The Delve scandal is the most dramatic compliance fraud in SOC 2 history. But the reaction from much of the security industry has not been shock — it has been a resigned nod. Because the uncomfortable truth is that Delve was selling what the market was buying: the appearance of security without the cost of actually being secure.
This article is not about Delve. It is about the systemic problem Delve exploited and why compliance automation, even when used honestly, cannot substitute for genuine security work.
The compliance-security gap
There is a fundamental difference between being compliant and being secure. Compliance asks: "Do you have controls that meet framework requirements?" Security asks: "Can an attacker compromise your system?"
These questions overlap, but they are not the same. A company can be fully compliant with SOC 2 and still be trivially vulnerable to SQL injection in its main application. A company can fail its SOC 2 audit because of a documentation gap while having excellent security practices that the framework does not measure.
Delve exploited this gap by making compliance infinitely easy while doing nothing for security. But even legitimate compliance automation tools operate primarily on the compliance side of this divide.
What automation can and cannot do
What compliance platforms do well
- Evidence collection: Pulling screenshots from AWS, Azure, and GCP to prove configuration settings automatically
- Control monitoring: Detecting when MFA is disabled, when an access review is overdue, or when a policy has not been updated
- Workflow management: Tracking which controls are implemented, who is responsible, and what the audit timeline looks like
- Integration: Connecting to your identity provider, cloud infrastructure, and HR systems to collect evidence continuously
These are genuinely valuable capabilities. Vanta, Drata, and Secureframe save compliance teams hundreds of hours of manual evidence collection. That time savings is real.
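To make concrete what "control monitoring" means in practice, here is an added example of the kind of check a compliance platform automates: it evaluates identity-provider and policy-register evidence against three control rules (MFA enrolled for every active user, access reviews completed within a review window, policies re-approved within a policy-review window). This is illustration code written for this article, not code from any platform named above; the record format, field names, and the 90-day and 365-day thresholds are assumptions, and the sample evidence is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Review windows used by the rules below. Assumed values for illustration,
# not thresholds quoted from any framework.
ACCESS_REVIEW_DAYS = 90
POLICY_REVIEW_DAYS = 365


@dataclass(frozen=True)
class Finding:
    control: str   # which control rule failed
    subject: str   # the user or policy the finding concerns
    detail: str    # human-readable explanation kept for the evidence trail


def check_mfa(users):
    """Every active user must have MFA enrolled; deactivated users are out of scope."""
    return [
        Finding("mfa-enforced", u["email"], "active account without MFA enrolment")
        for u in users
        if u["active"] and not u["mfa_enrolled"]
    ]


def check_access_reviews(users, today):
    """Every active user must have an access review dated within the review window."""
    cutoff = today - timedelta(days=ACCESS_REVIEW_DAYS)
    findings = []
    for u in users:
        if not u["active"]:
            continue
        last = u.get("last_access_review")
        if last is None:
            findings.append(Finding("access-review", u["email"], "no access review on record"))
        elif last < cutoff:
            findings.append(Finding(
                "access-review", u["email"],
                f"last review {last.isoformat()} is older than {ACCESS_REVIEW_DAYS} days"))
    return findings


def check_policy_reviews(policies, today):
    """Every policy must have been re-approved within the policy-review window."""
    cutoff = today - timedelta(days=POLICY_REVIEW_DAYS)
    return [
        Finding("policy-review", p["name"],
                f"last approved {p['last_approved'].isoformat()}, "
                f"older than {POLICY_REVIEW_DAYS} days")
        for p in policies
        if p["last_approved"] < cutoff
    ]


def run_controls(users, policies, today):
    """Run every control rule and return the combined list of findings."""
    return (check_mfa(users)
            + check_access_reviews(users, today)
            + check_policy_reviews(policies, today))


# Constructed sample evidence, shaped like what a platform would pull from an
# identity provider and a policy register. Names and dates are made up.
TODAY = date(2025, 6, 1)
SAMPLE_USERS = [
    {"email": "alice@example.com", "active": True, "mfa_enrolled": True,
     "last_access_review": date(2025, 4, 15)},
    {"email": "bob@example.com", "active": True, "mfa_enrolled": False,
     "last_access_review": date(2025, 1, 10)},
    {"email": "carol@example.com", "active": True, "mfa_enrolled": True,
     "last_access_review": None},
    {"email": "dave@example.com", "active": False, "mfa_enrolled": False,
     "last_access_review": None},  # deactivated: skipped by both user checks
]
SAMPLE_POLICIES = [
    {"name": "Information Security Policy", "last_approved": date(2024, 9, 1)},
    {"name": "Incident Response Plan", "last_approved": date(2023, 11, 20)},
]

if __name__ == "__main__":
    # Expected on the sample evidence: bob (no MFA), bob and carol (access
    # review), Incident Response Plan (policy review).
    for f in run_controls(SAMPLE_USERS, SAMPLE_POLICIES, TODAY):
        print(f"[{f.control}] {f.subject}: {f.detail}")
```

Every one of these findings is about the state of a control, not about whether the product is exploitable: the same four findings would come back whether or not the application behind these accounts has an injection flaw, which is exactly the divide the rest of this article is about.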
What no platform can automate
- Penetration testing: No automated tool can replicate what a skilled human pentester finds. Vulnerability scanners find known CVEs. Pentesters find business logic flaws, chained attack paths, and context-dependent vulnerabilities that scanners cannot detect.
- Threat modeling: Understanding how your specific architecture, data flows, and business processes create unique attack surfaces requires human analysis.
- Security culture: Whether your engineering team actually follows secure coding practices, takes security reviews seriously, and reports suspicious activity cannot be measured by a platform integration.
- Incident response readiness: A platform can verify that an incident response document exists. It cannot tell you whether your team can actually execute it under pressure.
- Risk judgment: Deciding which risks are acceptable, which need mitigation, and how to prioritize limited security resources requires understanding your specific business context.
The Delve playbook was simple: automate the appearance of controls without requiring the controls to actually exist. But even honest automation only handles evidence collection — the underlying security work still needs to happen.
The perverse incentives
The SOC 2 ecosystem has a structural problem: the buyer of the audit is the company being audited. This creates predictable incentives:
- Companies want compliance as fast and cheaply as possible to close enterprise deals
- Platforms compete on speed and price, creating pressure to lower the bar
- Auditors who are too thorough lose clients to auditors who are more accommodating
- Enterprise buyers rarely read SOC 2 reports in detail — they check the box that one exists
Delve took this to an extreme by fabricating everything. But the incentive structure that allowed Delve to exist for years applies to the entire ecosystem. When the goal is "get the certificate" rather than "be secure," the certificate loses its meaning regardless of whether fraud is involved.
What the industry needs to change
Enterprise buyers need to actually read the reports
A SOC 2 report is not a pass/fail certificate. It is a detailed document describing what was tested, how it was tested, and what was found. If your vendor risk team accepts SOC 2 reports as a binary checkbox without reading the contents, you will accept fraudulent reports along with legitimate ones.
Auditor independence needs enforcement
The AICPA standards require auditor independence, but enforcement is largely self-policing. When a platform like Delve acts as an intermediary between the company and the auditor, provides pre-written audit conclusions, and selects auditors based on willingness to rubber-stamp, the independence requirement is rendered meaningless.
Penetration testing needs to be independently verified
A SOC 2 report that claims a penetration test was conducted should include enough detail to verify the claim — the testing firm, the scope, the methodology, and a summary of findings. Multiple Delve trust pages listed penetration tests that never occurred.
The "compliance in days" claim should be a disqualifier
SOC 2 Type II requires a minimum observation period during which controls must be operating. Any platform claiming to deliver Type II compliance in days is either lying about the timeline or skipping the observation period. Neither is acceptable.
What this means for your organization
If you are pursuing SOC 2 or ISO 27001 compliance, use the Delve scandal as a catalyst to do it genuinely:
- Use compliance automation for what it is good at — evidence collection, monitoring, and workflow — but do not confuse the tool with the outcome
- Invest in actual security work — penetration testing, code reviews, threat modeling, and incident response exercises
- Choose your auditor carefully — verify their credentials independently, talk to them directly, and choose firms with genuine reputations
- Build a security program, not just a compliance program — the best compliance outcome is a natural byproduct of actually being secure
Compliance frameworks exist to create a baseline of security practices. When the process of achieving compliance becomes disconnected from the practice of being secure, the framework fails. Delve proved how far that disconnect can go. The question for every organization now is: where are you on that spectrum?
Security first, compliance follows
We help organizations build genuine security programs that make compliance a natural outcome. Penetration testing, security assessments, and compliance support from real security engineers.