If your company obtained a SOC 2 report through the Delve compliance platform (SOC 2 is an attestation report, not a certification, which matters later), and your auditor was Prescient Security (also known as Prescient Assurance), you are likely asking yourself a very uncomfortable question right now: is my SOC 2 report legitimate?
The answer depends on when and how your audit was conducted. Here is what we know, what you need to verify, and what your next steps should be.
The Prescient-Delve relationship
Prescient Security was one of several audit firms that worked with Delve clients. Unlike the bulk auditors (Accorp, Gradient, Glocert) used for the majority of Delve's 400+ clients, Prescient was typically reserved for Delve's higher-profile clients — the ones whose names would appear on the marketing page.
On March 20, 2026, Prescient Security publicly stated:
"We formally disengaged from Delve in September 2025. Importantly, we audited our Delve-associated clients independently and in accordance with the standard audit methodologies. We stand firmly behind the integrity, independence, and rigor of our audit processes."
This statement raises important questions. If Prescient disengaged in September 2025, what prompted that decision? Were there concerns about Delve's practices before the December 2025 leak? And critically, what does "independently" mean in the context of a platform that was generating pre-written audit conclusions?
Questions you need to answer right now
1. Was your audit conducted before or after September 2025?
Prescient says they disengaged from Delve in September 2025. Check the examination period and the report date printed in the report itself, not the date you received it. If the fieldwork was completed before September 2025, the engagement may have involved Delve's platform infrastructure, meaning your audit evidence, control descriptions, and potentially even test procedures may have been generated or influenced by Delve's templates.
2. What evidence was actually tested?
The Delve platform offered one-click adoption of pre-fabricated evidence including board meeting minutes, risk assessments, and device security documentation. Ask Prescient directly: did they test your actual controls, or did they test evidence that Delve's platform generated?
3. Is your report template-based or custom?
Compare your SOC 2 report against the leaked Delve template reports, paying particular attention to the system description and the control descriptions, since that is where the boilerplate lives. The leaked documents showed 99.8% identical language across 494 reports. If your report contains the same boilerplate descriptions of your security program, infrastructure, and controls, that is a red flag regardless of who signed it.
4. Were penetration tests actually conducted?
Multiple Delve trust pages listed penetration tests and data recovery simulations that were never performed. If your SOC 2 report or trust page references security testing, verify that the testing actually occurred and that you have the deliverables to prove it.
5. Did your controls actually exist during the observation period?
This is the hardest question. Delve's platform allowed companies to mark controls as "complete" with pre-fabricated evidence. If your team adopted Delve's templates without actually implementing the underlying controls, your SOC 2 report describes a security posture that does not exist.
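One concrete way to run the comparison that question 3 asks for, as an added example that is not part of the original article and not code from Delve, Prescient or any tool named on this page: mask organisation names, then measure how much of a report's narrative survives verbatim from a known template. The sample template and report texts, the 0.5 thresholds and the choice of five-word shingles are all assumptions for illustration; the 99.8% figure above came from comparing the leaked reports themselves, and this script does not reproduce that methodology.

```python
"""Boilerplate check for SOC 2 narrative text.

Added example (not from the original article or from any vendor): masks organisation
names, then measures how much of a report's narrative is reused verbatim from a
known template. All sample texts and thresholds below are constructed assumptions.
"""
import re
from difflib import SequenceMatcher

PLACEHOLDER = "company"


def mask_names(text: str, names) -> str:
    """Replace each listed organisation name with a placeholder, so a template that
    was only find-and-replaced still compares as identical to its source."""
    for name in sorted(names, key=len, reverse=True):
        text = re.sub(re.escape(name), PLACEHOLDER, text, flags=re.IGNORECASE)
    return text


def normalize(text: str) -> str:
    """Lower-case, drop punctuation and collapse whitespace (PDF and Word exports differ here)."""
    text = re.sub(r"[^a-z0-9\s]", " ", text.lower())
    return re.sub(r"\s+", " ", text).strip()


def split_sentences(text: str):
    return [p.strip() for p in re.split(r"(?<=[.!?])\s+", text) if p.strip()]


def word_shingles(text: str, n: int = 5):
    """Set of overlapping n-word windows; shared windows indicate copied phrasing."""
    words = normalize(text).split()
    return {tuple(words[i:i + n]) for i in range(len(words) - n + 1)}


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0


def boilerplate_score(report: str, template: str, names=(), n: int = 5) -> dict:
    """Three views of reuse: fraction of report sentences found verbatim in the
    template, n-gram Jaccard similarity, and a character-level sequence ratio."""
    rep, tpl = mask_names(report, names), mask_names(template, names)
    tpl_sentences = {normalize(s) for s in split_sentences(tpl)}
    rep_sentences = [normalize(s) for s in split_sentences(rep)]
    verbatim = sum(1 for s in rep_sentences if s in tpl_sentences)
    return {
        "verbatim_sentence_ratio": verbatim / len(rep_sentences) if rep_sentences else 0.0,
        "shingle_jaccard": jaccard(word_shingles(rep, n), word_shingles(tpl, n)),
        "sequence_ratio": SequenceMatcher(
            None, normalize(rep), normalize(tpl), autojunk=False
        ).ratio(),
    }


def verdict(scores: dict, threshold: float = 0.5) -> str:
    """Assumed thresholds: half the sentences or half the phrasing shared is a red flag."""
    if scores["verbatim_sentence_ratio"] >= threshold or scores["shingle_jaccard"] >= threshold:
        return "template-derived"
    return "custom"


# Constructed sample texts (not real report content).
TEMPLATE = (
    "Acme Corp maintains a formal information security program overseen by management. "
    "Access to production systems is restricted to authorized personnel and reviewed quarterly. "
    "Acme Corp performs an annual penetration test of its external attack surface. "
    "Vulnerabilities are remediated within defined SLAs based on severity. "
    "Board meeting minutes document management oversight of security risk."
)
# A "report" produced by find-and-replace on the template.
SUSPECT = TEMPLATE.replace("Acme Corp", "Globex Inc")
# A narrative written about a specific environment.
CUSTOM = (
    "Globex Inc runs its payment API on three Kubernetes clusters in eu-west-1. "
    "Production access requires hardware-key SSO through Okta, and each grant is approved "
    "in Jira by the service owner. Exposed endpoints were tested by an external firm in "
    "February; the report lists two medium findings, both closed in March. Engineering "
    "reviews the access list monthly using a script that diffs IAM group membership "
    "against the HR roster."
)
NAMES = ("Acme Corp", "Globex Inc")

if __name__ == "__main__":
    for label, text in (("suspect", SUSPECT), ("custom", CUSTOM)):
        s = boilerplate_score(text, TEMPLATE, NAMES)
        print(label, verdict(s), {k: round(v, 3) for k, v in s.items()})
```

Run it against the system description and each control description separately rather than the whole PDF, because a report that pairs a genuine system description with template control narratives will dilute a whole-document score. If you have several suspected template sources, compare against each and keep the highest score.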
The accreditation question
Hacker News commenters raised concerns about Prescient's own accreditation. Prescient Security is accredited by IAS (International Accreditation Service). Some industry observers have argued that IAS is not considered a top-tier accreditation body compared to UKAS (UK), ANAB (US, the ANSI National Accreditation Board), or other government-recognized bodies.
This does not by itself mean Prescient's audits are invalid, but when evaluating the strength of your SOC 2 report, understanding the accreditation chain matters. A SOC 2 examination is an attestation engagement governed by AICPA standards, so the relevant question for SOC 2 is whether the firm is a licensed CPA firm subject to AICPA peer review, not its ISO accreditation status. For ISO 27001 certifications, by contrast, the accreditation body standing behind the certification body matters significantly.
Key check: If you hold an ISO 27001 certificate issued through Prescient, verify that the accreditation body behind it is a signatory to the IAF MLA (the International Accreditation Forum's Multilateral Recognition Arrangement). You can search certification bodies at iafcertsearch.org/search/certification-bodies.
What to do now: a 7-step action plan
Step 1: Contact Prescient directly
Request written confirmation of the methodology used for your specific engagement. Ask whether any part of the audit relied on Delve's platform, templates, or pre-generated evidence. Get this in writing.
Step 2: Conduct an independent gap assessment
Engage a separate security firm to perform a SOC 2 readiness assessment against your actual environment. This will identify gaps between what your report describes and what your controls actually look like today.
Step 3: Review your evidence
Go through every piece of evidence referenced in your SOC 2 report. Did those board meetings happen? Were those access reviews conducted? Do those policies exist and are employees aware of them? If you adopted Delve's one-click templates, the answer to some of these may be no.
Step 4: Assess your penetration testing
If your report references penetration testing, confirm you have an actual pentest report from a qualified firm. If you do not, schedule a genuine penetration test immediately. This is typically the first thing enterprise buyers verify.
Step 5: Consult legal counsel
If your SOC 2 report was shared with enterprise customers, partners, or used during sales processes, you may have contractual obligations to disclose that the report's integrity is in question. Companies processing healthcare data face additional HIPAA considerations.
Step 6: Notify downstream if required
If your enterprise customers accepted your SOC 2 report as part of their vendor risk assessment, and that report cannot be verified as legitimate, proactive disclosure is generally better than waiting for customers to discover the issue independently.
Step 7: Plan your legitimate re-certification
Whether your current report is compromised or not, use this as an opportunity to build genuine compliance. A legitimate SOC 2 takes weeks to months, not days, and a Type II report in particular requires controls to operate throughout an observation period of several months. That is the point: the observation period exists because real controls need to be operating over time.
The broader lesson
The Delve scandal is a reminder that compliance is not a product you buy — it is a discipline you practice. No platform can automate the actual work of securing your systems, training your people, and operating controls consistently over time.
Automation tools like Vanta, Drata, and Secureframe can make the administrative burden lighter. They can help you collect evidence, track control status, and manage the audit workflow. But they cannot replace the underlying security work. If you skipped the work and relied on Delve to paper over the gap, the gap is still there.
Need to verify your compliance posture?
We offer independent SOC 2 readiness assessments, penetration testing, and compliance gap analysis. Real testing by real security engineers.