Comments (68)
- preinheimer
Looking at our SOC 2 report (we don't use Delve, our auditor isn't on their list) I don't think this is quite the smoking gun it might look like if you're not reading SOC 2 reports for a living.

There's a fair amount of boilerplate language in these reports, and a bunch of re-stating the SOC 2 controls. I'd expect two reports (same auditors, same platforms) to be nearly identical. If they're both using AWS, Github, Stripe, Vetty, they're subbing a lot of the exact same thing out to the same companies, referencing the same set of internal controls.

Reading ours: there's a section titled $Company's Controls, followed by 20 pages listing the various SOC 2 controls, e.g.

---
CC9.0 Common Criteria Related to Risk Mitigation
CC9.1 The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.
IR-01 A Security Incident Response Plan that outlines the process of identifying, prioritizing, communicating, assigning, and tracking confirmed incidents through to resolution is accessible to all relevant employees and contractors and is reviewed annually.
---

Then there's another 20 pages of those same controls being listed, some language about how they tested the controls, and hopefully "No Exceptions Noted". That's not going to change much between companies.
- jdns
> "We may receive compensation from vendors listed below. All recommendations are based on independent research."

This + a new HN account? Couldn't be more obviously a competitor. Not to defend Delve, but you can't push this like some noble effort with the goal of transparency.

Also lol @ the fake realtime "just searched for" toasts on a setInterval in the bottom left.
- mesmertech
"
  // the three arrays the site combines into its "just searched for" toasts
  let r = ["Acme Corp", "CloudVault", "DataSync Pro", "NexGen AI", "SecureStack", "TrustLayer", "Vanta", "ComplianceIQ", "InfraSec", "ByteShield", "PipelineOps", "CyberNova", "TokenGuard", "ZeroTrust Labs", "Aether Security", "PrismData", "CloudArmor", "RiskLens", "AuditTrail", "ShieldIO"],
      n = ["just checked", "searched for", "ran a scan on", "verified"],
      a = ["San Francisco, CA", "New York, NY", "Austin, TX", "London, UK", "Berlin, DE", "Toronto, CA", "Seattle, WA", "Chicago, IL", "Denver, CO", "Boston, MA", "Singapore", "Sydney, AU"];
"

Fake popups, xyz domain, recent zeitgeist, 100% straight vibecoded. Good hustle I have to say. A domain that'll now get ranked on Google for SOC 2 compliance, which likely has a high CPC and good DR to piggyback off.
- mikert89
Just know that a lot of startups with all-star founders are closer to Delve than not.

It's mostly marketing: "look at this MIT genius that noticed something about legacy xyz industry that no one else did."

Truth is, venture funds are allocating a limited pie of what is really society's capital to people that don't deserve it.
- tptacekThe damage this will do to the reputation of the SOC2 Security Attestation is incalculable.
- fadijob
We analyzed the leaked Delve audit reports and found some wild patterns:

- The same auditor license number (PAC-FIRM-LIC-47383) appears in 487 out of 494 reports
- Every Type II report has identical page numbers: Section 4 at page 30, tests at page 59, Section 5 at page 82
- 220+ "No exceptions noted" per report, across every single client
- The system descriptions were copy-pasted from each company's marketing websites

We built tools to check this data:

- Search by company name to see if they're in the leaked database
- Paste any SOC 2 report text to scan for 10 template fingerprints
- A swipe game where you try to tell real audit excerpts from the fakes (harder than you'd think)

455 companies indexed, all free, no signup needed.

I'm also curious what the HN community thinks about the fingerprint detection approach; are there patterns we're missing?
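The fingerprint approach in the comment above, as an added example that is not part of the thread and not the poster's tool: it scans a corpus of report texts for three of the cross-client signals described (one auditor licence number recurring in most reports, identical section page offsets, and a blanket count of "No exceptions noted"). The regexes for the licence and section lines, the 75% corpus threshold, the 50-finding cutoff, the licence numbers and the report texts are all constructed assumptions for this example; real reports are PDFs with varied wording, so the extraction step is the part you would tune.

```python
"""Template-fingerprint scan over a corpus of SOC 2 report texts (added example)."""
import re
from collections import Counter

# Assumed field formats (constructed for this example; real reports vary).
LICENSE_RE = re.compile(
    r"licen[cs]e(?:\s*(?:no\.?|number|#))?\s*:?\s*([A-Z]{2,}(?:-[A-Z]+)*-\d{4,})", re.I
)
SECTION_RE = re.compile(r"Section\s+(\d+)\b[^\n]*?\bpage\s+(\d+)", re.I)
NO_EXC_RE = re.compile(r"no exceptions noted", re.I)


def extract_fingerprint(text: str) -> dict:
    """Pull the three comparable features out of one report's text."""
    return {
        "license": tuple(sorted({m.upper() for m in LICENSE_RE.findall(text)})),
        "layout": tuple(sorted((int(s), int(p)) for s, p in SECTION_RE.findall(text))),
        "no_exceptions": len(NO_EXC_RE.findall(text)),
    }


def shared_fingerprints(reports: dict, threshold: float = 0.75) -> dict:
    """Features whose value is identical in at least `threshold` of the corpus.

    A licence number or page layout that repeats across (nearly) every client
    is a corpus-level signal; no single report can show it on its own.
    """
    fps = {name: extract_fingerprint(text) for name, text in reports.items()}
    total = len(fps)
    shared = {}
    for feature in ("license", "layout"):
        counts = Counter(fp[feature] for fp in fps.values() if fp[feature])
        if not counts:
            continue
        value, count = counts.most_common(1)[0]
        if count / total >= threshold:
            shared[feature] = {"value": value, "count": count, "total": total}
    return shared


def scan_report(text: str, shared: dict, no_exceptions_threshold: int = 50) -> list:
    """Return the names of the fingerprints that fire for one report."""
    fp = extract_fingerprint(text)
    hits = []
    if "license" in shared and fp["license"] == shared["license"]["value"]:
        hits.append("shared_license")
    if "layout" in shared and fp["layout"] == shared["layout"]["value"]:
        hits.append("shared_layout")
    if fp["no_exceptions"] >= no_exceptions_threshold:  # assumed cutoff
        hits.append("blanket_no_exceptions")
    return hits


def make_report(company, license_no, s4_page, s5_page, n_controls):
    """Constructed toy report text; not real audit language."""
    lines = [
        f"Independent Service Auditor's Report for {company}",
        f"Auditor licence no: {license_no}",
        f"Section 4 (description of the system) begins on page {s4_page}",
        f"Section 5 (other information) begins on page {s5_page}",
    ]
    lines += [f"CC{i}.1 control tested. No exceptions noted." for i in range(1, n_controls + 1)]
    return "\n".join(lines)


# Constructed corpus: four reports cut from one template, one written bespoke.
SAMPLE_CORPUS = {
    "acme": make_report("Acme Corp", "LIC-FIRM-00001", 30, 82, 60),
    "vaultco": make_report("VaultCo", "LIC-FIRM-00001", 30, 82, 60),
    "syncpro": make_report("SyncPro", "LIC-FIRM-00001", 30, 82, 60),
    "nexgen": make_report("NexGen", "LIC-FIRM-00001", 30, 82, 60),
    "bespoke": make_report("Bespoke Ltd", "LIC-FIRM-00002", 27, 79, 8),
}

if __name__ == "__main__":
    shared = shared_fingerprints(SAMPLE_CORPUS)
    for name, text in SAMPLE_CORPUS.items():
        print(name, scan_report(text, shared))
```

The corpus pass has to run before the per-report scan: a licence number is only suspicious relative to how often it appears elsewhere, which is why the tool needs the leaked set rather than one uploaded PDF. The "No exceptions noted" count is the one signal a single report carries on its own, and it is also the weakest, since a clean report from a small SaaS can legitimately say it many times.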
- ppqqrrwhat do you expect? if you’re “automating” an audit, it already means you don’t care. the LLM is there to blur the calculus of responsibility, take the blame if someone cares enough to look. happy customers, until someone “delves” a little too deep (like you did) and ruins the slumber party.
- BarbingThanks for compiling this. Will get used to every sufficiently-interesting data dump being beautifully analyzed shortly after release.
- hobofanDelve's response blog post from two days ago: https://delve.co/blog/response-to-misleading-claims
- mkl95I've worked with SOC2-certified companies where employees would email each other plaintext credentials, publish them in Notion pages, etc. You cannot cure stupidity by "complying".
- adriandIs SOC 2 legit? I have this on my roadmap but now I’m wondering if it’s just security theatre?
- bearjaws
SOC2 has been in trouble for a while now. Completely gamified. I was managing an acquisition of a healthtech company and asked if they did an internal risk assessment as part of their audit. Nope.

SOC2 certified, and has never actually put to paper "here's what we know we're doing wrong, here is how we plan to remediate it."
- bunbun69I don’t mind AI. I mind slop. This website is slop. There is so much wrong
- brcmthrowaway
What is SOC2? I studied hardware electronics engineering.
- charcircuit
> The Biggest Compliance Fraud in SOC 2 History

How is it bigger than the auditors that Delve was using? Surely Delve wasn't their only client. Delve is just a drop in the bucket.
- nirushivThis has to result in jail time for multiple people… right?