80% of Compliance has always been a performative box checking exercise.

They delivered the product that every company wanted - make the box checking faster.

Forbes 30u30 pipeline remains undefeated.

How did none of this come up during diligence? Feels like a prime example of too good to be true.

This was such as interesting read, but I found this link via LinkedIn rather than hackernews.

I would have expected this to be somewhere at the top right now given how deep the article digs and evidence seems legit.

Even if this is a hit piece made by a competitor, the evidence put forwards is very damning:

> Conclusions present before customer signs or provides info

If false, the defamation damages here would be in the tens of millions. Huge respect to whoever stuck their neck out to post this.

Considering how YC companies are customers of other YC companies (presumably to lift ARR), how many YC companies have Delve compliance?

Should we worry about AI startup customer data…

Delve has released a response

https://delve.co/blog/response-to-misleading-claims

I've gone through this process and is this not a failure from the institute that are giving away these certifications for a fee without any due diligence?

intermediaries like delve have only amplified this failure.

it was obvious to anyone who was involved in this industry that, all of this is just security theatre with nothing really to back it up.

For those looking for help with SOC2 compliance, I had a good experience with another YC company, Vanta. That was some years ago so not sure if anything has changed since then but I would recommend checking them out.

Question: how likely is it that a number of 20-year olds have the passion of solving the problem of compliance auditing? I can hardly imagine that I'd even be interested in taking a look at the domain. It's just... so mundane. Or maybe the alpha-type overachievers don't care about the domain but the opportunity?

The only job of a test is to fail, so if you never see the page red it's not doing anything. It's refreshing to see this being called out instead of going with the flow because "everyone is doing so".

Lots of companies affected this, what blows my mind is when VC's were funding this how come no due-diligence was done on something as important as compliance. who even tries to scam on compliance like it's a known way to get caught.

Compliance isn't that hard once you stop looking for shortcuts and start spending time doing it correctly.

AWS is probably the best actual CaaS vendor out there. They have a product offering expressly designed to help their customers get through this jungle:

https://docs.aws.amazon.com/artifact/latest/ug/what-is-aws-a...

You are still responsible for everything on top of what AWS provides (software/configuration/policy), but their compliance package handles a massive portion of what you would otherwise have to do if you were on-prem. Physical security, hardware management, disaster recovery, et. al., you get essentially "for free".

A lot of startups move fast with a small team.

You build something great and big corporation X wants to buy a subscription but you need to be certified.

Much of this is a good checklist but some of it is very european.

"Where is the risk register to track controls in your 7 person company?"

Now instead of doing what your team does best, you are doing paperwork theater for frameworks designed for a 100,000 employee enterprise.

You are documenting things nobody will read, making up processes that don't exist and translating the operations of a lean company into bureaucratic language.

What's needed is a variant of these standards for small teams, which is proportionate and pragmatic.

Love the depth of this post.

We were actually looking at it as well recently (we're using Drata). I was thinking "Cool, this looks like the next cool step forward". The claims didn't sound out of the world in my ears.

Every time an issue like this appears I wonder how many more undiscovered frauds are out there.

> The reason we felt the way we did was due to how little actual work any of us had to perform to become ‘compliant’, combined with a product practically devoid of any real AI

Guys guys, if only it had some of that real AI it would be all good!!

Forbes 30 under 30 strikes again.

Delve did not even try to fake the reports well. They could have used AI tooling to write somewhat plausible Assertions of Management, but they just dropped in clear form submissions to the reports they provided. Here is an example from Cluely:

> We have prepared the accompanying description of Cluely, Inc., system titled "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." throughout the period June 27, 2025 - September 27, 2025(description), based on the criteria set forth in the Description Criteria DC Section 200 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report (description criteria).

> The description is intended to provide users with information about the "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." that may be useful when assessing the risks arising from interactions with Cluely, Inc. system, particularly information about the suitability of design and operating effectiveness of Cluely, Inc. controls to meet the criteria related to Security, Availability, Processing Integrity, Confidentiality and Privacy set forth in TSP Section 100, 2017 Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy (applicable trust services criteria).

I mean, just re-read this sentence:

> The description is intended to provide users with information about the "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." that may be useful

It makes no sense at all.

Someone implemented the code to automate this report mill, and didn't think to even smooth it out with an LLM! There was clear intent here.

To imagine that an auditor reviewed and stamped this as a coherent body of work beggars belief.

Delve seems clearly scummy, but dear god the author's company was also engaging in fraud with their own customers and just hoping to skate by.

"The trouble starts when you look at the answers Delve’s AI provided. Based on what your Delve policies claim, the questionnaire AI answers questions stating you have an MDM, had a 200 hour pen-test performed, and do regular backup restoration simulations. Tens of questions are answered like that. Great, you just lied to your vendor but at least you have a good shot at landing the deal. So what did we do? We kept our mouths shut."

Pretty rotten stuff. I went from energy into the software startup world and as I've gotten further down that road and energy has become more and more of a hot field I've encountered a depressing increase in that "just do it to make a deal" ethos, but in critical infrastructure.

Like, no, former Apple PM who learned about an interconnection queue from ChatGPT last week, you are not going to fix the grid, and even moreso you can't "just do X and ask forgiveness later", not in electricity.

Major red flag with this should have been that their expensive marketing predicated heavily on them being MIT dropouts instead of any expertise in the space

I remember having sales calls with them and the vibe was that it was "cheap and quick"... exactly what you want for your compliance

I wonder if Y Combinator will start getting serious again about due diligence and founder selection.

SOC2 is quite a racket on its own so I'm not surprised to read this industry creates players like this.

I hope that with LLMs, answering security questionnaires will be much less time consuming for companies and less would opt out to get a full blown SOC2 cert. But it will probably play the other way.

Compliance is something that no one ever wants and everybody hates. Not a single founder wakes up in the morning thinking to themselves: "oh I wish I could make my company XYZ-123 compliant!"

Thus providing compliance is really just paying someone to shift responsibility.

The regulator can ask whether you are compliant. You can present certificate from Delve or someone else and that's the end of it.

I've been talking about this for a while now. For those of you thinking... Oh, I use a "good" company... think otherwise.

https://x.com/HotAisle/status/1946302651383329081

The whole thing is a racket.

It feels like I'm screaming into the void, but compliance work is bad is because people make it so.

Willfully paying for a service that offers SOC 2 reports at 1/5th the usual rate and delivers them in days instead of months and deluding themselves (and others) that it's a proper audit.

Taking cookie cutter policies/controls jamming it into your org without any awareness whatsoever. Acting surprised when employees complain about draconian rules and the audit process is a pain because you wanted to take the shortcut.

Why can't people just do it the proper way the first time? Pay for a reputable auditing firm, write your own policies and implement controls that map to the actual organization, do a gap assessment with the auditing firm so that both parties is aligned on expectations, and spend the necessary time to undergo the audit. Getting it should be a milestone if you actually take it seriously and have a modicum of professionalism.

In my eyes, audits should be a trust exercise. You trust that your organization is organized in a way that meets standards (by doing the work) and the auditors trust that you aren't faking your evidence. As someone who has to regularly vet countless new software purchases, SOC 2 actually serves a role. Does anyone have a better idea of getting third party validation of how another company operates? Like sending them tons of questionnaires is the solution?

All this just breaks that trust by facilitating certification mills. Another example of fraud stemming from a country that churns out fake degrees, fake papers, fake conferences, and fake references.

We did passive recon on Delve's own security posture. Here's what ships to the browser: https://security.redeux.ai/research/delve-compliance-posture

Notice how none of Delve's affiliates on X are posting anything after that Substack post. Probably their lawyers told them not to say anything further.

What does that tell you about the scam that was unveiled?

Not good.

> Delve was founded in 2023 by Karun Kaushik and Selin Kocalar, both Forbes 30 Under 30 members and MIT dropouts who met as freshmen.

Forbes 30 under 30 remains undefeated

Interesting that the author (and "the others in his network") seem to only be concerned about the complete illegitimacy of their certs when they were already exposed and now they want to stand up and say they are the good guys for "exposing" Delve.

There is a lot of serious allegations in here. But some of these complaints apply to most SOC 2 compliance services. For example: it points out that Delve provides pre-filled documents and encourages you to accept them as is. In my experience that is typical. I have seen companies just rubber stamp pre-created documents that describe IT processes that do not accurately reflect actual policy because the MBA[1] running the project didn't want to pull in IT and had no idea what any of it meant.

[1] No offense to MBA, just using it as a placeholder for: business stakeholder with no IT background.

When I read the headline I thought "Fake compliance as a service" sounded like a great idea.

The rookie mistake they made is they forgot to bribe the regulators with promises of future job offers.

> the price quickly dropped to just $6,000 when they realized we were serious about going elsewhere, and they would throw in ISO 27001 and a 200 hour penetration test as well.

I'm sorry, but... $6,000 / 200 == $30 / hour? Just assuming the value of the actual certifications is $zero?

Wouldn't that raise some serious red flags?

there needs to be a fund with an ethos of "move slowly and do things accurately"

I can understand two 20 year olds committing fraud. I can't understand a team of engineers PRE-PUBLISHING A TRUST REPORT before a single field has been filled out. This is worse than fraud, its poor craftsmanship.

Slopliance?

Great write up. What makes this interesting...I thought it was cool what they were doing...but also seemed too good to be true. I went ahead a booked a demo call with them. Great personas. Very friendly. Can't say they had all the answers, but they did bring a CISO on the last meeting, which seemed a bit scripted. They also never disclosed any breaches, even after I asked them. Yikes. Good luck to the orgs that went through all that process.

Did they ever address why they had access to everyone’s SOC reports??

All this evidence seems pretty legit. I found this on LinkedIn and came here to post, but noticed it had already been posted. Surprised I didn’t see it on HN front page.

This could be AI's globe.com moment

Well now we know how Cluely and friends can claim to be SOC2 compliant.

People dont fully know it, but alot of capital in society gets accumulated by people with the right look, instead of with actual ability. In many cases, these startups start out as fraud, and hope to become real. VCs know this.

But the tragedy is that there is a fixed pie of capital to be allocated, and so when they allocate to people like this, it steals opportunity from someone else

> High profile companies like those listed in the image above

Never heard of any of them except Loveable.

What's the TLDR? Should one be worried if their business uses Delve?

vibe compliance

undefined

wow, cannot imagine now companies that tool the compliance, and get deals just to be fake. uff...

> No custom tailoring, no AI guidance, no real automation. Just pre-populated forms that required you to click “save”.

I hate that I've become this cynical, but it's gotten to the point where reading the "no x, no y, just z" construct makes me assume that writing is AI generated (and then I immediately stop caring about reading it)

wow you guys really delved into this

I miss 2010s YC until like 2017 ish when crypto sort of just caused a massive decline across the board.

I guess it is great if you're a grifter/scammer or looking to just sell off to a FANG.

[dead]

[dead]

[dead]

[flagged]

[dead]

[dead]

[dead]

undefined

Cluely and HockeyStack are scam companies too.

Cluely did the ChatGPT wrapper to cheat on interviews then sold the customer data to recruiters. The whole company promise is a scam, and useless since we have LLMs.

HockeyStack held contests for people to win cars etc and never delivered. They also lied about having revenues and a product when they had nothing built. Along with Greptile they were doing 7day weeks of unpaid labor from “trial periods”.

Scams all around.

[dead]

[dead]

[dead]

[dupe]

[dead]

[dead]

[dead]

How does this not reach the front page?

[flagged]

[flagged]

This seems like a hit job by a competitor. Really ruthless.

> Two months ago, an email went out to a few hundred Delve clients informing them that Delve had leaked their audit reports, alongside other confidential information, through a Google spreadsheet that was publicly accessible.

Who leaked the audit reports? Who sent this email? Who is taking the time to write this analysis and kill the company?

In my opinion, the majority of the points in the article are no news. A compliance saas that offers templates for policies, all of them do. The AI is a chatbot, well who thought.

I think the main point is the collusion between delve and the auditors. Is the evidence for that clear?