[Figure: timeline graphic of the Delve compliance fraud scandal from founding through YC expulsion]

Case studies | April 9, 2026 | 3 min read

The Delve Scandal: How a $300M Compliance Startup Sold Fake SOC 2 Reports and Got Expelled from YC

Alex Rybalko, Co-Founder

Updated on April 9, 2026

TL;DR

Delve, a YC W24 compliance automation startup valued at $300 million after a $32M Series A, was expelled from Y Combinator on April 3, 2026 after an anonymous investigator revealed that nearly 500 of its SOC 2 reports were 99.8% identical boilerplate. A second investigation alleged that Delve's enterprise product was a stripped-attribution fork of a fellow YC company's open-source tool. The fallout raises hard questions about the compliance industry's trust model and whether "automation" can become a euphemism for fabrication.


The Rise

Two 21-year-old MIT dropouts, Karun Kaushik (CEO) and Selin Kocalar (COO), founded Delve in late 2023. The pitch was compelling: use AI to compress months-long compliance certification processes into days. SOC 2, HIPAA, ISO 27001, GDPR. Delve promised to automate the painful parts for $6,000 to $15,000, a fraction of traditional audit costs.

It worked, at least on paper. Delve entered Y Combinator's Winter 2024 batch, raised a $3.3 million seed round in January 2025, and by July 2025 had closed a $32 million Series A led by Insight Partners at a $300 million post-money valuation. The founders landed on Forbes 30 Under 30 in AI for 2026. Customer count reportedly grew from roughly 100 in early 2025 to over 1,500 by the time everything unraveled.

The growth trajectory looked like a YC success story. It wasn't.


The DeepDelver Investigation

On March 19, 2026, an anonymous Substack author writing under the handle "DeepDelver", claiming to be a former client employee, published the first of two posts that would unravel the company.

Part I: 493 Out of 494 Reports Were Identical

The first post landed with a simple but damning finding: a publicly accessible Google Spreadsheet containing what appeared to be Delve's confidential draft reports.

The analysis was systematic:

  • 493 out of 494 SOC 2 reports examined were 99.8% identical. Same boilerplate paragraphs, same grammatical errors, same conclusions. Only the company name and logo changed.
  • Of the 259 Type II reports, which are supposed to evaluate controls over an observation period, every single one claimed zero incidents, zero personnel changes, and zero terminations. Statistically, this is near-impossible across hundreds of different companies.
  • Evidence documents that should have been unique to each client (board minutes, risk assessments, training records) appeared to be auto-generated from templates.
  • Auditor conclusions appeared to be pre-written before any client evidence was submitted.
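The kind of near-duplicate check behind the first two findings above, as an added example that is not part of the original post or of DeepDelver's analysis: it masks the client name in each report excerpt, measures pairwise similarity across the batch, flags pairs that are essentially the same boilerplate, and lists the reports making the blanket "zero incidents, zero personnel changes, zero terminations" claim. The four report excerpts, the client names and the 0.98 similarity cut-off are constructed assumptions.

```python
"""Near-duplicate check over audit report excerpts (constructed samples, not Delve's)."""
import difflib
import itertools
import re

# Constructed sample: three excerpts differing only in client name, one with real content.
TEMPLATE = (
    "{name} maintains a formal information security program. During the "
    "observation period there were zero security incidents, zero personnel "
    "changes and zero terminations. Management of {name} reviewed all "
    "controls and concluded that they operated effectively."
)
REPORTS = {
    "AcmeCo": TEMPLATE.format(name="AcmeCo"),
    "Globex": TEMPLATE.format(name="Globex"),
    "Initech": TEMPLATE.format(name="Initech"),
    "Umbrella": (
        "Umbrella operates a security program overseen by its CISO. Two "
        "incidents were logged during the period, both remediated within "
        "SLA; four employees joined and one departed. Management reviewed "
        "the control set and noted one exception in change management."
    ),
}
ZERO_CLAIM = re.compile(r"zero (security incidents|personnel changes|terminations)")

def normalize(name: str, text: str) -> str:
    """Mask the client name and collapse whitespace so only the boilerplate remains."""
    masked = re.sub(re.escape(name), "<CLIENT>", text)
    return re.sub(r"\s+", " ", masked).strip().lower()

def pairwise_similarity(reports: dict) -> dict:
    """Map each (a, b) pair of report names to the similarity ratio of their masked texts."""
    norm = {n: normalize(n, t) for n, t in reports.items()}
    return {
        (a, b): difflib.SequenceMatcher(None, norm[a], norm[b], autojunk=False).ratio()
        for a, b in itertools.combinations(sorted(norm), 2)
    }

def flag_boilerplate(reports: dict, threshold: float = 0.98) -> list:
    """Pairs whose masked texts are at least `threshold` similar (assumed cut-off)."""
    return sorted(p for p, r in pairwise_similarity(reports).items() if r >= threshold)

def all_zero_claims(reports: dict) -> list:
    """Reports asserting zero incidents, zero personnel changes and zero terminations."""
    return sorted(n for n, t in reports.items() if len(set(ZERO_CLAIM.findall(t))) == 3)

if __name__ == "__main__":
    print("templated pairs:", flag_boilerplate(REPORTS))
    print("blanket zero claims:", all_zero_claims(REPORTS))
```

On real reports the same two signals are worth checking side by side: a high similarity ratio alone can be legitimate shared wording, but a high ratio combined with identical control outcomes across unrelated companies is what warrants asking the auditor for the underlying evidence.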

The vast majority of reports were funneled through two audit firms: Accorp and Gradient Certification. DeepDelver traced both to questionable origins:

  • Accorp operated out of India using virtual office addresses in the US and UAE.
  • Gradient Certification was registered in Wyoming through a registered agent popular with shell companies. Its listed president shared an address in Delhi with Accorp's Indian entity.

DeepDelver characterized both firms as "certification mills." A handful of higher-profile clients were routed through legitimate US firms like Prescient and Aprio, but the bulk of Delve's output ran through these two entities.

Part II: The Open-Source Code Theft Allegation

Starting March 28 and continuing through March 31, DeepDelver published a second investigation alleging something arguably worse: that Delve had stolen code from a fellow YC company.

The allegation: Delve's enterprise product "Pathways", a no-code workflow builder priced at $50,000 to $200,000+, was a lightly modified fork of SimStudio, an Apache 2.0 licensed open-source tool built by Sim.ai (YC X25 batch).

The alleged sequence:

  1. In April 2025, Sim.ai signed up as a Delve customer for compliance certification, paying $15,000. Kaushik personally handled the onboarding.
  2. Internal Delve documents allegedly flagged SimStudio as "UI inspo for Pathways."
  3. Delve forked the repository, stripped all attribution, and contracted an outside development shop to maintain it.
  4. Pathways was then sold as proprietary software to enterprise clients.

If accurate, this violated the Apache 2.0 license, which explicitly requires attribution to be preserved. More broadly, it meant a YC company was allegedly strip-mining another YC company's open-source work and selling it back to the ecosystem at a 100x markup.


Delve's Response: Three Acts of Damage Control

Delve's public response came in waves, each escalating in defensiveness.

Act 1, Deflection (March 20). Delve published "Response to Misleading Claims" on its blog. The core argument: "Delve does not issue compliance reports. Delve is an automation platform." Templates were described as "starting points only" that customers were responsible for reviewing and finalizing. Reports and opinions were "issued solely by independent, licensed auditors, not Delve."

Act 2, Counterattack (April 3). As the open-source allegations piled on, Delve published a second blog post framing the entire investigation as a "coordinated, targeted cyberattack." The company claimed an attacker "purchased Delve under false pretenses, maliciously exfiltrated data... and used it to launch a coordinated smear campaign."

On the Pathways allegations, Delve admitted building on an Apache 2.0 repository but claimed it "significantly rebuilt it," a characterization that didn't address the stripped attribution.

Delve announced it had hired an unnamed cybersecurity firm, halted audit workflow automation, was rebuilding its auditor network by removing "underperforming firms," and would offer complimentary re-audits and penetration tests to all active customers.

Act 3, Apology (April 3). Kaushik posted on X: "[W]e grew too fast and fell short of our own standard. To our customers, we deeply apologize for the inconveniences caused."

"Inconveniences" is doing a lot of work in that sentence when your customers may be holding worthless compliance certifications.


YC Pulls the Ejection Seat

On April 3, Y Combinator took the rare step of asking Delve to leave the program. YC CEO Garry Tan reportedly wrote on Bookface, YC's internal forum:

"We have asked Delve to leave YC. YC is a community, not just an accelerator. The founders in our community have to trust each other, and we have to trust them. When that trust breaks down, there's really only one thing to do."

Note: This quote is sourced from leaked internal communications, not a public statement from Tan.

The next day, Selin Kocalar posted on X:

"YC and Delve have parted ways. I still remember the day we took our YC interview at MIT. We're so grateful to the community and every founder friend we've made."

Delve was removed from YC's company directory. Its YC profile now returns a 404.

This is a rare and significant action. YC has backed over 5,000 companies and almost never publicly severs ties with a portfolio company. YC typically lets underperforming companies fade quietly. An active expulsion signals something more fundamental than a startup struggling to find product-market fit.


The Downstream Damage

The people most exposed aren't Delve's founders or investors. They're Delve's customers.

If those SOC 2 and HIPAA certifications are indeed worthless, companies that relied on them face real legal exposure:

  • HIPAA violations carry criminal liability. Organizations that represented themselves as HIPAA-compliant based on a Delve-facilitated certification could face penalties if they can't demonstrate genuine compliance.
  • GDPR fines scale up to 4% of global annual revenue. EU-facing companies that used Delve certifications as evidence of compliance are in a precarious position.
  • Contractual obligations. Enterprise customers that required SOC 2 compliance from vendors who in turn relied on Delve may now have grounds for breach-of-contract claims.

DeepDelver's investigation identified 58 companies by name, including startups like Lovable, Bland, 11x, Incorta, WisprFlow, Greptile, micro1, and Sentra. Some may have genuine compliance programs that happened to use Delve as tooling. Others may have leaned heavily on Delve's "compliance in days" promise without building real internal controls.

Notably, Lovable, featured prominently on Delve's site as a success story, had already switched to Vanta in late 2025 before the scandal broke. That alone might have been a signal.


What This Actually Reveals

The Delve scandal is infuriating, but it's not surprising. It exposes structural weaknesses in the compliance industry that existed long before Delve. As we've covered in our analysis of what $10.77 billion in hacks reveals about audit effectiveness, the gap between certification and actual security is often wider than anyone wants to admit.

SOC 2 has a trust problem. The entire framework relies on independent auditors exercising professional judgment. When the auditor is incentivized by the platform that feeds them deal flow, and when the platform's entire value proposition is speed and cost reduction, independence becomes fiction. Delve didn't invent this misalignment. It automated it.

"Compliance as code" is not the same as "compliance." The promise of automating compliance is real and valuable. But there's a critical line between automating evidence collection (legitimate) and automating evidence fabrication (fraud). Delve appears to have blurred this line, and the compliance industry's own lack of oversight let it happen at scale.

Due diligence failed at every level. Insight Partners led a $32M round. YC accepted them into W24. Forbes put them on 30 Under 30. Customers signed up by the hundreds. At no point did anyone apparently look at the output, the actual reports, and notice that they were copy-pasted templates from questionable audit firms. The warning signs were sitting in a publicly accessible spreadsheet. This is exactly the kind of human-factor failure that enables the largest losses in the industry.

Apache 2.0 is not "take whatever you want." The open-source theft allegation is particularly galling in the YC context, where companies routinely build on each other's open-source work. The license permits commercial use, but requires attribution. Stripping attribution and selling a fork as proprietary is a violation, and doing it to a fellow YC company corrodes the exact trust network that makes YC valuable.


What Happens Next

As of April 9, 2026, several threads remain unresolved:

  • Regulatory action. No U.S. regulator has publicly commented. If Delve's reports were used to satisfy regulatory requirements (particularly HIPAA), federal enforcement is possible.
  • Insight Partners' position. The lead Series A investor deleted a LinkedIn post about its Delve investment, then deleted and later restored a blog post titled "Scaling AI-native compliance." No public statement has been made about the fund's stance on the allegations.
  • Customer remediation. Delve offered complimentary re-audits, but it's unclear how many customers will trust the company that sold them potentially fraudulent certifications to fix the problem.
  • Legal exposure. Neither DeepDelver's identity nor Delve's "cyberattack" claim has been substantiated. If Delve pursues legal action against the anonymous investigator, it could trigger discovery that either vindicates or further implicates the company.
  • The auditors. Accorp and Gradient Certification, the firms that actually signed off on these reports, have been largely absent from public discussion. Their professional liability may exceed Delve's.

The compliance automation space itself will survive this. Companies like Vanta, Drata, and Secureframe have built real audit infrastructure with credible auditor networks. But the Delve scandal will make every buyer ask harder questions, which is exactly what should have been happening all along.


Sources

  1. Anthony Ha, "Embattled startup Delve has 'parted ways' with Y Combinator," TechCrunch, April 4, 2026.
  2. Julie Bort, "The reputation of troubled YC startup Delve has gotten even worse," TechCrunch, April 1, 2026.
  3. Anthony Ha, "Delve accused of misleading customers with 'fake compliance'," TechCrunch, March 22, 2026.
  4. Tage Kene-Okafor, "21-year-old MIT dropouts raise $32M at $300M valuation," TechCrunch, July 22, 2025.
  5. Ben Sherry, "The Delve Scandal: A Y Combinator Darling Just Got Hit With a Bombshell Fraud Accusation," Inc.
  6. Kevin Haynes, "Defiant Delve Lashes Out Against Fraud Allegations," Inc.
  7. DeepDelver, "Delve: Fake Compliance as a Service, Part I," Substack, March 19, 2026.
  8. Delve, "Response to Misleading Claims," March 20, 2026.
  9. Delve, "Delve sets the record straight on anonymous attacks," April 3, 2026.

Disclosure: SigIntZero has no commercial relationship with Delve, Sim.ai, or any compliance automation vendor mentioned in this article.

Alex Rybalko, Co-Founder

Co-Founder of SigIntZero. Security architecture and threat modeling for protocols and distributed systems.