Max Clark

21.8K posts


@maxclark

Founder, https://t.co/X8ous4affQ. What I've learned buying from 967 IT providers. Opinions are free. Regret isn't.

Dallas, TX Joined September 2008
283 Following 1.5K Followers
Pinned Tweet
Max Clark @maxclark
After 20+ years in IT, I’ve learned this: The most expensive mistakes aren’t picking the wrong tool - they’re signing the wrong contract, trusting the wrong vendor, or skipping the hard questions because everyone’s in a hurry. I share what I’ve seen go wrong so others don’t have to learn the hard way.
Étienne Moreau @Cleo_Compliance
this is exactly why "compliance theater" is the biggest risk in the industry right now. 493 out of 494 SOC 2 reports with identical boilerplate. zero incidents across ALL clients. that's not auditing, that's a copy-paste factory. the GDPR angle is terrifying: companies that relied on these fake reports are sitting on Art. 83 liability (up to 4% global revenue) for violations they genuinely believed were handled. "we had a SOC 2" won't save you when the DPA comes knocking. this is why we built automated compliance monitoring at Cleo Labs. the audit report should be the OUTPUT of real controls, not a template you buy for $6K.
Max Clark @maxclark
A scathing takedown on Delve has been posted online. The accusations are wild, but for me the more significant issue is how misunderstood and abused SOC 2, HIPAA, GDPR, etc... have become.
- Trusting a SOC 2 logo as proof your vendor is secure is a guarantee of a bad time.
- Assuming a BAA covers your HIPAA obligations is a ticking time bomb.
I'd hate to be a Delve customer right now, #hugops for everyone who just lost their weekends

Summary and link below:

Delve, a YC-backed compliance startup that raised $32 million, has been accused of systematically faking SOC 2, ISO 27001, HIPAA, and GDPR compliance reports for hundreds of clients. According to a detailed Substack investigation by DeepDelver, a leaked Google spreadsheet containing links to hundreds of confidential draft audit reports revealed that Delve generates auditor conclusions before any auditor reviews evidence, uses the same template across 99.8% of reports, and relies on Indian certification mills operating through empty US shells instead of the "US-based CPA firms" they advertise.

Here's the breakdown:
> 493 out of 494 leaked SOC 2 reports allegedly contain identical boilerplate text, including the same grammatical errors and nonsensical sentences, with only a company name, logo, org chart, and signature swapped in
> Auditor conclusions and test procedures are reportedly pre-written in draft reports before clients even provide their company description, which would violate AICPA independence rules requiring auditors to independently design tests and form conclusions
> All 259 Type II reports claim zero security incidents, zero personnel changes, zero customer terminations, and zero cyber incidents during the observation period, with identical "unable to test" conclusions across every client
> Delve's "US-based auditors" are actually Accorp and Gradient, described as Indian certification mills operating through US shell entities. 99%+ of clients reportedly went through one of these two firms over the past 6 months
> The platform allegedly publishes fully populated trust pages claiming vulnerability scanning, pentesting, and data recovery simulations before any compliance work has been done
> Delve pre-fabricates board meeting minutes, risk assessments, security incident simulations, and employee evidence that clients can adopt with a single click, according to the author
> Most "integrations" are just containers for manual screenshots with no actual API connections. The author describes the platform as a "SOC 2 template pack with a thin SaaS wrapper"
> When the leak was exposed, CEO Karun Kaushik emailed clients calling the allegations "falsified claims" from an "AI-generated email" and stated no sensitive data was accessed, while the reports themselves contained private signatures and confidential architecture diagrams
> Companies relying on these reports could face criminal liability under HIPAA and fines up to 4% of global revenue under GDPR for compliance violations they believed were resolved
> When clients threaten to leave, Delve reportedly pairs them with an external vCISO for manual off-platform work, which the author argues proves their own platform can't deliver real compliance
> Delve's sales price dropped from $15,000 to $6,000 with ISO 27001 and a penetration test thrown in when a client mentioned considering a competitor
substack.com/home/post/p-19…
Max Clark retweeted
U.S. Marines @USMC
Chuck Norris didn't join the Marine Corps...the Marine Corps applied to him. Heaven’s streets have always been guarded by Marines. Today, Chuck Norris reported for duty. We mourn the passing of Chuck Norris, a @usairforce veteran, who also became an honorary Marine in 2007 when awarded the title by then Commandant of the Marine Corps, Gen. James T. Conway. Chuck Norris is one of just over 100 individuals to be awarded the title of Honorary Marine in the entire 250-year history of the Corps. Some missions may require a battalion, but this one just requires an Honorary Marine. #USMCHistory #USMC #SemperFidelis
Max Clark @maxclark
@robbyrussell Turned down a Cisco console server with almost 2,000 day uptime I almost cried
Robby Russell @robbyrussell
Everyone learning tmux so they can reconnect to their Claude session... is basically how so many of us were keeping our IRC sessions connected to Dalnet in the late 90s...freenode in the early 2000s. Was using screen + bitchx back then. Remember how we used to brag about our Linux boxes' uptime? Fun memories.
Justin Hall @JustinHallTech
@maxclark Calling the service line is about the only other one I got
Max Clark @maxclark
Is there a worse way to "prospect" than spamming companies' contact forms?
Parker Woodruff @AirspeedParker
@maxclark Yes. Direct email cold contact with an Outlook calendar invite.
chrisworden @chrisworden
@baldridgecpa It's the dumbest metric imaginable: between $10 million and $1 billion in annual revenue.
Mitchell Baldridge @baldridgecpa
Okay I'll bite.. What is a medium sized business?
Max Clark @maxclark
@techspence Isn't this an argument for SCA/SAST/DAST and not Vulnerability Management?
spencer @techspence
If you don’t have a strong vulnerability management program by now you’re behind the 8-ball. Forget about prompt injection for a minute and really nail this…
Allen Walton @allenwalton
Sounds like we will be maxing out our policy limits on the housefire claim. Everyone, check your insurance policies now! You do NOT want to be policymaxxing!
Max Clark @maxclark
@drgurner Wired headphones is easy, but what are you doing for a wired headphone + mic?
Dr. Julie Gurner @drgurner
I know a lot of people love their ear buds, but choose to look like a dork & save your brain. Use wired, over-the-ear headphones, save your hearing, & save your brain. Early hearing loss is one of the top preventable factors in developing later dementia.
Max Clark @maxclark
The dirty secret to SOC II compliance is you get to pick your controls. Companies get boxed in when they pick controls around a specific vendor feature, only for that feature to be deprecated, or a new vendor brought in. Use this information as you will.
Max Clark @maxclark
@mikejulian Lol I'm right there with you - just trying to grow as a person
Mike Julian @mikejulian
@maxclark but maaaax I want to be petty over piddly shit 😤
Mike Julian @mikejulian
Why in the world are all these status page apps so expensive? Hard to see what makes them worth the money they're asking 🤔
Max Clark @maxclark
@mikejulian I've moved from monthly to annual subscriptions to force me to let go and move on from things like this
Chris Powers @fortworthchris
@DudeWhoInvests Met a guy on the chairlift today. Asked him if he was on spring break. He said, “nope, my wife and I both work remote.”
Just a Dude Who Invests @DudeWhoInvests
Remote workers all across the globe crawling out of their beds to log on at 9:29 AM send a couple emails and say “nothing else from my end” in a meeting then go back to bed…
Max Clark @maxclark
@awwstn Yeah encryption is faster lol
Are standalone AI note takers really moats? Love Granola but if they go user hostile I’m out
Max Clark @maxclark
@levelsio Everything is insecure
You will lose data (drive failure, accidental delete, malicious act)
Find the right balance that works for you and the risks
Oh and zero trust is awesome
@levelsio @levelsio
If your Tailscale is hacked
The hacker now has direct access to your server
But now he still needs to get into your SSH with an SSH key
So to get in two extremely rare things have to happen:
1) Tailscale is hacked
2) There's an SSH 0-day that they can use to hack into your server
That's still superior to NOT using Tailscale where they'd only need:
1) There's an SSH 0-day that they can use to hack into your server
It's like saying "why do you use an alarm system for your house, what if it breaks?"

incpo @incpo_
@levelsio Ok. What if tailscale gets hacked? im also fan of it, but as i know, its just a big network, like ur local wifi but bigger. ofc they're separated from each other, but u should never forget about such a possible scenario

austin petersmith @awwstn
@maxclark keeping 3 sets charged is too much, we keep trying to have usb c ones but somehow often find ourselves with a 3.5mm set
austin petersmith @awwstn
considering that the only actual use case for ipads is kids watching movies on airplanes, it’s really dumb they don’t have headphone jacks