Mycroft

There’s been a lot of allegations against Delve. But we haven’t been able to share our side of the story until today due to ongoing cybersecurity and forensics investigations. Maintaining customer trust is central to everything we do. That said, we grew too fast and fell short of our own standard. To our customers, we deeply apologize for the inconveniences caused. We take these allegations seriously and have made changes: a new auditor network, free re-audits and pentests for all customers, enhanced transparency in audit communications, and more. However, we also want to set the record straight on the anonymous attacks. The evidence we have points to a targeted cyberattack from a malicious actor, not a “whistleblower.” We believe the attacker purchased Delve under false pretenses, exfiltrated internal company data, and used it to launch a coordinated smear campaign. The posts rely on a mix of fabricated claims, cherry-picked screenshots, and stolen data taken out of context. See the link in the comments for more details. Delve was built to modernize compliance. We are not going anywhere and are committed to building what's next.

We hired a pentesting firm to tell us if our systems were secure. They sent three guys who looked like they hadn't slept since 2019. They spent six hours running automated tools we already owned. Then they sent us a 147-page PDF with red text everywhere. They charged us $85K for this privilege. During the readout, one of them said "your employee clicky-linky" with complete seriousness. I looked around the conference room. Our CISO was taking notes like it was gospel. The grand conclusion was that we should enforce MFA and update our patches. I'd been saying both for years. But nobody listens to the security engineer. You only listen to the guy who shows up with a hoodie and a laptop sticker. I'm printing the PDF as a doorstop. At least it'll be useful.

Over the past week, you may have seen an anonymous post about Delve. While we responded to it in a day, we want to provide more details about what’s true, what's not, and some changes we’ve made. There’s one question behind everything: did Delve fabricate compliance evidence or issue fraudulent audit reports? No. We did not. → Delve is an AI compliance platform that connects customers with independent auditors. We are not an auditor, just as tax preparation software is not an accountant. We have never signed an audit report. → Using default templates for our customers, just like any other compliance platform, is not “faking evidence.” These are meant to serve as a starting point for customers. → Delve does have automation in the platform, with 600+ automated integration tests, an AI Copilot to guide customers through compliance, AI code scanning, and more. -- We built Delve to accelerate innovation by bringing AI to compliance. In doing that, we pushed hard on automation. However, we now realize we didn’t provide enough clarity about what is automated, what is customer-provided, and what is independently audited. We have been working relentlessly to make improvements over the last week. -- On our auditor network: Delve connects customers with independent auditors. Some customers choose their own auditors, but many use firms in our network. Questions have been raised about some of those firms, including ones used by other platforms. Going forward we will set a higher bar in how our auditor relationships are structured and how the process is experienced by customers. Delve is rebuilding our auditor network, removing firms that don’t meet our standards, and offering complimentary re-audits and penetration tests to every customer. On platform templates for our customers: Delve provides default templates, just like many other platforms, for policies, board meetings, risk assessments, and more. These are designed to be starting points only. We should have been more explicit about how they are meant to be reviewed and customized by customers. We are making that indisputably clearer within the platform. On draft audit reports: Third-party auditors are responsible for independently reviewing all evidence and issuing final reports. We built automation that interacts closely with independent audit workflows to help expedite the process on behalf of our customers. However, this contributed to confusion about where automation ends and independent judgment begins. From now on, Delve will no longer automate these parts of the process. Furthermore, customers have a direct line of communication with their auditor to enhance transparency in any audit communications. -- We started Delve because we went through compliance ourselves and saw how slow, expensive, and manual it was. To anyone that wants to sit down and discuss our product philosophy and improvements, please reach out and let’s chat about it.

I'm about to book a sales call and negotiate the next 5 years of compliance for free. Zig while others zag

Oh this story goes way back. Blood was first drawn well over a year ago now.