How did none of this come up during diligence? Feels like a prime example of too good to be true.
Fortunately, some of the old-YC spirit seems to be alive here on HN still.
The article states that, "Even though we knew we’d technically be lying about our security to anyone we sent these policies to for review ... we decided to adopt these policies because we simply didn’t have the bandwidth to rewrite them all manually."
Like no one characterizes it like that, but this is the same business where you can tell a story about hiring a bunch of college friends to pretend to be your employees so a client comes to your "office" and thinks you're a legitimate business. And instead of looking in horror at how casually you'll lie to get business it's seen as scrappy and whimsical.
I would have expected this to be somewhere at the top right now given how deep the article digs and evidence seems legit.
Regardless, it's been an ongoing issue. I know a few involved companies — it takes basically 5 days to get a SOC 2 Type 2 report through Delve. And, of course, they market this way too: "SOC 2 in days". Unbelievable.
(1) I had no idea this story existed and woke up to claims that I was obviously* suppressing it.
(2) I looked into it and found that no moderator had touched either of the two submissions of the story, but that both submissions had set off HN's voting ring detector. (Whether there was a voting ring or not, I don't know - that software isn't perfect. It has held up well over the years though.)
(3) We merged the two discussions and placed the merged thread on the front page.
(4) Why? Because we moderate HN less, not more, when YC or a YC startup is part of a story: https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu.... This is literally the #1 principle of moderation in the sense that it was the very first thing that pg drilled into me: https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que....
To be fair, it seems you’re saying the submission was being suppressed, just not intentionally. Lots of props of course for transparency and reboosting the story
For example, the comment I was referring to, which was the first one I saw, said "It is being suppressed by @dang" (https://news.ycombinator.com/item?id=47457010). You can't get more personal, definitive, or wrong than that.
In my other comment, I actually did not mean to write “it is being suppressed by dang” but rather “it is being suppressed @dang”… Because my impression is that that alerts you somehow? I may be wrong about this.
Please give your long-time readers the benefit of the doubt. I was correct that it was being suppressed. I'm also very thankful for your moderation of the site. I know you do a lot of hard work on that front.
I guess it is great if you're a grifter/scammer or looking to just sell off to a FANG.
Really great vetting there, guys.
Had you checked the other thread during that "good minute", you'd have seen that all the comments were intact.
Mods didn't touch either thread except (1) we merged the duplicate discussions and (2) we rolled back the voting ring penalty so that the story would be on the frontpage.
This is in keeping with the principle that we moderate stories less, not more, when YC or a YC startup is part of the story. That's been the case since the beginning, and I've posted about it dozens of times: https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu....
I would imagine that's what happened here.
Edit: 10% of the votes came from resubmissions of the URL. The other 90% came from other sources.
We've restored it to the front page now.
What matters in this case is (1) it's a software penalty that has nothing to do with the content of a story, (2) moderators didn't touch the submissions or even know they existed, and (3) once we did know that they existed, we merged the threads and placed the story on the frontpage - that is, we went out of our way to give this story more attention, not less - in keeping with the principle explained here: https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu....
I ended up getting the contract and they never asked for those extra things. I guess that’s kind of the same thing your founder did but in reverse. Discount to skip it vs it will cost more to add it.
To be clear, I think most of the questionnaire was just “we want these answers on file”, I’m not in an industry where most of what they asked for is reasonable/needed. Though it scared the hell out of me when I got it because SOC2 (and some other things they asked about) is not cheap. Literally 1-2x the cost of the service I was selling. All for something I consider a _very_ small step about snake oil.
Same boat about 2 years ago: the compliance is a lot more flexible than you would think - it doesn't matter if you have a poor password policy, what matters is that you document you have a poor password policy.
Your client didn't have to get a compliant vendor to remain compliant themselves; what matters to their compliance is formal attestations from their vendor about where they are not compliant.
As a 1-man show I went through the same thing, still got the contract even though I had to formally attest to not having maybe 25% of those boxes ticked. The whole point is that it is recorded that you don't have MFA, or that you failed a pentest on these 5 items... or that you have a vendor who fails these specific 43 requirements.
If you read through the report PDFs of affected companies, you'll find a lot of stock wording and phrases that don't even make sense.
I hate that I've become this cynical, but it's gotten to the point where reading the "no x, no y, just z" construct makes me assume that the writing is AI generated (and then I immediately stop caring about reading it).
SOC2 is as useful as a privacy policy at protecting your data. It’s all humans following human incentives.
But beyond that it's not worth a whole lot.
I feel like in the last five years all prior knowledge and art wrt infosecurity was lost from the "dev community". My guess is that hackers have an embarrassment of exploits and are being unusually quiet. I expect a series of major breaches/hacks over the next few months that are ignored and it just becomes normal to have all of your customer data dumped onto the public web. For example, the digital banking system could go under, and most kids would just download some new crypto app. It won't really matter that nothing replaces the dollar or our global banking infrastructure. The zeroing out of the financial system would just be the "coyote suddenly being affected by gravity".
Like the best options in most categories, they don't spend a bunch of money or time on brand presence or advertising.
You simply find them.
What does that tell you about the scam that was unveiled?
Not good.
> Two months ago, an email went out to a few hundred Delve clients informing them that Delve had leaked their audit reports, alongside other confidential information, through a Google spreadsheet that was publicly accessible.
Who leaked the audit reports? Who sent this email? Who is taking the time to write this analysis and kill the company?
In my opinion, the majority of the points in the article are no news. A compliance SaaS that offers templates for policies? All of them do. The AI is a chatbot? Well, who would have thought.
I think the main point is the collusion between Delve and the auditors. Is the evidence for that clear?
And they didn't even try. Read this management assertion for one of the (known) affected companies:
> We have prepared the accompanying description of Cluely, Inc., system titled "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." throughout the period June 27, 2025 - September 27, 2025(description), based on the criteria set forth in the Description Criteria DC Section 200 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report (description criteria).
> The description is intended to provide users with information about the "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." that may be useful when assessing the risks arising from interactions with Cluely, Inc. system, particularly information about the suitability of design and operating effectiveness of Cluely, Inc. controls to meet the criteria related to Security, Availability, Processing Integrity, Confidentiality and Privacy set forth in TSP Section 100, 2017 Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy (applicable trust services criteria).
It's a juicy story to talk about that hits a lot of checkboxes that make it viral --
1. the hustle culture they promoted online was gross
2. they followed the 30u30 Forbes pattern like Liz Holmes, FTX, etc.
3. they're a YC co, so there's plenty of popular voices supporting them
The 3rd isn't to slight the program, but folks definitely slam any companies that seem to be in the moral gray area as proof the program is nihilistic and a net negative. People like to shove mistakes in the face of "successful" folks like investors/VCs. Finally, the security and compliance community is litigious by nature, and this startup, in general, was a net negative for a lot of people who do fractional / consulting work in security.
Insight Partners invested in a 32 MILLION DOLLAR ROUND without any apparent shred of due diligence. What does that say about the VC market writ large?
SOC2 is supposed to give you an INDEPENDENT evaluation of the compliance of a company "are they doing what they say they are"
If the SOC2 report is just a pre-populated template, it is meaningless.
The motivation of the "DeepDelver" doesn't really matter - this has implications across all companies that rely on vendors that have been "assessed" by Delve.
> We have prepared the accompanying description of Cluely, Inc., system titled "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." throughout the period June 27, 2025 - September 27, 2025(description), based on the criteria set forth in the Description Criteria DC Section 200 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report (description criteria).
> The description is intended to provide users with information about the "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." that may be useful when assessing the risks arising from interactions with Cluely, Inc. system, particularly information about the suitability of design and operating effectiveness of Cluely, Inc. controls to meet the criteria related to Security, Availability, Processing Integrity, Confidentiality and Privacy set forth in TSP Section 100, 2017 Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy (applicable trust services criteria).
I mean, just re-read this sentence:
> The description is intended to provide users with information about the "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." that may be useful
It makes no sense at all.
Someone implemented the code to automate this report mill, and didn't think to even smooth it out with an LLM! There was clear intent here.
To imagine that an auditor reviewed and stamped this as a coherent body of work beggars belief.
Cluely did the ChatGPT wrapper to cheat on interviews then sold the customer data to recruiters. The whole company promise is a scam, and useless since we have LLMs.
HockeyStack held contests for people to win cars etc and never delivered. They also lied about having revenues and a product when they had nothing built. Along with Greptile they were doing 7day weeks of unpaid labor from “trial periods”.
Scams all around.
Also they were part of the cohort forcing workers to stay minimum until 9PM.
Like every AI company, their "product" is a Next.js website, OPENAI_API_KEY, and a Stripe checkout page.
They were not paid at all, they were working long-term on a "trial period". And yes it's very illegal. I was there and saw it first-hand.
The guys they had on trial periods - though I'm sure they were very intelligent - were not really firing on all cylinders if you know what I mean.
Intermediaries like Delve have only amplified this failure.
It was obvious to anyone who was involved in this industry that all of this is just security theatre with nothing really to back it up.
We were actually looking at it as well recently (we're using Drata). I was thinking "Cool, this looks like the next cool step forward". The claims didn't sound out of the world in my ears.
Every time an issue like this appears I wonder how many more undiscovered frauds are out there.
Thus providing compliance is really just paying someone to shift responsibility.
The regulator can ask whether you are compliant. You can present certificate from Delve or someone else and that's the end of it.
At some point I was asked to look over the documents for the compliance definition and it was really hilarious. I had to give my engineering perspective on which aspects of the requirements we were and weren't meeting.
But they were stuff like "you must have logs". "You must authenticate users". "You must log failed authentication attempts".
Did we fulfill these requirements? It's a meaningless question. Unless you were literally running an open door telnet service or something you could interpret the questions so as to support any answer you wanted to give.
So I just had to be like "do you want me to say yes?" and they did, so I said yes. Nothing productive was ever achieved during that engagement.
That said, this should be used sparingly, as it embeds a behavior deeply. If that behavior later no longer makes sense, it can be extremely costly to change.
Too often liabilities exceed assets, or the liabilities are externalised.
Liability doesn't work as an incentive for many risks. For uncommon but extreme risks, it can be better to roll the dice on company failure than regularly pay low amounts for mitigation.
It is especially effective to ignore liabilities when a company has poor profitability anyways.
And then you see major companies sidestep the costs of their liabilities (plenty of examples after security failures, but also companies like Johnson&Johnson).
Practically I think that leaking data is inevitable. A junior developer absolutely WILL vibecode a piece of code with glaring security vulnerabilities. An experienced sysadmin WILL temporarily allow public access to the S3 bucket and then forget.
So if you make sure liabilities are covered by corporate assets and are uninsurable, you will soon find yourself in a world with no services.
I don't know what middle ground is possible to find here.
Companies do want to be secure. They try, and they often fail because it's hard.
They hire auditors to find problems and to shift blame. But since they only have 30 days to fix the problems that are found, it's going to seem a lot like they only care about shifting the blame. Because at that point, they only care about passing that audit.
Right after that, though, they start caring about security again.
How do I know? 19 years experience going through those audits on the company side. For 11 months of the year, it was clear the boss cared about security. For that 1 month during the 'free retest' period, they only cared about passing that audit.
I'm not sure about that.
Leaking customers' data bears no meaningful penalties and has no repercussions, while securely storing said data costs money, adds friction and brings nothing but expenses to the bottom line.
Many companies will make a wise business decision to never spend a single cent in the direction of security and safety of data.
Some things just have to be done.
Wellll this is not always the case. I have moved from a shithole country to a nice one and oh boy I am crying in gratitude every month that I pay taxes. Because it is every day that I can see my money working for me in the environment.
But your point stands.
The same applies to all the audit and bureaucracy stuff. Does it do something? If you don't feel it does, does it mean it's not? I don't know really, but I hope somebody is rotating their key material as they provided in their security posture.
No. Because actually rotating keys and passing an audit for rotating keys are two different things, and oftentimes those two are unrelated.
I love bringing Switzerland up to annoy most western/northern Europeans, since their success is so obvious and undeniable while going in a very different direction than most of Europe. Low to low-medium taxes, yet state budgets are frequently in positive numbers, there is no end to money spent on infra projects, train infra, but also rather strong social programs (just not ridiculously bad as mentioned above), top notch free healthcare and education. VAT taxes are 2-8% instead of 20-23% in all countries around. The country simply works(TM) because the population is not a hard comfort-zone-addicted and entitled bunch of spoiled whiny kids; they work relatively hard and it brings results, consistently and long term. They don't work more than Americans or Asians, but that's enough for their prosperity.
Do you think, let's say, a heavy tax burden in say Italy, or even France (not even going more into southern or eastern EU since that would be a small book) is really used well and efficiently? I visit those places frequently and it certainly doesn't seem that way. Random examples - Italy has garbage everywhere, people drive to highway stops to drop it there (so the wind blows it all around). Infrastructure seems like it's from the 80s, with added age. From people dealing with bureaucracy there - it's stuck in the 19th century, a direct approach will often get you nowhere. France - the most communist state in western Europe, heck in all Europe, sans Belarus maybe. Yet if you talk to people, they are constantly pissed off at the government, never happy with the society or state they live in. I don't blame them; listening to French colleagues complain is often a rather sad experience. Not something you read in travel guides, is it.
Immigration is tough, but managed way better than in any EU country. Half of the world wants to come here; it's a tiny place, so it only makes sense they take only those who can find a job in the country. Even though the EU tried many times to strong-arm them.
I don't think people understand the concept of neutrality; it's fine only if it suits them. They accepted both Jewish and other refugees, and also Germans. Even when completely surrounded by the Axis. Nazi leadership repeatedly claimed in their writing that the Swiss Confederacy was the principal enemy of the Nazi Third Reich and must be eliminated at all costs. (Some) Swiss understood the danger much better than the rest of the European countries who tried to appease Hitler. Also, the Swiss helped the Allies way more than they tolerated the Nazis and gave them e.g. access to Campione d'Italia to organize the fight against the Axis. For further reading please check this starting point [1] if you actually care to understand the history.
No need to get angry about this
Also, those people from the Eastern EU have the liberty to migrate there.
>because population is not hard comfort-zone-addicted and entitled bunch of spoiled whiny kids
I'm not sure why I would need lower taxes in exchange for more work. This somehow feels like a scam.
The fact that the country runs better than literally anything else on the European continent is motivating enough for many folks. Higher quality free education, better healthcare, lower criminality; the country simply has a better future when looking at the past and current situation. I am more than happy to put in the same 40h work week I would be working mostly elsewhere, to give my kids a (much) better start in life, and to give the same better life to myself. Easy deal, but please stay at home and be happy if you are. I am not selling this country, just showing other, sometimes inconvenient, facts.
Those two countries are textbook examples of ineffective state taxation-wise. Similar insane tax burden can be found in Scandinavian countries but at the same time these are the happiest countries in the world [1].
And I live in Poland where taxes are used efficiently. Or so it seems on a daily basis.
[1] https://worldpopulationreview.com/country-rankings/happiest-...
Then do not pass the responsibility. But here's the trick: the regulator would like to see an audit done by a firm and purchasing audit services is exactly that: passing responsibility. So legally you can't be compliant unless you passed responsibility.
I am a founder, and my ambition includes meeting the highest possible standards for my customers.
The problem with the current frameworks is that the "controls" are so asinine and auditors so hard-headed that getting certified becomes a matter of "checking the box".
In particular, most of those frameworks REQUIRE maintaining so much paper red tape that it makes a 10 person startup want to kill themselves. And in addition, the costs are stupidly high for startups that are just "starting up".
On the flip side, how many large companies have we seen that have all the SOCs, ISOs and whatnot certifications, and they get pwn3d and their data stolen or exposed?
It tells you that a place being certified doesn't guarantee shit.
The reality is that large companies ask for certs as a CYA mechanism: the "security" department of LargeCo, asks for the compliance cert so that when shit hits the fan, they can say "not my fault, they told me they were compliant"
The good thing is that with the new bullshit generators (LLMs) this certification/compliance process will collapse.
With ISO27001 or SOC 2, I have more information about the other party's ability to manage those risks than just taking their word for it. I'm trusting a third party auditor to vouch for them.
Fraud undermines all kinds of relationships and yes LLMs make it worse. The last job we opened I got hundreds of perfect cover letters asserting the candidates met all of the criteria. Bah.
My perhaps naive hope is that a few of the companies involved will face criminal fraud charges and we will start to develop new reflexes as a society that, just because LLMs make lying very, very easy, there are still consequences.
... spend time and money to emulate the asinine requirements of outdated standards instead of actually making the product better and more secure.
> I'm trusting a third party auditor to vouch for them.
Like Delve?
And Delve isn't an auditor. Though they were apparently in cahoots with equally criminal third party auditors. So I guess I'm going to be looking more closely at just exactly who is auditing our vendors in the future...
In theory these two terms mean the same thing.
In practice compliance can be detrimental to the cause and values that you and I both share seemingly.
> I am a founder, and my ambition includes meeting the highest possible standards for my customers.
Same here. This is why I don't care about "compliance" - because I hold the privacy of my customers sacred. For example, that means no KYC on my customers. And compliance requires KYC.
Somehow I doubt that you are in the B2B/Enterprise space. When you're pitching demos and you hear from people "we really wish we could buy your product but we can't because Finance won't approve the expenditure unless you get XYZ-123", and you hear that over and over again because that is the real-world industry that you live in, then you better believe that there are founders who wake up in the morning wishing that.
You clearly have no understanding of what compliance does. Compliance does not "shift responsibility". Compliance is you demonstrating to your customers that you give enough of a shit that you're willing to pay the table stakes to sit at the table. You can complain that the game has table stakes, but all worthwhile games have them.
> we really wish we could buy your product but we can't because Finance won't approve the expenditure unless you get XYZ-123
So you are not dreaming about XYZ-123 compliance, you are dreaming about being able to make sales to corporate entities.
This is a subtle semantic difference.
> there are founders who wake up in the morning wishing
Wishing juicy corporate customers. Not the XYZ-123 compliance per se.
> Compliance is you demonstrating to your customers that you give enough
money and time to emulate the asinine requirements of detrimental standards to pursue corporate sales instead of directing said resources to make your product better.
Well guess what people told you they wanted? They wanted XYZ-123. And you're not going to find success until you learn to get obsessed about making something people want.
I'm pretty sure you want customers who pay money, and an ITIL 4 badge is just a small means to achieve that, not a goal per se.
The thing is, you know and I know, ITIL is like sex in high school. Everyone says they're doing it loads, everyone says they know all about it, everyone says they're really good at it, but no-one is any good at it, no-one knows anything about it, and no-one is actually doing any of it at all.
[1] No offense to MBA, just using it as a placeholder for: business stakeholder with no IT background.
Not every company is a Delaware C corp.
As for the pre-filled stuff, that's what other SOC 2 companies mean when they try to sell you "compliance in a box." Not that bad if the company is starting from scratch (<1 year), but not realistic for a company that has an existing IT footprint.
However, the allegation here is that it is fraud: an "AI" company acting as a front for certification mills.
https://x.com/HotAisle/status/1946302651383329081
The whole thing is a racket.
We've been able to use a lot of AI-assisted engineering and AI in the software to solve longstanding business challenges in this space.
I won't make assumptions about where you're located, but on the East Coast US it is big business among banks, utilities, healthcare, etc.
The tech is quite interesting, thankfully.
From a customer perspective it's interesting - compliance sucks so much that even a slight improvement/automation goes a long way
It mentions that they had a medical scribe product and ran into HIPAA compliance issues with it, so it's not a leap to think someone might go "hey this stuff is what sunk us last time, I bet we're not the only people with that problem".
You build something great and big corporation X wants to buy a subscription but you need to be certified.
Much of this is a good checklist, but some of it is very European.
"Where is the risk register to track controls in your 7 person company?"
Now instead of doing what your team does best, you are doing paperwork theater for frameworks designed for a 100,000 employee enterprise.
You are documenting things nobody will read, making up processes that don't exist and translating the operations of a lean company into bureaucratic language.
What's needed is a variant of these standards for small teams, which is proportionate and pragmatic.
I had to have meetings with… myself, at times, for compliance reasons.
In scenarios where the company REALLY REALLY wants to buy the SaaS, they often will invest in the company, one of the reasons for which being to ensure they have the resources to go through all the red tape.
CIS Benchmarks are worth a look too: They’re best practices for securing typical cloud platforms, SaaS and OS.
For small teams it doesn’t have to be heavyweight. A risk register can be a simple doc with a few real risks and mitigations.
That said, I agree there’s a lot of theater. For smaller companies and budgets, it often turns into rubber stamping. Auditors rely on the evidence you provide, so the report can look much cleaner than day to day reality.
Still, it has value. It forces you to formalize basic practices, and if you want those customers, you’re signing up for that level of scrutiny.
In reality the starting point itself is something absurd like "all vendors must be ISO certified no exceptions"
Nobody wants to be the person who says an exception is ok in this case, so you get lumped with having to certify.
Now your color palette generator startup is doing ISO certification. You are holding quarterly "information security governance meetings" and maintaining a risk register for... "blue vs slightly different blue".
Many such cases.
Things like what? HIPAA?
What is it about customers in Ethiopia that necessitates this? What is it about American (non-international) customers that doesn't require a register?
The world doesn't work based on abbreviations. It's very normal for any company to ask you for ISO 27001 whether international or otherwise.
When in reality most rules and regulations are not crap, and you should care about them.
Especially when your startup advertises compliance with HIPAA (medical records), PCI-DSS (payments data) and a bunch of other data protection standards and regulations.
But whole compliance industry is crap.
One way they inflate expectations to extract money the other way they cut corners to rubber stamp BS to make it as cheap as possible for themselves.
Have you considered that the kind of companies that demand SOC2 compliance would be happy to pay extra for SOC2 compliance, if you offered it as an optional add-on costing $200k per year?
"The trouble starts when you look at the answers Delve’s AI provided. Based on what your Delve policies claim, the questionnaire AI answers questions stating you have an MDM, had a 200 hour pen-test performed, and do regular backup restoration simulations. Tens of questions are answered like that. Great, you just lied to your vendor but at least you have a good shot at landing the deal. So what did we do? We kept our mouths shut."
Pretty rotten stuff. I went from energy into the software startup world and as I've gotten further down that road and energy has become more and more of a hot field I've encountered a depressing increase in that "just do it to make a deal" ethos, but in critical infrastructure.
Like, no, former Apple PM who learned about an interconnection queue from ChatGPT last week, you are not going to fix the grid, and even moreso you can't "just do X and ask forgiveness later", not in electricity.
And then also it took a rather large data leak later on to provide extra ammunition to decide and go forward with publishing this.
I'm glad they did, but there are a bunch of steps in between pure balls/altruism and what actually happened based on the blog.
Just bribe the WECC auditors!
Forbes 30 under 30 remains undefeated
does Forbes have a great method for identifying future felons?
do future felons push harder to come to Forbes' attention?
does being on the Forbes list unduly influence founders to commit felonies?
I'm sorry, but... $6,000 / 200 == $30 / hour? Just assuming the value of the actual certifications is $zero?
Wouldn't that raise some serious red flags?
AWS is probably the best actual CaaS vendor out there. They have a product offering expressly designed to help their customers get through this jungle:
https://docs.aws.amazon.com/artifact/latest/ug/what-is-aws-a...
You are still responsible for everything on top of what AWS provides (software/configuration/policy), but their compliance package handles a massive portion of what you would otherwise have to do if you were on-prem. Physical security, hardware management, disaster recovery, et al., you get essentially "for free".
Trying to understand how someone can have this perspective when it’s usually someone’s full time salaried job in a lot of companies.
But frankly if they meant that, the statement doesn't really say anything at all. Because what in this world is hard if you stop taking shortcuts and spend time doing it correctly?
> Conclusions present before customer signs or provides info
If false, the defamation damages here would be in the tens of millions. Huge respect to whoever stuck their neck out to post this.
Yeah, ok. BRB to start a bank where I template everyone a billion dollars; it's up to you to be honest with how much money you have.
That, plus their willingness to arrange an essentially fraudulent auditor network (try to find who the real CPA is behind Accorp, for example), and also massively upcharge the prices of the SOC reports that they offered as a bundled service within the platform. There was no separation here. Delve is the transfer agent. Delve was always the intermediary and the transfer agent. There is no independence in their default auditor relationships.
At very best, this is a massive AICPA transgression.
At worst, blatant fraud.
I would wager that discovery would show the latter.
In other words, I'm reading this as effectively a full admission that the claims are true but the company is saying not their responsibility.
Very, very bad.
But really all you have to do is look at the reports themselves. They are so shoddily written that it's hard to believe any legitimate firm would issue them. If you Ctrl-F for Clueley in this thread, you will see my comment with a sample excerpt from the assertion of management for one of their reports.
> 6.7 Misled auditor - Prescient
With this conclusion:
> Looking at that report, there are clear signs that Delve either knowingly misled Prescient, or that Prescient accommodated Delve's deficient process. Given their reputation and by the small number of Delve/Prescient reports out there, I'm assuming it is the former.
— patio11 about this response (https://x.com/patio11/status/2035115379169677717)
> No small amount of criticism of LLMs is downstream of past decisions to reify form over function, resulting in the substance having been optimized out. Now the LLM threatens to make the form available in seconds
None of their ISO 27001 certificates, aside from the premium one-offs with the vCISO, are accredited by any reputable ISO accreditation body. I would even argue that IAS, who accredited Prescient Security (mentioned as a reputable body in the article), has a questionable reputation and certainly gives off a pay-to-play impression.
You can look up the names of their partners below. The one body I found that is on the register (Accorp) is accredited by UAF, a known cert-mill accreditation body, and I’m not even sure it’s the same Accorp that Delve has partnered with.
For reference, you want an ISO certificate issued by a body accredited by UKAS (UK-government-adjacent non-profit), ANAB (ANSI), or equivalent, all government-recognised. This is normally the first thing I check whenever someone claims ISO 27001 certification, and it is a great heuristic to validate certification rigour.
https://www.iafcertsearch.org/search/certification-bodies
Shockingly low levels of DD by everyone involved here.
Wow, what a way to end the document.
"Below are just some of the many inaccuracies in the story and then the truth."
"[G]iven how competitive this industry is, attacks like this sadly come with the territory."
"We are actively investigating any leaks and are still reviewing the Substack. If there are more attacks to respond to we will do so."
When you have a PR problem, you don't hire your marketing intern to write the response. You hire a PR consultant. Their funders' Rolodexes are probably full of them. If the Board approved the response, I'd be frankly shocked.
But the tragedy is that there is a fixed pie of capital to be allocated, and so when they allocate to people like this, it steals opportunity from someone else.
They delivered the product that every company wanted - make the box checking faster.
I had a client in the compliance space - they handle detailed product information for Apple, Boeing, BAE Systems, Philips, Siemens - you know, nothing important, just literally classified material and incredibly sensitive corporate material.
Anyway. We did ISO 27001. We did it well, audited by Lloyd's Register, reputable stuff all the way down. Built actual meaningful processes.
Anyway, a massive PE entity bought them in a hostile takeover, fired everybody, binned the ISMS, moved to some "compliance" goons.
I saw the box-ticking chicanery as it happened - as after firing everyone they of course didn't follow the offboarding process, so I retained full access to their JIRA. I only lost access a year later when Atlassian terminated the account for non-payment.
Nobody actually gives a shit, about anything.
I guess if you have the muscle to brush off legal action from the govt you’re ok. If you’re an unsuspecting startup - that could be a problem.
*Doesn’t name any names.*
Not that I want you to, I feel it would open you up to libel exposure. But can we both acknowledge that you didn’t name the entity that coasted through their audit?
BlackRock is the asset manager
though I'm not saying it couldn't have been the latter
That's the case until there is the threat of discovery. The real issue is if the PE firm bought the company for the value of the IP and any damages awarded were included in the 'cost of business', which is why liability needs to be extended to those persons who make that decision, not just the corporate entity.
You don't want to be in this position, really. And that's the whole point of compliance.
Then it becomes the CEO who's responsible. “Compliance” is there to protect the shareholders!
The point of SOC2 is really to demonstrate that you have controls. The other fake compliance areas are scarier for sure. You used to see really blatant issues — I recall early SaaS companies pitching to my enterprise with sales engineers showing me customer data.
Microsoft refused to provide diagrams to the Feds detailing how Azure works. They got the FedRAMP High stamp anyway, because they already sold it to half the Fed. That's more real… as a situation where a Chinese hacker could compromise data in a dedicated "government cloud" by compromising a certificate in an on-prem dev environment should be impossible… yet it happened.
> But what do you do when the enterprise you are selling to asks you to show that pen-test report (which you never did despite paying for it, because Delve told you a pentest-tools.com vulnerability scan sufficed)? When they ask for your most recent risk assessment, do you just screenshot Delve’s pre-fabricated assessment and pray nobody will pay attention?
> It was that point where the realization sank in. We knew we messed up. We were unable to answer most questions honestly without jeopardizing the deals we were trying to land. We scrambled to get things done the proper way outside of Delve, in an effort to pretend to know what we were doing, but it ended up simply being too much work to get done quickly enough to save things.
You're making the same mistake as most people do: it's 80% box checking, but that doesn't make it performative. The box checking is here so that the dude who checked the box becomes legally responsible for what's happening if they haven't done what they said they did.
If you didn't check that box you could always claim you didn't know you weren't supposed to do what you did. As soon as you've checked “yes, I'm doing things in the approved way”, this excuse disappears.
Maybe so, but how often are small companies actually sued for compliance survey misrepresentations? My most positive look at such surveys, after filtering out all the nonsense, is sometimes they flag something we've missed in our self-directed efforts.
A lot of compliance is basically corruption - while in country A, you might fall out of a window if you don't buy from the right people at 10x prices, in 'civilized' country B, you have to buy from vendor X (who has the necessary paperwork), at 10x prices, or you won't be able to sell the product - and there are a million ways that they can turn the levers to kick you out of their markets, or at least make you pay protection money to these compliance organizations.
The systems of grift are very sophisticated, and very obvious to anyone but the people perpetuating and participating in them. As they say, it is difficult to get a man to understand something when his salary depends upon his not understanding it.
A lot of compliance software is griftware - SonarQube is a prime example - most engineers don't think it adds value, and the 'analysis' it produces is incredibly shoddy, but like a lot of cybersecurity products, it relies on an authoritarian company culture, certification TP conditional on using the software and achieving a good score etc., and alarmist language with nice dashboards. A classic example is that it tags public fields in Java as a security issue. And then the management see that you are writing 'insecure code'.
And literal mouthbreathing idiots in upper management eat this shit up, or use it as a punitive measure against the devs who by their very nature do all the meaningful work.
I'm not saying all compliance is worthless, but if you approach quality from first principles, a 'compliant' product usually has to clear a very low bar of quality. And compliance usually keeps the quality low, and prices high, by forcing potential competitors out of the market.
And compliance can keep quality low in other ways, I've seen firsthand - by making devs work on BS tasks, or preventing improvements and fixes to codebases, because they're not tracked appropriately by whatever change management system.
I was incredibly wary of doing hacky solutions in these places, not out of a sense of commitment to quality, but the fact that once management sees your hacks WORK (kinda), all requests to clean up the garbage will be stonewalled.
Thankfully LLMs make this busywork, both producing this papermill garbage and the nitpicking, very easy, which I feel will bring at least some positive change in the world (at least to those who do meaningful work).
Or insane stuff like it doing a blanket-ban on security related code in the app (but importing a third party lib that does the same is fine).
The analyses in general are low quality and you can see not a lot of effort or thought went into them.
They are not the product - compliance, and dashboards for boomers is.
I'm curious about what it detected for you? In my experience it stops very obvious bad patterns like using string manipulation to submit SQL (which in certain circumstances might even be fine, even necessary), but it can't really trace non-obvious security issues (like tracing a value through the code, making sure it's valid on every codepath); it just doesn't have the compiler machinery to do that.
- the requirements.
- the compliance process that makes sure the company members at all level follow the requirements.
Yes, in many topics, particularly in IT, there's no good requirements being enforced, because the people suggesting them are mostly grifters. But that's not a problem with compliance proper, it's simply a garbage in garbage out process.
The company may be legally in trouble if the planets are aligned, but that's all.
When we reached out to them, they showed us a cert about how they were GDPR compliant, issued by a huge brand-name consulting firm.
In the paper they said they implemented certain standard-mandated cryptographic measures to 'anonymize' the data. Thing is, they implemented them wrong on purpose, so that they could actually identify users by inverting hashes with a rainbow table.
There was a lot of BS legal reasoning in there, but the big-name firm signed off on it. Oh, and at the bottom it had a provision that if the company were to be sued for breach of GDPR, the consulting firm would not be liable in any way.
But this was good enough for tons of companies and govt agencies to just use that software.
So that's what compliance certs get you.
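The 'anonymization' failure the comment above describes, as an added example that is not from the thread or from any vendor named in it: hashing a small identifier space without a key is reversible by precomputing a lookup table, while a keyed HMAC defeats that table. The customer numbers are constructed, and the key is assumed to be held only by the data controller.

```python
"""Added example: unkeyed hash vs. keyed HMAC over a small identifier space.

The identifiers are constructed; the key is assumed to live with the
controller (e.g. in a KMS), never alongside the exported data.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed identifier space: 5-digit customer numbers, 00000..99999.
# Phone numbers or national IDs are similarly small relative to what one
# machine can hash in seconds, which is why plain hashing is not anonymization.
ID_WIDTH = 5
ID_SPACE = 10 ** ID_WIDTH


def pseudonymize_unkeyed(identifier: str) -> str:
    """Plain SHA-256 of the identifier: deterministic, and the recipe is public."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def build_lookup_table() -> Dict[str, str]:
    """Precompute digest -> identifier for the whole space.

    A rainbow table trades memory for recomputation; for 100k inputs a flat
    dictionary makes the same point without the chain bookkeeping.
    """
    return {pseudonymize_unkeyed(f"{n:0{ID_WIDTH}d}"): f"{n:0{ID_WIDTH}d}"
            for n in range(ID_SPACE)}


def invert(digest: str, table: Dict[str, str]) -> Optional[str]:
    """Return the identifier behind a digest if the table covers it, else None."""
    return table.get(digest)


def pseudonymize_keyed(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held only by the controller.

    Without the key nobody can precompute the mapping, so the table above is
    useless against these values.  The key holder can still re-identify, so
    this is pseudonymization, not anonymization: the output stays personal
    data under GDPR even though it no longer leaks to third parties.
    """
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Show the same customer number recovered from the unkeyed form only."""
    table = build_lookup_table()
    customer = "00042"
    recovered_unkeyed = invert(pseudonymize_unkeyed(customer), table)
    key = secrets.token_bytes(32)  # assumed controller-held secret
    recovered_keyed = invert(pseudonymize_keyed(customer, key), table)
    return recovered_unkeyed, recovered_keyed


if __name__ == "__main__":
    print(demo())  # ('00042', None)
```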
At least in cybersecurity, there are no certifications that "certify" that you are secure. There are plenty of them that will assess your processes, their execution, etc., but the reality of the risk is next door. This is typically the case for ISO 27001, which has ISO 27002 (the ex British Standard from the 90s) that theoretically governs the controls you should have in place. But it simply does not work.
When you have a major leak, this is usually a company with half a page of certifications, but, hey, mistakes happen. The key problem that these mistakes come from is a fundamentally wrong approach to cybersecurity, but nobody cares.
This is really a two-layered approach: you need to have a mechanism to manage your processes, and a real-life risk assessment. This last part is usually what fails most because there are not many people who can build a comprehensive risk analysis.
The problem with risk analysis is that you either have consultants who read books about risk but never operationally managed cybersecurity (and they provide "high level" risks which are useless without the "low level" part), or tech people who understand their part very well and see it as the most important. Having a very good CISO is what helps.
This CISO should also have politico-socialo-whatever leverage to make things happen. Put them in a position where their words are not the words of god and you fail immediately.
A large company is absolutely not homogeneous - as opposed to what reports will state. There is usually a core that is well known, and then 10 or 100 tentacles of semi-controlled systems where bad things happen. This blindness to the reality of the company is what hits the hardest.
How to manage a complex system is not for a HN comment, this requires time, resources and know-how. And leverage.
They fell in the same trap as you did now. You can try to make the liability tree complicated, but in the end the buck will stop with the person in charge unless they put things in place they have to legally put in place. Liability is like water: you can shift it around, but it always has to go somewhere. And if you don't know where it is as a boss, it is likely eating away at your foundation.
In my case they hoped I could just be the responsible electrical engineer on paper and absolve them of their liability. Then I explained to them that I could do that, but that legally they would still be liable until they provided that role with the time/resources/personnel needed to do the job. In my case that would have meant dropping everything I did in my existing roles and reallocating 80% of my work time to that role.
In the end they decided to use an external company that covers that role for real. To them it was just a checkbox in the beginning, but only because they had no expertise in the legal dimension of the whole thing. And sure they could potentially have gone for years without problems, but one wrong electrical fire and they are in jail.
Under GDPR the potential liability we are talking about is 10 Million Euros or 2% of global annual turnover, whichever is higher. But yeah, go ahead, check your boxes.
That’s the only actual audit on “security”.
AI pentesting is just another SaaS.
Delve tried to automate the CPA, you can’t automate the audit. Same goes for the penetration test.
In my experience it’s we know that they know that we know that they know …..
I would recommend both Vanta and OneLeet as good quality tools to work with, having used both. The founders of OneLeet are very accessible, and Vanta has all the integrations you would need as both a small startup and an enterprise-grade player.
Secureframe and Drata are other tools in a similar class that are also legitimate.
https://fly.io/blog/soc2-the-screenshots-will-continue-until...
Most startups should be doing way, way less than automation platforms like these tell them they need to do to get a SOC2 attestation.
Basically, they are saying that you should tailor your SOC2 implementation so that it's actually useful without being a horrible overbearing process, that you have that option and should take it.
The pitch isn't "don't get a SOC2", or "convince big paying customers that SOC2 isn't important". It's "don't worry about SOC2 until a big paying customer says they'll make big payments if you get it, and when you do worry about it, don't let SOC2 compliance trick you into doing bonkers infrastructure things"
Nevertheless, they said it was: too late to opt out, that it can't be canceled or postponed, and then kept emailing us endlessly and sending to collections to pay them another $10K platform fee for the next year (more than we had in the company bank account).
I understand this with large corporations, but I don't think they're a good fit for startups.
The integrations are what makes it really useful, but elements are not correctly connected between them, or are too limited to be useful: for instance, access review information tells you who is an "admin", but ignores the various permission levels (e.g. on GitHub, you can be an admin of a repository) which exist on each platform. So let's say you are using RBAC access policies; then all Vanta integrations are meaningless because you cannot check roles, and you have to build/buy another tool...
Their policy builder is a bad joke, slow, incomplete, and you lose all automations when you need to change even one word. The default policies are quite bad anyway, very long and complex, pushing you to use forms which are not integrated into the platform, so again you have to maintain a duplicate system elsewhere.
Generally speaking, there's no help to keep policies in sync with processes and proofs, and let me tell you it goes out of sync very fast!
Willfully paying for a service that offers SOC 2 reports at 1/5th the usual rate and delivers them in days instead of months and deluding themselves (and others) that it's a proper audit.
Taking cookie cutter policies/controls jamming it into your org without any awareness whatsoever. Acting surprised when employees complain about draconian rules and the audit process is a pain because you wanted to take the shortcut.
Why can't people just do it the proper way the first time? Pay for a reputable auditing firm, write your own policies and implement controls that map to the actual organization, do a gap assessment with the auditing firm so that both parties are aligned on expectations, and spend the necessary time to undergo the audit. Getting it should be a milestone if you actually take it seriously and have a modicum of professionalism.
In my eyes, audits should be a trust exercise. You trust that your organization is organized in a way that meets standards (by doing the work) and the auditors trust that you aren't faking your evidence. As someone who has to regularly vet countless new software purchases, SOC 2 actually serves a role. Does anyone have a better idea of getting third party validation of how another company operates? Like sending them tons of questionnaires is the solution?
All this just breaks that trust by facilitating certification mills. Another example of fraud stemming from a country that churns out fake degrees, fake papers, fake conferences, and fake references.
Should we worry about AI startup customer data…
The rookie mistake they made is they forgot to bribe the regulators with promises of future job offers.
Never heard of any of them except Loveable.
They have a billboard with the copy "Compliance before you tell your parents you dropped out of MIT"
I don't think that's true. I didn't get into any elite schools unlike almost all of them.
Guys guys, if only it had some of that real AI it would be all good!!
I hope that with LLMs, answering security questionnaires will be much less time consuming for companies and less would opt out to get a full blown SOC2 cert. But it will probably play the other way.