The Blind Spot in Every Build-vs-Buy Spreadsheet

I've sat through a lot of build-vs-buy conversations this year. The case for vibe-coding a SaaS replacement is real. Frontier models are good. Tooling is good. A non-engineer can ship something that does roughly what a $20k/year SaaS app does in an afternoon.

What's missing from those conversations is what happens after the app ships.

Almost every build-vs-buy spreadsheet I've seen has a line called "maintenance." Almost every one of them treats it like a synonym for fixing bugs.

That's not what maintenance is.

At Masset, bug fixes are about 10% of the time I spend keeping the app running. The other 90% is everything else. And the everything else is what decides whether a vibe-coded replacement actually holds up.

At Masset, bug fixes are about 10% of the time I spend maintaining the app. The other 90% is everything else. And the everything else is what decides whether a vibe-coded replacement actually holds up.

Tyler Russell, CTO of Masset

The 11 Things You Actually Have to Do

Here's the rough breakdown of what I spend my time on every month keeping Masset running.

These are categories of work, not specific tickets. The hours are honest monthly averages. Some months are quiet. Some months are on fire.

Maintenance taskHours / month
Bug fixes (customer-reported)3
"Functionality-breaker" feature requests4
Questions & documentation1
Alert remediation1
Dependency upgrades (language, libraries, cloud, 3rd-party APIs, LLM models)9
Infrastructure patching1
SOC 2 controls & evidence2
Pen testing & remediation2
Secrets rotation & management2
Security incident response2
Vendor reviews, DR tests, access reviews2
Total29

A few things to notice in that table.

Dependency upgrades are the biggest line by far. We're seeing about 25 library vulnerability reports a month. The npm side eats roughly 75% of that work. The package graph is so interconnected that you can rarely update one package without updating three others to keep them compatible.

Add language version bumps. AWS major-version upgrades. Third-party API deprecation emails. LLM model deprecations (Gemini and Bedrock both rotate aggressively now). You're looking at most of a full work day every month. Every month. Forever.

Security work shows up four different times. SOC 2 evidence, pen testing, secrets rotation, and incident response are all separate categories. None of them is optional once you have real customers. None of them is a "bug fix."

The "bursty" categories are still in there. You don't run a disaster recovery test or get pen-tested every month. But you have to amortize them somewhere or the spreadsheet lies.

The Math: Roughly Seven Apps Per Engineer

Twenty-nine hours a month is about 18% of a notional 160-hour work month. That number probably feels both high and low depending on the week.

Be generous. Assume someone else is 25% more efficient than I am. Call it a "better-than-Tyler tax." The number drops to about 22 hours a month.

That gives you a rough ratio. One engineer doing nothing but maintenance can keep about seven apps alive. 160 ÷ 22 ≈ 7.

That's the real build-vs-buy math. If you've vibe-coded replacements for ten SaaS apps, you need at least 1.5 engineers whose only job is keeping them running. If you want those engineers to also build new things, you need more headcount or fewer apps.

For some companies that math works. For most, it doesn't. Especially when the engineers you'd hire to maintain vibe apps would much rather be building something new.

What Actually Happens to Most Vibe Apps

Here's the honest prediction. Companies aren't going to hire seven-app maintainers. Most of the maintenance just won't get done.

Most vibe-coded apps will be left with insecure libraries and out-of-date frameworks. Most will skip pen tests. Most won't rotate secrets. Most will be running unpatched cloud infrastructure on whatever managed service the model picked at scaffold time. A lot of them will be running on publicly accessible networks while doing all of that.

That's not a knock on vibe-coding. Vibe-coding is a genuine industry-shifting unlock. The people using it are mostly right that the SaaS market has overcharged for years.

But "I built it in an afternoon" and "I'm responsible for it forever" are different sentences. A lot of build-vs-buy decisions in 2026 are pretending they're the same.

There's another prediction worth saying out loud. A vibe-app governance shoe is going to drop. IT and security teams are not going to let shadow-coded apps sit untracked in the enterprise forever. When that hammer falls, the work in the table above stops being optional and starts being audit-required. That's the moment the maintenance bill becomes visible.

Where the SaaS Pricing Floor Actually Lands

None of this means SaaS pricing stays where it is. Vibe-coding has lowered the floor on what a small SaaS can charge. The spread between "build it yourself" and "pay a vendor" used to be enormous. Now it isn't.

But the floor isn't zero. Every line in that table is a real cost. Somebody pays it. An employee, a consultant, or a SaaS vendor amortizing across a customer base. The question is just who pays and how it's priced.

Here's my bet. SaaS doesn't die. The part that dies is the $40k+ ACV multi-year contract with lock-in pricing. The middle of the market wins: flat, fair, monthly, easy-out.

SaaS doesn't die. But $40k+ ACV SaaS contracts with multi-year lock-ins will be a thing of the past.

Tyler Russell, CTO of Masset

Go Deeper

This post is a summary. The full essay walks through every line in the table with examples. npm CVE rates. AWS RDS major-version pain. The specific LLM model providers that quietly throttle availability before they deprecate. What a SOC 2 audit week actually looks like.

If you're weighing a vibe-coded replacement, it's worth your time.

Read the original: Maintenance is more than bugs on tylerrussell.dev.

A follow-up is coming that puts dollar amounts on each of these categories. We left the math out here because the labor and vendor costs deserve their own breakdown.

Key Takeaways

  • At Masset, bug fixes are roughly 10% of total monthly maintenance time. The other 90% is dependency upgrades, security work, infrastructure patching, audits, and incident response.
  • Honest monthly average: 29 hours of maintenance per app, or about 18% of a 160-hour work month for one engineer.
  • One engineer doing only maintenance can keep about seven apps alive (160 ÷ 22 ≈ 7).
  • Most vibe-coded SaaS replacements will skip most of this work. The bill comes due later, usually as a security incident or an IT audit.
  • A vibe-app governance crackdown is coming. When it lands, the maintenance work in this list stops being optional and starts being required.
  • SaaS pricing has a real floor that isn't zero. The most likely casualty isn't SaaS itself. It's user-hostile multi-year $40k+ ACV contracts with lock-in pricing.

Frequently Asked Questions

For a small B2B SaaS app, yes. The author's monthly breakdown puts customer-reported bug fixes at about 3 hours out of roughly 29 total maintenance hours. The bigger buckets are dependency upgrades (about 9 hours), security work spread across SOC 2 controls, pen testing, secrets rotation, and incident response (about 8 hours combined), and a long tail of alerts, audits, patching, and documentation.
Not on day one. Most vibe-coded internal apps can skip most of this work and stay functional for a while. The problem is that the skipped work doesn't go away. It accumulates as vulnerability backlog, expired secrets, deprecated APIs, and unpatched dependencies. When IT or security teams formalize governance over shadow-coded apps (which is coming), that skipped work becomes required.
Using a monthly estimate of about 22 hours per app (after a fairness adjustment for someone faster than the author), a single engineer doing nothing but maintenance can keep about seven apps alive. 160 work hours ÷ 22 hours per app. If you also want that engineer to build new things, the realistic number drops to two or three.
No. Vibe-coding has lowered the SaaS pricing floor, but it hasn't eliminated it. Every line of maintenance work in this breakdown has to be paid by someone. An employee, a consultant, or a SaaS vendor amortizing across a customer base. The most likely casualty is the user-hostile $40k+ ACV multi-year contract with lock-in pricing, not SaaS itself.
Topics:software maintenancevibe codingbuild vs buySaaSengineeringfoundertechnical debt
Share:
Tyler Russell

About Tyler Russell

Tyler Russell is the Co-Founder and CTO of Masset. He spends most of his day juggling five wonderful kids and building a company he loves. When he gets a moment to himself, he's running, mountain biking, or crashing RC planes with over-confidence. His career has been built around data and technology, and helping the two play nice together. He writes about engineering and SaaS at tylerrussell.dev.