| ▲ | Delve – Fake Compliance as a Service(deepdelver.substack.com) |
| 295 points by freddykruger a day ago | 52 comments |
| |
|
| ▲ | chromatin 7 minutes ago | parent | next [-] |
| > Delve was founded in 2023 by Karun Kaushik and Selin Kocalar, both Forbes 30 Under 30 members and MIT dropouts who met as freshmen. Forbes 30 under 30 remains undefeated |
|
| ▲ | love2read 3 minutes ago | parent | prev | next [-] |
| Interesting that the author (and "the others in his network") seem to only be concerned about the complete illegitimacy of their certs when they were already exposed and now they want to stand up and say they are the good guys for "exposing" Delve. |
|
| ▲ | fareesh 24 minutes ago | parent | prev | next [-] |
| A lot of startups move fast with a small team. You build something great and big corporation X wants to buy a subscription but you need to be certified. Much of this is a good checklist but some of it is very european. "Where is the risk register to track controls in your 7 person company?" Now instead of doing what your team does best, you are doing paperwork theater for frameworks designed for a 100,000 employee enterprise. You are documenting things nobody will read, making up processes that don't exist and translating the operations of a lean company into bureaucratic language. What's needed is a variant of these standards for small teams, which is proportionate and pragmatic. |
| |
| ▲ | phyzix5761 a minute ago | parent | next [-] | | What is the purpose of a business though? To make profits for its owners. If the profit lies in doing all this corporate theater then that's the business. A company that focuses only on providing a service and product but ignores how their customer needs to use said service and product is going to go out of business. | |
| ▲ | ljm 2 minutes ago | parent | prev [-] | | Maybe you suouldn't be hacking due diligence if your team isn't ready for it |
|
|
| ▲ | hintymad an hour ago | parent | prev | next [-] |
| Question: how likely is it that a number of 20-year olds have the passion of solving the problem of compliance auditing? I can hardly imagine that I'd even be interested in taking a look at the domain. It's just... so mundane. Or maybe the alpha-type overachievers don't care about the domain but the opportunity? |
| |
| ▲ | wmf an hour ago | parent | next [-] | | Solving boring problems has been conventional startup wisdom for a long time. And a "mundane" startup might be more interesting than traditional high-paying jobs like finance/law/consulting. https://www.joelonsoftware.com/2007/12/06/where-theres-muck-... | |
| ▲ | busseio an hour ago | parent | prev [-] | | I work for a firm that develops custom software in regulated industries, and we have brilliant software & data engineers in their 20's working on compliance auditing, and more specifically "Compliance Management System health monitoring." We've be able to use a lot of AI-assisted engineering and AI in the software to solve longstanding business challenges in this space. I won't make assumptions about where you're located, but on the East Coast US it is big business among banks, utilities, healthcare, etc. |
|
|
| ▲ | suriya-ganesh 2 hours ago | parent | prev | next [-] |
| I've gone through this process and is this not a failure from the institute that are giving away these certifications for a fee without any due diligence? intermediaries like delve have only amplified this failure. it was obvious to anyone who was involved in this industry that, all of this is just security theatre with nothing really to back it up. |
|
| ▲ | cwal37 15 minutes ago | parent | prev | next [-] |
| Delve seems clearly scummy, but dear god the author's company was also engaging in fraud with their own customers and just hoping to skate by. "The trouble starts when you look at the answers Delve’s AI provided. Based on what your Delve policies claim, the questionnaire AI answers questions stating you have an MDM, had a 200 hour pen-test performed, and do regular backup restoration simulations. Tens of questions are answered like that. Great, you just lied to your vendor but at least you have a good shot at landing the deal. So what did we do? We kept our mouths shut." Pretty rotten stuff. I went from energy into the software startup world and as I've gotten further down that road and energy has become more and more of a hot field I've encountered a depressing increase in that "just do it to make a deal" ethos, but in critical infrastructure. Like, no, former Apple PM who learned about an interconnection queue from ChatGPT last week, you are not going to fix the grid, and even moreso you can't "just do X and ask forgiveness later", not in electricity. |
|
| ▲ | stringtoint 2 hours ago | parent | prev | next [-] |
| Love the depth of this post. We were actually looking at it as well recently (we're using Drata). I was thinking "Cool, this looks like the next cool step forward". The claims didn't sound out of the world in my ears. Every time an issue like this appears I wonder how many more undiscovered frauds are out there. |
|
| ▲ | sebmellen 2 hours ago | parent | prev | next [-] |
| Delve did not even try to fake the reports well. They could have used AI tooling to write somewhat plausible Assertions of Management, but they just dropped in clear form submissions to the reports they provided. Here is an example from Cluely: > We have prepared the accompanying description of Cluely, Inc., system titled "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." throughout the period June 27, 2025 - September 27, 2025(description), based on the criteria set forth in the Description Criteria DC Section 200 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report (description criteria). > The description is intended to provide users with information about the "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." that may be useful when assessing the risks arising from interactions with Cluely, Inc. system, particularly information about the suitability of design and operating effectiveness of Cluely, Inc. controls to meet the criteria related to Security, Availability, Processing Integrity, Confidentiality and Privacy set forth in TSP Section 100, 2017 Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy (applicable trust services criteria). I mean, just re-read this sentence: > The description is intended to provide users with information about the "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." that may be useful It makes no sense at all. Someone implemented the code to automate this report mill, and didn't think to even smooth it out with an LLM! There was clear intent here. To imagine that an auditor reviewed and stamped this as a coherent body of work beggars belief. |
|
| ▲ | egorfine an hour ago | parent | prev | next [-] |
| Compliance is something that no one ever wants and everybody hates. Not a single founder wakes up in the morning thinking to themselves: "oh I wish I could make my company XYZ-123 compliant!" Thus providing compliance is really just paying someone to shift responsibility. The regulator can ask whether you are compliant. You can present certificate from Delve or someone else and that's the end of it. |
| |
| ▲ | bedatadriven an hour ago | parent | next [-] | | I don't want to work wherever you do your thing. Software as a service means you provide a service, and you should take your responsibility to protect your customer's data super seriously. Compliance frameworks are one useful tool among many to support this effort. It helps us identify gaps, identify risks, make improvements. It also give us a way to communicate what we do to our partners. The behavior described in the medium post is fraud, pure and simple. I am a founder, and my ambition includes meeting the highest possible standards for my customers. | |
| ▲ | Muromec an hour ago | parent | prev | next [-] | | Not a single person wakes up in the morning thinking they wish to pay taxes and rent and do the laundry the other stuff that has to be done. I would be nice to smoke weed and play video games all day and order the deliveries. Some things just have to be done. | | |
| ▲ | egorfine an hour ago | parent [-] | | > thinking they wish to pay taxes Wellll this is not always the case. I have moved from a shithole country to a nice one and oh boy I am crying in gratitude every month that I pay taxes. Because it is every day that I can see my money working for me in the environment. But your point stands. | | |
| ▲ | Muromec an hour ago | parent | next [-] | | As a person who moved to a high-tax country I understand the sentiment. It's usually lost on the people who were always there paying those taxes. Somehow it often doesn't click that they get something in return. The same applies to all the audit and bureaucracy stuff. Does it do something? If you don't feel it does, does it mean it's not? I don't know really, but I hope somebody is rotating their key material as they provided in their security posture. | |
| ▲ | kakacik 42 minutes ago | parent | prev [-] | | There are well-used tax money, then there are stupidly burned tax money on ie buying favors of some part of population before elections, financing blindly without any checks social security programs that get abused to no end, or simply plain old corruption. I love bringing Switzerland up to annoy most of western/northern Europeans since their success is so obvious and undeniable while going in very different direction than most of Europe. Low to low-medium taxes, yet state budgets are frequently in positive numbers, there is no end to money spend on infra projects, train infra, but also rather strong social programs (just not ridiculously bad as mentioned above), top notch free healthcare and education. VAT taxes are 2-8% instead of 20-23% in all countries around. Country simply works(TM) because population is not hard comfort-zone-addicted and entitled bunch of spoiled whiny kids, they work relatively hard and it brings results, consistently and long term. They don't work more than americans nor asians, but thats enough for their prosperity. Do you think lets say a heavy tax burden in say Italy, or even France (not even going more into southern or eastern EU since that would be a small book) is really used well and efficiently? I visit those places frequently and it certainly doesn't seem that way. Random examples - Italy has garbage everywhere, people drive to highway stops to drop it there (so the wind blows it all around). Infrastructure seems like from 80s, with added age. From people dealing with bureaucracy there - its stuck in 19th century, direct approach will get you often nowhere. France - most communist state in western Europe, heck in all Europe, sans Belarus maybe. Yet if you talk to people, they are constantly pissed off at government, never happy with society or state they live in. I don't blame them, listening to French colleagues complain is often rather sad experience. Not something you read in travel guides, do you. | | |
| ▲ | KPGv2 13 minutes ago | parent [-] | | It doesn't hurt that Swiss immigration is very difficult to get through, and they have all that Holocaust money no Nazi or dead Jewish victim is ever going to come claim. |
|
|
| |
| ▲ | solatic 27 minutes ago | parent | prev | next [-] | | > Not a single founder wakes up in the morning thinking to themselves: "oh I wish I could make my company XYZ-123 compliant!" Somehow I doubt that you are in the B2B/Enterprise space. When you're pitching demos and you hear from people "we really wish we could buy your product but we can't because Finance won't approve the expenditure unless you get XYZ-123", and you hear that over and over again because that is the real-world industry that you live in, then you better believe that there are founders who wake up in the morning wishing that. You clearly have no understanding of what compliance does. Compliance does not "shift responsibility". Compliance is you demonstrating to your customers that you give enough of a shit that you're willing to pay the table stakes to sit at the table. You can complain that the game has table stakes, but all worthwhile games have them. | | | |
| ▲ | Duhck an hour ago | parent | prev | next [-] | | When I worked in cybersecurity I had a similar realization. No one cared about security posture. They cared about insurance policies. People hired us to shift blame instead of improve security posture. this is not terribly different | | |
| ▲ | leeter an hour ago | parent | next [-] | | This is why I've said for years: If you want to drive best practices and policy with companies you can only do it with liability. Particularly non-insurable and non-tax deductible liability. If a company can't offload civil or criminal penalties to their insurance company and take the tax write down, they suddenly start caring about it. That said, this should be used sparingly; as it embeds a behavior deep. If that behavior later no longer makes sense it can be extremely costly to change it later. | |
| ▲ | bjackman an hour ago | parent | prev | next [-] | | One of my FAANG security projects incidentally helped with some compliance efforts (I made very sure it was incidental, constantly said things like "I am thrilled that I can help you guys achieve your goals but I wanna be clear that I don't give a shit about compliance and I won't be allowing it to influence the direction of my product" in meetings, it must have been extremely annoying to work with me). At some point I was asked to look over the documents for the compliance definition and it was really hilarious. I had to give my engineering perspective on which aspects of the requirements we were and weren't meeting. But they were stuff like "you must have logs". "You must authenticate users". "You must log failed authentication attempts". Did we fulfill these requirements? It's a meaningless question. Unless you were literally running an open door telnet service or something you could interpret the questions so as to support any answer you wanted to give. So I just had to be like "do you want me to say yes?" and they did, so I said yes. Nothing productive was ever achieved during that engagement. | |
| ▲ | wccrawford an hour ago | parent | prev [-] | | I think it's subtly different than that. Companies do want to be secure. They try, and they often fail because it's hard. They hire auditors to find problems and to shift blame. But since they only have 30 days to fix the problems that are found, it's going to see a lot like they only care about shifting the blame. Because at that point, they only care about passing that audit. Right after that, though, they start caring about security again. How do I know? 19 years experience going through those audits on the company side. For 11 months of the year, it was clear the boss cared about security. For that 1 month during the 'free retest' period, they only cared about passing that audit. |
| |
| ▲ | tfrancisl an hour ago | parent | prev [-] | | Maybe no one wakes up wanting to deal with compliance, but it you found a company that has legal or moral obligations to be compliant with these standards, you sure have signed yourself up for it. Passing the responsibility off to some other company is, quite simply, irresponsible. | | |
| ▲ | egorfine an hour ago | parent | next [-] | | > Passing the responsibility off to some other company is, quite simply, irresponsible. Then do not pass the responsibility. But here's the trick: the regulator would like to see an audit done by a firm and purchasing audit services is exactly that: passing responsibility. So legally you can't be compliant unless you passed responsibility. | | |
| ▲ | tfrancisl an hour ago | parent [-] | | These compliance companies are not primarily tasked with auditing, as this article makes very clear. Delve is in control of the auditing process in a way that is inappropriate and unusual for this industry. The work that the company with these obligations should be doing themselves is generating the Section 3 description and the controls. The auditor then independently verifies their compliance with the controls. Thats a clear delineation of responsibilty, IMO |
| |
| ▲ | egorfine an hour ago | parent | prev [-] | | Problem is, compliance is often detrimental to the cause. You want to encrypt users' data at rest? Illegal. You must store users data in a way prescribed by the law and it is extremely cumbersome, outdated and insecure. |
|
|
|
| ▲ | Muromec an hour ago | parent | prev | next [-] |
| The only job of a test is to fail, so if you never see the page red it's not doing anything. It's refreshing to see this being called out instead of going with the flow because "everyone is doing so". |
|
| ▲ | throwaway2016a an hour ago | parent | prev | next [-] |
| There is a lot of serious allegations in here. But some of these complaints apply to most SOC 2 compliance services. For example: it points out that Delve provides pre-filled documents and encourages you to accept them as is. In my experience that is typical. I have seen companies just rubber stamp pre-created documents that describe IT processes that do not accurately reflect actual policy because the MBA[1] running the project didn't want to pull in IT and had no idea what any of it meant. [1] No offense to MBA, just using it as a placeholder for: business stakeholder with no IT background. |
| |
| ▲ | hrimfaxi an hour ago | parent [-] | | Giving you template device management policies is one thing, it's a whole other thing to say you don't have to have board meetings and generating fake minutes. | | |
| ▲ | throwaway2016a an hour ago | parent | next [-] | | 100%, accepting pre-generated board meeting notes is egregious. This whole thing is awful and I am in no way defending it. The opposite, I think other compliance as a service companies also need to be scrutinized as well. | |
| ▲ | x0x0 36 minutes ago | parent | prev [-] | | If you aren't either having the minimal meetings or written consents per the requirements for the delaware C, something outside Delve's hands has gone off the rails... |
|
|
|
| ▲ | rvz 2 hours ago | parent | prev | next [-] |
| Notice how none of Delve's affiliates on X are posting anything after that Substack post. Probably their lawyers told them not to say anything further. What does that tell you about the scam that was unveiled? Not good. |
| |
| ▲ | JimDabell 2 hours ago | parent [-] | | The only thing it tells us is that they have received competent legal advice. Any counsel is going to tell you to shut up regardless of whether you are in the right or wrong. |
|
|
| ▲ | latchkey an hour ago | parent | prev | next [-] |
| I've been talking about this for a while now. For those of you thinking... Oh, I use a "good" company... think otherwise. https://x.com/HotAisle/status/1946302651383329081 The whole thing is a racket. |
|
| ▲ | gmerc 2 hours ago | parent | prev | next [-] |
| Well now we know how Cluely and friends can claim to be SOC2 compliant. |
|
| ▲ | imaurer an hour ago | parent | prev | next [-] |
| vibe compliance |
|
| ▲ | claudiug 2 hours ago | parent | prev | next [-] |
| wow, cannot imagine now companies that tool the compliance, and get deals just to be fake. uff... |
|
| ▲ | frenchie4111 2 hours ago | parent | prev | next [-] |
| wow you guys really delved into this |
|
| ▲ | stuckkeys an hour ago | parent | prev | next [-] |
| Great write up. What makes this interesting...I thought it was cool what they were doing...but also seemed too good to be true. I went ahead a booked a demo call with them. Great personas. Very friendly. Can't say they had all the answers, but they did bring a CISO on the last meeting, which seemed a bit scripted. They also never disclosed any breaches, even after I asked them. Yikes. Good luck to the orgs that went through all that process. |
|
| ▲ | biggletiddies 2 hours ago | parent | prev | next [-] |
| Cluely and HockeyStack are scam companies too. Cluely did the ChatGPT wrapper to cheat on interviews then sold the customer data to recruiters. The whole company promise is a scam, and useless since we have LLMs. HockeyStack held contests for people to win cars etc and never delivered. They also lied about having revenues and a product when they had nothing built. Along with Greptile they were doing 7day weeks of unpaid labor from “trial periods”. Scams all around. |
| |
| ▲ | calderwoodra an hour ago | parent | next [-] | | Greptile is an awesome product, not sure where the scam is there | |
| ▲ | porridgeraisin 2 hours ago | parent | prev [-] | | Wait what's the greptile story? | | |
| ▲ | buttsack an hour ago | parent [-] | | It says right there, 7-day work weeks (no days off). Also they were part of the cohort forcing workers to stay minimum until 9PM. Like every AI company, their "product" is a Next.js website, OPENAI_API_KEY, and a Stripe checkout page. | | |
|
|
|
| ▲ | resiros 2 hours ago | parent | prev [-] |
| This seems like a hit job by a competitor. Really ruthless. > Two months ago, an email went out to a few hundred Delve clients informing them that Delve had leaked their audit reports, alongside other confidential information, through a Google spreadsheet that was publicly accessible. Who leaked the audit reports? Who sent this email? Who is taking the time to write this analysis and kill the company? In my opinion, the majority of the points in the article are no news. A compliance saas that offers templates for policies, all of them do. The AI is a chatbot, well who thought. I think the main point is the collusion between delve and the auditors. Is the evidence for that clear? |
| |
| ▲ | emilycg 2 hours ago | parent | next [-] | | The key problem is the audits and the auditors. I have independently verified for our vendors that they have the same templated SOC2 as all of the leaked reports, which is concerning because that shows the auditors did not actually validate the controls. SOC2 is supposed to give you an INDEPENDENT evaluation of the compliance of a company "are they doing what they say they are" If the SOC2 report is just a pre-populated template, it is meaningless. It doesn't really matter the motivation of the "DeepDelver" - this has implications across all companies that rely on these vendors that have been "assessed" by Delve. | |
| ▲ | sebmellen 2 hours ago | parent | prev | next [-] | | Hit piece or not, the blatantly fraudulent behavior displayed by Delve is reprehensible. And they didn't even try. Read this management assertion for one of the (known) affected companies: > We have prepared the accompanying description of Cluely, Inc., system titled "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." throughout the period June 27, 2025 - September 27, 2025(description), based on the criteria set forth in the Description Criteria DC Section 200 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report (description criteria). > The description is intended to provide users with information about the "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." that may be useful when assessing the risks arising from interactions with Cluely, Inc. system, particularly information about the suitability of design and operating effectiveness of Cluely, Inc. controls to meet the criteria related to Security, Availability, Processing Integrity, Confidentiality and Privacy set forth in TSP Section 100, 2017 Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy (applicable trust services criteria). | |
| ▲ | cyrusradfar 2 hours ago | parent | prev [-] | | There's no need for some conspiracy. It's a juicy story to talk about that hits a lot of checkboxes that make it viral -- 1. the hustle culture they promoted online was gross
2. they followed the 30u30 Forbes pattern like Liz Holmes, FTX, etc.
3. they're a YC co, so their's plenty of popular voices supporting them
The 3rd isn't to slight the program but folks definitely slam any companies that seem to be in the moral gray area as a proof the program is nihilistic and a net negative. People like to shove mistakes in the face of "successful" folks like investors/VCs.Finally, the security and compliance community is litigious by their nature and this startup, in general, was a net negative for a lot of people who do fractional / consulting work in security. | | |
| ▲ | sebmellen 2 hours ago | parent [-] | | What's more surprising to me, as a layperson, is that I found this out and investigated their shady auditor network in late December. It didn't take much work. Insight Partners invested in a 32 MILLION DOLLAR ROUND without any apparent shred of due diligence. What does that say about the VC market writ large? |
|
|
