You build something great and big corporation X wants to buy a subscription but you need to be certified.
Much of this is a good checklist but some of it is very european.
"Where is the risk register to track controls in your 7 person company?"
Now instead of doing what your team does best, you are doing paperwork theater for frameworks designed for a 100,000 employee enterprise.
You are documenting things nobody will read, making up processes that don't exist and translating the operations of a lean company into bureaucratic language.
What's needed is a variant of these standards for small teams, which is proportionate and pragmatic.
Exactly this. But my question here is also: is there not a competitive advantage to a big enterprise that applies standards in a more intelligent way? You have a SaaS, I have a Fortune 500 company that could use your product but I cannot use it because my procurement process is as long and winding ad the Road to Hana. In the meantime my competitor has a smarter procurement process that takes into account the impact and risk involved in renting your software. Don’t they get a competitive advantage over me by having a better process and as a result getting better vendors?
I’ve found CIS Controls v8.1 to be good and sane, with actual benefits to security. Level 1 is a solid base, and Level 2 is good for picking from depending on where risks exist in your business.
CIS Benchmarks are worth a look too: They’re best practices for securing typical cloud platforms, SaaS and OS.
What is the purpose of a business though? To make profits for its owners. If the profit lies in doing all this corporate theater then that's the business. A company that focuses only on providing a service and product but ignores how their customer needs to use said service and product is going to go out of business.
Compliance isn't that hard once you stop looking for shortcuts and start spending time doing it correctly.
AWS is probably the best actual CaaS vendor out there. They have a product offering expressly designed to help their customers get through this jungle:
You are still responsible for everything on top of what AWS provides (software/configuration/policy), but their compliance package handles a massive portion of what you would otherwise have to do if you were on-prem. Physical security, hardware management, disaster recovery, et. al., you get essentially "for free".
I think that goes for any major cloud provider, not only AWS. But nothing is free, you pay a hefty premium to get this (compared to plain infra providers like Hetzner for example).
Question: how likely is it that a number of 20-year olds have the passion of solving the problem of compliance auditing? I can hardly imagine that I'd even be interested in taking a look at the domain. It's just... so mundane. Or maybe the alpha-type overachievers don't care about the domain but the opportunity?
Solving boring problems has been conventional startup wisdom for a long time. And a "mundane" startup might be more interesting than traditional high-paying jobs like finance/law/consulting. https://www.joelonsoftware.com/2007/12/06/where-theres-muck-...
I work for a firm that develops custom software in regulated industries, and we have brilliant software & data engineers in their 20's working on compliance auditing, and more specifically "Compliance Management System health monitoring."
We've be able to use a lot of AI-assisted engineering and AI in the software to solve longstanding business challenges in this space.
I won't make assumptions about where you're located, but on the East Coast US it is big business among banks, utilities, healthcare, etc.
I wonder if it's almost like a new version of management consulting. You hire/invest in a bunch of smart 20-somethings who seem generally intelligent with the idea that they'll "disrupt" an industry with their from-first principles approach. Do the 23 year old McKinsey consultants particularly care about their work? No, but the McKinsey name is a fast way to gain clout and access to executives. Ditto the YC name
The problem may not be "intellectually interesting" to them at all, but building B2B SaaS does appeal to them from a lifestyle/prestige/pedigree perspective and will probably get them an exit to become a Venture investor even if they fail.
Interesting that the author (and "the others in his network") seem to only be concerned about the complete illegitimacy of their certs when they were already exposed and now they want to stand up and say they are the good guys for "exposing" Delve.
I've gone through this process and is this not a failure from the institute that are giving away these certifications for a fee without any due diligence?
intermediaries like delve have only amplified this failure.
it was obvious to anyone who was involved in this industry that, all of this is just security theatre with nothing really to back it up.
We were actually looking at it as well recently (we're using Drata). I was thinking "Cool, this looks like the next cool step forward". The claims didn't sound out of the world in my ears.
Every time an issue like this appears I wonder how many more undiscovered frauds are out there.
The only job of a test is to fail, so if you never see the page red it's not doing anything. It's refreshing to see this being called out instead of going with the flow because "everyone is doing so".
I think it may be getting (intentionally?) suppressed from the homepage. Given this is a YCombinator website, I wouldn't rule that out.
Regardless, it's been an ongoing issue. I know a few involved companies — it takes basically 5 days to get a SOC 2 Type 2 report through Delve. And, of course, they market this way too: "SOC 2 in days". Unbelievable.
What is it with the dropouts and unethical businesses? It is almost as if dropping out makes them do things, and without credentials, those things are the things others will not do.
Compliance is something that no one ever wants and everybody hates. Not a single founder wakes up in the morning thinking to themselves: "oh I wish I could make my company XYZ-123 compliant!"
Thus providing compliance is really just paying someone to shift responsibility.
The regulator can ask whether you are compliant. You can present certificate from Delve or someone else and that's the end of it.
I don't want to work wherever you do your thing. Software as a service means you provide a service, and you should take your responsibility to protect your customer's data super seriously. Compliance frameworks are one useful tool among many to support this effort. It helps us identify gaps, identify risks, make improvements. It also give us a way to communicate what we do to our partners. The behavior described in the medium post is fraud, pure and simple.
I am a founder, and my ambition includes meeting the highest possible standards for my customers.
Not a single person wakes up in the morning thinking they wish to pay taxes and rent and do the laundry the other stuff that has to be done. I would be nice to smoke weed and play video games all day and order the deliveries.
When I worked in cybersecurity I had a similar realization. No one cared about security posture. They cared about insurance policies. People hired us to shift blame instead of improve security posture. this is not terribly different
> Not a single founder wakes up in the morning thinking to themselves: "oh I wish I could make my company XYZ-123 compliant!"
Somehow I doubt that you are in the B2B/Enterprise space. When you're pitching demos and you hear from people "we really wish we could buy your product but we can't because Finance won't approve the expenditure unless you get XYZ-123", and you hear that over and over again because that is the real-world industry that you live in, then you better believe that there are founders who wake up in the morning wishing that.
You clearly have no understanding of what compliance does. Compliance does not "shift responsibility". Compliance is you demonstrating to your customers that you give enough of a shit that you're willing to pay the table stakes to sit at the table. You can complain that the game has table stakes, but all worthwhile games have them.
Maybe no one wakes up wanting to deal with compliance, but it you found a company that has legal or moral obligations to be compliant with these standards, you sure have signed yourself up for it. Passing the responsibility off to some other company is, quite simply, irresponsible.
Trust me, you can lie and get away with it if you go through YC and dropped out of a top university. Garry Tan blocked me on X for pointing this out. It's a big club, and you ain't in it!
Fortunately, some of the old-YC spirit seems to be alive here on HN still.
The article states that, "Even though we knew we’d technically be lying about our security to anyone we sent these policies to for review ... we decided to adopt these policies because we simply didn’t have the bandwidth to rewrite them all manually."
Like no one characterizes it like that, but this is the same business where you can tell a story about hiring a bunch of college friends to pretend to be your employees so a client comes to your "office" and thinks you're a legitimate business. And instead of looking in horror at how casually you'll lie to get business it's seen as scrappy and whimsical.
Delve did not even try to fake the reports well. They could have used AI tooling to write somewhat plausible Assertions of Management, but they just dropped in clear form submissions to the reports they provided. Here is an example from Cluely:
> We have prepared the accompanying description of Cluely, Inc., system titled "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." throughout the period June 27, 2025 - September 27, 2025(description), based on the criteria set forth in the Description Criteria DC Section 200 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report (description criteria).
> The description is intended to provide users with information about the "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." that may be useful when assessing the risks arising from interactions with Cluely, Inc. system, particularly information about the suitability of design and operating effectiveness of Cluely, Inc. controls to meet the criteria related to Security, Availability, Processing Integrity, Confidentiality and Privacy set forth in TSP Section 100, 2017 Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy (applicable trust services criteria).
I mean, just re-read this sentence:
> The description is intended to provide users with information about the "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." that may be useful
It makes no sense at all.
Someone implemented the code to automate this report mill, and didn't think to even smooth it out with an LLM! There was clear intent here.
To imagine that an auditor reviewed and stamped this as a coherent body of work beggars belief.
There is a lot of serious allegations in here. But some of these complaints apply to most SOC 2 compliance services. For example: it points out that Delve provides pre-filled documents and encourages you to accept them as is. In my experience that is typical. I have seen companies just rubber stamp pre-created documents that describe IT processes that do not accurately reflect actual policy because the MBA[1] running the project didn't want to pull in IT and had no idea what any of it meant.
[1] No offense to MBA, just using it as a placeholder for: business stakeholder with no IT background.
Doesn't seem like a problem with SOC 2 compliance, seems like a problem where a company appointed someone who is not suited to handle a SOC 2 project.
As for the pre-filled stuff, that's what other SOC 2 companies mean when they try to sell you "compliance in a box." Not that bad if the company is starting from scratch (<1 year), but not realistic for a company that has an existing IT footprint.
However, the allegations here is that it is fraud. An "AI" company acting as a front for certification mills.
Giving you template device management policies is one thing, it's a whole other thing to say you don't have to have board meetings and generating fake minutes.
> the price quickly dropped to just $6,000 when they realized we were serious about going elsewhere, and they would throw in ISO 27001 and a 200 hour penetration test as well.
I'm sorry, but... $6,000 / 200 == $30 / hour? Just assuming the value of the actual certifications is $zero?
$6000 for both SOC 2 and ISO 27001 with Pen tests ? lol. I paid over $8k just for ISO 27001 for our small company and have been quoted a lot more for SOC 2.
Delve seems clearly scummy, but dear god the author's company was also engaging in fraud with their own customers and just hoping to skate by.
"The trouble starts when you look at the answers Delve’s AI provided. Based on what your Delve policies claim, the questionnaire AI answers questions stating you have an MDM, had a 200 hour pen-test performed, and do regular backup restoration simulations. Tens of questions are answered like that. Great, you just lied to your vendor but at least you have a good shot at landing the deal. So what did we do? We kept our mouths shut."
Pretty rotten stuff. I went from energy into the software startup world and as I've gotten further down that road and energy has become more and more of a hot field I've encountered a depressing increase in that "just do it to make a deal" ethos, but in critical infrastructure.
Like, no, former Apple PM who learned about an interconnection queue from ChatGPT last week, you are not going to fix the grid, and even moreso you can't "just do X and ask forgiveness later", not in electricity.
Notice how none of Delve's affiliates on X are posting anything after that Substack post. Probably their lawyers told them not to say anything further.
What does that tell you about the scam that was unveiled?
The only thing it tells us is that they have received competent legal advice. Any counsel is going to tell you to shut up regardless of whether you are in the right or wrong.
Major red flag with this should have been that their expensive marketing predicated heavily on them being MIT dropouts instead of any expertise in the space
> No custom tailoring, no AI guidance, no real automation. Just pre-populated forms that required you to click “save”.
I hate that I've become this cynical, but it's gotten to the point where reading the "no x, no y, just z" construct makes me assume that writing is AI generated (and then I immediately stop caring about reading it)
Great write up. What makes this interesting...I thought it was cool what they were doing...but also seemed too good to be true. I went ahead a booked a demo call with them. Great personas. Very friendly. Can't say they had all the answers, but they did bring a CISO on the last meeting, which seemed a bit scripted. They also never disclosed any breaches, even after I asked them. Yikes. Good luck to the orgs that went through all that process.
All this evidence seems pretty legit. I found this on LinkedIn and came here to post, but noticed it had already been posted. Surprised I didn’t see it on HN front page.
Cluely did the ChatGPT wrapper to cheat on interviews then sold the customer data to recruiters. The whole company promise is a scam, and useless since we have LLMs.
HockeyStack held contests for people to win cars etc and never delivered. They also lied about having revenues and a product when they had nothing built. Along with Greptile they were doing 7day weeks of unpaid labor from “trial periods”.
We just found out about this story and the submissions of it. It looks like it didn't make the front page because it set off HN's voting ring detector.
Mods didn't touch either thread except (1) we merged the duplicate discussions and (2) we rolled back the voting ring penalty so that the story would be on the frontpage.
This is in keeping with the principle that we moderate stories less, not more, when YC or a YC startup is part of the story. That's been the case since the beginning, and I've posted about it dozens of times: https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu....
This seems like a hit job by a competitor. Really ruthless.
> Two months ago, an email went out to a few hundred Delve clients informing them that Delve had leaked their audit reports, alongside other confidential information, through a Google spreadsheet that was publicly accessible.
Who leaked the audit reports? Who sent this email? Who is taking the time to write this analysis and kill the company?
In my opinion, the majority of the points in the article are no news. A compliance saas that offers templates for policies, all of them do. The AI is a chatbot, well who thought.
I think the main point is the collusion between delve and the auditors. Is the evidence for that clear?
The key problem is the audits and the auditors. I have independently verified for our vendors that they have the same templated SOC2 as all of the leaked reports, which is concerning because that shows the auditors did not actually validate the controls.
SOC2 is supposed to give you an INDEPENDENT evaluation of the compliance of a company "are they doing what they say they are"
If the SOC2 report is just a pre-populated template, it is meaningless.
It doesn't really matter the motivation of the "DeepDelver" - this has implications across all companies that rely on these vendors that have been "assessed" by Delve.
Hit piece or not, the blatantly fraudulent behavior displayed by Delve is reprehensible.
And they didn't even try. Read this management assertion for one of the (known) affected companies:
> We have prepared the accompanying description of Cluely, Inc., system titled "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." throughout the period June 27, 2025 - September 27, 2025(description), based on the criteria set forth in the Description Criteria DC Section 200 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report (description criteria).
> The description is intended to provide users with information about the "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." that may be useful when assessing the risks arising from interactions with Cluely, Inc. system, particularly information about the suitability of design and operating effectiveness of Cluely, Inc. controls to meet the criteria related to Security, Availability, Processing Integrity, Confidentiality and Privacy set forth in TSP Section 100, 2017 Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy (applicable trust services criteria).
It's a juicy story to talk about that hits a lot of checkboxes that make it viral --
1. the hustle culture they promoted online was gross
2. they followed the 30u30 Forbes pattern like Liz Holmes, FTX, etc.
3. they're a YC co, so their's plenty of popular voices supporting them
The 3rd isn't to slight the program but folks definitely slam any companies that seem to be in the moral gray area as a proof the program is nihilistic and a net negative. People like to shove mistakes in the face of "successful" folks like investors/VCs.
Finally, the security and compliance community is litigious by their nature and this startup, in general, was a net negative for a lot of people who do fractional / consulting work in security.
A lot of startups move fast with a small team.
You build something great and big corporation X wants to buy a subscription but you need to be certified.
Much of this is a good checklist but some of it is very european.
"Where is the risk register to track controls in your 7 person company?"
Now instead of doing what your team does best, you are doing paperwork theater for frameworks designed for a 100,000 employee enterprise.
You are documenting things nobody will read, making up processes that don't exist and translating the operations of a lean company into bureaucratic language.
What's needed is a variant of these standards for small teams, which is proportionate and pragmatic.
Exactly this. But my question here is also: is there not a competitive advantage to a big enterprise that applies standards in a more intelligent way? You have a SaaS, I have a Fortune 500 company that could use your product but I cannot use it because my procurement process is as long and winding ad the Road to Hana. In the meantime my competitor has a smarter procurement process that takes into account the impact and risk involved in renting your software. Don’t they get a competitive advantage over me by having a better process and as a result getting better vendors?
I’ve found CIS Controls v8.1 to be good and sane, with actual benefits to security. Level 1 is a solid base, and Level 2 is good for picking from depending on where risks exist in your business.
CIS Benchmarks are worth a look too: They’re best practices for securing typical cloud platforms, SaaS and OS.
Maybe you suouldn't be hacking due diligence if your team isn't ready for it
What is the purpose of a business though? To make profits for its owners. If the profit lies in doing all this corporate theater then that's the business. A company that focuses only on providing a service and product but ignores how their customer needs to use said service and product is going to go out of business.
This is as designed to gatekeep these customers. Those in control of the checklists stand to benefit.
Compliance isn't that hard once you stop looking for shortcuts and start spending time doing it correctly.
AWS is probably the best actual CaaS vendor out there. They have a product offering expressly designed to help their customers get through this jungle:
https://docs.aws.amazon.com/artifact/latest/ug/what-is-aws-a...
You are still responsible for everything on top of what AWS provides (software/configuration/policy), but their compliance package handles a massive portion of what you would otherwise have to do if you were on-prem. Physical security, hardware management, disaster recovery, et. al., you get essentially "for free".
I think that goes for any major cloud provider, not only AWS. But nothing is free, you pay a hefty premium to get this (compared to plain infra providers like Hetzner for example).
Question: how likely is it that a number of 20-year olds have the passion of solving the problem of compliance auditing? I can hardly imagine that I'd even be interested in taking a look at the domain. It's just... so mundane. Or maybe the alpha-type overachievers don't care about the domain but the opportunity?
Solving boring problems has been conventional startup wisdom for a long time. And a "mundane" startup might be more interesting than traditional high-paying jobs like finance/law/consulting. https://www.joelonsoftware.com/2007/12/06/where-theres-muck-...
I work for a firm that develops custom software in regulated industries, and we have brilliant software & data engineers in their 20's working on compliance auditing, and more specifically "Compliance Management System health monitoring."
We've be able to use a lot of AI-assisted engineering and AI in the software to solve longstanding business challenges in this space.
I won't make assumptions about where you're located, but on the East Coast US it is big business among banks, utilities, healthcare, etc.
I'm in the industry (albeit not a 20-year old), and agree that the domain itself is incredibly dry.
The tech is quite interesting, thankfully.
From a customer perspective it's interesting - compliance sucks so much that even a slight improvement/automation goes a long way
I wonder if it's almost like a new version of management consulting. You hire/invest in a bunch of smart 20-somethings who seem generally intelligent with the idea that they'll "disrupt" an industry with their from-first principles approach. Do the 23 year old McKinsey consultants particularly care about their work? No, but the McKinsey name is a fast way to gain clout and access to executives. Ditto the YC name
The problem may not be "intellectually interesting" to them at all, but building B2B SaaS does appeal to them from a lifestyle/prestige/pedigree perspective and will probably get them an exit to become a Venture investor even if they fail.
Even if this is a hit piece made by a competitor, the evidence put forwards is very damning:
> Conclusions present before customer signs or provides info
If false, the defamation damages here would be in the tens of millions. Huge respect to whoever stuck their neck out to post this.
Interesting that the author (and "the others in his network") seem to only be concerned about the complete illegitimacy of their certs when they were already exposed and now they want to stand up and say they are the good guys for "exposing" Delve.
I've gone through this process and is this not a failure from the institute that are giving away these certifications for a fee without any due diligence?
intermediaries like delve have only amplified this failure.
it was obvious to anyone who was involved in this industry that, all of this is just security theatre with nothing really to back it up.
Love the depth of this post.
We were actually looking at it as well recently (we're using Drata). I was thinking "Cool, this looks like the next cool step forward". The claims didn't sound out of the world in my ears.
Every time an issue like this appears I wonder how many more undiscovered frauds are out there.
The only job of a test is to fail, so if you never see the page red it's not doing anything. It's refreshing to see this being called out instead of going with the flow because "everyone is doing so".
This was such as interesting read, but I found this link via LinkedIn rather than hackernews.
I would have expected this to be somewhere at the top right now given how deep the article digs and evidence seems legit.
I think it may be getting (intentionally?) suppressed from the homepage. Given this is a YCombinator website, I wouldn't rule that out.
Regardless, it's been an ongoing issue. I know a few involved companies — it takes basically 5 days to get a SOC 2 Type 2 report through Delve. And, of course, they market this way too: "SOC 2 in days". Unbelievable.
> Delve was founded in 2023 by Karun Kaushik and Selin Kocalar, both Forbes 30 Under 30 members and MIT dropouts who met as freshmen.
Forbes 30 under 30 remains undefeated
The methodology questions remain:
does Forbes have a great method for identifying future felons?
do future felons push harder to come to Forbes' attention?
does being on the Forbes list unduly influence founders to commit felonies?
What is it with the dropouts and unethical businesses? It is almost as if dropping out makes them do things, and without credentials, those things are the things others will not do.
Compliance is something that no one ever wants and everybody hates. Not a single founder wakes up in the morning thinking to themselves: "oh I wish I could make my company XYZ-123 compliant!"
Thus providing compliance is really just paying someone to shift responsibility.
The regulator can ask whether you are compliant. You can present certificate from Delve or someone else and that's the end of it.
I don't want to work wherever you do your thing. Software as a service means you provide a service, and you should take your responsibility to protect your customer's data super seriously. Compliance frameworks are one useful tool among many to support this effort. It helps us identify gaps, identify risks, make improvements. It also give us a way to communicate what we do to our partners. The behavior described in the medium post is fraud, pure and simple.
I am a founder, and my ambition includes meeting the highest possible standards for my customers.
Not a single person wakes up in the morning thinking they wish to pay taxes and rent and do the laundry the other stuff that has to be done. I would be nice to smoke weed and play video games all day and order the deliveries.
Some things just have to be done.
When I worked in cybersecurity I had a similar realization. No one cared about security posture. They cared about insurance policies. People hired us to shift blame instead of improve security posture. this is not terribly different
> Not a single founder wakes up in the morning thinking to themselves: "oh I wish I could make my company XYZ-123 compliant!"
Somehow I doubt that you are in the B2B/Enterprise space. When you're pitching demos and you hear from people "we really wish we could buy your product but we can't because Finance won't approve the expenditure unless you get XYZ-123", and you hear that over and over again because that is the real-world industry that you live in, then you better believe that there are founders who wake up in the morning wishing that.
You clearly have no understanding of what compliance does. Compliance does not "shift responsibility". Compliance is you demonstrating to your customers that you give enough of a shit that you're willing to pay the table stakes to sit at the table. You can complain that the game has table stakes, but all worthwhile games have them.
Maybe no one wakes up wanting to deal with compliance, but it you found a company that has legal or moral obligations to be compliant with these standards, you sure have signed yourself up for it. Passing the responsibility off to some other company is, quite simply, irresponsible.
Forbes 30u30 pipeline remains undefeated.
How did none of this come up during diligence? Feels like a prime example of too good to be true.
Trust me, you can lie and get away with it if you go through YC and dropped out of a top university. Garry Tan blocked me on X for pointing this out. It's a big club, and you ain't in it!
Fortunately, some of the old-YC spirit seems to be alive here on HN still.
This is the next one...
https://x.com/HotAisle/status/2035024494663016532
> How did none of this come up during diligence?
The article states that, "Even though we knew we’d technically be lying about our security to anyone we sent these policies to for review ... we decided to adopt these policies because we simply didn’t have the bandwidth to rewrite them all manually."
You mean from the beginning? They could’ve just done it properly initially then moved to this scam process later
Dishonesty is high signal for VC
Like no one characterizes it like that, but this is the same business where you can tell a story about hiring a bunch of college friends to pretend to be your employees so a client comes to your "office" and thinks you're a legitimate business. And instead of looking in horror at how casually you'll lie to get business it's seen as scrappy and whimsical.
I remember having sales calls with them and the vibe was that it was "cheap and quick"... exactly what you want for your compliance
Delve did not even try to fake the reports well. They could have used AI tooling to write somewhat plausible Assertions of Management, but they just dropped in clear form submissions to the reports they provided. Here is an example from Cluely:
> We have prepared the accompanying description of Cluely, Inc., system titled "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." throughout the period June 27, 2025 - September 27, 2025(description), based on the criteria set forth in the Description Criteria DC Section 200 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report (description criteria).
> The description is intended to provide users with information about the "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." that may be useful when assessing the risks arising from interactions with Cluely, Inc. system, particularly information about the suitability of design and operating effectiveness of Cluely, Inc. controls to meet the criteria related to Security, Availability, Processing Integrity, Confidentiality and Privacy set forth in TSP Section 100, 2017 Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy (applicable trust services criteria).
I mean, just re-read this sentence:
> The description is intended to provide users with information about the "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." that may be useful
It makes no sense at all.
Someone implemented the code to automate this report mill, and didn't think to even smooth it out with an LLM! There was clear intent here.
To imagine that an auditor reviewed and stamped this as a coherent body of work beggars belief.
There is a lot of serious allegations in here. But some of these complaints apply to most SOC 2 compliance services. For example: it points out that Delve provides pre-filled documents and encourages you to accept them as is. In my experience that is typical. I have seen companies just rubber stamp pre-created documents that describe IT processes that do not accurately reflect actual policy because the MBA[1] running the project didn't want to pull in IT and had no idea what any of it meant.
[1] No offense to MBA, just using it as a placeholder for: business stakeholder with no IT background.
Doesn't seem like a problem with SOC 2 compliance, seems like a problem where a company appointed someone who is not suited to handle a SOC 2 project.
As for the pre-filled stuff, that's what other SOC 2 companies mean when they try to sell you "compliance in a box." Not that bad if the company is starting from scratch (<1 year), but not realistic for a company that has an existing IT footprint.
However, the allegations here is that it is fraud. An "AI" company acting as a front for certification mills.
Giving you template device management policies is one thing, it's a whole other thing to say you don't have to have board meetings and generating fake minutes.
> the price quickly dropped to just $6,000 when they realized we were serious about going elsewhere, and they would throw in ISO 27001 and a 200 hour penetration test as well.
I'm sorry, but... $6,000 / 200 == $30 / hour? Just assuming the value of the actual certifications is $zero?
Wouldn't that raise some serious red flags?
$6000 for both SOC 2 and ISO 27001 with Pen tests ? lol. I paid over $8k just for ISO 27001 for our small company and have been quoted a lot more for SOC 2.
Slopliance?
https://www.reddit.com/r/soc2/comments/1q7u90o/real_or_fake_...
Delve seems clearly scummy, but dear god the author's company was also engaging in fraud with their own customers and just hoping to skate by.
"The trouble starts when you look at the answers Delve’s AI provided. Based on what your Delve policies claim, the questionnaire AI answers questions stating you have an MDM, had a 200 hour pen-test performed, and do regular backup restoration simulations. Tens of questions are answered like that. Great, you just lied to your vendor but at least you have a good shot at landing the deal. So what did we do? We kept our mouths shut."
Pretty rotten stuff. I went from energy into the software startup world and as I've gotten further down that road and energy has become more and more of a hot field I've encountered a depressing increase in that "just do it to make a deal" ethos, but in critical infrastructure.
Like, no, former Apple PM who learned about an interconnection queue from ChatGPT last week, you are not going to fix the grid, and even moreso you can't "just do X and ask forgiveness later", not in electricity.
At least they had the balls to post it
there needs to be a fund with an ethos of "move slowly and do things accurately"
The fund is called customers. The independent regulator is called the AICPA. It really comes down to who is paying attention
SOC2 is as useful as a privacy policy at protecting your data. It’s all humans following human incentives.
The United States military?
There are a few, roughly.
Like the best options in most categories, they don’t spend a bunch of money or time on brand presence, advertising.
You simply find them.
Well now we know how Cluely and friends can claim to be SOC2 compliant.
Notice how none of Delve's affiliates on X are posting anything after that Substack post. Probably their lawyers told them not to say anything further.
What does that tell you about the scam that was unveiled?
Not good.
The only thing it tells us is that they have received competent legal advice. Any counsel is going to tell you to shut up regardless of whether you are in the right or wrong.
Major red flag with this should have been that their expensive marketing predicated heavily on them being MIT dropouts instead of any expertise in the space
I've been talking about this for a while now. For those of you thinking... Oh, I use a "good" company... think otherwise.
https://x.com/HotAisle/status/1946302651383329081
The whole thing is a racket.
> No custom tailoring, no AI guidance, no real automation. Just pre-populated forms that required you to click “save”.
I hate that I've become this cynical, but it's gotten to the point where reading the "no x, no y, just z" construct makes me assume that writing is AI generated (and then I immediately stop caring about reading it)
wow, cannot imagine now companies that tool the compliance, and get deals just to be fake. uff...
vibe compliance
Great write up. What makes this interesting...I thought it was cool what they were doing...but also seemed too good to be true. I went ahead a booked a demo call with them. Great personas. Very friendly. Can't say they had all the answers, but they did bring a CISO on the last meeting, which seemed a bit scripted. They also never disclosed any breaches, even after I asked them. Yikes. Good luck to the orgs that went through all that process.
wow you guys really delved into this
All this evidence seems pretty legit. I found this on LinkedIn and came here to post, but noticed it had already been posted. Surprised I didn’t see it on HN front page.
It is being suppressed by @dang, I believe they may have a policy that allows suppression for bad YC-related news.
I miss 2010s YC until like 2017 ish when crypto sort of just caused a massive decline across the board.
I guess it is great if you're a grifter/scammer or looking to just sell off to a FANG.
agreed
Cluely and HockeyStack are scam companies too.
Cluely did the ChatGPT wrapper to cheat on interviews then sold the customer data to recruiters. The whole company promise is a scam, and useless since we have LLMs.
HockeyStack held contests for people to win cars etc and never delivered. They also lied about having revenues and a product when they had nothing built. Along with Greptile they were doing 7day weeks of unpaid labor from “trial periods”.
Scams all around.
Greptile is an awesome product, not sure where the scam is there
Wait what's the greptile story?
How does this not reach the front page?
We just found out about this story and the submissions of it. It looks like it didn't make the front page because it set off HN's voting ring detector.
Mods didn't touch either thread except (1) we merged the duplicate discussions and (2) we rolled back the voting ring penalty so that the story would be on the frontpage.
This is in keeping with the principle that we moderate stories less, not more, when YC or a YC startup is part of the story. That's been the case since the beginning, and I've posted about it dozens of times: https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu....
It's on the front page for me?
It does, but it's also a takedown of a YC-backed company.
Really great vetting there, guys.
This seems like a hit job by a competitor. Really ruthless.
> Two months ago, an email went out to a few hundred Delve clients informing them that Delve had leaked their audit reports, alongside other confidential information, through a Google spreadsheet that was publicly accessible.
Who leaked the audit reports? Who sent this email? Who is taking the time to write this analysis and kill the company?
In my opinion, the majority of the points in the article are no news. A compliance saas that offers templates for policies, all of them do. The AI is a chatbot, well who thought.
I think the main point is the collusion between delve and the auditors. Is the evidence for that clear?
The key problem is the audits and the auditors. I have independently verified for our vendors that they have the same templated SOC2 as all of the leaked reports, which is concerning because that shows the auditors did not actually validate the controls.
SOC2 is supposed to give you an INDEPENDENT evaluation of the compliance of a company "are they doing what they say they are"
If the SOC2 report is just a pre-populated template, it is meaningless.
It doesn't really matter the motivation of the "DeepDelver" - this has implications across all companies that rely on these vendors that have been "assessed" by Delve.
Hit piece or not, the blatantly fraudulent behavior displayed by Delve is reprehensible.
And they didn't even try. Read this management assertion for one of the (known) affected companies:
> We have prepared the accompanying description of Cluely, Inc., system titled "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." throughout the period June 27, 2025 - September 27, 2025(description), based on the criteria set forth in the Description Criteria DC Section 200 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report (description criteria).
> The description is intended to provide users with information about the "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." that may be useful when assessing the risks arising from interactions with Cluely, Inc. system, particularly information about the suitability of design and operating effectiveness of Cluely, Inc. controls to meet the criteria related to Security, Availability, Processing Integrity, Confidentiality and Privacy set forth in TSP Section 100, 2017 Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy (applicable trust services criteria).
There's no need for some conspiracy.
It's a juicy story to talk about that hits a lot of checkboxes that make it viral --
The 3rd isn't to slight the program but folks definitely slam any companies that seem to be in the moral gray area as a proof the program is nihilistic and a net negative. People like to shove mistakes in the face of "successful" folks like investors/VCs.Finally, the security and compliance community is litigious by their nature and this startup, in general, was a net negative for a lot of people who do fractional / consulting work in security.