Vibe coding as security architect - by Rakkhi Joy
Identity Revive
SubscribeSign in
Vibe coding as security architect<br>Rediscovering the ability to create
Rakkhi Joy<br>May 27, 2026
Share
From architect to builder: redefining security tooling with Claude Code<br>For most of my twenty-year career as a security architect, my primary tools have been frameworks, whiteboards, and the occasional complex spreadsheet. Like many in our field, my hands-on coding days, tinkering with C# and Java, are nearly two decades in the rear view mirror. I’ve long accepted my role as the designer of the house, not the one swinging the hammer.<br>However, the emergence of Claude Code, and other frontier models with a development harness, has fundamentally shifted that dynamic. It has allowed me to step into a Product Owner mindset where my two decades of domain expertise aren’t just used to critique a design, but to actively build the automated and productivity enabling tooling that my team needs.
The rise of the vibe-coding architect<br>In modern, agile environments, security is often seen as obstructionist. We want to be Architecture in Agile, but the manual nature of risk assessments often creates a bottleneck.<br>By using AI as a development partner, I was able to translate high-level security patterns directly into functional software. I didn’t need to remember the syntax of a modern API call; I needed to know why that API needed a specific security header. I focused on the what and the why, the core of security strategy, while Claude handled the how.<br>Building the ISRA-Agent<br>The result was a bespoke security tooling suite that previously took days of manual labour each week or was not as effective:<br>Chain of Thought (CoT) Analysis: The tool doesn’t just give a pass/fail. It walks through the logical steps of a risk assessment, mimicking the internal dialogue of a senior architect.
External Threat Intelligence: By integrating live threat feeds, the tool evaluates risks against the current geopolitical and technical landscape, rather than just static baselines.
Strategic Distillation: It takes raw technical findings and distils them into reusable security patterns and strategic recommendations that stakeholders actually understand.
API Security Injection: It goes beyond assessment by suggesting and into drafting security features to be embedded directly into API definitions.
Is This the Future of the Role?<br>We often ask: Is there value in traditional threat modelling? When we empower architects to build their own automated tooling, we move from being a gatekeeper to being a force-multiplier.<br>This process has been incredibly empowering. It has proven that a deep understanding of security architecture, paired with generative AI, allows us to build a smarter way to secure our organisations, one where the architect’s vision is immediately translated into code
Share
Previous
Discussion about this post<br>CommentsRestacks
TopLatestDiscussions
No posts
Ready for more?
Subscribe
© 2026 Identity Revive · Privacy ∙ Terms ∙ Collection notice<br>Start your SubstackGet the app<br>Substack is the home for great culture
This site requires JavaScript to run correctly. Please turn on JavaScript or unblock scripts