> 80% of Compliance has always been a performative box checking exercise.
You're making the same mistake as most people do: it's 80% box checking but that doesn't make it performative, the box checking is here so that the dude who checked the box become legally responsible for what's happening if they haven't done what they said they did.
If you didn't check that box you could always claim you didn't know you weren't supposed to do what you did. As soon as you've checked “yes, I'm doing things in the approved way”, this excuse disappears.
Not really, and I kinda envy you that you haven't really worked up close with compliance-related people.
A lot of compliance is basically corruption - while in country A, you might fall out of a window if you don't buy from the right people at 10x prices, but in 'civilized' country B, you have to buy from vendor X (who has the necessary paperwork), at 10x prices, or you won't be able to sell the product - and there are a million ways that they can turn the levers to kick you out of their markets, or at least make you pay protection money to these compliance organizations.
The systems of grift are very sophisticated, and very obvious to anyone but the people perpetuating and participating in them. As they say, it is difficult to get a man to understand something, when his salary depends upon his not understanding it.
A lot of compliance software is griftware - Sonarqube is a prime example - most engineers don't think it adds value, and the 'analysis' it produces is incredibly shoddy, but like a lot of cybersecurity products, it relies on an authoritarian company culture, certification TP conditional on using the software and achieving a good score etc and alarmist language with nice dashboards. A classic example is it tags public fields in Java as a security issue. And then the management see that you are writing 'insecure code'.
And literal mouthbreathing idiots in upper management eat this shit up, or use it as a punitive measure against the devs who by their very nature do all the meaningful work.
I'm not saying all compliance is worthless, but if you approach quality from first principles, a 'compliant' product usually has to clear a very low bar of quality. And compliance usually keeps the quality low, and prices high, by forcing potential competitors out of the market.
And compliance can keep quality low in other ways, I've seen firsthand - by making devs work on BS tasks, or preventing improvements and fixes to codebases, because they're not tracked appropriately by whatever change management system.
I was incredibly wary of doing hacky solutions in these places, not out of a sense of commitment to quality, but the fact that once management sees your hacks WORK (kinda), all requests to clean up the garbage will be stonewalled.
Thankfully LLMs make this busywork very easy, through making this papermill garbage and nitpicking busywork very easy, which I feel will bring at least some positive change in the world (at least to those who do meaningful work).
> the box checking is here so that the dude who checked the box become legally responsible for what's happening if they haven't done what they said they did.
Maybe so, but how often are small companies actually sued for compliance survey misrepresentations? My most positive look at such surveys, after filtering out all the nonsense, is sometimes they flag something we've missed in our self-directed efforts.
Okay, so who are we supposed to go to for SOC 2 compliance now if any number of the compliance automation companies might be charging 5 figures to do it fraudulently?
Pay to play and keep selling. Understand the liabilities and cover your ass, address the biggest risks.
The point of SOC2 is really demonstrate that you have controls. The other fake compliance areas are scarier for sure. You used to see really blatant issues — I recall early SaaS companies pitching to my enterprise with sales engineers showing me customer data.
Microsoft refused to provide diagrams to the Feds detailing how Azure works. They got the FedRAMP High stamp anyway, because they already sold it to half the Fed. That’s more real… as a situation where a Chinese hacker could compromise data in a dedicated “government cloud” by compromising a certificate in an onprem dev environment should be impossible… yet it happened.
If you want to do it right, hire a CPA who takes it seriously and spend the time to complete it in-house and fully understand it. Then engage one of the big 4 to sign off on it. The big 4 don’t offer much for SOC2 above what Delve does, it’s all smoke and mirrors unless you personally take it seriously.
Last time I went through SOC 2 we talked to our auditor about this. His view was that there are and basically always have been auditors/companies that will sign off on anything without verifying it if you're paying them. The rest of the industry knows who they are though. If you are taking things seriously and hire an auditor who does, that's one of the things that they look at when you're reviewing the reports from the services/subprocessors that you use. Ie, you can get a SOC 2 that doesn't mean anything but then any of your customers who know/care will flag it and it won't be worth anything.
I had a client in the compliance space - they handle detailed product information for Apple, Boeing, BAE systems, Philips, Siemens - you know, nothing important, just literally classified material and incredibly sensitive corporate material.
Anyway. We did ISO27001. We did it well, audited by Lloyds register, reputable stuff all the way down. Built actual meaningful processes.
Anyway, a massive PE entity bought them in a hostile takeover, fired everybody, binned the ISMS, moved to some “compliance” goons.
I saw the box ticking chicanery as it happened - as after firing everyone they of course didn’t follow the off boarding process, so I retained full access to their JIRA. I only lost access a year later when atlassian terminated the account for non-payment.
In practice the only liability you might wind up with is whether you technically met the conditions for checking the box (instead of just checking falsely). But the liability for the overall consequences of not doing the actual job the checklist sets out to do tends to stay where it is.
These days, nobody cares about legal liability, which is the likelihood of losing a lawsuit if there's a lawsuit, either. They only care about actual lawsuits against their company. They have noticed they're pretty rare and if the company's going to go under it's going to go under anyway, so might as well take the extra profits from not worrying about it.
I was asked to work for my employer as a responsible electrical engineer — a specific legal role that needs to be filled if your bosses don't want the liability buck to stop with them.
They fell into the same trap as you did now. You can try to make the liability tree complicated, but in the end the buck will stop with the person in charge unless they put things in place they have to legally put in place. Liability is like water, you can shift it around, but it always has to go somewhere. And if you don't know where it is as a boss, it is likely eating away at your foundation.
In my case they hoped I could just be the responsible electrical engineer on paper and absolve them of their liability. Then I explained to them that I could do that, but that legally they would still be liable until they provided that role with the time/resources/personnel needed to do the job. In my case that would have meant dropping everything I did in my existing roles and reallocating 80% of my work time to that role.
In the end they decided to use an external company that covers that role for real. To them it was just a checkbox in the beginning, but only because they had no expertise in the legal dimension of the whole thing. And sure they could potentially have gone for years without problems, but one wrong electrical fire and they are in jail.
Under GDPR the potential liability we are talking about is 10 Million Euros or 2% of global annual turnover, whichever is higher. But yeah, go ahead, check your boxes.
Trust me, you can lie and get away with it if you go through YC and dropped out of a top university. Garry Tan blocked me on X for pointing this out. It's a big club, and you ain't in it!
Fortunately, some of the old-YC spirit seems to be alive here on HN still.
They likely barely had a product when they applied to YC. It's more interesting as to why this wasn't discovered (if it is even true) when they were raising their Series A.
Like no one characterizes it like that, but this is the same business where you can tell a story about hiring a bunch of college friends to pretend to be your employees so a client comes to your "office" and thinks you're a legitimate business. And instead of looking in horror at how casually you'll lie to get business it's seen as scrappy and whimsical.
They probably saw good results with this back when everyone could take a piece of Craigslist's business and make a billion bucks. Now you're just left with the ethos of cheating your way to the top without a real business to attach it to.
The article states that, "Even though we knew we’d technically be lying about our security to anyone we sent these policies to for review ... we decided to adopt these policies because we simply didn’t have the bandwidth to rewrite them all manually."
FWIW I think the 30u30 to fraud pipeline is overstated. There are 600 people on the American Forbes 30u30 list every year (it's "30 under 30 each year in each of 20 categories"), with 20ish notable instances of fraud, so maybe a quarter percent of the people on the 30u30 list will later become famous for fraud.
I think the pipeline is not really about the 30u30 list as a whole, but about the cover of the magazine, which I feel has had a very high rate of fraud.
I think it may be getting (intentionally?) suppressed from the homepage. Given this is a YCombinator website, I wouldn't rule that out.
Regardless, it's been an ongoing issue. I know a few involved companies — it takes basically 5 days to get a SOC 2 Type 2 report through Delve. And, of course, they market this way too: "SOC 2 in days". Unbelievable.
In case anyone hasn't seen my other posts about this:
(1) I had no idea this story existed and woke up to claims that I was obviously* suppressing it.
(2) I looked into it and found that no moderator had touched either of the two submissions of the story, but that both submissions had set off HN's voting ring detector. (Whether there was a voting ring or not, I don't know - that software isn't perfect. It has held up well over the years though.)
(3) We merged the two discussions and placed the merged thread on the front page.
> These are starting points only: customers are responsible for reviewing, modifying, and finalizing their own materials. Draft templates are not the same as “pre-filled evidence.”
Yeah, ok. BRB to start a bank where I template everyone a billion dollars, it's up to you to be honest with how much money you have.
To me this is the money shot (but it takes a couple of passes to understand):
> No small amount of criticism of LLMs is downstream of past decisions to reify form over function, resulting in the substance having been optimized out. Now the LLM threatens to make the form available in seconds
None of their ISO 27001 certificates, aside from the premium one-offs with the vCISO, are accredited by any reputable ISO accreditation body. I would even argue that IAS, who accredited Prescient Security (mentioned as a reputable body in the article), has a questionable reputation and certainly gives off a pay-to-play impression.
You can look up the names of their partners below. The one body I found that is on the register (Accorp) is accredited by UAF, a known cert-mill accreditation body, and I’m not even sure it’s the same Accorp that Delve has partnered with.
For reference, you want an ISO certificate issued by a body accredited by UKAS (UK gov. adjacent non-profit), ANAB (ANSI), or equivalent, all government-recognised. This is normally the first thing I check whenever someone claims ISO 27001 certification and it is a great heuristic to validate certification rigour.
Wow! They confirmed it in the last paragraph. "We are investigating possible leaks", not "we have filed a libel suit". A leak means an insider spilled the beans.
"Below are just some of the many inaccuracies in the story and then the truth."
"[G]iven how competitive this industry is, attacks like this sadly come with the territory."
"We are actively investigating any leaks and are still reviewing the Substack. If there are more attacks to respond to we will do so."
When you have a PR problem, you don't hire your marketing intern to write the response. You hire a PR consultant. Their funders' Rolodexes are probably full of them. If the Board approved the response, I'd be frankly shocked.
There's a deep lack of accountability here for their marketing statements. For example, "get SOC 2 compliant in days," which I would consider to be false advertising.
That, plus their willingness to arrange an essentially fraudulent auditor network (try to find who the real CPA is behind Accorp, for example), and also massively upcharge the prices of the SOC reports that they offered as a bundled service within the platform. There was no separation here. Del is the transfer agent. Del was always the intermediary and the transfer agent. There is no independence in their default auditor relationships.
At very best, this is a massive AICPA transgression.
At worst, blatant fraud.
I would wager that discovery would show the latter.
This basically boils down to, "Sure, we recommended you work with scammy low-quality auditors, but if you actually use them it's your own fault... we're just an automation tool!"
In other words, I'm reading this as effectively a full admission that the claims are true but the company is saying not their responsibility.
Where does it say we recommend you work with scammy low-quality auditors? They say that they use third party audit firms that are used by other compliance companies.
I've gone through this process, and is this not a failure from the institutes that are giving away these certifications for a fee without any due diligence?
Intermediaries like Delve have only amplified this failure.
It was obvious to anyone who was involved in this industry that all of this is just security theatre with nothing really to back it up.
For those looking for help with SOC2 compliance, I had a good experience with another YC company, Vanta. That was some years ago so not sure if anything has changed since then but I would recommend checking them out.
I had a pretty poor experience as a startup on Vanta. Maybe this is my own ignorance, but I told them when our contract was to renew that we do NOT want to renew. We were an early-stage startup soon to shut down and didn't need it. We never touched Vanta for 10 months before this, we never got SOC-2 (it was deprioritized). Not a single login in 10 months.
Nevertheless, they said it was: too late to opt out, that it can't be canceled or postponed, and then kept emailing us endlessly and sending to collections to pay them another $10K platform fee for the next year (more than we had in the company bank account).
I understand this with large corporations, but I don't think they're a good fit for startups.
Not every sales team can convince a big paying customer that SOC2 isn't important. Lots of B2B SaaS companies have to play the enterprise lawyer game to get big contracts.
YC has funded both Vanta and OneLeet. It's a shame they also funded a hype machine like Delve.
I would recommend both Vanta and OneLeet as good quality tools to work with, having used both. The founders of OneLeet are very accessible, and Vanta has all the integrations you would need as both a small startup and an enterprise-grade player.
Secureframe and Drata are other tools in a similar class that are also legitimate.
Vanta misses a lot of things to cover ISO 27001, and clearly misunderstands this norm at times.
The integrations are what make it really useful, but elements are not correctly connected between them, or are too limited to be useful: for instance, access review information tells you who is an "admin", but ignores the various permission levels (e.g. on GitHub, you can be an admin of a repository) which exist on each platform. So let's say you are using RBAC access policies; then all Vanta integrations are meaningless because you cannot check roles, and you have to build/buy another tool...
Their policy builder is a bad joke, slow, incomplete, and you lose all automations when you need to change even one word.
The default policies are quite bad anyway, very long and complex, pushing you to use forms which are not integrated into the platform, so again you have to maintain a duplicate system elsewhere.
Generally speaking, there's no help to keep in sync policies with processes and proofs, and let me tell you it goes out of sync very fast!
Question: how likely is it that a number of 20-year olds have the passion of solving the problem of compliance auditing? I can hardly imagine that I'd even be interested in taking a look at the domain. It's just... so mundane. Or maybe the alpha-type overachievers don't care about the domain but the opportunity?
Solving boring problems has been conventional startup wisdom for a long time. And a "mundane" startup might be more interesting than traditional high-paying jobs like finance/law/consulting. https://www.joelonsoftware.com/2007/12/06/where-theres-muck-...
I work for a firm that develops custom software in regulated industries, and we have brilliant software & data engineers in their 20's working on compliance auditing, and more specifically "Compliance Management System health monitoring."
We've been able to use a lot of AI-assisted engineering and AI in the software to solve longstanding business challenges in this space.
I won't make assumptions about where you're located, but on the East Coast US it is big business among banks, utilities, healthcare, etc.
I wonder if it's almost like a new version of management consulting. You hire/invest in a bunch of smart 20-somethings who seem generally intelligent with the idea that they'll "disrupt" an industry with their from-first-principles approach. Do the 23 year old McKinsey consultants particularly care about their work? No, but the McKinsey name is a fast way to gain clout and access to executives. Ditto the YC name.
> Question: how likely is it that a number of 20-year olds have the passion of solving the problem of compliance auditing?
It mentions that they had a medical scribe product and ran into HIPAA compliance issues with it, so it's not a leap to think someone might go "hey this stuff is what sunk us last time, I bet we're not the only people with that problem".
I also think this has to do a lot with storytelling and message in the company. Do you have someone that can motivate and etc. Many things are boring under the hood to someone and interesting to someone else, but a good story about why and how is what makes a difference.
The problem may not be "intellectually interesting" to them at all, but building B2B SaaS does appeal to them from a lifestyle/prestige/pedigree perspective and will probably get them an exit to become a Venture investor even if they fail.
I’m currently working on a KYC compliance startup. Loads of fun both technically and also KYC in it self. Most things can be fun and interesting to someone.
The only job of a test is to fail, so if you never see the page red it's not doing anything. It's refreshing to see this being called out instead of going with the flow because "everyone is doing so".
Lots of companies are affected by this. What blows my mind is, when VCs were funding this, how come no due diligence was done on something as important as compliance? Who even tries to scam on compliance, like it's a known way to get caught.
They're "AI Native". This maps with how the entire "AI revolution" has felt to me - like no due diligence has been done to validate the output of anything, and instead just the "AI" stamp is enough to satisfy investors.
I get where you are coming from, but still, claiming "AI native" shouldn't change anything when it comes to due diligence. I agree though, the "AI stamp" is letting a lot of things through.
Yeah that's a wild billboard lmao. Btw 99% of MIT people are no different than the rest, they just worked hard or paid hefty amounts; I have lots of friends that went there. Nonetheless the 1% are geniuses. Also saying MIT dropouts instantly makes your story credible, it's a funny concept. I'm starting to feel like an MIT dropout these days.
Compliance isn't that hard once you stop looking for shortcuts and start spending time doing it correctly.
AWS is probably the best actual CaaS vendor out there. They have a product offering expressly designed to help their customers get through this jungle:
You are still responsible for everything on top of what AWS provides (software/configuration/policy), but their compliance package handles a massive portion of what you would otherwise have to do if you were on-prem. Physical security, hardware management, disaster recovery, et. al., you get essentially "for free".
Maybe they meant "Not hard != quickly done". I don't think many people think bureaucracy is especially difficult. It's just time consuming.
But frankly if they meant that, the statement doesn't really say anything at all. Because what in this world is hard if you stop taking shortcuts and spend time doing it correctly?
A lot of that comes down to the costs associated with not being compliant and/or the requirements of existing contracts/insurance policies, where having dedicated FTEs to compliance is a requirement. Compliance might not be hard for the person/people managing the program, however it might seem difficult or complex to the FTEs that have to build to those standards if they do not have a security or governance background.
I assume they mean "getting a SOC2 report", which is the part that Delve attempts to automate. The maintenance of controls, adoption of new policy as the company evolves, etc, is what someone will do in the full time role and that Delve et al would do nothing to assist with.
I think that goes for any major cloud provider, not only AWS. But nothing is free, you pay a hefty premium to get this (compared to plain infra providers like Hetzner for example).
You build something great and big corporation X wants to buy a subscription but you need to be certified.
Much of this is a good checklist but some of it is very european.
"Where is the risk register to track controls in your 7 person company?"
Now instead of doing what your team does best, you are doing paperwork theater for frameworks designed for a 100,000 employee enterprise.
You are documenting things nobody will read, making up processes that don't exist and translating the operations of a lean company into bureaucratic language.
What's needed is a variant of these standards for small teams, which is proportionate and pragmatic.
SOC 2 is mostly about proving you do what your policies say, and there’s more flexibility than people think.
For small teams it doesn’t have to be heavyweight. A risk register can be a simple doc with a few real risks and mitigations.
That said, I agree there’s a lot of theater. For smaller companies and budgets, it often turns into rubber stamping. Auditors rely on the evidence you provide, so the report can look much cleaner than day to day reality.
Still, it has value. It forces you to formalize basic practices, and if you want those customers, you’re signing up for that level of scrutiny.
In reality the starting point itself is something absurd like "all vendors must be ISO certified no exceptions"
Nobody wants to be the person who says an exception is ok in this case, so you get lumped with having to certify.
Now your color palette generator startup is doing ISO certification. You are holding quarterly "information security governance meetings" and maintaining a risk register for... "blue vs slightly different blue".
Exactly this. But my question here is also: is there not a competitive advantage to a big enterprise that applies standards in a more intelligent way? You have a SaaS, I have a Fortune 500 company that could use your product but I cannot use it because my procurement process is as long and winding as the Road to Hana. In the meantime my competitor has a smarter procurement process that takes into account the impact and risk involved in renting your software. Don’t they get a competitive advantage over me by having a better process and as a result getting better vendors?
Unfortunately in most cases the buyers have way more liability/risk using a small vendor than opportunity. Often this is coming from regulators in certain industries.
In scenarios where the company REALLY REALLY wants to buy the SaaS, they often will invest in the company, one of the reasons for which being to ensure they have the resources to go through all the red tape.
I’ve found CIS Controls v8.1 to be good and sane, with actual benefits to security. Level 1 is a solid base, and Level 2 is good for picking from depending on where risks exist in your business.
CIS Benchmarks are worth a look too: They’re best practices for securing typical cloud platforms, SaaS and OS.
The risk register is ISO 27001. The "I" in ISO doesn't stand for Internet, it stands for international. You shouldn't be doing business with international customers if you don't have a risk register, which is why they're requesting it.
What is it about customers in Ethiopia that necessitates this? What is it about American (non-international) customers that doesn't require a register?
What is the purpose of a business though? To make profits for its owners. If the profit lies in doing all this corporate theater then that's the business. A company that focuses only on providing a service and product but ignores how their customer needs to use said service and product is going to go out of business.
That is "a" purpose of a business, but not the primary purpose. The primary purpose of business is to provide a service or product people want. You can want profits all day long but if you don't have something people want you don't have a business.
If the purpose of every business were making profits, every business would be a hedge fund (at which point there could be no hedge funds, but that's a separate issue). Profits are a necessary component of a business's activities, but not its purpose.
I would argue that profits are a result of what you do and not the purpose...
Obviously intertwined, but that's why it's important to pick something you like.
Going through this with a medical startup... We have like 2 developers. But to get investment, put the app online etc. we need to fill out that paperwork... For things which just don't exist...
> Now instead of doing what your team does best, you are doing paperwork theater for frameworks designed for a 100,000 employee enterprise.
Have you considered that the kind of companies that demand SOC2 compliance would be happy to pay extra for SOC2 compliance, if you offered it as an optional add-on costing $200k per year?
Translation: all your rules and regulations are crap, and we don't want to comply with any of them.
When in reality most rules and regulations are not crap, and you should care about them.
Especially when your startup advertises compliance with HIPAA (medical records), PCI-DSS (payments data) and a bunch of other data protection standards and regulations.
Data protection is a tiny component of what certifications like ISO and SOC2 involve. The data protection stuff is welcome and often pre-existing, the other stuff is what annoys people.
We were actually looking at it as well recently (we're using Drata). I was thinking "Cool, this looks like the next cool step forward". The claims didn't sound out of the world in my ears.
Every time an issue like this appears I wonder how many more undiscovered frauds are out there.
> The reason we felt the way we did was due to how little actual work any of us had to perform to become ‘compliant’, combined with a product practically devoid of any real AI
Guys guys, if only it had some of that real AI it would be all good!!
Delve did not even try to fake the reports well. They could have used AI tooling to write somewhat plausible Assertions of Management, but they just dropped in clear form submissions to the reports they provided. Here is an example from Cluely:
> We have prepared the accompanying description of Cluely, Inc., system titled "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." throughout the period June 27, 2025 - September 27, 2025(description), based on the criteria set forth in the Description Criteria DC Section 200 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report (description criteria).
> The description is intended to provide users with information about the "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." that may be useful when assessing the risks arising from interactions with Cluely, Inc. system, particularly information about the suitability of design and operating effectiveness of Cluely, Inc. controls to meet the criteria related to Security, Availability, Processing Integrity, Confidentiality and Privacy set forth in TSP Section 100, 2017 Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy (applicable trust services criteria).
I mean, just re-read this sentence:
> The description is intended to provide users with information about the "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." that may be useful
It makes no sense at all.
Someone implemented the code to automate this report mill, and didn't think to even smooth it out with an LLM! There was clear intent here.
To imagine that an auditor reviewed and stamped this as a coherent body of work beggars belief.
Delve seems clearly scummy, but dear god the author's company was also engaging in fraud with their own customers and just hoping to skate by.
"The trouble starts when you look at the answers Delve’s AI provided. Based on what your Delve policies claim, the questionnaire AI answers questions stating you have an MDM, had a 200 hour pen-test performed, and do regular backup restoration simulations. Tens of questions are answered like that. Great, you just lied to your vendor but at least you have a good shot at landing the deal. So what did we do? We kept our mouths shut."
Pretty rotten stuff. I went from energy into the software startup world and as I've gotten further down that road and energy has become more and more of a hot field I've encountered a depressing increase in that "just do it to make a deal" ethos, but in critical infrastructure.
Like, no, former Apple PM who learned about an interconnection queue from ChatGPT last week, you are not going to fix the grid, and even moreso you can't "just do X and ask forgiveness later", not in electricity.
Per the piece, they only began to step away from Delve once they realized they couldn't close the deals they wanted and their hand was forced by outside asks.
And then also it took a rather large data leak later on to provide extra ammunition to decide and go forward with publishing this.
I'm glad they did, but there are a bunch of steps in between pure balls/altruism and what actually happened based on the blog.
> Like, no, former Apple PM who learned about an interconnection queue from ChatGPT last week, you are not going to fix the grid, and even moreso you can't "just do X and ask forgiveness later", not in electricity.
Major red flag with this should have been that their expensive marketing was predicated heavily on them being MIT dropouts instead of any expertise in the space
Most people only care about compliance if it stops them from closing a deal. I was at a startup where some enterprise said we needed a SOC 2. The founder talked them out of it by giving them a discount if they'd waive the requirement.
My company is tiny (just me) and at one point a client sent over a questionnaire that I needed to fill out. Half the things I already did, about 1/4th I did right then so I could check the box (added features/reports/etc), and the last 1/4th I looked into (including SOC2) and decided I’d rather lose the deal than try to do those things. I was completely truthful in the questionnaire and for those sections I just put “We can provide this but it costs extra”.
I ended up getting the contract and they never asked for those extra things. I guess that’s kind of the same thing your founder did but in reverse. Discount to skip it vs it will cost more to add it.
To be clear, I think most of the questionnaire was just “we want these answers on file”, I’m not in an industry where most of what they asked for is reasonable/needed. Though it scared the hell out of me when I got it because SOC2 (and some other things they asked about) is not cheap. Literally 1-2x the cost of the service I was selling. All for something I consider a _very_ small step above snake oil.
In a way, this may be a good thing for the 'compliance' ecosystem because it will prompt people to actually read the report and check the evidence, as opposed to trusting a badge.
If you read through the report PDFs of affected companies, you'll find a lot of stock wording and phrases that don't even make sense.
Compliance is something that no one ever wants and everybody hates. Not a single founder wakes up in the morning thinking to themselves: "oh I wish I could make my company XYZ-123 compliant!"
Thus providing compliance is really just paying someone to shift responsibility.
The regulator can ask whether you are compliant. You can present a certificate from Delve or someone else and that's the end of it.
I don't want to work wherever you do your thing. Software as a service means you provide a service, and you should take your responsibility to protect your customer's data super seriously. Compliance frameworks are one useful tool among many to support this effort. It helps us identify gaps, identify risks, make improvements. It also gives us a way to communicate what we do to our partners. The behavior described in the medium post is fraud, pure and simple.
I am a founder, and my ambition includes meeting the highest possible standards for my customers.
I've done a mix of SOC2, ISO27001 and PCI L1 for 3 different startups. 2 of them b2b. All certified 100% and fully compliant.
The problem with the current frameworks is that the "controls" are so asinine and auditors so hard headed, that getting certified becomes a matter of "checking the box".
Particularly, most of those frameworks REQUIRE maintaining so much paper red tape that it makes a 10 person startup want to kill themselves. And in addition the costs are stupid high for startups that are just "starting up".
On the flip side, how many large companies have we seen that have all the SOCs, ISOs and whatnot certifications, and they get pwn3d and their data stolen or exposed.
It tells you that a place being certified doesn't guarantee shit.
The reality is that large companies ask for certs as a CYA mechanism: the "security" department of LargeCo, asks for the compliance cert so that when shit hits the fan, they can say "not my fault, they told me they were compliant"
The good thing is that with the new Bullshit generators (llm) this certification/compliance process will collapse.
I think the thing we are confusing here is "compliance" vs the "highest possible standards".
In theory these two terms mean the same thing.
In practice compliance can be detrimental to the cause and values that you and I both share seemingly.
> I am a founder, and my ambition includes meeting the highest possible standards for my customers.
Same here. This is why I don't care about "compliance" - because I take the privacy of my customers sacred. For example, that means no KYC on my customers. And compliance requires KYC.
Not a single person wakes up in the morning thinking they wish to pay taxes and rent and do the laundry and the other stuff that has to be done. It would be nice to smoke weed and play video games all day and order the deliveries.
Wellll this is not always the case. I have moved from a shithole country to a nice one and oh boy I am crying in gratitude every month that I pay taxes. Because it is every day that I can see my money working for me in the environment.
When I worked in cybersecurity I had a similar realization. No one cared about security posture. They cared about insurance policies. People hired us to shift blame instead of improve security posture. This is not terribly different.
This is why I've said for years: If you want to drive best practices and policy with companies you can only do it with liability. Particularly non-insurable and non-tax deductible liability. If a company can't offload civil or criminal penalties to their insurance company and take the tax write down, they suddenly start caring about it.
That said, this should be used sparingly; as it embeds a behavior deep. If that behavior later no longer makes sense it can be extremely costly to change it later.
One of my FAANG security projects incidentally helped with some compliance efforts (I made very sure it was incidental, constantly said things like "I am thrilled that I can help you guys achieve your goals but I wanna be clear that I don't give a shit about compliance and I won't be allowing it to influence the direction of my product" in meetings, it must have been extremely annoying to work with me).
At some point I was asked to look over the documents for the compliance definition and it was really hilarious. I had to give my engineering perspective on which aspects of the requirements we were and weren't meeting.
But they were stuff like "you must have logs". "You must authenticate users". "You must log failed authentication attempts".
Did we fulfill these requirements? It's a meaningless question. Unless you were literally running an open door telnet service or something you could interpret the questions so as to support any answer you wanted to give.
So I just had to be like "do you want me to say yes?" and they did, so I said yes. Nothing productive was ever achieved during that engagement.
Companies do want to be secure. They try, and they often fail because it's hard.
They hire auditors to find problems and to shift blame. But since they only have 30 days to fix the problems that are found, it's going to seem a lot like they only care about shifting the blame. Because at that point, they only care about passing that audit.
Right after that, though, they start caring about security again.
How do I know? 19 years experience going through those audits on the company side. For 11 months of the year, it was clear the boss cared about security. For that 1 month during the 'free retest' period, they only cared about passing that audit.
> Not a single founder wakes up in the morning thinking to themselves: "oh I wish I could make my company XYZ-123 compliant!"
Somehow I doubt that you are in the B2B/Enterprise space. When you're pitching demos and you hear from people "we really wish we could buy your product but we can't because Finance won't approve the expenditure unless you get XYZ-123", and you hear that over and over again because that is the real-world industry that you live in, then you better believe that there are founders who wake up in the morning wishing that.
You clearly have no understanding of what compliance does. Compliance does not "shift responsibility". Compliance is you demonstrating to your customers that you give enough of a shit that you're willing to pay the table stakes to sit at the table. You can complain that the game has table stakes, but all worthwhile games have them.
> we really wish we could buy your product but we can't because Finance won't approve the expenditure unless you get XYZ-123
So you are not dreaming about XYZ-123 compliance, you are dreaming about being able to make sales to corporate entities.
This is a subtle semantic difference.
> there are founders who wake up in the morning wishing
Wishing juicy corporate customers. Not the XYZ-123 compliance per se.
> Compliance is you demonstrating to your customers that you give enough
money and time to emulate the asinine requirements of detrimental standards to pursue corporate sales instead of directing said resources to make your product better.
Maybe no one wakes up wanting to deal with compliance, but if you found a company that has legal or moral obligations to be compliant with these standards, you sure have signed yourself up for it. Passing the responsibility off to some other company is, quite simply, irresponsible.
> Passing the responsibility off to some other company is, quite simply, irresponsible.
Then do not pass the responsibility. But here's the trick: the regulator would like to see an audit done by a firm and purchasing audit services is exactly that: passing responsibility. So legally you can't be compliant unless you passed responsibility.
Problem is, compliance is often detrimental to the cause. You want to encrypt users' data at rest? Illegal. You must store users data in a way prescribed by the law and it is extremely cumbersome, outdated and insecure.
Here's me founding a company and thinking "Shit I really need to be on ITIL 4 and ISO9000 before I even consider taking this to market", but I guess we move in different circles.
SOC2 is quite a racket on its own so I'm not surprised to read this industry creates players like this.
I hope that with LLMs, answering security questionnaires will be much less time consuming for companies and less would opt out to get a full blown SOC2 cert. But it will probably play the other way.
It feels like I'm screaming into the void, but compliance work is bad because people make it so.
Willfully paying for a service that offers SOC 2 reports at 1/5th the usual rate and delivers them in days instead of months and deluding themselves (and others) that it's a proper audit.
Taking cookie cutter policies/controls jamming it into your org without any awareness whatsoever. Acting surprised when employees complain about draconian rules and the audit process is a pain because you wanted to take the shortcut.
Why can't people just do it the proper way the first time? Pay for a reputable auditing firm, write your own policies and implement controls that map to the actual organization, do a gap assessment with the auditing firm so that both parties are aligned on expectations, and spend the necessary time to undergo the audit. Getting it should be a milestone if you actually take it seriously and have a modicum of professionalism.
In my eyes, audits should be a trust exercise. You trust that your organization is organized in a way that meets standards (by doing the work) and the auditors trust that you aren't faking your evidence. As someone who has to regularly vet countless new software purchases, SOC 2 actually serves a role. Does anyone have a better idea of getting third party validation of how another company operates? Like sending them tons of questionnaires is the solution?
All this just breaks that trust by facilitating certification mills. Another example of fraud stemming from a country that churns out fake degrees, fake papers, fake conferences, and fake references.
Notice how none of Delve's affiliates on X are posting anything after that Substack post. Probably their lawyers told them not to say anything further.
What does that tell you about the scam that was unveiled?
The only thing it tells us is that they have received competent legal advice. Any counsel is going to tell you to shut up regardless of whether you are in the right or wrong.
What is it with the dropouts and unethical businesses? It is almost as if dropping out makes them do things, and without credentials, those things are the things others will not do.
Interesting that the author (and "the others in his network") seem to only be concerned about the complete illegitimacy of their certs when they were already exposed and now they want to stand up and say they are the good guys for "exposing" Delve.
There are a lot of serious allegations in here. But some of these complaints apply to most SOC 2 compliance services. For example: it points out that Delve provides pre-filled documents and encourages you to accept them as is. In my experience that is typical. I have seen companies just rubber stamp pre-created documents that describe IT processes that do not accurately reflect actual policy because the MBA[1] running the project didn't want to pull in IT and had no idea what any of it meant.
[1] No offense to MBA, just using it as a placeholder for: business stakeholder with no IT background.
Giving you template device management policies is one thing, it's a whole other thing to say you don't have to have board meetings and generating fake minutes.
100%, accepting pre-generated board meeting notes is egregious. This whole thing is awful and I am in no way defending it. The opposite, I think other compliance as a service companies also need to be scrutinized as well.
If you aren't either having the minimal meetings or written consents per the requirements for the delaware C, something outside Delve's hands has gone off the rails...
Doesn't seem like a problem with SOC 2 compliance, seems like a problem where a company appointed someone who is not suited to handle a SOC 2 project.
As for the pre-filled stuff, that's what other SOC 2 companies mean when they try to sell you "compliance in a box." Not that bad if the company is starting from scratch (<1 year), but not realistic for a company that has an existing IT footprint.
However, the allegation here is that it is fraud. An "AI" company acting as a front for certification mills.
> the price quickly dropped to just $6,000 when they realized we were serious about going elsewhere, and they would throw in ISO 27001 and a 200 hour penetration test as well.
I'm sorry, but... $6,000 / 200 == $30 / hour? Just assuming the value of the actual certifications is $zero?
$6000 for both SOC 2 and ISO 27001 with Pen tests ? lol. I paid over $8k just for ISO 27001 for our small company and have been quoted a lot more for SOC 2.
The value of SOC2 is that it does take some experience to be able to plausibly fake the evidence which weeds out people that truly have no idea what they're doing. It also provides a blueprint of the stuff you should be doing if you actually care.
I can understand two 20 year olds committing fraud. I can't understand a team of engineers PRE-PUBLISHING A TRUST REPORT before a single field has been filled out. This is worse than fraud, it's poor craftsmanship.
Great write up. What makes this interesting...I thought it was cool what they were doing...but also seemed too good to be true. I went ahead and booked a demo call with them. Great personas. Very friendly. Can't say they had all the answers, but they did bring a CISO on the last meeting, which seemed a bit scripted. They also never disclosed any breaches, even after I asked them. Yikes. Good luck to the orgs that went through all that process.
All this evidence seems pretty legit. I found this on LinkedIn and came here to post, but noticed it had already been posted. Surprised I didn’t see it on HN front page.
People don't fully know it, but a lot of capital in society gets accumulated by people with the right look, instead of with actual ability. In many cases, these startups start out as fraud, and hope to become real. VCs know this.
But the tragedy is that there is a fixed pie of capital to be allocated, and so when they allocate to people like this, it steals opportunity from someone else
> No custom tailoring, no AI guidance, no real automation. Just pre-populated forms that required you to click “save”.
I hate that I've become this cynical, but it's gotten to the point where reading the "no x, no y, just z" construct makes me assume that writing is AI generated (and then I immediately stop caring about reading it)
Cluely did the ChatGPT wrapper to cheat on interviews then sold the customer data to recruiters. The whole company promise is a scam, and useless since we have LLMs.
HockeyStack held contests for people to win cars etc and never delivered. They also lied about having revenues and a product when they had nothing built. Along with Greptile they were doing 7day weeks of unpaid labor from “trial periods”.
We just found out about this story and the submissions of it. It looks like it didn't make the front page because it set off HN's voting ring detector.
Mods didn't touch either thread except (1) we merged the duplicate discussions and (2) we rolled back the voting ring penalty so that the story would be on the frontpage.
This is in keeping with the principle that we moderate stories less, not more, when YC or a YC startup is part of the story. That's been the case since the beginning, and I've posted about it dozens of times: https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu....
Respectfully, I think there may be an issue with your voting ring detection, which is that if multiple people try to submit the same article and are redirected to an existing post and they upvote it, that might be setting off the voting ring alert. Can you check that?
This seems like a hit job by a competitor. Really ruthless.
> Two months ago, an email went out to a few hundred Delve clients informing them that Delve had leaked their audit reports, alongside other confidential information, through a Google spreadsheet that was publicly accessible.
Who leaked the audit reports? Who sent this email? Who is taking the time to write this analysis and kill the company?
In my opinion, the majority of the points in the article are no news. A compliance saas that offers templates for policies, all of them do. The AI is a chatbot, well who thought.
I think the main point is the collusion between delve and the auditors. Is the evidence for that clear?
The key problem is the audits and the auditors. I have independently verified for our vendors that they have the same templated SOC2 as all of the leaked reports, which is concerning because that shows the auditors did not actually validate the controls.
SOC2 is supposed to give you an INDEPENDENT evaluation of the compliance of a company "are they doing what they say they are"
If the SOC2 report is just a pre-populated template, it is meaningless.
It doesn't really matter the motivation of the "DeepDelver" - this has implications across all companies that rely on these vendors that have been "assessed" by Delve.
Really curious what you're going to do, going forward. Will you be rejecting compliance certified with Delve? Will you be forcing your vendors to redo compliance?
Hit piece or not, the blatantly fraudulent behavior displayed by Delve is reprehensible.
And they didn't even try. Read this management assertion for one of the (known) affected companies:
> We have prepared the accompanying description of Cluely, Inc., system titled "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." throughout the period June 27, 2025 - September 27, 2025(description), based on the criteria set forth in the Description Criteria DC Section 200 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report (description criteria).
> The description is intended to provide users with information about the "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." that may be useful when assessing the risks arising from interactions with Cluely, Inc. system, particularly information about the suitability of design and operating effectiveness of Cluely, Inc. controls to meet the criteria related to Security, Availability, Processing Integrity, Confidentiality and Privacy set forth in TSP Section 100, 2017 Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy (applicable trust services criteria).
It's a juicy story to talk about that hits a lot of checkboxes that make it viral --
1. the hustle culture they promoted online was gross
2. they followed the 30u30 Forbes pattern like Liz Holmes, FTX, etc.
3. they're a YC co, so there's plenty of popular voices supporting them
The 3rd isn't to slight the program but folks definitely slam any companies that seem to be in the moral gray area as a proof the program is nihilistic and a net negative. People like to shove mistakes in the face of "successful" folks like investors/VCs.
Finally, the security and compliance community is litigious by their nature and this startup, in general, was a net negative for a lot of people who do fractional / consulting work in security.
What's more surprising to me, as a layperson, is that I found this out and investigated their shady auditor network in late December. It didn't take much work.
Insight Partners invested in a 32 MILLION DOLLAR ROUND without any apparent shred of due diligence. What does that say about the VC market writ large?
80% of Compliance has always been a performative box checking exercise.
They delivered the product that every company wanted - make the box checking faster.
> 80% of Compliance has always been a performative box checking exercise.
You're making the same mistake as most people do: it's 80% box checking but that doesn't make it performative, the box checking is here so that the dude who checked the box become legally responsible for what's happening if they haven't done what they said they did.
If you didn't check that box you could always claim you didn't know you weren't supposed to do what you did. As soon as you've checked “yes, I'm doing things in the approved way”, this excuse disappears.
There is no relation between checking a box and becoming legally responsible for the vast majority of certifications.
The company may be legally in trouble if the planets are aligned but that's all.
Not really, and I kinda envy you that you haven't really worked up close with compliance-related people.
A lot of compliance is basically corruption - while in country A, you might fall out of a window if you don't buy from the right people at 10x prices, but in 'civilized' country B, you have to buy from vendor X (who has the necessary paperwork), at 10x prices, or you wont be able to sell the product - and there are a million ways that they can turn the levers to kick you out of their markets, or at least make you pay protection money to these compliance organizations.
The systems of grift are very sophisticated, and very obvious to anyone but the people perpetuating and participating in them. As they say, it is difficult to get a man to understand something, when his salary depends upon his not understanding it.
A lot of compliance software is griftware - Sonarqube is a prime example - most engineers don't think it adds value, and the 'analysis' it produces is incredibly shoddy, but like a lot of cybersecurity products, it relies on an authoritarian company culture, certification TP conditional on using the software and achieving a good score etc and alarmist language with nice dashboards. A classic example, is it tags public fields in Java as a security issue. And then the management see that you are writing 'insecure code'.
And literal mouthbreathing idiots in upper management eat this shit up, or use it as a punitive measure against the devs who by their very nature do all the meaningful work.
I'm not saying all compliance is worthless, but if you approach quality from first principles, a 'compliant' product usually has to clear a very low bar of quality. And compliance usually keeps the quality low, and prices high, by forcing potential competitors out of the market.
And compliance can keep quality low in other ways, I've seen firsthand - by making devs work on BS tasks, or preventing improvements and fixes to codebases, because they're not tracked appropriately by whatever change management system.
I was incredibly wary of doing hacky solutions in these places, not out of a sense of commitment to quality, but the fact that once management sees your hacks WORK (kinda), all requests to clean up the garbage will be stonewalled.
Thankfully LLMs make this busywork very easy, through making this papermill garbage, and nitpicking busywork very easy, which I feel will bring at least some positive change in the world (at least to those who do meaningful work)
> the box checking is here so that the dude who checked the box become legally responsible for what's happening if they haven't done what they said they did.
Maybe so, but how often are small companies actually sued for compliance survey misrepresentations? My most positive look at such surveys, after filtering out all the nonsense, is sometimes they flag something we've missed in our self-directed efforts.
Okay, so who are we supposed to go to for SOC 2 compliance now if any number of the compliance automation companies might be charging 5 figures to do it fraudulently?
Pay to play and keep selling. Understand the liabilities and cover your ass, address the biggest risks.
The point of SOC2 is really to demonstrate that you have controls. The other fake compliance areas are scarier for sure. You used to see really blatant issues — I recall early SaaS companies pitching to my enterprise with sales engineers showing me customer data.
Microsoft refused to provide diagrams to the Feds detailing how Azure works. They got the FedRAMP High stamp anyway, because they already sold it to half the Fed. That’s more real… as a situation where a Chinese hacker could compromise data in a dedicated “government cloud” by compromising a certificate in an onprem dev environment should be impossible… yet it happened.
If you want to do it right, hire a CPA who takes it seriously and spend the time to complete it in-house and fully understand it. Then engage one of the big 4 to sign off on it. The big 4 don’t offer much for SOC2 above what Delve does, it’s all smoke and mirrors unless you personally take it seriously.
Last time I went through SOC 2 we talked to our auditor about this. His view was that there are and basically always have been auditors/companies that will sign off on anything without verifying it if you're paying them. The rest of the industry knows who they are though. If you are taking things seriously and hire an auditor who does, that's one of the things that they look at when you're reviewing the reports from the services/subprocessors that you use. I.e., you can get a SOC 2 that doesn't mean anything but then any of your customers who know/care will flag it and it won't be worth anything.
Big four have been caught approving fraudulent accounts too, so why not SOC? :)
I’d be amazed if the companies were entirely oblivious to this.
In my experience it’s we know that they know that we know that they know …..
There is a legal liability that comes with the box checking. Nobody cares about box checking. Everyone cares about legal liability.
Nah. I’m gonna name some names.
I had a client in the compliance space - they handle detailed product information for Apple, Boeing, BAE systems, Philips, Siemens - you know, nothing important, just literally classified material and incredibly sensitive corporate material.
Anyway. We did ISO27001. We did it well, audited by Lloyds register, reputable stuff all the way down. Built actual meaningful processes.
Anyway, a massive PE entity bought them in a hostile takeover, fired everybody, binned the ISMS, moved to some “compliance” goons.
I saw the box ticking chicanery as it happened - as after firing everyone they of course didn’t follow the off boarding process, so I retained full access to their JIRA. I only lost access a year later when atlassian terminated the account for non-payment.
Nobody actually gives a shit, about anything.
In practice the only liability you might wind up with is whether you technically met the conditions for checking the box (instead of just checking falsely). But the liability for the overall consequences of not doing the actual job the checklist sets out to do tends to stay where it is.
These days, nobody cares about legal liability, which is the likelihood of losing a lawsuit if there's a lawsuit, either. They only care about actual lawsuits against their company. They have noticed they're pretty rare and if the company's going to go under it's going to go under anyway, so might as well take the extra profits from not worrying about it
That’s a separate exercise in most cases. Obtaining the cert is its own exercise and not strictly a security exercise.
Small businesses very much like to gamble with the box checking.
I was asked to work for my employer as a responsible electrical engineer — a specific legal role that needs to be filled if your bosses don't want the liability buck to stop with them.
They fell in the same trap as you did now. You can try to make the liability tree complicated, but in the end the buck will stop with the person in charge unless they put things in place they have to legally put in place. Liability is like water, you can shift it around, but it always has to go somewhere. And if you don't know where it is as a boss, it is likely eating away at your foundation.
In my case they hoped I could just be the responsible electrical engineer on paper and absolve them of their liability. Then I explained to them that I could do that, but that legally they would still be liable until they provide that role with the time/resources/personnel needed to do the job. In my case that would have meant dropping everything I did in my existing roles and reallocating 80% of my work time to that role.
In the end they decided to use an external company that covers that role for real. To them it was just a checkbox in the beginning, but only because they had no expertise in the legal dimension of the whole thing. And sure they could potentially have gone for years without problems, but one wrong electrical fire and they are in jail.
Under GDPR the potential liability we are talking about is 10 Million Euros or 2% of global annual turnover, whichever is higher. But yeah, go ahead, check your boxes.
Maybe like 40%, but also just check if they got a manual pentest.
That’s the only actual audit on “security”.
AI pentesting is just another SaaS.
Delve tried to automate the CPA, you can’t automate the audit. Same goes for the penetration test.
Forbes 30u30 pipeline remains undefeated.
How did none of this come up during diligence? Feels like a prime example of too good to be true.
Trust me, you can lie and get away with it if you go through YC and dropped out of a top university. Garry Tan blocked me on X for pointing this out. It's a big club, and you ain't in it!
Fortunately, some of the old-YC spirit seems to be alive here on HN still.
They likely barely had a product when they applied to YC. It's more interesting as to why this wasn't discovered (if it is even true) when they were raising their Series A.
Dishonesty is high signal for VC
Like no one characterizes it like that, but this is the same business where you can tell a story about hiring a bunch of college friends to pretend to be your employees so a client comes to your "office" and thinks you're a legitimate business. And instead of looking in horror at how casually you'll lie to get business it's seen as scrappy and whimsical.
I think they're fairly open about looking for this signal, "be naughty" is one of their core tenets, no?
They probably saw good results with this back when everyone could take a piece of Craigslist's business and make a billion bucks. Now you're just left with the ethos of cheating your way to the top without a real business to attach it to.
This is the next one...
https://x.com/HotAisle/status/2035024494663016532
> How did none of this come up during diligence?
The article states that, "Even though we knew we’d technically be lying about our security to anyone we sent these policies to for review ... we decided to adopt these policies because we simply didn’t have the bandwidth to rewrite them all manually."
FWIW I think the 30u30 to fraud pipeline is overstated. There are 600 people on the American Forbes 30u30 list every year (it's "30 under 30 each year in each of 20 categories"), with 20ish notable instances of fraud, so maybe a quarter percent of the people on the 30u30 list will later become famous for fraud.
I think the pipeline is not really about the 30u30 list as a whole, but about the cover of the magazine, which I feel has had a very high rate of fraud.
You mean from the beginning? They could’ve just done it properly initially then moved to this scam process later
This was such an interesting read, but I found this link via LinkedIn rather than Hacker News.
I would have expected this to be somewhere at the top right now given how deep the article digs and evidence seems legit.
I think it may be getting (intentionally?) suppressed from the homepage. Given this is a YCombinator website, I wouldn't rule that out.
Regardless, it's been an ongoing issue. I know a few involved companies — it takes basically 5 days to get a SOC 2 Type 2 report through Delve. And, of course, they market this way too: "SOC 2 in days". Unbelievable.
In case anyone hasn't seen my other posts about this:
(1) I had no idea this story existed and woke up to claims that I was obviously* suppressing it.
(2) I looked into it and found that no moderator had touched either of the two submissions of the story, but that both submissions had set off HN's voting ring detector. (Whether there was a voting ring or not, I don't know - that software isn't perfect. It has held up well over the years though.)
(3) We merged the two discussions and placed the merged thread on the front page.
(4) Why? Because we moderate HN less, not more, when YC or a YC startup is part of a story: https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu.... This is literally the #1 principle of moderation in the sense that it was the very first thing that pg drilled into me: https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que....
* https://quoteinvestigator.com/2018/11/18/know-trouble/
I see the submission time as an hour ago, so it actually looks like it got second-chanced, i.e. boosted by the site admins.
It's a trending story on X. Was surprised there was no meaty discussion here on HN.
Surprised/not surprised that this is getting buried from the homepage
Even if this is a hit piece made by a competitor, the evidence put forward is very damning:
> Conclusions present before customer signs or provides info
If false, the defamation damages here would be in the tens of millions. Huge respect to whoever stuck their neck out to post this.
In theory, yes, but you can't squeeze blood from a stone.
Delve has released a response
https://delve.co/blog/response-to-misleading-claims
> These are starting points only: customers are responsible for reviewing, modifying, and finalizing their own materials. Draft templates are not the same as “pre-filled evidence.”
Yeah, ok. BRB, going to start a bank where I template everyone a billion dollars; it's up to you to be honest about how much money you have.
> “Non-denial denial” is a term of art in PR. Never read one? They’re fun.
— patio11 about this response (https://x.com/patio11/status/2035115379169677717)
To me this is the money shot (but it takes a couple of passes to understand):
> No small amount of criticism of LLMs is downstream of past decisions to reify form over function, resulting in the substance having been optimized out. Now the LLM threatens to make the form available in seconds
*Actual fun may vary.
> "If there are more attacks to respond to we will do so."
Wow, what a way to end the document.
They’ve possibly dug an even deeper hole now.
None of their ISO 27001 certificates, aside from the premium one-offs with the vCISO, are accredited by any reputable ISO accreditation body. I would even argue that IAS, who accredited Prescient Security (mentioned as a reputable body in the article), has a questionable reputation and certainly gives off a pay-to-play impression.
You can look up the names of their partners below. The one body I found that is on the register (Accorp) is accredited by UAF, a known cert-mill accreditation body, and I’m not even sure it’s the same Accorp that Delve has partnered with.
For reference, you want an ISO certificate issued by a body accredited by UKAS (UK gov. adjacent non-profit), ANAB (ANSI), or equivalent, all government-recognised. This is normally the first thing I check whenever someone claims ISO 27001 certification and it is a great heuristic to validate certification rigour.
https://www.iafcertsearch.org/search/certification-bodies
Shockingly low levels of DD by everyone involved here.
Wow! They confirmed it in the last paragraph: "we are investigating possible leaks", not "we have filed a libel suit". A leak means an insider spilled the beans.
This response is just... simply... terrible.
"Below are just some of the many inaccuracies in the story and then the truth."
"[G]iven how competitive this industry is, attacks like this sadly come with the territory."
"We are actively investigating any leaks and are still reviewing the Substack. If there are more attacks to respond to we will do so."
When you have a PR problem, you don't hire your marketing intern to write the response. You hire a PR consultant. Their funders' Rolodexes are probably full of them. If the Board approved the response, I'd be frankly shocked.
There's a deep lack of accountability here for their marketing statements. For example, "get SOC 2 compliant in days," which I would consider to be false advertising.
That, plus their willingness to arrange an essentially fraudulent auditor network (try to find who the real CPA is behind Accorp, for example), and also massively upcharge the prices of the SOC reports that they offered as a bundled service within the platform. There was no separation here. Delve is the transfer agent. Delve was always the intermediary and the transfer agent. There is no independence in their default auditor relationships.
At very best, this is a massive AICPA transgression.
At worst, blatant fraud.
I would wager that discovery would show the latter.
This basically boils down to, "Sure, we recommended you work with scammy low-quality auditors, but if you actually use them it's your own fault... we're just an automation tool!"
In other words, I'm reading this as effectively a full admission that the claims are true but the company is saying not their responsibility.
Very, very bad.
Where does it say we recommend you work with scammy low-quality auditors? They say that they use third party audit firms that are used by other compliance companies.
Considering how YC companies are customers of other YC companies (presumably to lift ARR), how many YC companies have Delve compliance?
Should we worry about AI startup customer data…
You can safely assume that all AI startups are stealing their customer data, don’t worry about that
I've gone through this process, and is this not a failure of the institutes that are giving away these certifications for a fee without any due diligence?
Intermediaries like Delve have only amplified this failure.
It was obvious to anyone who was involved in this industry that all of this is just security theatre with nothing really to back it up.
For those looking for help with SOC2 compliance, I had a good experience with another YC company, Vanta. That was some years ago so not sure if anything has changed since then but I would recommend checking them out.
I had a pretty poor experience as a startup on Vanta. Maybe this is my own ignorance, but I told them when our contract was to renew that we do NOT want to renew. We were an early-stage startup soon to shut down and didn't need it. We never touched Vanta for 10 months before this, we never got SOC-2 (it was deprioritized). Not a single login in 10 months.
Nevertheless, they said it was too late to opt out, that it couldn't be canceled or postponed, and then kept emailing us endlessly and sent us to collections to pay them another $10K platform fee for the next year (more than we had in the company bank account).
I understand this with large corporations, but I don't think they're a good fit for startups.
It sounds like you signed a contract and weren’t happy with the terms. This is the point of a contract, though.
I like the Vanta people just fine and think it's a fine product, but I would not recommend it to startups looking to get SOC2.
https://fly.io/blog/soc2-the-screenshots-will-continue-until...
Most startups should be doing way, way less than automation platforms like these tell them they need to do to get a SOC2 attestation.
Not every sales team can convince a big paying customer that SOC2 isn't important. Lots of B2B SaaS companies have to play the enterprise lawyer game to get big contracts.
YC has funded both Vanta and OneLeet. It's a shame they also funded a hype machine like Delve.
I would recommend both Vanta and OneLeet as good quality tools to work with, having used both. The founders of OneLeet are very accessible, and Vanta has all the integrations you would need as both a small startup and an enterprise-grade player.
Secureframe and Drata are other tools in a similar class that are also legitimate.
Vanta misses a lot of things to cover ISO 27001, and clearly misunderstands this norm at times.
The integrations are what make it really useful, but elements are not correctly connected between them, or are too limited to be useful: for instance, access review information tells you who is an "admin", but ignores the various permission levels (e.g. on GitHub, you can be an admin of a repository) which exist on each platform. So let's say you are using RBAC access policies; then all Vanta integrations are meaningless because you cannot check roles, and you have to build/buy another tool...
Their policy builder is a bad joke, slow, incomplete, and you lose all automations when you need to change even one word. The default policies are quite bad anyway, very long and complex, pushing you to use forms which are not integrated into the platform, so again you have to maintain a duplicate system elsewhere.
Generally speaking, there's no help to keep in sync policies with processes and proofs, and let me tell you it goes out of sync very fast!
Question: how likely is it that a number of 20-year olds have the passion of solving the problem of compliance auditing? I can hardly imagine that I'd even be interested in taking a look at the domain. It's just... so mundane. Or maybe the alpha-type overachievers don't care about the domain but the opportunity?
Solving boring problems has been conventional startup wisdom for a long time. And a "mundane" startup might be more interesting than traditional high-paying jobs like finance/law/consulting. https://www.joelonsoftware.com/2007/12/06/where-theres-muck-...
I work for a firm that develops custom software in regulated industries, and we have brilliant software & data engineers in their 20's working on compliance auditing, and more specifically "Compliance Management System health monitoring."
We've been able to use a lot of AI-assisted engineering and AI in the software to solve longstanding business challenges in this space.
I won't make assumptions about where you're located, but on the East Coast US it is big business among banks, utilities, healthcare, etc.
I think there are lots of 20 year olds with a passion for making money
I wonder if it's almost like a new version of management consulting. You hire/invest in a bunch of smart 20-somethings who seem generally intelligent with the idea that they'll "disrupt" an industry with their from-first principles approach. Do the 23 year old McKinsey consultants particularly care about their work? No, but the McKinsey name is a fast way to gain clout and access to executives. Ditto the YC name
> Question: how likely is it that a number of 20-year olds have the passion of solving the problem of compliance auditing?
It mentions that they had a medical scribe product and ran into HIPAA compliance issues with it, so it's not a leap to think someone might go "hey this stuff is what sunk us last time, I bet we're not the only people with that problem".
I also think this has to do a lot with storytelling and message in the company. Do you have someone that can motivate and etc. Many things are boring under the hood to someone and interesting to someone else, but a good story about why and how is what makes a difference.
The problem may not be "intellectually interesting" to them at all, but building B2B SaaS does appeal to them from a lifestyle/prestige/pedigree perspective and will probably get them an exit to become a Venture investor even if they fail.
I'm in the industry (albeit not a 20-year old), and agree that the domain itself is incredibly dry.
The tech is quite interesting, thankfully.
From a customer perspective it's interesting - compliance sucks so much that even a slight improvement/automation goes a long way
I’m currently working on a KYC compliance startup. Loads of fun both technically and also KYC in it self. Most things can be fun and interesting to someone.
The only job of a test is to fail, so if you never see the page red it's not doing anything. It's refreshing to see this being called out instead of going with the flow because "everyone is doing so".
Lots of companies are affected by this. What blows my mind is, when VCs were funding this, how come no due diligence was done on something as important as compliance? Who even tries to scam on compliance? It's a known way to get caught.
They're "AI Native". This maps with how the entire "AI revolution" has felt to me - like no due diligence has been done to validate the output of anything, and instead just the "AI" stamp is enough to satisfy investors.
I get where you are coming from, but still claiming "AI native" shouldn't change anything when it comes to due diligence. I agree tho the 'AI stamp" is letting a lot of things through.
I genuinely think this is because the elites like the MIT dropouts that started this company think the rest of us observers are stupid.
They have a billboard with the copy "Compliance before you tell your parents you dropped out of MIT"
Yeah that's a wild billboard lmao. BTW 99% of MIT people are no different than the rest; they just worked hard or paid hefty amounts. I have lots of friends that went there. Nonetheless the 1% are geniuses. Also, saying "MIT dropouts" instantly makes your story credible; it's a funny concept. I'm starting to feel like an MIT dropout these days.
Compliance isn't that hard once you stop looking for shortcuts and start spending time doing it correctly.
AWS is probably the best actual CaaS vendor out there. They have a product offering expressly designed to help their customers get through this jungle:
https://docs.aws.amazon.com/artifact/latest/ug/what-is-aws-a...
You are still responsible for everything on top of what AWS provides (software/configuration/policy), but their compliance package handles a massive portion of what you would otherwise have to do if you were on-prem. Physical security, hardware management, disaster recovery, et al., you get essentially "for free".
> Compliance isn't that hard once you stop looking for shortcuts and start spending time doing it correctly.
Trying to understand how someone can have this perspective when it’s usually someone’s full time salaried job in a lot of companies.
Maybe they meant "Not hard != quickly done". I don't think many people think bureaucracy is especially difficult. It's just time consuming.
But frankly if they meant that, the statement doesn't really say anything at all. Because what in this world is hard if you stop taking shortcuts and spend time doing it correctly?
A lot of that comes down to the costs associated with not being compliant and/or the requirements of existing contracts/insurance policies, where having dedicated FTEs to compliance is a requirement. Compliance might not be hard for the person/people managing the program, however it might seem difficult or complex to the FTEs that have to build to those standards if they do not have a security or governance background.
I assume they mean "getting a SOC2 report", which is the part that Delve attempts to automate. The maintenance of controls, adoption of new policy as the company evolves, etc, is what someone will do in the full time role and that Delve et al would do nothing to assist with.
I think that goes for any major cloud provider, not only AWS. But nothing is free, you pay a hefty premium to get this (compared to plain infra providers like Hetzner for example).
A lot of startups move fast with a small team.
You build something great and big corporation X wants to buy a subscription but you need to be certified.
Much of this is a good checklist but some of it is very european.
"Where is the risk register to track controls in your 7 person company?"
Now instead of doing what your team does best, you are doing paperwork theater for frameworks designed for a 100,000 employee enterprise.
You are documenting things nobody will read, making up processes that don't exist and translating the operations of a lean company into bureaucratic language.
What's needed is a variant of these standards for small teams, which is proportionate and pragmatic.
SOC 2 is mostly about proving you do what your policies say, and there’s more flexibility than people think.
For small teams it doesn’t have to be heavyweight. A risk register can be a simple doc with a few real risks and mitigations.
That said, I agree there’s a lot of theater. For smaller companies and budgets, it often turns into rubber stamping. Auditors rely on the evidence you provide, so the report can look much cleaner than day to day reality.
Still, it has value. It forces you to formalize basic practices, and if you want those customers, you’re signing up for that level of scrutiny.
It ends up being a LARP
In reality the starting point itself is something absurd like "all vendors must be ISO certified no exceptions"
Nobody wants to be the person who says an exception is ok in this case, so you get lumped with having to certify.
Now your color palette generator startup is doing ISO certification. You are holding quarterly "information security governance meetings" and maintaining a risk register for... "blue vs slightly different blue".
Many such cases.
Exactly this. But my question here is also: is there not a competitive advantage to a big enterprise that applies standards in a more intelligent way? You have a SaaS, I have a Fortune 500 company that could use your product, but I cannot use it because my procurement process is as long and winding as the Road to Hana. In the meantime my competitor has a smarter procurement process that takes into account the impact and risk involved in renting your software. Don't they get a competitive advantage over me by having a better process and as a result getting better vendors?
Unfortunately in most cases the buyers have way more liability/risk using a small vendor than opportunity. Often this is coming from regulators in certain industries.
In scenarios where the company REALLY REALLY wants to buy the SaaS, they often will invest in the company, one of the reasons for which being to ensure they have the resources to go through all the red tape.
I’ve found CIS Controls v8.1 to be good and sane, with actual benefits to security. Level 1 is a solid base, and Level 2 is good for picking from depending on where risks exist in your business.
CIS Benchmarks are worth a look too: They’re best practices for securing typical cloud platforms, SaaS and OS.
The risk register is ISO 27001. The "I" in ISO doesn't stand for Internet, it stands for international. You shouldn't be doing business with international customers if you don't have a risk register, which is why they're requesting it.
The D in Democratic People's Republic of Korea means it should be democratic so why is it a dictatorship?
The world doesn't work based on abbreviations. It's very normal for any company to ask you for ISO 27001 whether international or otherwise.
Why is the line drawn at being international?
What is it about customers in Ethiopia that necessitates this? What is it about American (non-international) customers that doesn't require a register?
Shouldn’t according to who? Who appointed ISO to say what should and shouldn’t be done?
What is the purpose of a business though? To make profits for its owners. If the profit lies in doing all this corporate theater then that's the business. A company that focuses only on providing a service and product but ignores how their customer needs to use said service and product is going to go out of business.
That is "a" purpose of a business, but not the primary purpose. The primary purpose of business is to provide a service or product people want. You can want profits all day long but if you don't have something people want you don't have a business.
If the purpose of every business were making profits, every business would be a hedge fund (at which point there could be no hedge funds, but that's a separate issue). Profits are a necessary component of a business's activities, but not its purpose.
I would argue that profits are a result of what you do and not the purpose... Obviously intertwined but that's why its important to pick something you like
Maybe you shouldn't be hacking due diligence if your team isn't ready for it.
Isn't ready for, or doesn't need?
I had to have meetings with… myself, at times, for compliance reasons.
"is very european." ... ah yes, consumer protections. Very European.
This assumes that there is only 1 way to protect consumers
Going through this with a medical startup... We have like 2 developers. But to get investment, put the app online etc. we need to fill out that paperwork... for things which just don't exist...
Isn't the point of the paperwork to get you to make those things exist?
> We need to fill out those paperwork... For things which just don't exist...
Things like what? HIPAA?
> Now instead of doing what your team does best, you are doing paperwork theater for frameworks designed for a 100,000 employee enterprise.
Have you considered that the kind of companies that demand SOC2 compliance would be happy to pay extra for SOC2 compliance, if you offered it as an optional add-on costing $200k per year?
$200k is more for FedRAMP or PROTECTED+, but I think you’d be able to create a “compliance” addon for $20k quite successfully.
This is designed to gatekeep these customers. Those in control of the checklists stand to benefit.
Translation: all your rules and regulations are crap, and we don't want to comply with any of them.
When in reality most rules and regulations are not crap, and you should care about them.
Especially when your startup advertises compliance with HIPAA (medical records), PCI-DSS (payments data) and a bunch of other data protection standards and regulations.
Data protection is a tiny component of what certifications like ISO and SOC2 involve. The data protection stuff is welcome and often pre-existing, the other stuff is what annoys people.
Most rules and regulations are not crap.
But the whole compliance industry is crap.
On one hand they inflate expectations to extract money; on the other they cut corners to rubber-stamp BS to make it as cheap as possible for themselves.
Love the depth of this post.
We were actually looking at it as well recently (we're using Drata). I was thinking "Cool, this looks like the next cool step forward". The claims didn't sound out of the world in my ears.
Every time an issue like this appears I wonder how many more undiscovered frauds are out there.
> The reason we felt the way we did was due to how little actual work any of us had to perform to become ‘compliant’, combined with a product practically devoid of any real AI
Guys guys, if only it had some of that real AI it would be all good!!
Delve did not even try to fake the reports well. They could have used AI tooling to write somewhat plausible Assertions of Management, but they just dropped in clear form submissions to the reports they provided. Here is an example from Cluely:
> We have prepared the accompanying description of Cluely, Inc., system titled "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." throughout the period June 27, 2025 - September 27, 2025(description), based on the criteria set forth in the Description Criteria DC Section 200 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report (description criteria).
> The description is intended to provide users with information about the "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." that may be useful when assessing the risks arising from interactions with Cluely, Inc. system, particularly information about the suitability of design and operating effectiveness of Cluely, Inc. controls to meet the criteria related to Security, Availability, Processing Integrity, Confidentiality and Privacy set forth in TSP Section 100, 2017 Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy (applicable trust services criteria).
I mean, just re-read this sentence:
> The description is intended to provide users with information about the "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." that may be useful
It makes no sense at all.
Someone implemented the code to automate this report mill, and didn't think to even smooth it out with an LLM! There was clear intent here.
To imagine that an auditor reviewed and stamped this as a coherent body of work beggars belief.
Delve seems clearly scummy, but dear god the author's company was also engaging in fraud with their own customers and just hoping to skate by.
"The trouble starts when you look at the answers Delve’s AI provided. Based on what your Delve policies claim, the questionnaire AI answers questions stating you have an MDM, had a 200 hour pen-test performed, and do regular backup restoration simulations. Tens of questions are answered like that. Great, you just lied to your vendor but at least you have a good shot at landing the deal. So what did we do? We kept our mouths shut."
Pretty rotten stuff. I went from energy into the software startup world and as I've gotten further down that road and energy has become more and more of a hot field I've encountered a depressing increase in that "just do it to make a deal" ethos, but in critical infrastructure.
Like, no, former Apple PM who learned about an interconnection queue from ChatGPT last week, you are not going to fix the grid, and even moreso you can't "just do X and ask forgiveness later", not in electricity.
At least they had the balls to post it
Per the piece, they only began to step away from Delve once they realized they couldn't close the deals they wanted and their hand was forced by outside asks.
And then also it took a rather large data leak later on to provide extra ammunition to decide and go forward with publishing this.
I'm glad they did, but there are a bunch of steps in between pure balls/altruism and what actually happened based on the blog.
1 reply →
> Like, no, former Apple PM who learned about an interconnection queue from ChatGPT last week, you are not going to fix the grid, and even moreso you can't "just do X and ask forgiveness later", not in electricity.
Just bribe the WECC auditors!
https://www.reddit.com/r/soc2/comments/1q7u90o/real_or_fake_...
A major red flag with this should have been that their expensive marketing was predicated heavily on them being MIT dropouts instead of any expertise in the space.
I remember having sales calls with them and the vibe was that it was "cheap and quick"... exactly what you want for your compliance
Most people only care about compliance if it stops them from closing a deal. I was at a startup where some enterprise said we needed a SOC 2. The founder talked them out of it by giving them a discount if they'd waive the requirement.
My company is tiny (just me) and at one point a client sent over a questionnaire that I needed to fill out. Half the things I already did, about 1/4th I did right then so I could check the box (added features/reports/etc), and the last 1/4th I looked into (including SOC2) and decided I’d rather lose the deal than try to do those things. I was completely truthful in the questionnaire and for those sections I just put “We can provide this but it costs extra”.
I ended up getting the contract and they never asked for those extra things. I guess that’s kind of the same thing your founder did but in reverse. Discount to skip it vs it will cost more to add it.
To be clear, I think most of the questionnaire was just "we want these answers on file"; I'm not in an industry where most of what they asked for is reasonable/needed. Though it scared the hell out of me when I got it, because SOC2 (and some other things they asked about) is not cheap. Literally 1-2x the cost of the service I was selling. All for something I consider a _very_ small step above snake oil.
In a way, this may be a good thing for the 'compliance' ecosystem because it will prompt people to actually read the report and check the evidence, as opposed to trusting a badge.
If you read through the report PDFs of affected companies, you'll find a lot of stock wording and phrases that don't even make sense.
I wonder if Y Combinator will start getting serious again about due diligence and founder selection.
Compliance is something that no one ever wants and everybody hates. Not a single founder wakes up in the morning thinking to themselves: "oh I wish I could make my company XYZ-123 compliant!"
Thus providing compliance is really just paying someone to shift responsibility.
The regulator can ask whether you are compliant. You can present certificate from Delve or someone else and that's the end of it.
I don't want to work wherever you do your thing. Software as a service means you provide a service, and you should take your responsibility to protect your customer's data super seriously. Compliance frameworks are one useful tool among many to support this effort. It helps us identify gaps, identify risks, make improvements. It also give us a way to communicate what we do to our partners. The behavior described in the medium post is fraud, pure and simple.
I am a founder, and my ambition includes meeting the highest possible standards for my customers.
I've done a mix of SOC2, ISO27001 and PCI L1 for 3 different startups. 2 of them b2b. All certified 100% and fully compliant.
The problem with the current frameworks is that the "controls" are so asinine and auditors so hard headed, that getting certified becomes a matter of "checking the box" .
Particularly most of those frameworks REQUIRE maintaining so much paper red tape that make a 10 person startup want to kill themselves. And in addition the costs are stupid high for startups that are just "starting up".
On the flip side, how many large companies have we seen that have all the SOCs, ISOS and whatnot certifications, and they get pwn3d and their data stolen or exposed.
It tells you that a place being certified doesn't guarantee shit.
The reality is that large companies ask for certs as a CYA mechanism: the "security" department of LargeCo, asks for the compliance cert so that when shit hits the fan, they can say "not my fault, they told me they were compliant"
The good thing is that with the new Bullshit generators (llm) this certification/compliance process will collapse.
I think the thing we are confusing here is "compliance" vs the "highest possible standards".
In theory these two terms mean the same thing.
In practice compliance can be detrimental to the cause and values that you and I both share seemingly.
> I am a founder, and my ambition includes meeting the highest possible standards for my customers.
Same here. This is why I don't care about "compliance" - because I hold the privacy of my customers sacred. For example, that means no KYC on my customers. And compliance requires KYC.
Not a single person wakes up in the morning thinking they wish to pay taxes and rent and do the laundry and the other stuff that has to be done. It would be nice to smoke weed and play video games all day and order the deliveries.
Some things just have to be done.
> thinking they wish to pay taxes
Wellll this is not always the case. I have moved from a shithole country to a nice one and oh boy I am crying in gratitude every month that I pay taxes. Because it is every day that I can see my money working for me in the environment.
But your point stands.
When I worked in cybersecurity I had a similar realization. No one cared about security posture. They cared about insurance policies. People hired us to shift blame instead of improve security posture. This is not terribly different.
This is why I've said for years: If you want to drive best practices and policy with companies you can only do it with liability. Particularly non-insurable and non-tax deductible liability. If a company can't offload civil or criminal penalties to their insurance company and take the tax write down, they suddenly start caring about it.
That said, this should be used sparingly; as it embeds a behavior deep. If that behavior later no longer makes sense it can be extremely costly to change it later.
One of my FAANG security projects incidentally helped with some compliance efforts (I made very sure it was incidental, constantly said things like "I am thrilled that I can help you guys achieve your goals but I wanna be clear that I don't give a shit about compliance and I won't be allowing it to influence the direction of my product" in meetings, it must have been extremely annoying to work with me).
At some point I was asked to look over the documents for the compliance definition and it was really hilarious. I had to give my engineering perspective on which aspects of the requirements we were and weren't meeting.
But they were stuff like "you must have logs". "You must authenticate users". "You must log failed authentication attempts".
Did we fulfill these requirements? It's a meaningless question. Unless you were literally running an open door telnet service or something you could interpret the questions so as to support any answer you wanted to give.
So I just had to be like "do you want me to say yes?" and they did, so I said yes. Nothing productive was ever achieved during that engagement.
I think it's subtly different than that.
Companies do want to be secure. They try, and they often fail because it's hard.
They hire auditors to find problems and to shift blame. But since they only have 30 days to fix the problems that are found, it's going to seem a lot like they only care about shifting the blame. Because at that point, they only care about passing that audit.
Right after that, though, they start caring about security again.
How do I know? 19 years experience going through those audits on the company side. For 11 months of the year, it was clear the boss cared about security. For that 1 month during the 'free retest' period, they only cared about passing that audit.
> Not a single founder wakes up in the morning thinking to themselves: "oh I wish I could make my company XYZ-123 compliant!"
Somehow I doubt that you are in the B2B/Enterprise space. When you're pitching demos and you hear from people "we really wish we could buy your product but we can't because Finance won't approve the expenditure unless you get XYZ-123", and you hear that over and over again because that is the real-world industry that you live in, then you better believe that there are founders who wake up in the morning wishing that.
You clearly have no understanding of what compliance does. Compliance does not "shift responsibility". Compliance is you demonstrating to your customers that you give enough of a shit that you're willing to pay the table stakes to sit at the table. You can complain that the game has table stakes, but all worthwhile games have them.
I think we are confusing something here.
> we really wish we could buy your product but we can't because Finance won't approve the expenditure unless you get XYZ-123
So you are not dreaming about XYZ-123 compliance, you are dreaming about being able to make sales to corporate entities.
This is a subtle semantic difference.
> there are founders who wake up in the morning wishing
Wishing juicy corporate customers. Not the XYZ-123 compliance per se.
> Compliance is you demonstrating to your customers that you give enough
money and time to emulate the asinine requirements of detrimental standards to pursue corporate sales instead of directing said resources to make your product better.
This
Maybe no one wakes up wanting to deal with compliance, but if you found a company that has legal or moral obligations to be compliant with these standards, you sure have signed yourself up for it. Passing the responsibility off to some other company is, quite simply, irresponsible.
> Passing the responsibility off to some other company is, quite simply, irresponsible.
Then do not pass the responsibility. But here's the trick: the regulator would like to see an audit done by a firm and purchasing audit services is exactly that: passing responsibility. So legally you can't be compliant unless you passed responsibility.
Problem is, compliance is often detrimental to the cause. You want to encrypt users' data at rest? Illegal. You must store users data in a way prescribed by the law and it is extremely cumbersome, outdated and insecure.
Here's me founding a company and thinking "Shit I really need to be on ITIL 4 and ISO9000 before I even consider taking this to market", but I guess we move in different circles.
Do you really want to be compliant to ITIL 4 or do you want to sell to your target market?
I'm pretty sure you want customers who pay money, and an ITIL 4 badge is just a small means to achieve that, not a goal per se.
SOC2 is quite a racket on its own so I'm not surprised to read this industry creates players like this.
I hope that with LLMs, answering security questionnaires will be much less time consuming for companies and fewer would opt to get a full blown SOC2 cert. But it will probably play the other way.
I've been talking about this for a while now. For those of you thinking... Oh, I use a "good" company... think otherwise.
https://x.com/HotAisle/status/1946302651383329081
The whole thing is a racket.
It feels like I'm screaming into the void, but compliance work is bad because people make it so.
Willfully paying for a service that offers SOC 2 reports at 1/5th the usual rate and delivers them in days instead of months and deluding themselves (and others) that it's a proper audit.
Taking cookie cutter policies/controls and jamming them into your org without any awareness whatsoever. Acting surprised when employees complain about draconian rules and the audit process is a pain because you wanted to take the shortcut.
Why can't people just do it the proper way the first time? Pay for a reputable auditing firm, write your own policies and implement controls that map to the actual organization, do a gap assessment with the auditing firm so that both parties are aligned on expectations, and spend the necessary time to undergo the audit. Getting it should be a milestone if you actually take it seriously and have a modicum of professionalism.
In my eyes, audits should be a trust exercise. You trust that your organization is organized in a way that meets standards (by doing the work) and the auditors trust that you aren't faking your evidence. As someone who has to regularly vet countless new software purchases, SOC 2 actually serves a role. Does anyone have a better idea of getting third party validation of how another company operates? Like sending them tons of questionnaires is the solution?
All this just breaks that trust by facilitating certification mills. Another example of fraud stemming from a country that churns out fake degrees, fake papers, fake conferences, and fake references.
Notice how none of Delve's affiliates on X are posting anything after that Substack post. Probably their lawyers told them not to say anything further.
What does that tell you about the scam that was unveiled?
Not good.
The only thing it tells us is that they have received competent legal advice. Any counsel is going to tell you to shut up regardless of whether you are in the right or wrong.
We did passive recon on Delve's own security posture. Here's what ships to the browser: https://security.redeux.ai/research/delve-compliance-posture
> Delve was founded in 2023 by Karun Kaushik and Selin Kocalar, both Forbes 30 Under 30 members and MIT dropouts who met as freshmen.
Forbes 30 under 30 remains undefeated
The methodology questions remain:
does Forbes have a great method for identifying future felons?
do future felons push harder to come to Forbes' attention?
does being on the Forbes list unduly influence founders to commit felonies?
What is it with the dropouts and unethical businesses? It is almost as if dropping out makes them do things, and without credentials, those things are the things others will not do.
Interesting that the author (and "the others in his network") seem to only be concerned about the complete illegitimacy of their certs when they were already exposed and now they want to stand up and say they are the good guys for "exposing" Delve.
There are a lot of serious allegations in here. But some of these complaints apply to most SOC 2 compliance services. For example: it points out that Delve provides pre-filled documents and encourages you to accept them as is. In my experience that is typical. I have seen companies just rubber stamp pre-created documents that describe IT processes that do not accurately reflect actual policy because the MBA[1] running the project didn't want to pull in IT and had no idea what any of it meant.
[1] No offense to MBA, just using it as a placeholder for: business stakeholder with no IT background.
Giving you template device management policies is one thing, it's a whole other thing to say you don't have to have board meetings and generating fake minutes.
100%, accepting pre-generated board meeting notes is egregious. This whole thing is awful and I am in no way defending it. The opposite, I think other compliance as a service companies also need to be scrutinized as well.
If you aren't either having the minimal meetings or written consents per the requirements for the delaware C, something outside Delve's hands has gone off the rails...
Many small companies operate without any formal board meetings.
Not every company is a Delaware C corp.
Doesn't seem like a problem with SOC 2 compliance, seems like a problem where a company appointed someone who is not suited to handle a SOC 2 project.
As for the pre-filled stuff, that's what other SOC 2 companies mean when they try to sell you "compliance in a box." Not that bad if the company is starting from scratch (<1 year), but not realistic for a company that has an existing IT footprint.
However, the allegation here is that it is fraud. An "AI" company acting as a front for certification mills.
When I read the headline I thought "Fake compliance as a service" sounded like a great idea.
The rookie mistake they made is they forgot to bribe the regulators with promises of future job offers.
> the price quickly dropped to just $6,000 when they realized we were serious about going elsewhere, and they would throw in ISO 27001 and a 200 hour penetration test as well.
I'm sorry, but... $6,000 / 200 == $30 / hour? Just assuming the value of the actual certifications is $zero?
Wouldn't that raise some serious red flags?
$6000 for both SOC 2 and ISO 27001 with Pen tests ? lol. I paid over $8k just for ISO 27001 for our small company and have been quoted a lot more for SOC 2.
there needs to be a fund with an ethos of "move slowly and do things accurately"
The fund is called customers. The independent regulator is called the AICPA. It really comes down to who is paying attention
SOC2 is as useful as a privacy policy at protecting your data. It’s all humans following human incentives.
The value of SOC2 is that it does take some experience to be able to plausibly fake the evidence which weeds out people that truly have no idea what they're doing. It also provides a blueprint of the stuff you should be doing if you actually care.
But beyond that it's not worth a whole lot.
There are a few, roughly.
Like the best options in most categories, they don’t spend a bunch of money or time on brand presence, advertising.
You simply find them.
The United States military?
Slow is smooth and smooth is fast.
I can understand two 20 year olds committing fraud. I can't understand a team of engineers PRE-PUBLISHING A TRUST REPORT before a single field has been filled out. This is worse than fraud, its poor craftsmanship.
Slopliance?
Great write up. What makes this interesting...I thought it was cool what they were doing...but also seemed too good to be true. I went ahead and booked a demo call with them. Great personas. Very friendly. Can't say they had all the answers, but they did bring a CISO on the last meeting, which seemed a bit scripted. They also never disclosed any breaches, even after I asked them. Yikes. Good luck to the orgs that went through all that process.
All this evidence seems pretty legit. I found this on LinkedIn and came here to post, but noticed it had already been posted. Surprised I didn’t see it on HN front page.
It is being suppressed by @dang, I believe they may have a policy that allows suppression for bad YC-related news.
Moderators didn't see it, and our policy is the precise opposite of this – see https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu... or, for more color, https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que....
We've restored it to the front page now.
Did they ever address why they had access to everyone’s SOC reports??
Forbes 30 under 30 strikes again.
This could be AI's globe.com moment
Well now we know how Cluely and friends can claim to be SOC2 compliant.
People don't fully know it, but a lot of capital in society gets accumulated by people with the right look, instead of with actual ability. In many cases, these startups start out as fraud, and hope to become real. VCs know this.
But the tragedy is that there is a fixed pie of capital to be allocated, and so when they allocate to people like this, it steals opportunity from someone else
> High profile companies like those listed in the image above
Never heard of any of them except Loveable.
What's the TLDR? Should one be worried if their business uses Delve?
vibe compliance
wow, cannot imagine how companies that took the compliance, and got deals, just to be fake. uff...
> No custom tailoring, no AI guidance, no real automation. Just pre-populated forms that required you to click “save”.
I hate that I've become this cynical, but it's gotten to the point where reading the "no x, no y, just z" construct makes me assume that writing is AI generated (and then I immediately stop caring about reading it)
wow you guys really delved into this
lmao
I miss 2010s YC until like 2017 ish when crypto sort of just caused a massive decline across the board.
I guess it is great if you're a grifter/scammer or looking to just sell off to a FANG.
agreed
Cluely and HockeyStack are scam companies too.
Cluely did the ChatGPT wrapper to cheat on interviews then sold the customer data to recruiters. The whole company promise is a scam, and useless since we have LLMs.
HockeyStack held contests for people to win cars etc and never delivered. They also lied about having revenues and a product when they had nothing built. Along with Greptile they were doing 7day weeks of unpaid labor from “trial periods”.
Scams all around.
Greptile is an awesome product, not sure where the scam is there
Wait what's the greptile story?
It says right there, 7-day work weeks (no days off).
Also they were part of the cohort forcing workers to stay minimum until 9PM.
Like every AI company, their "product" is a Next.js website, OPENAI_API_KEY, and a Stripe checkout page.
How does this not reach the front page?
We just found out about this story and the submissions of it. It looks like it didn't make the front page because it set off HN's voting ring detector.
Mods didn't touch either thread except (1) we merged the duplicate discussions and (2) we rolled back the voting ring penalty so that the story would be on the frontpage.
This is in keeping with the principle that we moderate stories less, not more, when YC or a YC startup is part of the story. That's been the case since the beginning, and I've posted about it dozens of times: https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu....
Respectfully, I think there may be an issue with your voting ring detection, which is that if multiple people try to submit the same article and are redirected to an existing post and they upvote it, that might be setting off the voting ring alert. Can you check that?
I would imagine that's what happened here.
It's on the front page for me?
It does, but it's also a takedown of a YC-backed company.
Really great vetting there, guys.
LOL -For a good minute the comments were not visible. Someone is playing RR.
Wow thanks Claude for the insightful comment!
What’s the point of posting vacuous AI comments here?
https://x.com/connorcady_eth/status/2024651743066312721?s=46
This seems like a hit job by a competitor. Really ruthless.
> Two months ago, an email went out to a few hundred Delve clients informing them that Delve had leaked their audit reports, alongside other confidential information, through a Google spreadsheet that was publicly accessible.
Who leaked the audit reports? Who sent this email? Who is taking the time to write this analysis and kill the company?
In my opinion, the majority of the points in the article are no news. A compliance saas that offers templates for policies, all of them do. The AI is a chatbot, well who thought.
I think the main point is the collusion between delve and the auditors. Is the evidence for that clear?
The key problem is the audits and the auditors. I have independently verified for our vendors that they have the same templated SOC2 as all of the leaked reports, which is concerning because that shows the auditors did not actually validate the controls.
SOC2 is supposed to give you an INDEPENDENT evaluation of the compliance of a company "are they doing what they say they are"
If the SOC2 report is just a pre-populated template, it is meaningless.
It doesn't really matter the motivation of the "DeepDelver" - this has implications across all companies that rely on these vendors that have been "assessed" by Delve.
Really curious what you're going to do, going forward. Will you be rejecting compliance certified with Delve? Will you be forcing your vendors to redo compliance?
Hit piece or not, the blatantly fraudulent behavior displayed by Delve is reprehensible.
And they didn't even try. Read this management assertion for one of the (known) affected companies:
> We have prepared the accompanying description of Cluely, Inc., system titled "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." throughout the period June 27, 2025 - September 27, 2025(description), based on the criteria set forth in the Description Criteria DC Section 200 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report (description criteria).
> The description is intended to provide users with information about the "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." that may be useful when assessing the risks arising from interactions with Cluely, Inc. system, particularly information about the suitability of design and operating effectiveness of Cluely, Inc. controls to meet the criteria related to Security, Availability, Processing Integrity, Confidentiality and Privacy set forth in TSP Section 100, 2017 Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy (applicable trust services criteria).
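The two comments above make a concrete, checkable claim: the leaked reports share one templated system description, and the "system titled" field holds a marketing tagline instead of a system name. Below is an added example, written for this page and not code from the post's author, from Delve, or from any vendor named on the page, of the check a reviewer vetting vendor SOC 2 reports can run offline. The report excerpts are constructed to mirror the DC Section 200 wording quoted above, the vendor names (AcmeCo, Bravo, Cobalt, Northwind) are hypothetical, and the word-shingle Jaccard similarity with a 0.6 threshold is an assumed heuristic, not anything the AICPA prescribes.

```python
"""Flag templated SOC 2 system descriptions and tagline-style system titles.

Added example for this thread; all report text below is constructed and
the vendor names are hypothetical.
"""
import re
from itertools import combinations

# Constructed excerpts modelled on the management-assertion wording quoted in
# the thread. Three vendors share one template (only name, tagline and period
# change); Northwind's description was written for its actual system.
SAMPLE_REPORTS = {
    "AcmeCo": (
        "We have prepared the accompanying description of AcmeCo, Inc., system "
        'titled "AcmeCo is a browser extension that writes your emails for you." '
        "throughout the period January 1, 2025 - April 1, 2025, based on the "
        "criteria set forth in the Description Criteria DC Section 200."
    ),
    "Bravo": (
        "We have prepared the accompanying description of Bravo, Inc., system "
        'titled "Bravo is a meeting notetaker that remembers everything for you." '
        "throughout the period February 3, 2025 - May 3, 2025, based on the "
        "criteria set forth in the Description Criteria DC Section 200."
    ),
    "Cobalt": (
        "We have prepared the accompanying description of Cobalt, Inc., system "
        'titled "Cobalt is an AI sales agent that books your next deal." '
        "throughout the period March 10, 2025 - June 10, 2025, based on the "
        "criteria set forth in the Description Criteria DC Section 200."
    ),
    "Northwind": (
        'Northwind, Inc. operates the system titled "Northwind Ticketing Platform", '
        "a multi-tenant ticketing service for universities hosted in two AWS regions. "
        "This description covers the production environment, the deployment pipeline "
        "and the on-call process throughout the period March 1, 2025 - August 31, 2025, "
        "and excludes the public marketing website."
    ),
}


def normalize(text):
    """Tokenize, masking the fields a template fills in (dates, quoted title)
    so that two copies of one template compare as near-identical."""
    text = re.sub(r'"[^"]*"', "<TITLE>", text)
    text = re.sub(r"\b[A-Z][a-z]+ \d{1,2}, \d{4}\b", "<DATE>", text)
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(tokens, k=4):
    """Set of word k-grams; k=4 keeps phrase order, not just vocabulary."""
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def jaccard(a, b):
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def find_templated_pairs(reports, threshold=0.6, k=4):
    """Return (vendor_a, vendor_b, score) for every pair of descriptions whose
    shingle overlap meets the threshold, i.e. likely the same template."""
    sh = {name: shingles(normalize(text), k) for name, text in reports.items()}
    hits = []
    for a, b in combinations(sorted(reports), 2):
        score = jaccard(sh[a], sh[b])
        if score >= threshold:
            hits.append((a, b, round(score, 2)))
    return hits


def title_is_tagline(description):
    """The 'system titled "..."' field should name a system. A full sentence,
    a trailing period or second-person marketing copy is a template artifact."""
    m = re.search(r'system titled "([^"]*)"', description)
    if not m:
        return False
    title = m.group(1).strip()
    return title.endswith(".") or len(title.split()) > 8 or " you" in title.lower()


def review(reports, threshold=0.6):
    """Summary a vendor-risk reviewer would act on: templated pairs plus
    vendors whose system title is a tagline."""
    return {
        "templated_pairs": find_templated_pairs(reports, threshold),
        "tagline_titles": sorted(n for n, t in reports.items() if title_is_tagline(t)),
    }


if __name__ == "__main__":
    result = review(SAMPLE_REPORTS)
    for a, b, score in result["templated_pairs"]:
        print(f"templated: {a} ~ {b} (jaccard {score})")
    print("tagline titles:", ", ".join(result["tagline_titles"]))
```

On the constructed input the three templated vendors pair with each other at about 0.74 and Northwind pairs with none of them, while all three templated vendors are flagged for tagline titles. Run against real reports you would feed the full system-description section, not just the assertion paragraph, and tune the threshold on a few reports you already trust; the masking in `normalize` is deliberately narrow so that genuinely bespoke descriptions are not collapsed into matches.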
There's no need for some conspiracy.
It's a juicy story to talk about that hits a lot of checkboxes that make it viral --
The 3rd isn't to slight the program but folks definitely slam any companies that seem to be in the moral gray area as a proof the program is nihilistic and a net negative. People like to shove mistakes in the face of "successful" folks like investors/VCs.
Finally, the security and compliance community is litigious by their nature and this startup, in general, was a net negative for a lot of people who do fractional / consulting work in security.
What's more surprising to me, as a layperson, is that I found this out and investigated their shady auditor network in late December. It didn't take much work.
Insight Partners invested in a 32 MILLION DOLLAR ROUND without any apparent shred of due diligence. What does that say about the VC market writ large?