Dave Kennedy

55K posts


@HackingDave

Founder @Binary_Defense @TrustedSec Co-Owner https://t.co/HQC75WhLyP. @WeHackHealth Pod. God + Family/Hacker/CSO/USMC/Intel/Fitness. Make the world a better place.

Fairlawn, OH. Joined July 2009
6.1K Following, 228.2K Followers
Dave Kennedy retweeted
Ryan (@ohryansbelt):
Delve, a YC-backed compliance startup that raised $32 million, has been accused of systematically faking SOC 2, ISO 27001, HIPAA, and GDPR compliance reports for hundreds of clients. According to a detailed Substack investigation by DeepDelver, a leaked Google spreadsheet containing links to hundreds of confidential draft audit reports revealed that Delve generates auditor conclusions before any auditor reviews evidence, uses the same template across 99.8% of reports, and relies on Indian certification mills operating through empty US shells instead of the "US-based CPA firms" they advertise. Here's the breakdown:
> 493 out of 494 leaked SOC 2 reports allegedly contain identical boilerplate text, including the same grammatical errors and nonsensical sentences, with only a company name, logo, org chart, and signature swapped in
> Auditor conclusions and test procedures are reportedly pre-written in draft reports before clients even provide their company description, which would violate AICPA independence rules requiring auditors to independently design tests and form conclusions
> All 259 Type II reports claim zero security incidents, zero personnel changes, zero customer terminations, and zero cyber incidents during the observation period, with identical "unable to test" conclusions across every client
> Delve's "US-based auditors" are actually Accorp and Gradient, described as Indian certification mills operating through US shell entities. 99%+ of clients reportedly went through one of these two firms over the past 6 months
> The platform allegedly publishes fully populated trust pages claiming vulnerability scanning, pentesting, and data recovery simulations before any compliance work has been done
> Delve pre-fabricates board meeting minutes, risk assessments, security incident simulations, and employee evidence that clients can adopt with a single click, according to the author
> Most "integrations" are just containers for manual screenshots with no actual API connections. The author describes the platform as a "SOC 2 template pack with a thin SaaS wrapper"
> When the leak was exposed, CEO Karun Kaushik emailed clients calling the allegations "falsified claims" from an "AI-generated email" and stated no sensitive data was accessed, while the reports themselves contained private signatures and confidential architecture diagrams
> Companies relying on these reports could face criminal liability under HIPAA and fines up to 4% of global revenue under GDPR for compliance violations they believed were resolved
> When clients threaten to leave, Delve reportedly pairs them with an external vCISO for manual off-platform work, which the author argues proves their own platform can't deliver real compliance
> Delve's sales price dropped from $15,000 to $6,000 with ISO 27001 and a penetration test thrown in when a client mentioned considering a competitor
Quoted post, erin griffith (@eringriffith):

A detailed and brutal look at the tactics of buzzy AI compliance startup Delve "Delve built a machine designed to make clients complicit without their knowledge, to manufacture plausible deniability while producing exactly the opposite." substack.com/home/post/p-19…

Dave Kennedy (@HackingDave):
@DeanLo66 Erin has a heated bed so I can actually survive with cool bedrooms 😂 usually at 68-70
Dave Kennedy (@HackingDave):
Car rides with my wife are such polar differences on temperature lol. Her side 78 with heat blaring, my side 62. It's like a wall of heat and cold battling each other in the car 😂
Timon S. (@Timon_j_s):
@Binary_Defense Real shame this isn't offered as a product separately from the MDR service
Binary Defense (@Binary_Defense):
Yesterday we made NightBeacon official. This isn’t another AI announcement. It’s a new way to operate a modern SOC. Security teams today see an abundance of alerts while adversaries move faster than ever. NightBeacon was built to change that. It accelerates analysis, cuts through noise, and helps analysts move from investigation to decision faster than ever before. But the most important part? This isn’t AI replacing analysts. It’s AI amplifying them. NightBeacon learns from the people who defend our customers every day. Every investigation, every escalation, every decision makes the platform smarter. This is what happens when AI speed meets human expertise. The future of MDR just got a lot faster. binarydefense.com/nightbeacon
Dave Kennedy retweeted
Cyber Security News (@The_Cyber_News):
⚠️ CISA Urges Securing Microsoft Intune Following Stryker Breach Source: cybersecuritynews.com/secure-microso… CISA has issued an urgent alert urging organizations to harden their endpoint management system configurations following a cyberattack on Stryker Corporation, a U.S.-based medical technology firm, on March 11, 2026. The cyberattack against Stryker Corporation highlights a growing trend of threat actors targeting endpoint management platforms, particularly Microsoft Intune, to gain privileged access across enterprise environments. In response to the breach, CISA is urging all organizations to implement Microsoft’s newly released best practices for securing Microsoft Intune. #cybersecuritynews
Ron Dilley (@Ron_Dilley):
@HackingDave When I drive, I get to declare the heat is drying out my eyes, impacting my ability to drive, thereby forcing a reduction in the passenger side flame thrower vortex of doom . . .
Dave Kennedy retweeted
International Cyber Digest (@IntCyberDigest):
🚨‼️ CRITICAL: Ubiquiti UniFi Network Application vulnerabilities were just disclosed CVE-2026-22557 CVSS 10.0 Remote path traversal vulnerability allowing an attacker to access and manipulate files, leading to account takeover. No authentication required. CVE-2026-22558 — CVSS 7.7 Authenticated NoSQL Injection allowing privilege escalation.
Dave Kennedy retweeted
TrustedSec (@TrustedSec):
One of our own is taking the stage at @OneRSAC! Next Thursday, don't miss Identity Security Architect @PyroTek3's talk, "Entra the Dragon—Entra ID Attack & Defense". Be sure to reserve your seat if you're attending! hubs.la/Q047BdRS0
Dave Kennedy retweeted
TrustedSec (@TrustedSec):
Who knew a really long string could make an Entra ID login disappear from the logs entirely? In our #blog, @nyxgeek breaks down how overflowing #Azure's sign-in logging mechanism allowed access tokens to be issued without a single log entry. Read it now! hubs.la/Q047xTVc0
Trece Treintaysiete (@Trece30y7):
@HackingDave Dave, serious question. Do you expect more from your Engineering team now that agentic AI development is available? Do engineers have to ship more code now that it’s easier to produce?
Dave Kennedy (@HackingDave):
Here's why I think software engineering is safe, but different. I'm seeing so much stuff being created from folks that haven't been developers - don't understand programming nor architecture/infrastructure deployment. It's usually really rough, riddled with bugs, barely works - usually very basic. Software engineering - AI will become a massive force amplifier - having 15 developers or more working for you real time and being able to get stuff out much faster. For me, it's sped up my development to 200% or more. Example, the social engineer toolkit, I spent 10 years of my life coding that thing virtually everyday for hours and hours at a time. Sometimes not sleeping for 2-3 days because I was coding. End of 10 years, 59K lines of code written. Project I'm working on right now, 9 months worth of work, 159K lines of code. It's amazing, but software engineering, understanding underlying technologies and infrastructure, being able to articulate exact specs on what it should do, how it should work, the coding structure around it is something I don't see changing with AI. It'll get better, you will always need software engineers. I think the statement that SE are dead is highly inaccurate.
Dave Kennedy retweeted
TrustedSec (@TrustedSec):
Don't let scammers ruin your #MarchMadness 🏀 Advisory Solutions Director @infosecdoc shares practical tips with fans on how to keep their brackets—and banking info—safe this tournament season. Watch now! hubs.la/Q047rBGB0
Dave Kennedy (@HackingDave):
Did an episode on DE&TH Diaries with some great folks! Awesome interview on the changing times of AI, career advice, how to focus on modernizing your SOC and more. youtube.com/watch?v=BaNdk1…
Dave Kennedy retweeted
Cavs Care (@CavsCare):
We had a great time teaming up with our friends at @TrustedSec to pack nutritious food as part of the Cavs Food Drive to benefit @CleFoodBank's Harvest for Hunger Campaign! ✨ Support the Cavs Food Drive here: tinyurl.com/ynj9f2an