A Y Combinator compliance startup called Delve just got caught selling essentially the same SOC 2 report to 494 companies. Not similar, but almost identical. Same paragraphs. Same grammatical errors. Different logos. And the kicker: the reports said every single one of those companies had zero security incidents. All 259 of them. Every observation period. Statistically impossible and apparently nobody noticed, or nobody cared.
Background
Delve is a Y Combinator-backed compliance automation startup that raised $32 million in Series A funding at a $300 million valuation, backed by Insight Partners. It marketed itself as the fastest platform for achieving SOC 2, ISO 27001, HIPAA, and GDPR certifications, which is exactly what every startup wants: check the compliance box fast, close enterprise deals, satisfy procurement. I wrote previously about them here:
The Initial Suspected Fraud (Part I — March 2026)
An anonymous whistleblower (“DeepDelver”), claiming to be a former Delve client, published an investigation based on a leaked Google spreadsheet containing hundreds of Delve client audit reports. Key findings:
- 493 out of 494 SOC 2 reports were essentially identical, containing the same boilerplate paragraphs and the same grammatical errors (literally “because there no security incidents”), with only the logo and company name swapped
- Every single Type II report claimed zero security incidents across all 259 companies and every observation period. This is statistically impossible
- Reports were generated before any audit work occurred — Delve wrote the auditor conclusions, test procedures, and final reports, then handed them to rubber-stamp firms
- 99%+ of audits funneled through two firms: Accorp and Gradient Certification — described as Indian certification mills operating through US shell structures (virtual US addresses, same Delhi office)
Part II, Day 2 — The Whistleblower Escalates
After Part I published, a Delve employee came forward with screenshots, internal Slack messages, and video evidence. Part II Day 2 adds a second dimension to the scandal:
- Internal Slack conversations showing executives explicitly discussing how to “paper over” gaps in the SOC 2 Type II process
- Allegations that Delve stole intellectual property from Sim.ai, a company that became a Delve client, after which Delve allegedly copied their open-source technology (SimStudio Pathways), violated the license, and profited from it
- Insight Partners subsequently scrubbed their investment post about Delve from public channels
What Delve Was Selling (and What Buyers Thought They Were Getting)
Delve offered automated compliance at a fraction of traditional cost: SOC 2, ISO 27001, HIPAA, GDPR. It is something every startup and mid-market company wants: check the compliance box fast, close enterprise deals, satisfy procurement. Delve raised $32M selling this dream.
Their customers unfortunately treat SOC 2 like a purchase, not a process. They want the certificate without the responsibility of the controls. Delve found the buyers who wanted to skip the hard part and gave them exactly that.
Instead of living the dream, Delve customers indulged in a fantasy and ultimately got burned.
How the Delve Machine Actually Worked
Customers were directed to complete an online form. Data from that form was used to prepopulate pre-written report templates before any audit occurred. Delve wrote its own conclusions for the audits before any human completed an actual audit.
They then used two audit firms (Accorp, Gradient) functioning as rubber stamps to push these reports through. Both firms trace back to India via US shell companies. Their AICPA accreditation is suspect at best. Keep in mind that all firms issuing audit reports for SOC 2 must be certified and must employ a CPA to sign off on the final report. Proof of evidence collection must also be archived in the event the AICPA decides to audit the audit firm.
Delve acted as a proxy between the company being audited and the auditor, with no independence and no actual review of any evidence. A whistleblower from inside Delve provided Slack messages of executives explicitly discussing how to paper over SOC 2 gaps.
Now there are allegations of IP theft from a client (Sim.ai). Delve may have weaponized client trust in a second, separate way by selling IP “borrowed” from one customer to others.
Why This Matters Beyond Delve
1. Your vendors may have Delve compliance reports.
If any of your third-party vendors got their SOC 2, ISO 27001 or other compliance report through Delve, you did your vendor security review against a fabricated document. Your third-party risk program just failed silently, and you have nothing to back up your vendors’ claims about their security programs.
2. Auditor independence is the bedrock of compliance — and it’s being hollowed out.
The compliance automation space has created enormous pressure to commoditize something that requires genuine professional judgment. When “fast and cheap” wins procurement, this is where it ends up.
3. Procurement teams are not equipped to catch this.
Checking the box “do you have a SOC 2?” doesn’t protect you. Knowing who issued it and how the audit was conducted is now a necessary part of vendor due diligence.
4. The regulatory exposure lands on you, not your vendor.
If you’re in healthcare, finance, or any regulated industry and you accepted a fraudulent SOC 2 from a vendor, the compliance gap is yours regardless of what the certificate says.
What Good Compliance Actually Looks Like
First, know your auditor. Big Four and recognized firms matter. Verify the audit firm independently: check AICPA membership for SOC 2 and the relevant accreditation bodies for ISO. Accredited auditors should be very forthcoming in sharing their credentials and their authorization to issue audit reports. If they are not, find a different auditor.
Next, ask about methodology, not just the certificate. How long was the observation period? What controls were tested? What exceptions were noted? Does the auditor provide guidance? Is their goal to improve your security posture or simply to issue a report?
Zero exceptions should raise eyebrows. Real audits find things. A clean report from a company that’s never been audited before is a yellow flag, not a green one. A good auditor will point out gaps early in the review period and provide you with steps to remediate the issue. This allows gaps to be noted and marked as remediated directly in the report.
Don’t let speed be the primary evaluation criterion. The point is the controls, not the certificate. A good audit firm will evaluate every control, make recommendations for improvement and will generally be a good team player in wanting the ultimate outcome to be a stronger organizational security posture.
Use the Delve example as a forcing function with your board: “Here’s why we invest in real compliance, and what fake compliance costs when it fails.” Cheap isn’t always better. Look for value, not the lowest cost or the fastest path. A good audit firm can recommend the right tools to get you on a path to continuous compliance monitoring, but that path does not include fabricating evidence or bypassing auditor observations.
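The two red flags this post keeps coming back to, reports that are boilerplate copies of one another and reports that uniformly claim zero exceptions, can both be checked mechanically across a vendor report library. The following is an added example (not code from the post or from any auditor or vendor) that shingles report text, scores pairwise overlap with Jaccard similarity, and flags blanket zero-exception language; the report excerpts, vendor names, and threshold are constructed for illustration.

```python
import re
from itertools import combinations

# Constructed sample excerpts (not real Delve or auditor text): two share the
# same boilerplate, the same grammatical error and a zero-exception claim; the
# third reads like a genuine report with an exception noted and remediated.
BOILERPLATE = (
    " In our opinion the controls were suitably designed and operated "
    "effectively throughout the period. Management of the service organization "
    "is responsible for the controls described. No exceptions were noted "
    "because there no security incidents during the observation period."
)
REPORTS = {
    "acme": "SOC 2 Type II report for Acme Ltd." + BOILERPLATE,
    "beta": "SOC 2 Type II report for Beta Corp." + BOILERPLATE,
    "gamma": ("SOC 2 Type II report for Gamma Inc. In our opinion, except for "
              "the matters described below, the controls operated effectively. "
              "CC6.1: two of fifteen sampled terminated users retained VPN "
              "access for more than 24 hours. Management remediated the "
              "exception on 2025-11-04 and the auditor retested the control."),
}
# Phrasings that assert a perfectly clean observation period (assumed list).
ZERO_EXCEPTION_PATTERNS = [
    r"\bno exceptions?\b",
    r"\bzero (security )?incidents?\b",
    r"\bthere (were |was )?no (security )?incidents?\b",
]

def shingles(text, k=3):
    """Set of k-word shingles over lower-cased, punctuation-stripped text."""
    words = re.sub(r"[^a-z0-9 ]+", " ", text.lower()).split()
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}

def jaccard(a, b):
    """Overlap of two shingle sets; near-identical reports score close to 1."""
    return len(a & b) / len(a | b) if a or b else 0.0

def claims_zero_exceptions(text):
    """True if the report asserts no exceptions or no incidents at all."""
    return any(re.search(p, text.lower()) for p in ZERO_EXCEPTION_PATTERNS)

def triage(reports, threshold=0.8, k=3):
    """Flag near-duplicate report pairs and blanket zero-exception claims."""
    sets = {name: shingles(text, k) for name, text in reports.items()}
    dupes = [(a, b, round(jaccard(sets[a], sets[b]), 2))
             for a, b in combinations(sorted(sets), 2)
             if jaccard(sets[a], sets[b]) >= threshold]
    clean = sorted(n for n, t in reports.items() if claims_zero_exceptions(t))
    return {"near_duplicates": dupes, "zero_exception_claims": clean,
            "every_report_clean": len(clean) == len(reports)}
```

On a real library the shingle size should be larger and the threshold tuned against a few reports from independent auditors, since legitimate reports share some standard opinion language too.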
Closing / Call to Action
The Delve story is going to get worse before it gets better — Part II is a five-day series and the whistleblower has receipts. But don’t wait for the full story to act.
Audit your vendor list. Ask hard questions. And if someone is selling you compliance that sounds too fast and too cheap, I guarantee you it probably is.
Keep in mind, compliance does not equal security. Your compliance program should serve as a baseline for operational excellence and security control implementation. That program should evolve and mature as your company grows. Ideally, the continued improvement of your compliance program should close the gap between your compliance standards and the best possible security posture for your organization. Framework recommendations don’t keep up with technology. Good auditors understand that, and implementing controls that go beyond the minimum should be your goal.
If you have been impacted by Delve’s actions, feel free to reach out and we can discuss strategies for regaining your customer trust and stay tuned for more articles from DeepDelver on Substack!
#Cybersecurity #SOC2 #Compliance #CISO #ThirdPartyRisk #GRC #Delve
Primary Sources (DeepDelver Investigation)
[1] DeepDelver. “Delve — Fake Compliance as a Service, Part I.” Substack, March 19, 2026. https://deepdelver.substack.com/p/delve-fake-compliance-as-a-service
[2] DeepDelver. “Delve — Fake Compliance as a Service, Part II — Day 1 of 5.” Substack, March 29, 2026. https://deepdelver.substack.com/p/delve-fake-compliance-as-a-service-61d
[3] DeepDelver. “Delve — Fake Compliance as a Service, Part II — Day 2 of 5.” Substack, March 30, 2026. https://deepdelver.substack.com/p/delve-fake-compliance-as-a-service-98a
News Coverage
[4] Hatmaker, Taylor. “Delve Accused of Misleading Customers with ‘Fake Compliance’.” TechCrunch, March 22, 2026. https://techcrunch.com/2026/03/22/delve-accused-of-misleading-customers-with-fake-compliance/
[5] Hatmaker, Taylor. “Insight Partners Scrubs Investment Post About Delve Amid ‘Fake Compliance’ Allegations.” TechCrunch, March 23, 2026. https://techcrunch.com/2026/03/23/insight-partners-scrubs-investment-post-amid-fake-compliance-allegations/
[6] Hatmaker, Taylor. “Delve Whistleblower Strikes Again, with Alleged Receipts About ‘Fake Compliance’.” TechCrunch, March 30, 2026. https://techcrunch.com/2026/03/30/delve-whistleblower-strikes-again-with-alleged-receipts-about-fake-compliance/
[7] Sherry, Ben. “The Delve Scandal: A Y Combinator Darling Just Got Hit with a Bombshell Fraud Accusation.” Inc. Magazine, March 2026. https://www.inc.com/ben-sherry/the-delve-scandal-a-y-combinator-darling-just-got-hit-with-a-bombshell-fraud-accusation/91320652
[8] “The Whistleblower Who Won’t Quit: Inside Delve’s Escalating Compliance Crisis.” WebProNews, March 2026. https://www.webpronews.com/the-whistleblower-who-wont-quit-inside-delves-escalating-compliance-crisis/
[9] “Troubled YC Startup Delve Faces New Allegations of Open Source Violations.” National Today / San Francisco Today, April 1, 2026. https://nationaltoday.com/us/ca/san-francisco/news/2026/04/01/troubled-yc-startup-delve-faces-new-allegations-of-open-source-violations/
Analysis & Industry Commentary
[10] “The Delve Scandal: When Your SOC 2 Report Is Just a Template.” ComplianceHub.Wiki, March 2026. https://compliancehub.wiki/delve-compliance-startup-fake-soc2-audit-scandal/
[11] “The Delve Compliance Scandal: What It Means for Your Security Reviews — and What to Do Next.” Targhee Security, March 2026. https://www.targheesec.com/resources/delve-compliance-scandal