We indexed the Delve audit leak: 533 reports, 455 companies, 99.8% identical

fadijob 115 points 72 comments March 22, 2026
trustcompliance.xyz

Discussion Highlights (16 comments)

fadijob

We analyzed the leaked Delve audit reports and found some wild patterns:

- The same auditor license number (PAC-FIRM-LIC-47383) appears in 487 out of 494 reports
- Every Type II report has identical page numbers: Section 4 at page 30, tests at page 59, Section 5 at page 82
- 220+ "No exceptions noted" per report, across every single client
- The system descriptions were copy-pasted from each company's marketing website

We built tools to check this data:

- Search by company name to see if they're in the leaked database
- Paste any SOC 2 report text to scan for 10 template fingerprints
- A swipe game where you try to tell real audit excerpts from the fakes (harder than you'd think)

455 companies indexed, all free, no signup needed. I'm also curious what the HN community thinks about the fingerprint detection approach, are there patterns we're missing?
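As an added illustration of the fingerprint scan the post describes (this is not the trustcompliance.xyz tool's code), the script below checks extracted report text for the three indicators the post lists: the repeated auditor license number, the fixed page layout, and a high count of "No exceptions noted". The license-number regex, the table-of-contents layout it parses, the "Tests of Controls" heading name and the two sample reports are my assumptions and constructed input, not real audit documents.

```python
import re

# Indicators from the post: the repeated license number, the Type II page
# layout (Section 4 -> 30, tests -> 59, Section 5 -> 82) and 220+ "No
# exceptions noted". The regexes and the table-of-contents format are
# assumptions about how extracted report text looks.
KNOWN_LICENSE = "PAC-FIRM-LIC-47383"
LICENSE_RE = re.compile(r"\bPAC-FIRM-LIC-\d+\b")
TEMPLATE_PAGES = {"Section 4": 30, "Tests of Controls": 59, "Section 5": 82}
TOC_LINE_RE = re.compile(
    r"^\s*(Section \d+|Tests of Controls)\b.*?(\d+)\s*$", re.MULTILINE)
NO_EXCEPTIONS_RE = re.compile(r"no exceptions noted", re.IGNORECASE)
NO_EXCEPTIONS_THRESHOLD = 220  # per-report count the post reports


def find_license_numbers(text):
    """All auditor license numbers of the PAC-FIRM-LIC form in the text."""
    return sorted(set(LICENSE_RE.findall(text)))


def toc_pages(text):
    """Map the table-of-contents entries we care about to page numbers."""
    return {name: int(page) for name, page in TOC_LINE_RE.findall(text)}


def count_no_exceptions(text):
    """Number of 'No exceptions noted' results in the report."""
    return len(NO_EXCEPTIONS_RE.findall(text))


def fingerprint(text):
    """Return which template indicators a report matches and a simple score."""
    pages = toc_pages(text)
    licenses = find_license_numbers(text)
    matched_pages = [s for s, p in TEMPLATE_PAGES.items() if pages.get(s) == p]
    result = {
        "license_numbers": licenses,
        "known_license": KNOWN_LICENSE in licenses,
        "template_pages": matched_pages,
        "no_exceptions_count": count_no_exceptions(text),
    }
    result["indicators_hit"] = (
        int(result["known_license"])
        + int(len(matched_pages) == len(TEMPLATE_PAGES))
        + int(result["no_exceptions_count"] >= NO_EXCEPTIONS_THRESHOLD)
    )
    return result


def make_sample(license_no, pages, test_rows):
    """Constructed report text for the demo; not a real audit document."""
    toc = "\n".join(f"{name} ......... {page}" for name, page in pages.items())
    rows = "\n".join(
        f"CC{i // 10 + 1}.{i % 10 + 1} Control tested. No exceptions noted."
        for i in range(test_rows))
    return (f"Independent Service Auditor's Report\nLicense {license_no}\n\n"
            f"{toc}\n\n{rows}\n")


# One report that matches every indicator, one that matches none.
TEMPLATE_LIKE = make_sample(KNOWN_LICENSE, TEMPLATE_PAGES, 230)
ATYPICAL = make_sample(
    "PAC-FIRM-LIC-00001",
    {"Section 4": 18, "Tests of Controls": 41, "Section 5": 66}, 40)

if __name__ == "__main__":
    for label, report in (("template-like", TEMPLATE_LIKE), ("atypical", ATYPICAL)):
        print(label, fingerprint(report))
```

The score is deliberately a count of independent indicators rather than a weighted model: a single matching page layout can be a shared template from a legitimate audit firm, while all three together is what the post treats as the template signature.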

mikert89

Just know that a lot of startups with all-star founders are closer to Delve than not. It's mostly marketing: "look at this MIT genius that noticed something about legacy xyz industry that no one else did." Truth is, venture funds are allocating a limited pie of what is really society's capital to people that don't deserve it.

Barbing

Thanks for compiling this. Will get used to every sufficiently-interesting data dump being beautifully analyzed shortly after release.

tptacek

The damage this will do to the reputation of the SOC2 Security Attestation is incalculable.

nirushiv

This has to result in jail time for multiple people… right?

ppqqrr

what do you expect? if you’re “automating” an audit, it already means you don’t care. the LLM is there to blur the calculus of responsibility, take the blame if someone cares enough to look. happy customers, until someone “delves” a little too deep (like you did) and ruins the slumber party.

adriand

Is SOC 2 legit? I have this on my roadmap but now I’m wondering if it’s just security theatre?

jdns

> "We may receive compensation from vendors listed below. All recommendations are based on independent research."

this + new HN account? couldn't be more obviously a competitor. not to defend delve, but can't be pushing this like some noble effort with the goal of transparency. also lol @ the fake realtime "just searched for" toasts on a setInterval in the bottom left.

charcircuit

> The Biggest Compliance Fraud in SOC 2 History

How is it bigger than the auditors that Delve was using? Surely Delve wasn't their only client. Delve is just a drop in the bucket.

preinheimer

Looking at our SOC 2 report (we don't use Delve, our auditor isn't on their list), I don't think this is quite the smoking gun it might look like if you're not reading SOC 2 reports for a living. There's a fair amount of boilerplate language in these reports, and a bunch of re-stating the SOC 2 controls. I'd expect two reports (same auditors, same platforms) to be nearly identical. If they're both using AWS, GitHub, Stripe, Vetty, they're subbing a lot of the exact same thing out to the same companies, referencing the same set of internal controls.

Reading ours: there's a section titled $Company's Controls, followed by 20 pages listing the various SOC 2 controls, e.g.

---
CC9.0 Common Criteria Related to Risk Mitigation

CC9.1 The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.

IR-01 A Security Incident Response Plan that outlines the process of identifying, prioritizing, communicating, assigning, and tracking confirmed incidents through to resolution is accessible to all relevant employees and contractors and is reviewed annually.
---

Then there's another 20 pages of those same controls being listed, some language about how they tested the controls, and hopefully "No Exceptions Noted". That's not going to change much between companies.
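The comment above makes a point that any fingerprinting needs to handle: the control catalog and test wording are expected to match across reports from the same auditor, so raw whole-document similarity will flag honest reports too. The added example below (mine, not code from the post's tool or from the commenter) compares two reports section by section with word-shingle Jaccard similarity and only flags sections that are not expected boilerplate, so a near-identical "System Description" stands out while identical "Controls" text does not. The section headings, the similarity threshold and the three sample reports are constructed assumptions; the control wording in CONTROLS is the commenter's own excerpt.

```python
import re

# Section headings are assumed; real reports vary in layout. The control
# listing and test wording are expected to repeat across clients of one
# auditor, so only the company-specific sections are judged.
HEADING_RE = re.compile(
    r"^(System Description|Controls|Tests of Controls)\s*$", re.MULTILINE)
EXPECTED_BOILERPLATE = {"Controls", "Tests of Controls"}


def split_sections(text):
    """Map each known heading to the body text that follows it."""
    parts = HEADING_RE.split(text)  # [preamble, heading, body, heading, body, ...]
    return {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}


def shingles(text, k=5):
    """Set of k-word windows, lowercased; near-copies share most of them."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(max(len(words) - k + 1, 0))}


def jaccard(a, b):
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def compare_reports(report_a, report_b, threshold=0.85):
    """Per-section similarity plus the non-boilerplate sections that exceed it."""
    sa, sb = split_sections(report_a), split_sections(report_b)
    scores = {name: jaccard(shingles(sa.get(name, "")), shingles(sb.get(name, "")))
              for name in sa.keys() | sb.keys()}
    suspicious = sorted(name for name, s in scores.items()
                        if s >= threshold and name not in EXPECTED_BOILERPLATE)
    return scores, suspicious


# Constructed sample reports. CONTROLS reuses the commenter's excerpt; the
# descriptions and test wording are invented for the demo.
CONTROLS = (
    "CC9.1 The entity identifies, selects, and develops risk mitigation "
    "activities for risks arising from potential business disruptions.\n"
    "IR-01 A Security Incident Response Plan that outlines the process of "
    "identifying, prioritizing, communicating, assigning, and tracking "
    "confirmed incidents through to resolution is accessible to all relevant "
    "employees and contractors and is reviewed annually.")
TESTS = ("Inspected the incident response plan and noted it was reviewed "
         "within the period. No exceptions noted.")
DESC_A = ("Acme Corp provides a hosted invoicing platform to small businesses "
          "in North America. The production environment runs on AWS in a single "
          "region and is managed by the infrastructure team. Source code is "
          "stored in GitHub, payments are processed by Stripe, and background "
          "checks for new hires are handled by Vetty. Customer data is "
          "encrypted at rest and in transit.")
DESC_B = ("Widget Labs operates a device telemetry service for industrial "
          "customers in Europe. Workloads run on Google Cloud across two "
          "regions and are operated by a platform group. Source code is stored "
          "in GitLab, billing is handled by an in-house system, and employee "
          "screening is performed by an external agency.")
DESC_C = DESC_A.replace("Acme Corp", "Globex Inc")  # description copied wholesale


def build_report(description):
    return (f"Independent Service Auditor's Report\n\nSystem Description\n"
            f"{description}\n\nControls\n{CONTROLS}\n\nTests of Controls\n{TESTS}\n")


REPORT_A, REPORT_B, REPORT_C = (build_report(d) for d in (DESC_A, DESC_B, DESC_C))

if __name__ == "__main__":
    print("A vs B:", compare_reports(REPORT_A, REPORT_B))
    print("A vs C:", compare_reports(REPORT_A, REPORT_C))
```

A vs B scores 1.0 on the shared control and test sections yet flags nothing, which is the commenter's point; A vs C flags only the description, which is the kind of cross-client copying the post describes.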

bearjaws

SOC2 has been in trouble for a while now. Completely gamified. I was managing an acquisition of a healthtech company and asked if they did an internal risk assessment as part of their audit. Nope. SOC2 certified, has never actually put to paper "here's what we know we're doing wrong, here is how we plan to remediate it."

brcmthrowaway

What is SOC2? I studied hardware electronics engineering.

mesmertech

    // name, verb and location pools for the "just searched for" toasts
    let r = ["Acme Corp", "CloudVault", "DataSync Pro", "NexGen AI", "SecureStack", "TrustLayer", "Vanta", "ComplianceIQ", "InfraSec", "ByteShield", "PipelineOps", "CyberNova", "TokenGuard", "ZeroTrust Labs", "Aether Security", "PrismData", "CloudArmor", "RiskLens", "AuditTrail", "ShieldIO"],
        n = ["just checked", "searched for", "ran a scan on", "verified"],
        a = ["San Francisco, CA", "New York, NY", "Austin, TX", "London, UK", "Berlin, DE", "Toronto, CA", "Seattle, WA", "Chicago, IL", "Denver, CO", "Boston, MA", "Singapore", "Sydney, AU"];

fake popups, xyz domain, recent zeitgeist, 100% straight vibecoded. good hustle I have to say. a domain that'll now get ranked on google for SOC 2 compliance which likely has a high CPC and good DR to piggyback off.

hobofan

Delve's response blog post from two days ago: https://delve.co/blog/response-to-misleading-claims

mkl95

I've worked with SOC2-certified companies where employees would email each other plaintext credentials, publish them in Notion pages, etc. You cannot cure stupidity by "complying".

bunbun69

I don’t mind AI. I mind slop. This website is slop. There is so much wrong
