what do you expect? if you’re “automating” an audit, it already means you don’t care. the LLM is there to blur the calculus of responsibility, take the blame if someone cares enough to look. happy customers, until someone “delves” a little too deep (like you did) and ruins the slumber party.
> "We may receive compensation from vendors listed below. All recommendations are based on independent research."
this + new HN account? couldn't be more obviously a competitor. not to defend delve, but can’t be pushing this like some noble effort with the goal of transparency
also lol @ the fake realtime "just searched for" toasts on a setInterval in the bottom left.
Looking at our SOC 2 report (we don't use Delve, our auditor isn't on their list) I don't think this is quite the smoking gun it might look like if you're not reading SOC 2 reports for a living.
There's a fair amount of boiler plate language in these reports, and a bunch of re-stating the SOC 2 controls. I'd expect two reports (same auditors, same platforms) to be nearly identical. If they're both using AWS, Github, Stripe, Vetty, they're subbing a lot of the exact same thing out to the same companies, referencing the same set of internal controls.
Reading ours. There's a section titled $Company's Controls, followed by 20 pages listing the various SOC 2 controls. e.g.
---
CC9.0 Common Criteria Related to Risk Mitigation
CC9.1 The entity identifies, selects, and develops risk mitigation activities for risks arising from potential
business disruptions.
IR-01 A Security Incident Response Plan that outlines the process of identifying, prioritizing, communicating, assigning, and tracking confirmed incidents through to resolution is accessible to all relevant employees and contractors and is reviewed annually.
---
Then there's another 20 pages of those same controls being listed, some language about how they tested the controls, and hopefully "No Exceptions Noted".
That's not going to change much between companies.
SOC2 has been in trouble for a while now. Completely gamified. I was managing an acquisition of a healthtech company and asked if they did an internal risk assessment as part of their audit. Nope.
SOC2 certified, has never actually put to paper "here's what we know we're doing wrong, here is how we plan to remediate it."
" let r = ["Acme Corp", "CloudVault", "DataSync Pro", "NexGen AI", "SecureStack", "TrustLayer", "Vanta", "ComplianceIQ", "InfraSec", "ByteShield", "PipelineOps", "CyberNova", "TokenGuard", "ZeroTrust Labs", "Aether Security", "PrismData", "CloudArmor", "RiskLens", "AuditTrail", "ShieldIO"]
, n = ["just checked", "searched for", "ran a scan on", "verified"]
, a = ["San Francisco, CA", "New York, NY", "Austin, TX", "London, UK", "Berlin, DE", "Toronto, CA", "Seattle, WA", "Chicago, IL", "Denver, CO", "Boston, MA", "Singapore", "Sydney, AU"];
"
fake popups, xyz domain, recent zeitgeist, 100% straight vibecoded. good hustle I have to say. a domain that'll now get ranked on google for SOC 2 compliance which likely has a high CPC and good DR to piggyback off.
I've worked with SOC2-certified companies where employees would email each other plaintext credentials, publish them in Notion pages, etc. You cannot cure stupidity by "complying".
18 comments
[ 2.6 ms ] story [ 29.5 ms ] thread- The same auditor license number (PAC-FIRM-LIC-47383) appears in 487 out of 494 reports
- Every Type II report has identical page numbers: Section 4 at page 30, tests at page 59, Section 5 at page 82
- 220+ "No exceptions noted" per report, across every single client
- The system descriptions were copy-pasted from each company's marketing website
We built tools to check this data:
- Search by company name to see if they're in the leaked database
- Paste any SOC 2 report text to scan for 10 template fingerprints
- A swipe game where you try to tell real audit excerpts from the fakes (harder than you'd think)
455 companies indexed, all free, no signup needed.
I'm also curious what the HN community thinks about the fingerprint detection approach, are there patterns we're missing?
Its mostly marketing, "look at this MIT genius that noticed something about legacy xyz industry that no one else did"
Truth is venture funds are allocating a limited pie of what is really societies capital to people that dont deserve it
this + new HN account? couldn't be more obviously a competitor. not to defend delve, but can’t be pushing this like some noble effort with the goal of transparency
also lol @ the fake realtime "just searched for" toasts on a setInterval in the bottom left.
How is it bigger than the auditors that Delve was using. Surely Delve wasn't there only client. Delve is just a drop in the bucket.
There's a fair amount of boiler plate language in these reports, and a bunch of re-stating the SOC 2 controls. I'd expect two reports (same auditors, same platforms) to be nearly identical. If they're both using AWS, Github, Stripe, Vetty, they're subbing a lot of the exact same thing out to the same companies, referencing the same set of internal controls.
Reading ours. There's a section titled $Company's Controls, followed by 20 pages listing the various SOC 2 controls. e.g.
---
CC9.0 Common Criteria Related to Risk Mitigation
CC9.1 The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.
IR-01 A Security Incident Response Plan that outlines the process of identifying, prioritizing, communicating, assigning, and tracking confirmed incidents through to resolution is accessible to all relevant employees and contractors and is reviewed annually.
---
Then there's another 20 pages of those same controls being listed, some language about how they tested the controls, and hopefully "No Exceptions Noted".
That's not going to change much between companies.
SOC2 certified, has never actually put to paper "here's what we know we're doing wrong, here is how we plan to remediate it."
fake popups, xyz domain, recent zeitgeist, 100% straight vibecoded. good hustle I have to say. a domain that'll now get ranked on google for SOC 2 compliance which likely has a high CPC and good DR to piggyback off.