493 out of 494 SOC 2 audit reports. Nearly identical. Same boilerplate. Same grammatical errors. Same pre-written conclusions. The only differences? Company name, logo, and signature block.
That's the allegation at the centre of what might be the biggest compliance fraud story in recent startup history. Delve, a Y Combinator-backed compliance automation platform valued at $300 million, stands accused of running what one whistleblower calls 'Fake Compliance as a Service.'
Here's what we know, what's speculation, and why it matters far beyond one startup.
What Is Delve?
Delve is a compliance automation startup founded in 2023 by Karun Kaushik and Selin Kocalar, both MIT dropouts who landed on Forbes 30 Under 30. The company went through Y Combinator's W24 batch and raised a $32 million Series A from Insight Partners in July 2025, at a reported $300 million valuation.
The pitch was attractive: get your SOC 2, ISO 27001, HIPAA, or GDPR certification in days rather than months. Pricing sat around $20,000 for a SOC 2, undercutting the traditional market significantly. They claimed 1,500+ enterprise clients and 120+ platform integrations.
For anyone who's been through a genuine SOC 2 Type II audit, the 'days not months' claim should have raised eyebrows. A Type II report, by definition, covers the operation of controls over an observation period, typically three to twelve months, and there is no legitimate shortcut around that timeline. A Type I report (controls described at a single point in time) can be finished quickly, which is precisely why enterprise buyers ask for Type II. Terminology was a second tell: SOC 2 is an attestation report carrying an auditor's opinion, not a certificate, and there is no government-issued HIPAA certification at all, so 'get your HIPAA certification' was a red flag before anyone opened a report.
How Did This Come to Light?
The unravelling started quietly. In December 2025, a publicly accessible Google spreadsheet exposed hundreds of confidential client audit reports. Delve acknowledged the leak internally, with CEO Kaushik emailing customers to assure them no external party had gained access to sensitive data.
Then, in early March 2026, a Reddit user in r/cybersecurity posted under the title 'Is it just me, or does every Delve SOC 2 report look the same?' They'd spotted identical typos across multiple vendor reports, including a doubled 'the' on page 44 that appeared in report after report. That thread became the catalyst for a much larger investigation.
On 18 March, an anonymous Substack account called 'DeepDelver' published a detailed exposé titled 'Delve - Fake Compliance as a Service - Part I.' The evidence was granular and specific, built on analysis of the leaked document cache.
What Are the Specific Allegations?
The DeepDelver investigation makes several distinct claims, each with varying levels of supporting evidence.
Were the Reports Templated?
According to the analysis, 493 of 494 leaked SOC 2 reports contained essentially identical language, structure, and even the same grammatical mistakes. A specific phrase appeared in 99.8% of documents: 'An Endpoint Security Solution is installed with the feature of scanning the device automatically and log reports are reviewed.'
All 259 Type II reports in the set claimed zero security incidents, zero personnel changes, and zero cyber incidents during their observation periods. For anyone who's worked in security, that's not just unlikely. It's statistically implausible across hundreds of different organisations.
The most damning detail: auditor conclusions and test procedures were allegedly pre-populated in draft reports before clients had submitted their company descriptions. As DeepDelver put it: 'The conclusion existed before there was anything to audit.'
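The templating claim rests on analysis that any vendor-risk team can repeat on the reports it already holds. The script below is an added example, not DeepDelver's tooling and not code from Delve: it builds a constructed toy corpus of five 'reports' (four from one template, including the same doubled-word typo, one written independently) and flags sentences present in most of the corpus, identical typos recurring across documents, and pairwise near-duplicates by word-shingle Jaccard similarity. The vendor names, thresholds and sample text are assumptions for illustration.

```python
"""Boilerplate and near-duplicate detection over a set of audit reports.

Added example: not DeepDelver's tooling and not code from Delve. It runs the
checks that expose templated reports: sentences present in most of the
corpus, identical typos recurring across documents, and pairwise word-shingle
similarity. REPORTS below is a constructed toy corpus, not real audit text.
"""
import re
from itertools import combinations

# Constructed sample corpus: five 'reports' from five fictitious vendors. Four
# follow one template (same boilerplate, same 'the the' typo); the fifth was
# written independently and describes real incidents.
_TEMPLATE = (
    " An Endpoint Security Solution is installed with the feature of scanning "
    "the device automatically and log reports are reviewed. Access is reviewed "
    "by the the security team quarterly. No security incidents occurred during "
    "the period."
)
REPORTS = {
    "acme": "Acme Corp operates a SaaS platform." + _TEMPLATE,
    "bolt": "Bolt Inc operates a payments API." + _TEMPLATE,
    "cobalt": "Cobalt LLC operates a logistics portal." + _TEMPLATE,
    "dune": "Dune GmbH operates an analytics dashboard." + _TEMPLATE,
    "evergreen": (
        "Evergreen Ltd operates a hospital scheduling system. Laptops run a "
        "managed EDR agent with weekly review of detections by the SOC lead. "
        "Two phishing incidents were logged and closed in Q3. Access reviews "
        "are performed each quarter by engineering managers."
    ),
}

_SENT_SPLIT = re.compile(r"(?<=[.!?])\s+")
_DOUBLE_WORD = re.compile(r"\b(\w+)\s+\1\b")   # 'the the', 'is is', ...


def sentences(text):
    """Split text into normalised sentences: lowercase, single spaces, no final punctuation."""
    out = []
    for s in _SENT_SPLIT.split(text.strip()):
        s = " ".join(s.split()).rstrip(".!?").lower()
        if s:
            out.append(s)
    return out


def shared_sentences(docs, min_fraction=0.8):
    """Map each sentence present in at least min_fraction of docs to the sorted doc ids holding it."""
    hits = {}
    for doc_id, text in docs.items():
        for s in set(sentences(text)):
            hits.setdefault(s, []).append(doc_id)
    needed = min_fraction * len(docs)
    return {s: sorted(ids) for s, ids in hits.items() if len(ids) >= needed}


def shared_typos(docs):
    """Sentences containing a doubled word that appear verbatim in more than one document."""
    hits = {}
    for doc_id, text in docs.items():
        for s in set(sentences(text)):
            if _DOUBLE_WORD.search(s):
                hits.setdefault(s, []).append(doc_id)
    return {s: sorted(ids) for s, ids in hits.items() if len(ids) > 1}


def shingles(text, k=5):
    """Set of k-word windows; the unit of comparison for near-duplicate detection."""
    words = re.findall(r"\w+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a, b):
    """Jaccard similarity of two sets (1.0 for two empty sets)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def near_duplicate_pairs(docs, threshold=0.6, k=5):
    """All (doc_a, doc_b, similarity) pairs whose shingle Jaccard meets the threshold."""
    sets = {d: shingles(t, k) for d, t in docs.items()}
    pairs = []
    for a, b in combinations(sorted(docs), 2):
        sim = jaccard(sets[a], sets[b])
        if sim >= threshold:
            pairs.append((a, b, round(sim, 3)))
    return pairs


def template_report(docs, min_fraction=0.8, threshold=0.6):
    """Run all three checks and return their findings in one dict."""
    return {
        "shared_sentences": shared_sentences(docs, min_fraction),
        "shared_typos": shared_typos(docs),
        "near_duplicates": near_duplicate_pairs(docs, threshold),
    }


if __name__ == "__main__":
    report = template_report(REPORTS)
    for s, ids in report["shared_sentences"].items():
        print(f"boilerplate in {len(ids)}/{len(REPORTS)} docs: {s!r}")
    for s, ids in report["shared_typos"].items():
        print(f"identical typo in {ids}: {s!r}")
    for a, b, sim in report["near_duplicates"]:
        print(f"near-duplicate {a} ~ {b}: {sim}")
```

On a real corpus the interesting output is the ratio, not any one sentence: a control description that reads identically in 99% of reports from unrelated companies is the signal, and a doubled-word typo that recurs verbatim is the strongest form of it, because no two companies make the same typing mistake independently. The shingle threshold is deliberately loose; structurally similar reports from the same auditor will score well above random, and the point is to rank pairs for a human to read, not to declare fraud by script.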
Who Were the Auditors?
Virtually all clients were routed through two firms: Accorp and Gradient Certification. The investigation traced both to India-based operations using virtual office addresses in the US and UAE. Gradient was registered in Wyoming through a mailbox agent commonly associated with shell company formation, with its president listed at the same Delhi address as the Indian parent entity.
Two additional firms, Glocert and DKPC, were identified as part of the same network.
Whether these firms conducted any genuine independent review is the central question. The whistleblower alleges they functioned as certification mills, rubber-stamping pre-written reports. Two checks anyone holding one of these documents can run today: a SOC 2 report is only a SOC 2 report if a licensed CPA firm issued it, and an ISO 27001 certificate should trace to an accredited certification body (the IAF CertSearch database lists accredited certificates). A Wyoming mailbox address answers neither question.
Was Evidence Fabricated?
The investigation claims background checks showed 'passed' results for fictitious employees, including characters from The Office. Pre-fabricated board meeting minutes and security simulation reports could allegedly be adopted with a single click. Trust pages on client websites were reportedly populated before any compliance work had been done.
These are the most serious allegations and, it should be noted, the hardest to independently verify.
What Has Delve Said?
Delve published a blog post on 20 March titled 'Response to Misleading Claims.' The core defence rests on several points:
On reports: Delve says it 'does not issue compliance reports.' The platform assists with implementation and grants auditors dashboard access. 'Final reports and opinions are issued solely by independent, licensed auditors, not Delve.'
On templates: 'Overlap in structure and language across reports is expected' because most platforms use 'fixed control sets based on widely accepted standards set forth by the AICPA, ISO, and more.'
On pre-filled content: Delve 'provides templates to help teams document their processes,' but customers 'are responsible for reviewing, modifying, and finalizing their own materials.'
CEO Kaushik also sent a mass email to partners dismissing the whistleblower report as 'falsified claims from an AI-generated bot.' That particular choice of deflection has not aged well.
What's Verified vs. What's Speculation?
This distinction matters. Not everything in the DeepDelver report has been independently confirmed, and not everything in Delve's defence holds up either.
Confirmed or Strongly Evidenced
- The December 2025 data leak happened. Delve acknowledged it.
- The near-identical language across 493 reports rests on documentary analysis of the leaked cache, and Delve has not specifically refuted it.
- The audit firms Accorp and Gradient trace to India-based operations with nominal US presence through registered agent addresses. This is verifiable through corporate filings.
- Insight Partners scrubbed its investment blog post about Delve after the allegations surfaced, as reported by TechCrunch. It was later restored.
- Delve disabled its 'Book a Demo' feature on its website.
- Security researcher Jamieson O'Reilly of Dvuln confirmed finding security vulnerabilities in Delve's own external attack surface. The irony of a compliance company with poor security is hard to overstate.
Credible but Unconfirmed
- The fictitious employee background checks (including The Office characters) are reported across multiple sources citing the DeepDelver investigation, but haven't been independently verified by major outlets.
- Whether auditor conclusions were genuinely pre-written before client input is supported by the documentary evidence, but Delve disputes the characterisation.
- Whether the audit firms are 'part of the same operation' or a legitimate (if dubious) network remains the whistleblower's interpretation.
Still Speculation
- No formal regulatory findings from the SEC, AICPA, or any state CPA board as of 27 March 2026.
- Whether this constitutes criminal fraud vs. aggressive business practices is an open legal question.
- Y Combinator has not publicly commented.
- The identity of 'DeepDelver' is unknown.
The LiteLLM Coincidence
The timing could not have been worse for Delve. On 19 March, with the DeepDelver report barely a day old, LiteLLM (another YC company, with 3.4 million daily downloads) was hit by credential-harvesting malware delivered through a supply chain attack.
LiteLLM prominently displayed SOC 2 and ISO 27001 certifications on its website. Both were obtained through Delve.
TechCrunch called it 'Silicon Valley's two biggest dramas intersecting.' The malware entered through a compromised dependency (the Trivy GitHub Actions), a CI supply chain path that a SOC 2 examination does not directly test, although the change-management and vendor-risk criteria nominally cover it. Still, the optics of a Delve-certified company being breached within a day of the fraud allegations surfacing are brutal.
It raises the question everyone is asking: if these certifications didn't catch anything, what were they actually certifying?
Why Does This Matter Beyond Delve?
The Hacker News discussion captured the broader sentiment well. Most security professionals weren't surprised by the allegations. They were surprised someone finally documented what many consider an open secret: a significant portion of compliance work is performative.
One commenter stated plainly: 'all of this is just security theatre with nothing really to back it up.' Another shared witnessing a major vendor with GDPR certification that deliberately implemented cryptographic measures incorrectly to pass certification.
The compliance industry has a structural problem. Companies need certifications to win enterprise contracts. Certifications require auditors. Auditors are paid by the companies they audit. The incentive to rubber-stamp is baked into the model.
Delve didn't create this problem. But if the allegations hold, they industrialised it. They turned the quiet nod-and-wink of compliance theatre into a product with 120+ integrations and a $300 million valuation.
What Are the Potential Consequences?
For Delve's clients, the exposure is real:
- Companies that bought 'HIPAA compliance' from Delve have nothing to fall back on. HHS issues no HIPAA certification, covered entities and business associates are liable for their own Security Rule compliance regardless of any vendor badge, and the penalties range from OCR civil fines to criminal charges for knowing wrongful disclosure of protected health information.
- GDPR violations carry fines of up to 4% of global annual turnover or €20 million, whichever is higher. As with HIPAA, there is no 'GDPR certification' of the kind sold in a bundle; the Article 42 mechanism exists, but it runs through accredited bodies against approved criteria.
- Any organisation that accepted a Delve client's SOC 2 report as proof of security during vendor due diligence may need to re-evaluate.
For the audit firms, Accorp, Gradient, Glocert, and DKPC face potential investigation by the AICPA and state CPA boards for independence violations, although those bodies only reach firms that are actually licensed; if the firms are not CPA firms, the documents they signed were never SOC 2 reports in the first place. If the pre-written conclusions allegation is proven, that's a direct violation of AICPA AT-C Section 205, the attestation standard under which SOC 2 examinations are performed, which requires the practitioner to obtain sufficient appropriate evidence before forming an opinion.
For the broader market, this could accelerate regulatory scrutiny of AI-automated compliance tools. The EU AI Act's conformity assessment provisions were designed to prevent exactly this kind of scenario, as one analysis from Systima AI has already argued.
What Happens Next?
As of 27 March 2026, no formal regulatory action has been announced. But the pieces are in motion:
- Multiple TechCrunch investigations have added mainstream coverage.
- Security researchers are independently probing Delve's own infrastructure and finding vulnerabilities.
- The AICPA and state CPA boards have grounds to investigate the audit firms if they choose to.
- Delve's clients are presumably reassessing their compliance posture.
The real test will be whether regulators act, or whether the compliance industry absorbs this as another cautionary tale and carries on. Given the scale of the allegations (1,500+ clients, $32 million in VC funding, certifications covering HIPAA and GDPR), doing nothing would be a statement in itself.
One thing is clear: 'SOC 2 in days' was always too good to be true. The question now is how many companies built their security posture on that promise.
This post reflects publicly available information as of 27 March 2026. If formal regulatory findings or additional evidence emerge, we'll update accordingly.
Legal disclaimer: As of the date of publication, no criminal or civil charges have been filed against Delve, its founders, or any associated parties. No court or regulatory body has made any finding of guilt, liability, or wrongdoing. The allegations described in this article are derived from third-party reporting, publicly available documents, and the company's own published response. This post is intended as factual commentary on a matter of public interest and does not constitute legal advice or an assertion of guilt. Delve disputes the characterisation of the allegations and their official response is linked above.
Sources:
- DeepDelver - 'Fake Compliance as a Service - Part I'
- TechCrunch - 'Delve accused of misleading customers with fake compliance'
- TechCrunch - 'Insight Partners scrubs investment post'
- TechCrunch - 'Delve did the security compliance on LiteLLM'
- Inc. - 'The Delve Scandal'
- Hacker News Discussion
- Delve Official Response