Posted by freddykruger 1 day ago

Delve – Fake Compliance as a Service (deepdelver.substack.com)
315 points | 106 comments | page 2
AFF87 5 hours ago
I remember having sales calls with them and the vibe was that it was "cheap and quick"... exactly what you want for your compliance
sebmellen 3 hours ago
Delve did not even try to fake the reports well. They could have used AI tooling to write somewhat plausible Assertions of Management, but they just dropped in clear form submissions to the reports they provided. Here is an example from Cluely:

> We have prepared the accompanying description of Cluely, Inc., system titled "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." throughout the period June 27, 2025 - September 27, 2025 (description), based on the criteria set forth in the Description Criteria DC Section 200 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report (description criteria).

> The description is intended to provide users with information about the "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." that may be useful when assessing the risks arising from interactions with Cluely, Inc. system, particularly information about the suitability of design and operating effectiveness of Cluely, Inc. controls to meet the criteria related to Security, Availability, Processing Integrity, Confidentiality and Privacy set forth in TSP Section 100, 2017 Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy (applicable trust services criteria).

I mean, just re-read this sentence:

> The description is intended to provide users with information about the "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." that may be useful

It makes no sense at all.

Someone implemented the code to automate this report mill, and didn't think to even smooth it out with an LLM! There was clear intent here.

To imagine that an auditor reviewed and stamped this as a coherent body of work beggars belief.

ersshh 20 hours ago
Forbes 30u30 pipeline remains undefeated.

How did none of this come up during diligence? Feels like a prime example of too good to be true.

sebmellen 20 hours ago
Trust me, you can lie and get away with it if you went through YC and dropped out of a top university. Garry Tan blocked me on X for pointing this out. It's a big club, and you ain't in it!

Fortunately, some of the old-YC spirit seems to be alive here on HN still.

jvwww 31 minutes ago
They likely barely had a product when they applied to YC. The more interesting question is why this wasn't discovered (if it is even true) when they were raising their Series A.
rithdmc 3 hours ago
> How did none of this come up during diligence?

The article states that, "Even though we knew we’d technically be lying about our security to anyone we sent these policies to for review ... we decided to adopt these policies because we simply didn’t have the bandwidth to rewrite them all manually."

latchkey 3 hours ago
This is the next one...

https://x.com/HotAisle/status/2035024494663016532

allovertheworld 9 hours ago
You mean from the beginning? They could’ve just done it properly initially, then moved to this scam process later.
duped 2 hours ago
Dishonesty is high signal for VC

Like no one characterizes it like that, but this is the same business where you can tell a story about hiring a bunch of college friends to pretend to be your employees so a client comes to your "office" and thinks you're a legitimate business. And instead of looking in horror at how casually you'll lie to get business it's seen as scrappy and whimsical.

Muromec 2 hours ago
The only job of a test is to fail, so if you never see the page red it's not doing anything. It's refreshing to see this being called out instead of going with the flow because "everyone is doing so".
throwaway2016a 3 hours ago
There are a lot of serious allegations in here. But some of these complaints apply to most SOC 2 compliance services. For example: it points out that Delve provides pre-filled documents and encourages you to accept them as is. In my experience that is typical. I have seen companies just rubber stamp pre-created documents that describe IT processes that do not accurately reflect actual policy because the MBA[1] running the project didn't want to pull in IT and had no idea what any of it meant.

[1] No offense to MBAs, just using it as a placeholder for: business stakeholder with no IT background.

hrimfaxi 3 hours ago
Giving you template device management policies is one thing; it's a whole other thing to say you don't have to have board meetings and to generate fake minutes.
throwaway2016a 3 hours ago
100%, accepting pre-generated board meeting notes is egregious. This whole thing is awful and I am in no way defending it. The opposite: I think other compliance-as-a-service companies need to be scrutinized as well.
x0x0 2 hours ago
If you aren't either having the minimal meetings or written consents per the requirements for the Delaware C, something outside Delve's hands has gone off the rails...
whatinthenote 1 hour ago
Doesn't seem like a problem with SOC 2 compliance, seems like a problem where a company appointed someone who is not suited to handle a SOC 2 project.

As for the pre-filled stuff, that's what other SOC 2 companies mean when they try to sell you "compliance in a box." Not that bad if the company is starting from scratch (<1 year), but not realistic for a company that has an existing IT footprint.

However, the allegation here is that it is fraud. An "AI" company acting as a front for certification mills.

cwal37 2 hours ago
Delve seems clearly scummy, but dear god the author's company was also engaging in fraud with their own customers and just hoping to skate by.

"The trouble starts when you look at the answers Delve’s AI provided. Based on what your Delve policies claim, the questionnaire AI answers questions stating you have an MDM, had a 200 hour pen-test performed, and do regular backup restoration simulations. Tens of questions are answered like that. Great, you just lied to your vendor but at least you have a good shot at landing the deal. So what did we do? We kept our mouths shut."

Pretty rotten stuff. I went from energy into the software startup world, and as I've gotten further down that road and energy has become more and more of a hot field, I've encountered a depressing increase in that "just do it to make a deal" ethos, but in critical infrastructure.

Like, no, former Apple PM who learned about an interconnection queue from ChatGPT last week, you are not going to fix the grid, and even more so you can't "just do X and ask forgiveness later", not in electricity.

OsrsNeedsf2P 1 hour ago
At least they had the balls to post it
cwal37 13 minutes ago
Per the piece, they only began to step away from Delve once they realized they couldn't close the deals they wanted and their hand was forced by outside asks.

And then it also took a rather large data leak later on to provide extra ammunition to decide to go forward with publishing this.

I'm glad they did, but there are a bunch of steps in between pure balls/altruism and what actually happened based on the blog.

ManuelSuarez 20 hours ago
https://www.reddit.com/r/soc2/comments/1q7u90o/real_or_fake_...
fantasizr 4 hours ago
there needs to be a fund with an ethos of "move slowly and do things accurately"
sunir 4 hours ago
The fund is called customers. The independent regulator is called the AICPA. It really comes down to who is paying attention

SOC2 is as useful as a privacy policy at protecting your data. It’s all humans following human incentives.

Spivak 3 hours ago
The value of SOC2 is that it does take some experience to be able to plausibly fake the evidence which weeds out people that truly have no idea what they're doing. It also provides a blueprint of the stuff you should be doing if you actually care.

But beyond that it's not worth a whole lot.

fantasizr 2 hours ago
yeah it's funny to see some defense of this practice as "well the whole thing is pointless anyway so nothing is lost by defrauding folks". Pretty hollow argument
neutronicus 3 hours ago
The United States military?
hrimfaxi 3 hours ago
Slow is smooth and smooth is fast.
DANmode 3 hours ago
There are a few, roughly.

Like the best options in most categories, they don’t spend a bunch of money or time on brand presence, advertising.

You simply find them.

gmerc 4 hours ago
Well now we know how Cluely and friends can claim to be SOC2 compliant.
rvz 4 hours ago
Notice how none of Delve's affiliates on X are posting anything after that Substack post. Probably their lawyers told them not to say anything further.

What does that tell you about the scam that was unveiled?

Not good.

JimDabell 4 hours ago
The only thing it tells us is that they have received competent legal advice. Any counsel is going to tell you to shut up regardless of whether you are in the right or wrong.