March 2026
Compliance Theatre: What the Delve Scandal Means for Your Security Reports
A YC-backed compliance startup called Delve has been accused of fabricating SOC 2, ISO 27001, HIPAA, and GDPR compliance reports. Not cutting corners. Not being sloppy. According to a detailed independent investigation, fabricating.
According to the investigation, a leaked Google Spreadsheet - shared via Slack with "anyone with the link" permissions - contained ~575 confidential audit reports. The analysis found that 492 out of 494 SOC 2 reports contained the identical grammatically incorrect phrase. 493 out of 494 used the same infrastructure description. All 259 Type II reports reportedly claimed zero security incidents, zero personnel changes, zero customer terminations, and zero cyber incidents across hundreds of companies over months of observation.
The investigation also alleges that auditor conclusions were pre-written - with firm IDs embedded in draft reports before clients had provided system descriptions. A copy-paste error reportedly revealed one auditor's firm ID inside another auditor's cover page.
This isn't a story about one bad actor. It's a story about what happens when the security industry optimises for the appearance of security instead of the reality of it.
The Checkbox Factory
Delve's model worked because it exploited a genuine market pressure: compliance is expensive, slow, and confusing. There's nothing wrong with using automation and AI to make compliance faster and more affordable - that's a good thing. The problem isn't the tooling. It's what you do with it.
Automation should help you gather evidence faster, interpret findings more clearly, and guide people through the process. What it shouldn't do is generate conclusions before anyone has looked at your systems. A SOC 2 report has value precisely because an independent auditor examined your specific controls and found them adequate. Automate the evidence collection, by all means. But the conclusions have to come from the evidence, not the other way around.
The investigation alleges Delve went further: pre-generating board meeting minutes, risk assessments, and security incident simulations that clients could adopt with a single click. TechCrunch reported that the platform published fully populated trust pages claiming vulnerability scanning, penetration testing, and data recovery simulations before compliance work was complete.
The investigation also raised concerns about the auditors involved, alleging that the primary SOC 2 auditor operated through virtual office addresses and that ISO certificates lacked accreditation from recognised bodies.
If the allegations hold up, this isn't automation. It's something much worse.
Why This Matters to You
The broader concern isn't limited to Delve's customers. If any compliance provider is cutting corners on this scale, the companies relying on those reports could face real consequences:
- Regulatory exposure - compliance obligations you believed were met may not actually be satisfied
- Insurance complications - cyber insurance may not cover incidents where the underlying compliance evidence turns out to be inadequate
- Customer trust damage - if your trust page was auto-generated, your customers were misled too
- Contract risk - enterprise customers who discover that controls behind a trust page aren't real tend to walk
But here's the harder question: even if you didn't use Delve, how confident are you that your security vendor is actually doing the work?
Five Questions to Ask Your Security Provider
- "Can I see the raw scan output?" - A legitimate security assessment produces artefacts: tool logs, configuration snapshots, vulnerability evidence. If your provider can only show you the polished report, ask why.
- "What tools did you actually run?" - "We use proprietary methodology" is sometimes legitimate and sometimes a euphemism for "we used a template." Ask for specifics.
- "What did you find that was unique to us?" - If every finding in your report could apply to any company, it probably does. Real assessments find things specific to your architecture, your configuration, your deployment.
- "How do your findings change between assessments?" - If your security posture looks identical quarter to quarter with no changes, either nothing ever changes in your environment (unlikely) or nobody's actually looking.
- "What didn't you test, and why?" - Honest providers have scope boundaries and say so. Dishonest ones claim comprehensive coverage. The most trustworthy answer is one that includes limitations.
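Questions 3 and 4 above, and the investigation's finding that nearly every report carried the same phrase, can be checked mechanically. The script below is an added illustration, not the investigation's method or ThreatControl's tooling: given a batch of report texts (constructed here), it lists the sentences shared by nearly all of them and scores how much of each report is unique to that client.

```python
"""Flag boilerplate shared across a batch of assessment reports.

Added example; not the investigation's method or ThreatControl's tooling.
REPORTS below is constructed sample text, not real audit content.
"""
import re
from collections import Counter

BOILERPLATE = (
    "The organization maintain a robust control environment. "
    "No security incidents were observed during the period. "
    "Infrastructure is hosted in a major cloud provider. "
    "No customer terminations were observed during the period."
)
REPORTS = {  # constructed: three templated reports and one written for the client
    "acme": BOILERPLATE,
    "globex": BOILERPLATE,
    "initech": BOILERPLATE,
    "hooli": (
        "Production workloads run on a Kubernetes cluster in eu-west-1 with three node pools. "
        "One phishing incident affecting two accounts was reported in November and closed in December. "
        "The organization maintain a robust control environment."
    ),
}

def sentences(text):
    """Split text into normalised sentences (lower-cased, trailing punctuation kept)."""
    return [s.strip().lower() for s in re.split(r"(?<=[.!?])\s+", text) if s.strip()]

def shared_sentences(reports, threshold=0.9):
    """Sentences that appear in at least `threshold` of the reports, with their counts."""
    counts = Counter()
    for text in reports.values():
        counts.update(set(sentences(text)))  # count each sentence once per report
    cutoff = threshold * len(reports)
    return {s: n for s, n in counts.items() if n >= cutoff}

def uniqueness_ratio(report_id, reports):
    """Fraction of a report's sentences that occur in no other report (0.0 = pure template)."""
    own = set(sentences(reports[report_id]))
    others = {s for rid, t in reports.items() if rid != report_id for s in sentences(t)}
    return len(own - others) / len(own) if own else 0.0

if __name__ == "__main__":
    for s, n in shared_sentences(REPORTS, threshold=0.75).items():
        print(f"shared by {n}/{len(REPORTS)} reports: {s}")
    for rid in REPORTS:
        print(f"{rid}: {uniqueness_ratio(rid, REPORTS):.0%} unique content")
```

Run it over successive quarterly reports from the same provider as well: a uniqueness ratio near zero between periods is the "nobody's actually looking" signal from question 4.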
The Real Question Isn't Price - It's Honesty
According to reports, Delve's prices dropped from $15,000 to $6,000 when customers mentioned competitors. When clients threatened to leave, they were reportedly paired with an external vCISO for manual off-platform work.
Affordable compliance isn't the problem. AI-assisted evidence gathering isn't the problem. The problem is when a provider isn't transparent about what's automated and what isn't, what's been examined and what hasn't, and where the conclusions actually came from.
Good automation makes compliance faster and more accessible. It should also make the evidence trail clearer, not murkier. If a tool helped generate a finding, say so. If a human reviewed it, say that too. The customer deserves to know how their report was produced.
What Good Looks Like
At ThreatControl, every finding in every report traces to evidence - a scan result, a configuration observation, a verifiable technical fact. We run real tools against real infrastructure. When we find nothing in a particular area, we say "nothing found" - not "compliant." Those are different statements, and the distinction matters.
We use AI to help interpret findings and generate contextual remediation guidance - and we're upfront about it. Two companies with the same vulnerability get different remediation guidance because they have different stacks, different risk profiles, and different business priorities. AI helps us deliver that context faster. But the evidence comes from real scans, and the conclusions come from the evidence.
We're a small firm. We don't have Delve's $32 million in funding. What we have is transparency about how our reports are produced, and the ability to stand behind every line. In security, that turns out to be worth more.
The Takeaway
When the investigation broke, Delve published a five-point response. Discussion on Hacker News noted that the response appeared to reframe allegations rather than address them directly. Separately, observers noted that the crisis response page contained approximately 4,000 words of hidden content in the HTML - invisible to browsers, visible to search crawlers.
It's the same pattern at every layer: things that look right on the surface but don't stand up to inspection.
The Delve scandal will fade from the news. But the pressure that created it won't. Compliance will keep getting more complex. Security assessments will keep getting more expensive. And there will always be someone offering to make it all go away with a click.
Your job is to make sure the security reports with your company's name on them describe reality, not theatre. Ask the questions. Verify the evidence. And if your provider can't show you the work, find one who can.
ThreatControl provides security assessment services for SMEs - external penetration testing, cloud security review, vulnerability assessment, and supply chain risk analysis. Every report is evidence-based and contextual to your environment. Get in touch.