On March 19, 2026, an investigative report revealed that Delve, a Y Combinator-backed compliance automation startup valued at $300 million, had been generating fabricated SOC 2 audit reports for over 400 companies. The leaked reports were 99.8% identical to one another, contained pre-written audit conclusions, and were issued through auditors traced to Indian certification mills operating through US shell structures.
This is not a case of cutting corners. This is compliance fraud at industrial scale, and it has implications for every company that relied on a Delve-issued SOC 2 report, every enterprise buyer that accepted one, and every vendor in the downstream supply chain.
What happened
Delve was founded in 2023 by MIT dropouts Karun Kaushik and Selin Kocalar. The company marketed itself as delivering compliance certifications "in days" through "agentic AI" and raised $32 million in Series A funding at a $300 million valuation led by Insight Partners in July 2025.
In December 2025, a publicly accessible Google Spreadsheet was discovered containing links to hundreds of confidential audit reports. An employee had shared the spreadsheet in Slack with "anyone with the link" permissions. The spreadsheet was indexed by search engines and archived online before Delve could remove it.
The leaked folder contained 575 files: 494 SOC 2 reports and 81 ISO 27001 documents. Analysis of these documents revealed systemic fabrication.
The mechanics of the fraud
Pre-written audit conclusions
Delve generated complete SOC 2 audit reports, including the Independent Service Auditor's Report (Section 1) and all test procedures and conclusions (Section 4), before clients had provided their company description, network diagrams, or signatures. The auditor's conclusion existed before the auditor had anything to audit.
Template reports at scale
Analysis of the leaked documents revealed 99.8% identical language across the 494 SOC 2 reports. The same grammatical errors appeared verbatim in nearly all of them. Every client received the same security program description and the same infrastructure description, regardless of size, industry, or actual architecture.
All 259 Type II reports claimed zero security incidents, zero cyber incidents, and zero personnel changes during their observation periods. A Type II report covers a period of months, over which at least some of 259 unrelated organizations would be expected to record a hire, a departure, or an incident; uniform zero counts across that population are statistically implausible and are a signal of templating rather than of good control.
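The template signals described above (near-verbatim text, shared typos, uniform clean-period claims) can be screened mechanically before a report is accepted in vendor review. The Python below is an added example written for this article; it is not analysis code from the investigation or from any auditor or platform named in it. The four report excerpts are constructed, and the 0.9 similarity threshold and the clean-period phrases are assumptions.

```python
"""Screen a batch of SOC 2 report texts for template signatures.

Added example, not code from the original article or from any party named
in it. The report excerpts are constructed for illustration; the similarity
threshold and the clean-period phrases are assumptions.
"""
import re
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample excerpts: three reports stamped from one template (same
# misspelling "reveiwed", same observation-period claims) and one report
# written for a specific system that discloses real period activity.
_TEMPLATE = (
    "The service {org} maintains a comprehensive security program. "
    "Access is reveiwed quarterly by management. During the examination "
    "period there were no security incidents and no personnel changes."
)
REPORTS = {
    "vendor_a": _TEMPLATE.format(org="organization"),
    "vendor_b": _TEMPLATE.format(org="organization"),
    "vendor_c": _TEMPLATE.format(org="organisation"),  # one-letter variant
    "vendor_d": (
        "Acme Logistics operates a Kubernetes-based platform in AWS us-east-1. "
        "Access reviews are performed in Okta every 90 days; two terminations "
        "were processed during the period. One phishing incident was recorded "
        "and remediated within 48 hours."
    ),
}


def similarity(a: str, b: str) -> float:
    """Character-level similarity in [0, 1]; 1.0 means verbatim identical.
    autojunk=False keeps the result deterministic for texts over 200 chars."""
    return SequenceMatcher(None, a, b, autojunk=False).ratio()


def pairwise_similarity(reports: dict) -> dict:
    """Similarity score for every unordered pair of report names."""
    return {(x, y): similarity(reports[x], reports[y])
            for x, y in combinations(sorted(reports), 2)}


def template_clusters(reports: dict, threshold: float = 0.9) -> list:
    """Group reports that are at least `threshold` similar to another report
    in the group (transitively, via union-find). Returns groups of size >= 2."""
    parent = {name: name for name in reports}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]  # path compression
            n = parent[n]
        return n

    for (x, y), score in pairwise_similarity(reports).items():
        if score >= threshold:
            parent[find(x)] = find(y)
    groups = {}
    for name in reports:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def sentences(text: str) -> set:
    return {s.strip() for s in re.split(r"(?<=[.!?])\s+", text) if s.strip()}


def boilerplate_sentences(reports: dict, min_reports: int = 3) -> dict:
    """Sentences appearing verbatim in at least `min_reports` distinct reports.
    Shared errors (the same misspelling in every report) surface here."""
    counts = {}
    for text in reports.values():
        for s in sentences(text):  # a set, so each report counts once
            counts[s] = counts.get(s, 0) + 1
    return {s: n for s, n in counts.items() if n >= min_reports}


# Assumed phrasing of a "clean" observation period; tune to the reports in hand.
CLEAN_PERIOD = re.compile(
    r"\bno (?:security|cyber) incidents\b.*\bno personnel changes\b", re.I | re.S)


def clean_period_claims(reports: dict) -> list:
    """Names of reports asserting both zero incidents and zero personnel
    changes. Near-universal agreement across unrelated organizations is a
    red flag, not a finding of good control."""
    return sorted(n for n, t in reports.items() if CLEAN_PERIOD.search(t))


def screen(reports: dict, threshold: float = 0.9) -> dict:
    """Summary a vendor-risk reviewer can act on."""
    clean = clean_period_claims(reports)
    return {
        "clusters": template_clusters(reports, threshold),
        "boilerplate": boilerplate_sentences(reports),
        "clean_period": clean,
        "clean_period_share": len(clean) / len(reports),
    }


if __name__ == "__main__":
    result = screen(REPORTS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it on a folder of extracted report text instead of the constructed dict: one template cluster holding most of the batch, the same misspelled sentence in every member, and a clean-period share near 1.0 is the pattern the article describes, and any one of those three is grounds to ask the vendor for the underlying evidence rather than the report.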
Fabricated evidence
The platform offered clients one-click adoption of pre-fabricated evidence including:
- Board meeting minutes for meetings that never occurred
- Identical risk assessments across all clients
- Fabricated device security evidence for employees who never completed onboarding
- Security incident documentation marked "completed" without actual incidents
- Trust pages displaying 100% completion and listing penetration tests never conducted
Certification mill auditors
The investigation identified Delve's primary audit partners as Indian certification mills operating through US shell structures:
- Accorp, named on 99%+ of the leaked reports, was traced to Indian operations using virtual US and UAE office addresses
- Gradient Certification was registered in Wyoming through a mailbox agent, with its president listed at the same Delhi address as the Indian entity
- Glocert filed dormant accounts with UK Companies House for four consecutive years reporting zero revenue
For a handful of marquee clients like Lovable and Bland, Delve used more reputable auditors such as Prescient Assurance and Aprio, and compliance for those clients was conducted mostly off-platform using expensive external vCISOs.
Who was affected
The leaked reports identified over 400 companies, including some processing Protected Health Information for millions of US citizens and some serving national defense interests. Notable affected companies include:
- Lovable (AI app builder, 412K+ LinkedIn followers)
- Duos Edge AI (NASDAQ-traded, ticker DUOT)
- Bland (AI phone calls)
- Sully (healthcare AI)
- Levels.fyi
- HockeyStack
- Browser Use
Delve's own marketing claimed 1,700+ customers by early 2026, suggesting the leaked 494 reports may represent only a fraction of the total.
The industry response
Lovable publicly stated they are not a Delve customer, having proactively moved to Vanta in late 2025. Their SOC 2 Type II was independently audited by Prescient Security.
Prescient Security stated they formally disengaged from Delve in September 2025 and audited their Delve-associated clients independently using standard audit methodologies.
Delve published a response titled "Response to Misleading Claims" arguing they are merely an automation platform and that customers are responsible for reviewing and finalizing their own materials. CEO Karun Kaushik initially dismissed the investigation as "an AI-generated email" with "falsified claims."
The deeper problem: Multiple industry commentators noted that the Delve scandal is an extreme manifestation of existing problems in the SOC 2 ecosystem, not an isolated anomaly. As one Hacker News commenter put it: "80% of compliance has always been a performative box checking exercise. Delve just delivered the product that every company wanted: make the box checking faster."
Legal exposure for affected companies
Companies that relied on Delve-issued reports face significant legal and regulatory risk:
- HIPAA: There is no HIPAA certification, and a SOC 2 report does not substitute for the risk analysis and safeguards the Security Rule requires. Covered entities and business associates whose only evidence of those safeguards is a fabricated attestation are exposed to the willful-neglect civil penalty tier, and knowingly obtaining or disclosing PHI in violation of the rules carries separate criminal penalties, including imprisonment.
- GDPR: Administrative fines reach 4% of global annual turnover or 20 million euros, whichever is higher, for the most serious infringements; breaches of the Article 32 security obligation sit in the lower tier of 2% or 10 million euros. In either case a fabricated attestation is not evidence of the "appropriate technical and organisational measures" the Regulation requires.
- AICPA: SOC 2 examinations are performed under the attestation standards (AT-C Section 105, concepts common to all attestation engagements, including the independence requirement, and AT-C Section 205, assertion-based examination engagements), which require an independent practitioner to obtain sufficient appropriate evidence before expressing an opinion. An opinion drafted before any evidence existed, issued through a firm that is not independent, is not an attestation in the AICPA's sense, so every such report is potentially invalidated.
- Vendor risk: Any organization that accepted a Delve client's SOC 2 report as part of vendor risk assessment now has an unverified dependency in their own compliance chain.
The cascading trust problem
The SOC 2 ecosystem relies on downstream trust. Enterprise buyers accept vendor SOC 2 reports as proof of security controls. If those reports are fabricated, every company in the supply chain that relied on them has a gap in their own risk assessment, creating a domino effect of unverified compliance claims.
This is not theoretical. If your organization accepted a SOC 2 report from any of the 400+ affected companies during vendor onboarding, your own compliance posture now has an unverified dependency. Re-perform the review against direct evidence (access review exports, the penetration test report itself, incident records) rather than accept a replacement report, and your auditor may need to be notified.
What this means going forward
The Delve scandal exposes structural weaknesses in the self-policing attestation model where companies select their own assessors. It raises fundamental questions about whether the current SOC 2 framework can resist a "race to the bottom on price and speed" when venture-backed startups are incentivized to move as fast as possible.
For companies currently pursuing or maintaining SOC 2 compliance, the takeaway is clear: there are no shortcuts to genuine security. A compliance report is only as trustworthy as the process behind it. If your compliance vendor promises SOC 2 "in days," you should ask what is being skipped.
Need a legitimate compliance assessment?
We provide genuine penetration testing and compliance support with real security engineers, not AI-generated templates. Every engagement is scoped, tested, and reported by humans.