A leak of hundreds of SOC 2 (and some ISO 27001) reports tied to the compliance-automation startup Delve is fueling allegations that its promise of "compliance in days" was delivered through templated, copy-paste audits and, in some cases, fabricated evidence rather than rigorous testing. Researchers indexed 533 leaked reports covering 455 companies and found near-total boilerplate similarity, the same auditor details repeated across reports, and generic system descriptions; in response they released tools that detect the template's fingerprints and check whether a given vendor appears in the dataset. The controversy is widening into a broader integrity crisis for SOC 2-driven procurement, third-party risk management, and audit marketplaces, with potential regulatory scrutiny, contract disputes, and urgent vendor re-verification ahead.
Researchers indexed a leaked set of 533 SOC 2 audit reports tied to Delve and found striking uniformity across the 455 companies covered: 99.8% identical structure and content patterns. Key findings include the same auditor license number appearing in nearly all reports, identical page placement of key sections, repeated "no exceptions noted" statements, and system descriptions apparently copy-pasted from the companies' own marketing sites. The team built searchable tooling to check whether a company appears in the leak, a scanner that checks arbitrary SOC 2 text for ten template fingerprints, and a "swipe" game that tests whether humans can spot fake excerpts. The leak raises questions about the rigor and trustworthiness of SOC 2 attestations and could undermine their credibility for vendors and buyers alike.
Researchers indexed a public leak of 533 SOC 2 and ISO 27001 audit reports tied to Delve, identifying 455 affected companies and 99.8% identical boilerplate across the reports. Delve allegedly sold compliance certifications without conducting real audits, and the leaked documents show near copy-paste audits that undermine trust in vendor security claims. The database and free scanning tools let organizations search by company, report type, date, and trust score to judge whether a supplier's compliance was likely faked. The revelation threatens customers, investors, and partners who rely on audits for risk assessments and could trigger regulatory scrutiny, contract disputes, and urgent vendor reviews across the tech supply chain.
Researchers published a public index of 533 leaked SOC 2 and ISO 27001 audit reports tied to Delve, showing that 455 companies relied on allegedly fake certifications; forensic analysis found 99.8% identical boilerplate across the reports. Delve reportedly sold compliance badges without conducting real audits, prompting a broad integrity crisis that could undermine vendor trust, customer relationships, and investor confidence. The index records report types and dates and has spawned free verification tools and a searchable database so security teams can check vendors quickly. The incident raises urgent questions about third-party risk management, audit marketplaces, and how organizations validate outsourced compliance assurances.
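The template-fingerprint and repeated-license checks described above are simple to reproduce on a batch of report text. The following Python is an added example written for this page, not the researchers' tooling or any code from Delve: the four "reports", the company names, the license numbers and the two fingerprint regexes are all constructed assumptions (the page does not list the researchers' ten fingerprints). It computes word-shingle Jaccard similarity between every pair of reports, flags near-duplicates above a threshold, and maps each auditor license number to the reports citing it.

```python
import re
from itertools import combinations

# Constructed sample "reports" (hypothetical text, not any leaked document).
# Three share one template with only the company name swapped; the fourth is
# written independently and records real findings.
TEMPLATE = (
    "Independent Service Auditor's Report. {co} provides a cloud platform to "
    "its customers. Auditor license number AUD-0001. We tested the controls "
    "described in Section 3 throughout the review period. No exceptions noted. "
    "The controls were suitably designed and operated effectively. The system "
    "description was provided by management of {co}."
)
REPORTS = {
    "acme": TEMPLATE.format(co="Acme"),
    "globex": TEMPLATE.format(co="Globex"),
    "initech": TEMPLATE.format(co="Initech"),
    "distinct": (
        "Report on Controls at Distinct Ltd. Our examination covered the period "
        "January 1 to December 31. Auditor license number AUD-7742. Testing of "
        "access reviews identified two exceptions, described in Section 4, which "
        "management remediated during the period."
    ),
}

WORD = re.compile(r"[a-z0-9]+")

# Hypothetical fingerprint phrases for illustration only (assumption: the page
# does not list the researchers' ten fingerprints; these are not theirs).
FINGERPRINTS = {
    "no_exceptions": re.compile(r"\bno exceptions noted\b", re.I),
    "marketing_blurb": re.compile(r"provides a cloud platform to its customers", re.I),
}
# Assumed license-number format, e.g. "license number AUD-0001".
LICENSE = re.compile(r"\blicense number\s+([A-Z]+-\d+)", re.I)


def shingles(text, k=3):
    """Set of k-word shingles: the usual unit for near-duplicate detection."""
    words = WORD.findall(text.lower())
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a, b):
    """|A & B| / |A | B|; 1.0 means the shingle sets are identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def pairwise_similarity(reports, k=3):
    """Jaccard similarity of every pair of reports, keyed by sorted name pair."""
    sets = {name: shingles(text, k) for name, text in reports.items()}
    return {(x, y): jaccard(sets[x], sets[y])
            for x, y in combinations(sorted(reports), 2)}


def flag_templated(reports, threshold=0.8, k=3):
    """Names of reports that are near-duplicates of at least one other report."""
    flagged = set()
    for (x, y), s in pairwise_similarity(reports, k).items():
        if s >= threshold:
            flagged.update((x, y))
    return flagged


def license_reuse(reports):
    """Map each auditor license number to the reports that cite it."""
    seen = {}
    for name, text in reports.items():
        for m in LICENSE.finditer(text):
            seen.setdefault(m.group(1).upper(), []).append(name)
    return seen


def fingerprint_hits(text):
    """Which hypothetical template phrases appear in a single report."""
    return {key: bool(pat.search(text)) for key, pat in FINGERPRINTS.items()}


def scan(reports, threshold=0.8):
    """One-shot summary a vendor-risk reviewer could act on."""
    reuse = license_reuse(reports)
    top = max(reuse.items(), key=lambda kv: len(kv[1])) if reuse else (None, [])
    return {
        "templated": sorted(flag_templated(reports, threshold)),
        "shared_license": top[0],
        "shared_license_share": len(top[1]) / len(reports),
        "hits": {name: fingerprint_hits(text) for name, text in reports.items()},
    }


if __name__ == "__main__":
    result = scan(REPORTS)
    print("templated reports:", result["templated"])
    print("license", result["shared_license"], "appears in",
          f"{result['shared_license_share']:.0%} of reports")
    for (x, y), s in sorted(pairwise_similarity(REPORTS).items()):
        print(f"{x:>8} vs {y:<8} jaccard={s:.3f}")
```

On the constructed inputs the three templated reports score about 0.85 against each other (they differ only in the shingles that contain the company name) while the independently written report scores under 0.05 against any of them, and one license number accounts for three of the four reports. A swapped company name alone does not defeat shingle similarity, which is why a phrase-level fingerprint and an identifier-reuse count are a useful complement to pairwise comparison on a large corpus.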
Delve accused of misleading customers with ‘fake compliance’
Submitted by /u/one_user (https://www.reddit.com/user/one_user). Link: https://deepdelver.substack.com/p/delve-fake-compliance-as-a-service. Comments: https://www.reddit.com/r/programming/comments/1rze1zs/delve_fake_compliance_as_a_service_soc_2/
A deep-dive exposé alleges that Delve, a YC-associated startup, sold "fake compliance": rapid SOC 2 reports produced with minimal effort from prefilled forms and generic controls, backed by little real evidence or automation. Hacker News commenters and others accuse Delve of enabling fraudulent compliance claims, question the investors' due diligence, and point to the company's marketing promise of "SOC 2 in days." The story matters because SOC 2 reports underpin trust in SaaS and cloud vendors; widespread fakery would threaten procurement, security assessments, and every company that relies on third-party attestations. The debate also raises platform-moderation and startup-network-protection concerns, given claims of suppression and pushback from insiders.
A Substack post by "DeepDelver" published March 19, 2026 accuses Delve (YC W24) of "fake compliance as a service," alleging it helped hundreds of customers appear compliant without meeting the requirements. The author says Delve generated fabricated evidence (e.g., of board meetings, tests, and processes), produced near-identical audit reports, and claimed "100% compliance" while skipping major framework controls. The post also alleges that Delve used Indian "certification mills" operating through U.S. shell entities, with auditors breaching independence rules, potentially exposing clients to HIPAA criminal liability and GDPR fines. The investigation was prompted by an email sent to a few hundred Delve clients about a publicly accessible Google spreadsheet that allegedly leaked audit reports and other confidential data; the author says Delve denied wrongdoing when questioned. Links to archives, the leaked spreadsheets, and reports are provided.
A DeepDelver investigation alleges that YC W24 startup Delve sold "fake compliance" by generating fabricated audit evidence and issuing auditor-like reports, duping hundreds of customers into believing they met standards such as SOC 2, HIPAA and GDPR. The report claims Delve produced identical audit documents, used shell U.S. auditors operated by Indian certification mills, and pressured clients to accept fake artifacts rather than implement real controls. Leaked spreadsheets and reports are cited as evidence, and Delve is accused of denying and deflecting when confronted. If accurate, the scheme exposes clients to regulatory liability, reputational damage and potential fines, and raises wider questions about automated compliance startups and marketplace vetting. Key players: Delve, the alleged auditor mills, and affected clients including enterprises and a NASDAQ-listed company.