[resiros]

This seems like a hit job by a competitor. Really ruthless.

> Two months ago, an email went out to a few hundred Delve clients informing them that Delve had leaked their audit reports, alongside other confidential information, through a Google spreadsheet that was publicly accessible.

Who leaked the audit reports? Who sent this email? Who is taking the time to write this analysis and kill the company?

In my opinion, the majority of the points in the article are no news. A compliance saas that offers templates for policies, all of them do. The AI is a chatbot, well who thought.

I think the main point is the collusion between delve and the auditors. Is the evidence for that clear?

[emilycg]

The key problem is the audits and the auditors. I have independently verified for our vendors that they have the same templated SOC2 as all of the leaked reports, which is concerning because that shows the auditors did not actually validate the controls.

SOC2 is supposed to give you an INDEPENDENT evaluation of the compliance of a company "are they doing what they say they are"

If the SOC2 report is just a pre-populated template, it is meaningless.

It doesn't really matter the motivation of the "DeepDelver" - this has implications across all companies that rely on these vendors that have been "assessed" by Delve.

[OsrsNeedsf2P]

Really curious what you're going to do, going forward. Will you be rejecting compliance certified with Delve? Will you be forcing your vendors to redo compliance?

[sebmellen]

Hit piece or not, the blatantly fraudulent behavior displayed by Delve is reprehensible.

And they didn't even try. Read this management assertion for one of the (known) affected companies:

> We have prepared the accompanying description of Cluely, Inc., system titled "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." throughout the period June 27, 2025 - September 27, 2025(description), based on the criteria set forth in the Description Criteria DC Section 200 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report (description criteria).

> The description is intended to provide users with information about the "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." that may be useful when assessing the risks arising from interactions with Cluely, Inc. system, particularly information about the suitability of design and operating effectiveness of Cluely, Inc. controls to meet the criteria related to Security, Availability, Processing Integrity, Confidentiality and Privacy set forth in TSP Section 100, 2017 Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy (applicable trust services criteria).

[cyrusradfar]

There's no need for some conspiracy.

It's a juicy story to talk about that hits a lot of checkboxes that make it viral --

  1. the hustle culture they promoted online was gross
  2. they followed the 30u30 Forbes pattern like Liz Holmes, FTX, etc. 
  3. they're a YC co, so their's plenty of popular voices supporting them

The 3rd isn't to slight the program but folks definitely slam any companies that seem to be in the moral gray area as a proof the program is nihilistic and a net negative. People like to shove mistakes in the face of "successful" folks like investors/VCs.

Finally, the security and compliance community is litigious by their nature and this startup, in general, was a net negative for a lot of people who do fractional / consulting work in security.

[sebmellen]

What's more surprising to me, as a layperson, is that I found this out and investigated their shady auditor network in late December. It didn't take much work.

Insight Partners invested in a 32 MILLION DOLLAR ROUND without any apparent shred of due diligence. What does that say about the VC market writ large?