique in our context: every captured bug is automatically triaged, deduplicated by fingerprint, and can be routed to an agent for automatic correction. Fix commits are prefixed fix(betawatch): resolve event #XXXXX for traceability.

The loop is closed: bug detected → task created → agent fixes → deploy via gate → bug resolved. With a human in the loop at the approval step.

SecuDebug — The AI War Room for Complex Bugs

BetaWatch handles volume: passive detection, queue, automatic correction. But some bugs don't resolve with a queued task. An intermittent authentication issue, a race condition under load, a bug that only appears in production with real data — that requires real-time investigation.

That's the role of SecuDebug, our live debugging platform augmented by AI.

SecuDebug opens an interactive debugging session via a Chrome extension (Side Panel). From the moment it opens, three streams converge in real time: server logs (streamed from our SIEM via Loki), browser logs (captured by a content script injected in the page), and source code (cloned from Forgejo).

Two LLMs analyze simultaneously: Claude Opus for deep reasoning, and Gemini for a complementary perspective. If both models converge on a diagnosis, a single patch is proposed. If they diverge, each model sees the other's response for an additional round. In case of persistent disagreement, both options are presented to the human for a decision.

The validated patch is committed to a dedicated branch (secudebug/fix-{id}), tests run automatically, and if everything passes, deployment proceeds continuously — all without leaving the debug session. Every commit carries traceability metadata: who validated, which models analyzed, which files were modified.

This is not autonomous AI. It's a diagnostic tool where the human remains the decision-maker at every step, but where AI accelerates analysis by a factor of 10 by cross-referencing logs, code, and context in real time.

Automated QA — Real Browser, Real Tests

BetaWatch captures what users report. SecuDebug resolves what's complex. But neither replaces an automated test suite that actually navigates the application.

Our automated QA runs on a dedicated VM with Opera Neon (Chromium-based browser) driven by a Claude Opus agent. Unlike standard headless tests, the agent executes real functional scenarios in a real browser: multi-page navigation, forms, SSO authentication, file uploads, e-commerce flows. Each run generates a structured report (JSON + screenshots) with detected regressions, load times, and network errors.

Reports are automatically analyzed: if a regression is detected on a critical flow (login, checkout, upload), a task is created in the agent queue for correction. Like BetaWatch, the loop is closed — but at the functional level, not just at the JavaScript error level.

Monitoring Stack

Prometheus, Grafana, Loki, Fluent Bit, Alertmanager with SMS notifications (Telnyx), Wazuh for SIEM. Observability isn't optional when AI is pushing code — it's mandatory.

Layer 6 — Data Sovereignty: Why It Matters for an Investor

Everything described above runs on infrastructure 100% hosted in Canada, at OVH Beauharnois (Quebec). Not AWS. Not Azure. Not GCP.

Why? Quebec's Law 25 imposes strict obligations on the protection of personal information. The US CLOUD Act allows American authorities to access data held by US providers, even if the servers are physically located in Canada.

By hosting exclusively on OVH (a French company with datacenters in Quebec), we eliminate this legal exposure. It's a concrete commercial differentiator for our clients, and a regulatory compliance guarantee for our investors.

Our sovereign GPU (NVIDIA V100S 32GB, Qwen 3.5) means that even the AI analyzing code and triaging bugs never sends data outside the country. Sovereignty applies to orchestration too.

The Infrastructure in Numbers

For those who want specifics, here is the state of our production infrastructure as of April 2026:

Kubernetes — 2 OVH Managed clusters (dev + prod), 5 compute nodes + 1 GPU node (V100S). More than 100 pods in production, 25+ deployed applications, 0 unplanned restarts on critical services.

Repositories — 79 repos on Forgejo (self-hosted, migrated from GitHub). Each repo has its CI/CD workflow via Forgejo Actions. Builds are pushed to the Harbor OVH BHS5 registry.

Database — OVH Managed PostgreSQL (BHS), shared across all products with schema-level isolation. Managed Valkey (Redis-compatible) for caching.

GPU — V100S 32GB running Qwen 3.5-35B in permanent inference via vLLM (~84 tokens/second). Used for Scanyze AI analysis, task triage, code review, and SIEM correlation.

Dedicated Server — Proxmox VE9 (Xeon E-2288G, 64GB RAM, 2×960GB NVMe, 10 Gbps) hosting Forgejo, the MCP server, the development orchestrator, and the WireGuard VPN.

What This Means for an Investor

If you're a venture capital investor evaluating SecuAAS, here are the key points.

Velocity without technical debt — We deliver at the speed of 10 developers, with the rigor of a structured engineering team. Every line of code is traced, tested, scanned, and approved.

Optimized development cost — AI drastically reduces cost per feature. Our burn rate is that of a 3-person team; our output is that of a team of 15.

Verifiable security — Triple scanning layer (EASM, code, images), deployment audit trail, production gate with human approval. This isn't a promise — it's an architecture.

Regulatory sovereignty — 100% Canadian infrastructure, Law 25 compliant, zero CLOUD Act exposure. A strategic asset in the Quebec and Canadian market.

Proven scalability — The architecture already supports 25+ applications in production. Adding a new SaaS product doesn't require hiring 5 developers — it requires specifying the tasks and letting the agent system execute them.

Conclusion

Vibe coding is the software equivalent of building a high-rise without plans, without an inspector, and without a permit. It can produce an impressive prototype, but no serious person is going to invest in it.

What we've built at SecuAAS is the opposite: an engineering system where AI is a powerful but controlled tool, operating within strict constraints of specification, validation, security, and governance.

This isn't magic. It's architecture.

What AI Will Never Replace: The Expertise That Governs It

Let's be direct here.

Any developer can wire up an LLM to a repository and generate code. The tools are accessible, the APIs are documented, the tutorials are everywhere. In 2026, having AI write code has become trivial.

What isn't trivial is knowing why you need to scan every container image before pushing it to the registry. It's understanding that a missing SecurityContext on a Kubernetes pod is a privilege escalation waiting to happen. That secrets in plaintext in a CI pipeline are an incident that hasn't occurred yet. That a poorly sized connection pool will saturate under load and cascade across all dependent services. That the CLOUD Act makes legally vulnerable any client whose data passes through an American hyperscaler.

These reflexes don't come from a prompt. They come from 25 years of deploying infrastructure, responding to security incidents at 3am, auditing enterprise architectures, understanding what breaks in production and why.

When I designed the gate system with human approval, it wasn't because it's "best practice" — it's because I've seen automated deployments destroy production environments. When I required the triple scan (EASM, source code, container images), it wasn't out of excessive caution — it's because I've audited companies with critical unpatched CVEs in their Docker images for months without knowing it. When I built the watchdog with retry counters and Telegram escalation, it's because an AI agent in an infinite loop can burn an API budget in hours — and nobody talks about that in demos.

The difference between a project "powered by AI" and an engineering company that uses AI is exactly that: the depth of expertise that defines the system's constraints.

A junior developer with ChatGPT can produce a prototype in a weekend. A cybersecurity professional with a computer science master's degree, 25 years of infrastructure and development experience, will produce a production-ready commercial solution — with the governance, security, and observability systems that make it deployable, auditable, and investable. Not a prototype. Not an MVP. A complete product, with an evolution roadmap, paying beta customers, and infrastructure that holds under load.

That is SecuAAS's real barrier to entry. Not AI — everyone has access to that. The competence to govern it.

Olivier Lange is the founder of SecuAAS, a Quebec-based sovereign cybersecurity company. 25 years of experience in IT and cybersecurity. Master's degree in Computer Science.

SecuAAS develops Scanyze (EASM), ConformVault (secure file transfer), and a complete suite of cybersecurity tools for SMBs — all hosted 100% in Canada.