Discussion
DeepDelver
moomoo11: I miss 2010s YC until like 2017 ish when crypto sort of just caused a massive decline across the board. I guess it is great if you're a grifter/scammer or looking to just sell off to a FANG.
srikar_alter: agreed
gsibble: How does this not reach the front page?
nedwin: It's on the front page for me?
fantasizr: there needs to be a fund with an ethos of "move slowly and do things accurately"
LambdaComplex: > No custom tailoring, no AI guidance, no real automation. Just pre-populated forms that required you to click “save”.
I hate that I've become this cynical, but it's gotten to the point where reading the "no x, no y, just z" construct makes me assume that writing is AI generated (and then I immediately stop caring about reading it)
gmerc: Well now we know how Cluely and friends can claim to be SOC2 compliant.
slackfan: It does, but it's also a takedown of a YC-backed company. Really great vetting there, guys.
stuckkeys: LOL - For a good minute the comments were not visible. Someone is playing RR.
rvz: Notice how none of Delve's affiliates on X are posting anything after that Substack post. Probably their lawyers told them not to say anything further. What does that tell you about the scam that was unveiled? Not good.
JimDabell: The only thing it tells us is that they have received competent legal advice. Any counsel is going to tell you to shut up regardless of whether you are in the right or wrong.
dang: We just found out about this story and the submissions of it. It looks like it didn't make the front page because it set off HN's voting ring detector. Mods didn't touch either thread except (1) we merged the duplicate discussions and (2) we rolled back the voting ring penalty so that the story would be on the frontpage. This is in keeping with the principle that we moderate stories less, not more, when YC or a YC startup is part of the story. That's been the case since the beginning, and I've posted about it dozens of times: https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu....
bigballsack: > we moderate stories less, not more, when YC or a YC startup is part of the story
Nobody believes that, HN does extensive damage control, banning, flagging with alt accounts, specific story suppression, propaganda, and outright censorship. This comment itself will be censored for countering your narrative not because it’s too toxic for the precious eyes of readers or violates any generally accepted ethics, but because censorship and propaganda are weapons of choice for an abusive unintelligent maniac like yourself.
DANmode: There are a few, roughly. Like the best options in most categories, they don’t spend a bunch of money or time on brand presence, advertising. You simply find them.
sunir: The fund is called customers. The independent regulator is called the AICPA. It really comes down to who is paying attention. SOC2 is as useful as a privacy policy at protecting your data. It’s all humans following human incentives.
biggletiddies: Cluely and HockeyStack are scam companies too. Cluely did the ChatGPT wrapper to cheat on interviews then sold the customer data to recruiters. The whole company promise is a scam, and useless since we have LLMs. HockeyStack held contests for people to win cars etc and never delivered. They also lied about having revenues and a product when they had nothing built. Along with Greptile they were doing 7-day weeks of unpaid labor from “trial periods”. Scams all around.
porridgeraisin: Wait what's the greptile story?
ohyoutravel: All this evidence seems pretty legit. I found this on LinkedIn and came here to post, but noticed it had already been posted. Surprised I didn’t see it on HN front page.
sebmellen: It is being suppressed by @dang, I believe they may have a policy that allows suppression for bad YC-related news.
tomhow: Moderators didn't see it, and our policy is 100% the opposite of this – see https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu... or, for more color, https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que.... We've restored it to the front page now.
sebmellen: Yes, but your team claimed this set off "voting ring" behavior [0] and it was suppressed for nearly a day because of that. I am very curious how you determine what is, or is not, "voting ring" behavior. I believe Dang is responding in another thread about that.
[0]: https://news.ycombinator.com/item?id=47457689
frenchie4111: wow you guys really delved into this
halamadrid: This was such an interesting read, but I found this link via LinkedIn rather than Hacker News. I would have expected this to be somewhere at the top right now given how deep the article digs and the evidence seems legit.
sebmellen: I think it may be getting (intentionally?) suppressed from the homepage. Given this is a YCombinator website, I wouldn't rule that out. Regardless, it's been an ongoing issue. I know a few involved companies — it takes basically 5 days to get a SOC 2 Type 2 report through Delve. And, of course, they market this way too: "SOC 2 in days". Unbelievable.
andrewflnr: I see the submission time as an hour ago, so it actually looks like it got a second-chanced, i.e. boosted by the site admins.
dang: That's correct - you can see from https://news.ycombinator.com/submitted?id=freddykruger that this post was actually submitted 23 hours ago. The timestamp at the top of the thread is relativized to fit the second-chance pool (https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...).
stringtoint: Love the depth of this post. We were actually looking at it as well recently (we're using Drata). I was thinking "Cool, this looks like the next cool step forward". The claims didn't sound out of the world in my ears. Every time an issue like this appears I wonder how many more undiscovered frauds are out there.
resiros: This seems like a hit job by a competitor. Really ruthless.
> Two months ago, an email went out to a few hundred Delve clients informing them that Delve had leaked their audit reports, alongside other confidential information, through a Google spreadsheet that was publicly accessible.
Who leaked the audit reports? Who sent this email? Who is taking the time to write this analysis and kill the company? In my opinion, the majority of the points in the article are no news. A compliance SaaS that offers templates for policies, all of them do. The AI is a chatbot, well who thought. I think the main point is the collusion between Delve and the auditors. Is the evidence for that clear?
emilycg: The key problem is the audits and the auditors. I have independently verified for our vendors that they have the same templated SOC2 as all of the leaked reports, which is concerning because that shows the auditors did not actually validate the controls. SOC2 is supposed to give you an INDEPENDENT evaluation of the compliance of a company: "are they doing what they say they are". If the SOC2 report is just a pre-populated template, it is meaningless. It doesn't really matter what the motivation of the "DeepDelver" is - this has implications across all companies that rely on these vendors that have been "assessed" by Delve.
ersshh: Forbes 30u30 pipeline remains undefeated. How did none of this come up during diligence? Feels like a prime example of too good to be true.
latchkey: This is the next one... https://x.com/HotAisle/status/2035024494663016532
egorfine: Compliance is something that no one ever wants and everybody hates. Not a single founder wakes up in the morning thinking to themselves: "oh I wish I could make my company XYZ-123 compliant!" Thus providing compliance is really just paying someone to shift responsibility. The regulator can ask whether you are compliant. You can present a certificate from Delve or someone else and that's the end of it.
Duhck: When I worked in cybersecurity I had a similar realization. No one cared about security posture. They cared about insurance policies. People hired us to shift blame instead of improve security posture. This is not terribly different.
latchkey: I've been talking about this for a while now. For those of you thinking... Oh, I use a "good" company... think otherwise. https://x.com/HotAisle/status/1946302651383329081 The whole thing is a racket.
tfrancisl: Maybe no one wakes up wanting to deal with compliance, but if you found a company that has legal or moral obligations to be compliant with these standards, you sure have signed yourself up for it. Passing the responsibility off to some other company is, quite simply, irresponsible.
bjackman: One of my FAANG security projects incidentally helped with some compliance efforts (I made very sure it was incidental, constantly said things like "I am thrilled that I can help you guys achieve your goals but I wanna be clear that I don't give a shit about compliance and I won't be allowing it to influence the direction of my product" in meetings, it must have been extremely annoying to work with me). At some point I was asked to look over the documents for the compliance definition and it was really hilarious. I had to give my engineering perspective on which aspects of the requirements we were and weren't meeting. But they were stuff like "you must have logs". "You must authenticate users". "You must log failed authentication attempts". Did we fulfill these requirements? It's a meaningless question. Unless you were literally running an open door telnet service or something you could interpret the questions so as to support any answer you wanted to give. So I just had to be like "do you want me to say yes?" and they did, so I said yes. Nothing productive was ever achieved during that engagement.
Muromec: Not a single person wakes up in the morning thinking they wish to pay taxes and rent and do the laundry and the other stuff that has to be done. It would be nice to smoke weed and play video games all day and order the deliveries. Some things just have to be done.
Spivak: The value of SOC2 is that it does take some experience to be able to plausibly fake the evidence which weeds out people that truly have no idea what they're doing. It also provides a blueprint of the stuff you should be doing if you actually care. But beyond that it's not worth a whole lot.
fantasizr: yeah it's funny to see some defense of this practice as "well the whole thing is pointless anyway so nothing is lost by defrauding folks". Pretty hollow argument
egorfine: > Passing the responsibility off to some other company is, quite simply, irresponsible.
Then do not pass the responsibility. But here's the trick: the regulator would like to see an audit done by a firm and purchasing audit services is exactly that: passing responsibility. So legally you can't be compliant unless you passed responsibility.
tfrancisl: These compliance companies are not primarily tasked with auditing, as this article makes very clear. Delve is in control of the auditing process in a way that is inappropriate and unusual for this industry. The work that the company with these obligations should be doing themselves is generating the Section 3 description and the controls. The auditor then independently verifies their compliance with the controls. That's a clear delineation of responsibility, IMO.
hintymad: Question: how likely is it that a number of 20-year-olds have the passion of solving the problem of compliance auditing? I can hardly imagine that I'd even be interested in taking a look at the domain. It's just... so mundane. Or maybe the alpha-type overachievers don't care about the domain but the opportunity?
egorfine: > thinking they wish to pay taxes
Wellll, this is not always the case. I have moved from a shithole country to a nice one and oh boy I am crying in gratitude every month that I pay taxes. Because it is every day that I can see my money working for me in the environment. But your point stands.
Muromec: As a person who moved to a high-tax country I understand the sentiment. It's usually lost on the people who were always there paying those taxes. Somehow it often doesn't click that they get something in return. The same applies to all the audit and bureaucracy stuff. Does it do something? If you don't feel it does, does it mean it's not? I don't know really, but I hope somebody is rotating their key material as they provided in their security posture.
leeter: This is why I've said for years: If you want to drive best practices and policy with companies you can only do it with liability. Particularly non-insurable and non-tax-deductible liability. If a company can't offload civil or criminal penalties to their insurance company and take the tax write down, they suddenly start caring about it. That said, this should be used sparingly; as it embeds a behavior deep. If that behavior later no longer makes sense it can be extremely costly to change it later.