In November 2025, a reliability threshold was crossed that permanently changed how software gets built. Simon Willison, appearing on Lenny Rachitsky’s podcast, called it the moment AI coding agents went from “mostly works” to “actually works” — and the downstream implications for every software team are still unfolding. This guide unpacks what agentic engineering actually is, how the Dark Factory pattern works in practice, how to defend against the Lethal Trifecta of security vulnerabilities, and how to implement a multi-agent development workflow your team can use starting today.
What Is Agentic Engineering?
Agentic engineering is the professional, production-grade application of autonomous AI coding agents inside a structured development pipeline. It is not “vibe coding.” That distinction matters enormously if you’re building anything intended for public use.
According to the NotebookLM research report synthesizing Willison’s podcast appearance, vibe coding is the casual, exploratory use of AI to prototype ideas quickly — great for UI mockups, personal projects, and proof-of-concepts where correctness is optional. Agentic engineering, by contrast, uses structured multi-agent patterns, systematic validation, and rigorous automated testing to ensure code is safe for production deployment.
The trigger for this transition was what the research report calls the November Inflection Point. With the release of models including GPT-5.1 and Claude Opus 4.5, AI coding tools crossed from producing “mostly working” code that required constant human intervention to producing autonomous, production-grade output with high reliability. Before November 2025, AI-assisted coding still demanded that developers catch and fix “buggy piles of rubbish.” After, coding agents could independently spin up applications, manage refactoring, and handle the repetitive, low-value “crufty coding” work that previously consumed weeks of developer time.
The result: code generation cycles that once took three weeks now take three hours. Tasks estimated at two weeks may now complete in 20 minutes because AI absorbs the boilerplate work. Willison describes writing 95% of his code from a smartphone — an indicator of just how much cognitive overhead has shifted from typing to directing.
This shift also changed what “developer workflow” looks like day-to-day. Traditional coding required 2-to-4-hour uninterrupted blocks to reach productive flow state. Agent-assisted work requires only 2-minute check-ins — because you’re supervising, not building. The bottleneck in software development has consequently moved from generation to testing and verification. Because an agent can produce 10,000 lines of code per day, the human role is now primarily to define specifications and prove that the generated output is correct and safe.
The discipline that has emerged to manage this new reality is what Willison and the broader practitioner community are calling agentic engineering: a set of patterns, roles, and safeguards designed to harness the raw output of AI coding agents while containing the risks that come with that speed.
Why It Matters for Developers, Teams, and the Entire Career Ladder
The economic implications of the November Inflection Point are blunt. Per the research report, running a coding agent like Claude Code on a loop costs approximately $10.42 per hour — effectively dropping the cost of code generation below minimum wage in most regions. This is not a future projection; it is the current market rate.
Thomas Dohmke, CEO of GitHub, noted that developers rarely cite “time saved” as the core benefit. Instead, they describe “increased ambition” — the ability to take on projects that were previously too expensive, too boilerplate-heavy, or simply out of scope. The ceiling on what a small team can build has risen dramatically. A solo developer with a multi-agent setup can now tackle projects that previously required a team of five.
But this comes with a specific career-risk profile that Willison addresses directly. The disruption is not distributed evenly across experience levels:
- Junior engineers receive massive onboarding acceleration. Agents handle the scaffolding and boilerplate that used to be the training wheels of early careers.
- Senior engineers see their architectural instincts amplified. Their ability to identify the right problems to solve becomes more valuable, not less.
- Mid-career engineers — those no longer juniors but not yet at senior architectural levels — are in the most precarious position. Their primary output, standard code production, is now handled by agents. The research report describes this as the career “middle” risk: a professional “wasteland” where the traditional path of progression has been disrupted.
There is also a cognitive overhead cost that practitioners consistently report. Willison himself describes being “wiped out” by 11 AM after managing four different agents working on four different problems simultaneously. Operating parallel agents is genuinely exhausting — it demands a different type of mental engagement than writing code, and teams that don’t account for this will burn out their best engineers quickly.
The irreplaceable human skill in this environment is agency: the motivation to identify the right problems, the judgment to evaluate AI output critically, and the grit to ensure “vibe coding” meets production-grade safety standards. AI, Willison argues, lacks human motivation by definition — and that gap is where engineering careers survive.
The Data: Agentic Engineering Roles and Frameworks
The most concrete implementation of agentic engineering principles is the Dark Factory pattern. Named after fully automated manufacturing facilities where “the lights can be turned off” because no humans are present, the Dark Factory software pipeline routes work through specialized agent roles so completely that humans manage the Spec and the Test — not the code itself.
The following table shows the agent roles defined in the dark-factory framework, as documented in the research report:
| Agent Role | Parallel Instances | Function |
|---|---|---|
| Onboard | 1 | Maps project architecture and conventions before any work begins |
| Spec | 3 | Three parallel agents research scope from user, architecture, and reliability perspectives |
| Architect | 1 | Reviews all specs for security and performance before implementation |
| Code | 1–4 | Implements features in isolated git worktrees to prevent conflicts |
| Test | 1 | Validates code using “holdout scenarios” the code-agent never saw |
The critical innovation in this table is the Information Barrier between the Code agent and the Test agent. By ensuring the code-implementing agent never sees the final validation tests, the system prevents the AI from effectively “teaching to the test” — a failure mode where an AI optimizes for passing the test rather than solving the underlying problem. This produces a more honest and robust implementation.
Compare the old and new development paradigms:
| Dimension | Traditional Development | Agentic Engineering |
|---|---|---|
| Primary bottleneck | Code generation speed | Testing and verification quality |
| Time per feature cycle | Days to weeks | Hours to minutes |
| Cost of code generation | $50–$150/hr (human labor) | ~$10.42/hr (agent runtime) |
| Interruption tolerance | Requires 2–4 hr blocks | 2-minute check-ins viable |
| Human role | Writing code | Defining specs, reviewing output |
| Test strategy | Post-implementation | Holdout scenarios before code runs |
| Primary risk | Slow delivery | Security and non-determinism |
Step-by-Step Tutorial: Implementing an Agentic Engineering Workflow
This walkthrough takes you from zero to a functioning multi-agent development pipeline. The approach is framework-agnostic — the patterns apply whether you’re using Claude Code, Cursor, or a custom orchestrator.
Prerequisites
- Familiarity with git branching and worktrees
- Access to at least one coding agent (Claude Code, Cursor, or equivalent)
- A project with a defined test suite (or willingness to build one)
- Basic understanding of prompt engineering
Phase 1: Architecture Mapping (The Onboard Agent)
Before any agent writes a line of code, you need an agent whose only job is to understand your codebase. Do not skip this step. Agents that write code without context produce code that ignores existing conventions, duplicates utilities, and introduces dependency conflicts.
Step 1: Run your Onboard agent prompt.
Create a prompt that instructs the agent to:
– Read the directory structure and identify all major modules
– Catalog existing naming conventions, import patterns, and style rules
– Document the test framework and test file locations
– Output a structured CONVENTIONS.md file
## Onboard Prompt Template
You are a codebase analyst. Your only output is a CONVENTIONS.md file.
Read the full directory structure of this project.
Document:
1. Folder structure and module boundaries
2. Naming conventions (files, functions, variables)
3. Import/export patterns
4. Test file locations and test runner command
5. Any existing linting or formatting rules
Do not write any production code. Only produce CONVENTIONS.md.
Step 2: Validate the CONVENTIONS.md output manually. This is a 5-minute human task. Check that the agent correctly identified your test runner and that the conventions match what your team actually uses. This file becomes the system prompt context for all downstream agents.
Phase 2: Parallel Spec Generation (The Three-Spec Pattern)
Per the research report, the Dark Factory runs three Spec agents in parallel, each approaching the feature request from a different perspective. This surfaces conflicts and edge cases before a single line of production code is written.
Step 3: Define your feature request clearly. Write a single-sentence problem statement. Ambiguity here propagates through every downstream agent. Example: “Users need to reset their password via email verification.”
Step 4: Launch three parallel Spec agents with distinct viewpoints.
- User Spec Agent: “You are a product analyst. Write a detailed specification for [feature] from the end-user’s perspective. List all user flows, edge cases, and failure states.”
- Architecture Spec Agent: “You are a system architect. Write a technical specification for [feature]. Identify affected modules, required data schema changes, API contracts, and integration points.”
- Reliability Spec Agent: “You are a reliability engineer. Write a specification for [feature] focused on failure modes, error handling, retry logic, and monitoring requirements.”
Step 5: Have your Architect agent merge the three specs into a single SPEC.md. The merge prompt should instruct the Architect to flag any conflicts between the three specs as [CONFLICT] items requiring human resolution before implementation proceeds.
Step 6: Resolve all [CONFLICT] items manually. This is the most important human checkpoint in the pipeline. Do not move to coding until conflicts are resolved.
Phase 3: Holdout Test Creation (Before Any Code)
This is the step most teams skip — and it’s the one that separates agentic engineering from vibe coding.
Step 7: Write your holdout tests before the Code agent runs.
Instruct a dedicated Test agent (or write these manually) to produce tests that:
– Verify the feature behaves as the User Spec describes
– Confirm the architecture contracts from the Architecture Spec
– Exercise all failure modes from the Reliability Spec
# Store holdout tests in a location the Code agent cannot access
mkdir -p tests/holdout
# Your Test agent writes to tests/holdout/
# Your Code agent only sees tests/unit/ and tests/integration/
The information barrier is implemented at the filesystem level. Give your Code agent a system prompt that explicitly states: “You do not have access to the tests/holdout/ directory. Do not attempt to read or write files in that path.”
Step 8: Confirm tests fail before implementation begins. Run npm test or equivalent. Every holdout test should fail with a meaningful error (not a syntax error — a semantic failure like “function not found” or “returns undefined”). This is your Red state in Red/Green TDD.
Phase 4: Isolated Code Implementation (Git Worktrees)
Step 9: Create a git worktree for the feature branch.
git worktree add ../feature-password-reset feature/password-reset
This gives your Code agent a physically isolated copy of the repository. Multiple Code agents working on different features simultaneously cannot cause merge conflicts during implementation because they’re in separate worktrees.
Step 10: Run your Code agent with the SPEC.md and CONVENTIONS.md as context.
## Code Agent System Prompt
You are a senior software engineer implementing a feature.
Context:
- Read CONVENTIONS.md to understand project patterns before writing any code
- Read SPEC.md to understand the full feature requirement
- You have access to tests/unit/ and tests/integration/ only
- You do NOT have access to tests/holdout/
Your task: Implement the feature described in SPEC.md.
When you believe the implementation is complete, run the test suite and report results.
Do not mark yourself as done until all accessible tests pass.
Step 11: Monitor the Code agent at 2-minute intervals. Check that it’s making forward progress, not stuck in a loop. If it fails the same test three times without a different approach, interrupt and redirect.
Phase 5: Holdout Validation
Step 12: After the Code agent reports completion, run holdout tests.
# Merge worktree changes back
git checkout main
git merge feature/password-reset
# Now run holdout tests the Code agent never saw
npm run test:holdout
If holdout tests fail, the Code agent’s implementation has gaps. Return to Phase 4 with the specific failure output. If holdout tests pass, you have high-confidence validation that the implementation is correct — not just that the AI gamed its own tests.
Phase 6: Trifecta Security Audit
Before deploying any agent-generated code, run a Lethal Trifecta audit (detailed in Common Pitfalls). Document the audit result in your PR description.
Expected Outcomes
After running this full pipeline on a mid-complexity feature:
– Feature implementation time: 2–4 hours (down from 2–5 days)
– Human time required: ~45 minutes (Onboard review, conflict resolution, monitoring)
– Test confidence: Higher than manual development because holdout scenarios are written before bias from implementation enters the process
– Security posture: Explicitly documented against the Lethal Trifecta framework
Real-World Use Cases
Use Case 1: SaaS Startup — Feature Velocity Without Headcount
Scenario: A 3-person SaaS startup needs to ship a full authentication system, billing integration, and user dashboard in 6 weeks. Previously this would require at least two more full-time engineers.
Implementation: Using the Dark Factory pattern, the CTO runs one Onboard agent to map the codebase, three parallel Spec agents per feature, and 2–3 Code agents in separate worktrees working simultaneously on non-conflicting modules. The CTO’s job is spec review and holdout test writing.
Expected Outcome: Per Willison’s documented experience, what previously took a 3-week sprint can complete in a single day. The startup ships all three features within the 6-week window with 2 engineers instead of 5.
Use Case 2: Enterprise Security Team — Trifecta Audit of Existing Agents
Scenario: A financial services firm has deployed 12 internal AI agents over the past year. A new CISO has been asked to audit them for the Lethal Trifecta security profile.
Implementation: The security team builds a simple audit matrix for all 12 agents, classifying each along three dimensions: (1) does it have access to private data? (2) does it process content from untrusted external sources? (3) can it communicate externally? Any agent that scores “yes” on all three is immediately flagged for architectural remediation.
Expected Outcome: Typically 2–3 of 12 agents will have all three legs of the Trifecta active. As Willison recommends, architectural remediation means disabling one leg — usually by adding a human-in-the-loop checkpoint before any external communication — rather than trying to patch with better prompts.
Use Case 3: Digital Agency — Parallel Client Deliverables
Scenario: A marketing technology agency runs 8 client projects concurrently. Each project requires regular code updates to landing pages, tracking scripts, and CRM integrations.
Implementation: The agency builds a templated agentic pipeline — CONVENTIONS.md is client-specific and pre-populated, Spec agents reference a client brief document, Code agents work in per-client worktrees. A single senior engineer oversees all 8 pipelines with 2-minute check-in intervals rather than actively coding.
Expected Outcome: The agency increases throughput without increasing headcount. Per the cost benchmarks in the research report, agent runtime at ~$10.42/hour vs. developer rates of $75–$150/hour produces substantial margin expansion on delivery work.
Use Case 4: Mid-Career Engineer — Skill Repositioning
Scenario: A mid-level developer (5 years experience, primarily feature coding) recognizes they’re in the career “middle” risk zone identified by Willison. Their primary output — standard feature development — is being commoditized.
Implementation: They spend 60 days deliberately practicing specification writing, holdout test design, and multi-agent orchestration. They stop measuring their contribution in “tickets closed” and start measuring in “architectural decisions made” and “agent pipelines designed.”
Expected Outcome: Repositioning from code producer to pipeline architect. Willison argues the key differentiator is “agency” — the ability to identify the right problems. Developing this muscle by deliberately taking ownership of spec quality is a concrete, trackable path out of the middle.
Use Case 5: Open Source Maintainer — Context Graph Memory
Scenario: A maintainer of a large open source project wants to build an AI agent that answers contributor questions and triages issues — but needs the agent to remember past decisions and their reasoning.
Implementation: Using a graph database like Neo4j as the memory layer, the maintainer stores three types of memory as documented in the research report: short-term (conversation history), long-term (entity knowledge and relationships), and reasoning memory (decision traces, tool usage audits, and provenance chains). Contributors can query “why did we decide X?” and receive an actual audit trail.
Expected Outcome: An agent that doesn’t just answer questions but provides citable reasoning trails. Per the research report, reasoning memory is “the missing piece” — it’s what separates a useful agent from one that gives post-hoc hallucinations when asked to explain its behavior.
Common Pitfalls
Pitfall 1: Deploying the Lethal Trifecta
The single highest-severity mistake in agentic deployments is building an agent that simultaneously has access to private data, processes untrusted external content, and can communicate externally. Per Willison’s documented security research, this combination creates a prompt injection attack surface: a malicious actor embeds instructions in untrusted content (a Jira ticket, a support email, a scraped webpage), the agent processes it, and uses its external communication capability to exfiltrate private data.
How to avoid it: Run the Trifecta audit before deployment. If an agent has all three legs, disable one architecturally — add a human approval checkpoint before external communication, or sandbox private data access to read-only operations with no write/exfiltrate path.
Pitfall 2: Skipping Information Barriers
Teams that let the Code agent see the holdout tests invalidate the entire validation process. The agent will optimize for passing those specific tests rather than implementing the feature correctly.
How to avoid it: Store holdout tests in a directory explicitly excluded from the Code agent’s system prompt. Enforce this at the filesystem permission level if your orchestration environment allows it.
Pitfall 3: Ignoring Cognitive Overhead
Running four simultaneous agents feels more productive than it often is. Willison reports being “wiped out” by 11 AM when operating at full multi-agent capacity. Teams that don’t budget for this cognitive cost will schedule too much, make poor review decisions in the afternoon, and degrade their spec quality over time.
How to avoid it: Treat multi-agent supervision as cognitively intensive work. Schedule deep spec-writing and holdout test authoring in morning hours. Limit active parallel agents to what you can genuinely supervise at 2-minute intervals.
Pitfall 4: Measuring the Wrong Metrics
Teams that continue to measure “story points completed” or “lines of code merged” will optimize for the wrong outputs. GitHub CEO Thomas Dohmke noted that the real measure of agentic engineering success is “increased ambition” — tackling problems that were previously out of scope.
How to avoid it: Shift your team metrics to architecture quality, holdout test coverage of edge cases, and system reliability over time. Measure whether your team is taking on more ambitious work, not just faster work.
Pitfall 5: Treating Security as a Prompt Problem
Prompt injection cannot be reliably prevented by writing better prompts. Willison explicitly states that after a documented attack in which a Jira ticket used a base64-encoded payload to steal tokens via the Cursor/MCP ecosystem, the lesson was clear: you cannot prompt-engineer your way out of a structural vulnerability.
How to avoid it: Address security architecturally. Use Meta’s “Rule of 2” — when agents handle untrusted inputs, ensure they do not simultaneously use unsafe implementation languages and high-privilege access. Consider cryptographic prompt signing (PKI-based) to verify that instructions came from a trusted human administrator.
Expert Tips
1. Build reasoning memory from day one. Every agent you deploy should log its decision traces — what it considered, what tools it called, and why it chose a given approach. Per the research report, reasoning memory is the only way to debug an autonomous system that fails in production. Post-hoc explanations from the agent are unreliable; the trace log is the truth.
2. Use Red/Green TDD as your forcing function. Before any Code agent runs, require a failing test that proves the bug or feature requirement exists. This pattern, documented by Willison, prevents agents from drifting into “solution space” before the problem is precisely defined. No red test, no code run.
3. Maintain your own skill baseline intentionally. Passive reliance on AI output causes skill atrophy. Willison recommends actively pushing back on AI outputs, asking it to explain its choices, and occasionally implementing features manually to stay sharp on what “correct” looks like at the implementation level.
4. Treat spec quality as your primary leverage point. Because agents amplify the quality of your inputs, a poorly written spec produces poorly implemented code at 10x speed. Invest disproportionately in spec clarity. The three-spec parallel pattern — user, architecture, reliability — is your best hedge against specification gaps.
5. Design for “one leg off” security from the start. When designing a new agentic workflow, identify the Trifecta profile before writing any code. If your intended design requires all three legs, redesign the architecture to remove one before you build it. Retrofitting security into a deployed agentic system is significantly harder than designing it in.
FAQ
Q: Is agentic engineering only practical for large teams with dedicated infrastructure?
No. Simon Willison implements this workflow as a solo practitioner — writing 95% of his code from a smartphone using multi-agent patterns. The Dark Factory pipeline scales down to a single developer running sequential agents just as effectively as it scales up to a team running them in parallel. The key requirement is discipline around spec quality and holdout test separation, not headcount.
Q: How do I handle the fact that AI-generated code is hard to trust for public deployment?
Willison identifies “months of author usage” as the primary trust signal for code. Even well-documented, tested agent-generated code lacks credibility until it has been run extensively in real conditions. The holdout test pattern and the information barrier are structural mitigations, but they do not fully replace production runtime as a trust signal. Ship to staging environments first, monitor aggressively, and don’t conflate “tests pass” with “production-ready.”
Q: What is the actual cost difference between agent runtime and human developer time?
Per the research report, running a coding agent like Claude Code on a loop costs approximately $10.42 per hour. Developer rates in most markets range from $50 to $150 per hour for equivalent output tasks. The gap means code generation has been effectively decoupled from human labor costs — though the human time required for spec writing, review, and security audit is not zero.
Q: What should mid-career engineers do right now to avoid the “middle” risk?
Stop measuring your contribution in code volume and start building competency in three areas: (1) specification writing — the ability to define requirements precisely enough that an agent can implement them correctly; (2) test design — the ability to write holdout tests that prove correctness independent of implementation; and (3) security architecture — understanding the Lethal Trifecta and how to audit and remediate it. Per the research report, “agency” — the motivation to identify the right problems and the judgment to evaluate outputs — is the irreplaceable human skill.
Q: Is prompt injection solvable with better AI models?
Not reliably. Willison is explicit that prompt injection is an unsolved problem at the model level and cannot be remediated through improved prompts or model updates alone. The only reliable defenses are architectural: cut off one leg of the Lethal Trifecta, use cryptographic prompt signing to authenticate instructions, or implement human-in-the-loop checkpoints before any sensitive action. Better models reduce the attack surface but do not eliminate it.
Bottom Line
The November 2025 inflection point made agentic engineering a real, deployable discipline — not a future projection. Simon Willison’s documented experience, synthesized from his Lenny’s Podcast appearance, makes the core architecture clear: structure your pipeline around the Dark Factory pattern with strict information barriers, design every new agentic workflow against the Lethal Trifecta before you build it, and invest in specification quality and holdout test design as your highest-leverage human activities. The cost of code generation has dropped below minimum wage; the cost of poor architecture, security failures, and untestable systems has not. Teams that treat agentic engineering as a discipline — not a shortcut — will consistently outperform those that treat it as a faster way to do what they were already doing.
0 Comments