You build something great and big corporation X wants to buy a subscription but you need to be certified.
Much of this is a good checklist but some of it is very european.
"Where is the risk register to track controls in your 7 person company?"
Now instead of doing what your team does best, you are doing paperwork theater for frameworks designed for a 100,000 employee enterprise.
You are documenting things nobody will read, making up processes that don't exist and translating the operations of a lean company into bureaucratic language.
What's needed is a variant of these standards for small teams, which is proportionate and pragmatic.
We've be able to use a lot of AI-assisted engineering and AI in the software to solve longstanding business challenges in this space.
I won't make assumptions about where you're located, but on the East Coast US it is big business among banks, utilities, healthcare, etc.
intermediaries like delve have only amplified this failure.
it was obvious to anyone who was involved in this industry that, all of this is just security theatre with nothing really to back it up.
We were actually looking at it as well recently (we're using Drata). I was thinking "Cool, this looks like the next cool step forward". The claims didn't sound out of the world in my ears.
Every time an issue like this appears I wonder how many more undiscovered frauds are out there.
I would have expected this to be somewhere at the top right now given how deep the article digs and evidence seems legit.
Regardless, it's been an ongoing issue. I know a few involved companies — it takes basically 5 days to get a SOC 2 Type 2 report through Delve. And, of course, they market this way too: "SOC 2 in days". Unbelievable.
(1) I had no idea this story existed and woke up to claims that I was obviously* suppressing it.
(2) I looked into it and found that no moderator had touched either of the two submissions of the story, but that both submissions had set off HN's voting ring detector. (Whether there was a voting ring or not, I don't know - that software isn't perfect. It has held up well over the years though.)
(3) We merged the two discussions and placed the merged thread on the front page.
(4) Why? Because we moderate HN less, not more, when YC or a YC startup is part of a story: https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu.... This is literally the #1 principle of moderation in the sense that it was the very first thing that pg drilled into me: https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que....
[1] No offense to MBA, just using it as a placeholder for: business stakeholder with no IT background.
> We have prepared the accompanying description of Cluely, Inc., system titled "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." throughout the period June 27, 2025 - September 27, 2025(description), based on the criteria set forth in the Description Criteria DC Section 200 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report (description criteria).
> The description is intended to provide users with information about the "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." that may be useful when assessing the risks arising from interactions with Cluely, Inc. system, particularly information about the suitability of design and operating effectiveness of Cluely, Inc. controls to meet the criteria related to Security, Availability, Processing Integrity, Confidentiality and Privacy set forth in TSP Section 100, 2017 Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy (applicable trust services criteria).
I mean, just re-read this sentence:
> The description is intended to provide users with information about the "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." that may be useful
It makes no sense at all.
Someone implemented the code to automate this report mill, and didn't think to even smooth it out with an LLM! There was clear intent here.
To imagine that an auditor reviewed and stamped this as a coherent body of work beggars belief.
How did none of this come up during diligence? Feels like a prime example of too good to be true.
Fortunately, some of the old-YC spirit seems to be alive here on HN still.
The article states that, "Even though we knew we’d technically be lying about our security to anyone we sent these policies to for review ... we decided to adopt these policies because we simply didn’t have the bandwidth to rewrite them all manually."
Like no one characterizes it like that, but this is the same business where you can tell a story about hiring a bunch of college friends to pretend to be your employees so a client comes to your "office" and thinks you're a legitimate business. And instead of looking in horror at how casually you'll lie to get business it's seen as scrappy and whimsical.
Thus providing compliance is really just paying someone to shift responsibility.
The regulator can ask whether you are compliant. You can present certificate from Delve or someone else and that's the end of it.
I am a founder, and my ambition includes meeting the highest possible standards for my customers.
Some things just have to be done.
Wellll this is not always the case. I have moved from a shithole country to a nice one and oh boy I am crying in gratitude every month that I pay taxes. Because it is every day that I can see my money working for me in the environment.
But your point stands.
The same applies to all the audit and bureaucracy stuff. Does it do something? If you don't feel it does, does it mean it's not? I don't know really, but I hope somebody is rotating their key material as they provided in their security posture.
I love bringing Switzerland up to annoy most of western/northern Europeans since their success is so obvious and undeniable while going in very different direction than most of Europe. Low to low-medium taxes, yet state budgets are frequently in positive numbers, there is no end to money spend on infra projects, train infra, but also rather strong social programs (just not ridiculously bad as mentioned above), top notch free healthcare and education. VAT taxes are 2-8% instead of 20-23% in all countries around. Country simply works(TM) because population is not hard comfort-zone-addicted and entitled bunch of spoiled whiny kids, they work relatively hard and it brings results, consistently and long term. They don't work more than americans nor asians, but thats enough for their prosperity.
Do you think lets say a heavy tax burden in say Italy, or even France (not even going more into southern or eastern EU since that would be a small book) is really used well and efficiently? I visit those places frequently and it certainly doesn't seem that way. Random examples - Italy has garbage everywhere, people drive to highway stops to drop it there (so the wind blows it all around). Infrastructure seems like from 80s, with added age. From people dealing with bureaucracy there - its stuck in 19th century, direct approach will get you often nowhere. France - most communist state in western Europe, heck in all Europe, sans Belarus maybe. Yet if you talk to people, they are constantly pissed off at government, never happy with society or state they live in. I don't blame them, listening to French colleagues complain is often rather sad experience. Not something you read in travel guides, do you.
Somehow I doubt that you are in the B2B/Enterprise space. When you're pitching demos and you hear from people "we really wish we could buy your product but we can't because Finance won't approve the expenditure unless you get XYZ-123", and you hear that over and over again because that is the real-world industry that you live in, then you better believe that there are founders who wake up in the morning wishing that.
You clearly have no understanding of what compliance does. Compliance does not "shift responsibility". Compliance is you demonstrating to your customers that you give enough of a shit that you're willing to pay the table stakes to sit at the table. You can complain that the game has table stakes, but all worthwhile games have them.
That said, this should be used sparingly; as it embeds a behavior deep. If that behavior later no longer makes sense it can be extremely costly to change it later.
Companies do want to be secure. They try, and they often fail because it's hard.
They hire auditors to find problems and to shift blame. But since they only have 30 days to fix the problems that are found, it's going to see a lot like they only care about shifting the blame. Because at that point, they only care about passing that audit.
Right after that, though, they start caring about security again.
How do I know? 19 years experience going through those audits on the company side. For 11 months of the year, it was clear the boss cared about security. For that 1 month during the 'free retest' period, they only cared about passing that audit.
At some point I was asked to look over the documents for the compliance definition and it was really hilarious. I had to give my engineering perspective on which aspects of the requirements we were and weren't meeting.
But they were stuff like "you must have logs". "You must authenticate users". "You must log failed authentication attempts".
Did we fulfill these requirements? It's a meaningless question. Unless you were literally running an open door telnet service or something you could interpret the questions so as to support any answer you wanted to give.
So I just had to be like "do you want me to say yes?" and they did, so I said yes. Nothing productive was ever achieved during that engagement.
Then do not pass the responsibility. But here's the trick: the regulator would like to see an audit done by a firm and purchasing audit services is exactly that: passing responsibility. So legally you can't be compliant unless you passed responsibility.
SOC2 is as useful as a privacy policy at protecting your data. It’s all humans following human incentives.
But beyond that it's not worth a whole lot.
Like the best options in most categories, they don’t spend a bunch of money or time on brand presence, advertising.
You simply find them.
https://x.com/HotAisle/status/1946302651383329081
The whole thing is a racket.
What does that tell you about the scam that was unveiled?
Not good.
I hate that I've become this cynical, but it's gotten to the point where reading the "no x, no y, just z" construct makes me assume that writing is AI generated (and then I immediately stop caring about reading it)
We've restored it to the front page now.
What matters in this case is (1) it's a software penalty that has nothing to do with the content of a story, (2) moderators didn't touch the submissions or even know they existed, and (3) once we did know that they existed, we merged the threads and placed the story on the frontpage - that is, we went out of our way to give this story more attention, not less - in keeping with the principle explained here: https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu....
I guess it is great if you're a grifter/scammer or looking to just sell off to a FANG.
Mods didn't touch either thread except (1) we merged the duplicate discussions and (2) we rolled back the voting ring penalty so that the story would be on the frontpage.
This is in keeping with the principle that we moderate stories less, not more, when YC or a YC startup is part of the story. That's been the case since the beginning, and I've posted about it dozens of times: https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu....
I would imagine that's what happened here.
Edit: 10% of the votes came from resubmissions of the URL. The other 90% came from other sources.
Nobody believes that, HN does extensive damage control, banning, flagging with alt accounts, specific story suppression, propaganda, and outright censorship.
This comment itself will be censored for countering your narrative not because it’s too toxic for the precious eyes of readers or violates any generally accepted ethics, but because censorship and propaganda are weapons of choice for an abusive unintelligent maniac like yourself.
There are a number of reasons why this is the case. One is that it is true. Another is that we've always treated the good will of the community as by far the biggest asset—in fact, the only asset—that HN has.
Really great vetting there, guys.
Had you checked the other thread during that "good minute", you'd have seen that all the comments were intact.
Cluely did the ChatGPT wrapper to cheat on interviews then sold the customer data to recruiters. The whole company promise is a scam, and useless since we have LLMs.
HockeyStack held contests for people to win cars etc and never delivered. They also lied about having revenues and a product when they had nothing built. Along with Greptile they were doing 7day weeks of unpaid labor from “trial periods”.
Scams all around.
Also they were part of the cohort forcing workers to stay minimum until 9PM.
Like every AI company, their "product" is a Next.js website, OPENAI_API_KEY, and a Stripe checkout page.
> Two months ago, an email went out to a few hundred Delve clients informing them that Delve had leaked their audit reports, alongside other confidential information, through a Google spreadsheet that was publicly accessible.
Who leaked the audit reports? Who sent this email? Who is taking the time to write this analysis and kill the company?
In my opinion, the majority of the points in the article are no news. A compliance saas that offers templates for policies, all of them do. The AI is a chatbot, well who thought.
I think the main point is the collusion between delve and the auditors. Is the evidence for that clear?
SOC2 is supposed to give you an INDEPENDENT evaluation of the compliance of a company "are they doing what they say they are"
If the SOC2 report is just a pre-populated template, it is meaningless.
It doesn't really matter the motivation of the "DeepDelver" - this has implications across all companies that rely on these vendors that have been "assessed" by Delve.
And they didn't even try. Read this management assertion for one of the (known) affected companies:
> We have prepared the accompanying description of Cluely, Inc., system titled "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." throughout the period June 27, 2025 - September 27, 2025(description), based on the criteria set forth in the Description Criteria DC Section 200 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report (description criteria).
> The description is intended to provide users with information about the "Cluely is a desktop AI assistant to give you answers in real-time, when you need it." that may be useful when assessing the risks arising from interactions with Cluely, Inc. system, particularly information about the suitability of design and operating effectiveness of Cluely, Inc. controls to meet the criteria related to Security, Availability, Processing Integrity, Confidentiality and Privacy set forth in TSP Section 100, 2017 Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy (applicable trust services criteria).
It's a juicy story to talk about that hits a lot of checkboxes that make it viral --
1. the hustle culture they promoted online was gross
2. they followed the 30u30 Forbes pattern like Liz Holmes, FTX, etc.
3. they're a YC co, so their's plenty of popular voices supporting them
Finally, the security and compliance community is litigious by their nature and this startup, in general, was a net negative for a lot of people who do fractional / consulting work in security.
Insight Partners invested in a 32 MILLION DOLLAR ROUND without any apparent shred of due diligence. What does that say about the VC market writ large?