Delve Part II: Delve and the Deathly Hollows
The fraud deepens. A whistleblower arrives. Somehow, it gets worse.
In last week’s piece, I covered how Delve — YC-backed, Forbes 30u30, Insight Partners-funded — got exposed for allegedly running a fake compliance machine.
Story’s over, right?
Nope. Since then, DeepDelver published Part II of a five-part series. A whistleblower materialized with a data dump. And the Delve saga officially graduated from “embarrassing startup scandal” to something considerably more sinister.
🏃 The Generational Run: A Recap
For anyone just joining us, here is the complete Delve mixtape:
Delve has been on a generational run.
Got into YC
Onboarded Lovable, Cluely, and other unsuspecting companies
Allegedly faked hundreds of SOC 2 & ISO 27001 audits
Spammed a “wall of love” with logos they claimed to have “helped close”
Got caught
Made employees delete all the old posts
Put out an explanation — with replies turned off
Allegedly stole a fellow YC company’s open-source IP (Sim.ai / SimStudio)
Rebadged it as a standalone product called “Pathways”
Sold it to Brex, Anthropic, Gusto, and Notion — one deal was $50k+
Got caught again
Want the full pre-scandal arc — the billboards, the Forbes 30u30, the Garry Tan tweet? Read Part I. Then come back.
The Delve Scandal: Compliance as a Grift
Silicon Valley loves a great founding story. MIT dropouts. YC batch. Insight Partners. Forbes 30u30. Billboards on every San Francisco Muni bus you can see. It’s the kind of narrative arc that makes VCs who missed the Series A jealous with envy.
📬 Part II: The Whistleblower Enters the Chat
After DeepDelver’s first article went viral, CEO Karun Kaushik issued a denial on X and LinkedIn — reportedly with YC backing. Standard playbook: automation platform, independent auditors, industry-standard templates. Nothing to see here.
DeepDelver’s response was to go bigger. Part II isn’t a single article — it’s five consecutive days of drops, fueled by a Delve employee who came forward with a cache of internal data, screenshots, and videos. He brought the receipts.
The most damning revelations:
Fake reports. A screenshot shows internal engineer Sazzad Islam writing on August 9, 2025 that “v0 of Delve AI was live” — after the Series A. Internal staff were actively participating in something called “Project Audit Automation.” Delve claimed they don’t generate reports. The internal receipts say otherwise.
Services company, not AI platform. One internal note reads: “To supplement, we’ve asked vCISOs to support them off-platform, and in effect become exactly what we didn’t want to be: a services company. This presents a large problem for us.” Services. Not AI. Services.
Auditor swap. Delve quietly migrated clients to a new auditor — Ezzy & Associates — while telling them they wouldn’t need to restart their SOC 2 Type 2 observation periods. The founder of Ezzy? A Certified Fraud Examiner. You genuinely cannot make this up.
If you’re having a bad week, just remember — Delve is having a worse one.
🕵️ Hold Up: How Is DeepDelver Getting This?
Let’s slow down, because the sourcing here deserves serious scrutiny.
Think about what DeepDelver has produced across two articles: internal Linear tickets, Notion documents, AI call-notetaker logs from private sales calls, pitch decks, employee DMs, full database access, and now an internal whistleblower dump. This is not what an angry ex-customer does. A former customer doesn’t have timestamped Slack conversations between engineers captured during an active sales call.
My read: DeepDelver is almost certainly a disgruntled ex-employee — or a competitor who planted a spy inside the company.
The latter has Silicon Valley precedent. In 2025, Rippling alleged — and eventually proved via bank records — that Deel had planted a mole inside the company to exfiltrate trade secrets. The full story is here and is worth reading.
None of this discredits what DeepDelver is publishing. The allegations are specific, evidence-backed, and increasingly corroborated by third parties. But the source matters — for understanding motivation, and for any downstream legal proceedings.
🧑💻Day 2: The Sim.ai Swindle
Sim.ai (SimStudio) is a fellow YC company. In April 2025, CEO Emir Karabeg got on a sales call with Karun Kaushik to purchase compliance services — a $15,000 SOC 2 package. Karun promised personal attention, great service, and threw in Arcteryx jackets and a box of donuts.
Here’s what was happening on Karun’s end of that call.
From the timestamps: Karun posted about SimStudio internally while still on the call. Delve’s Linear shows the first mention of Sim Studio under the Pathways project appeared in April 2025. A Notion page in the whistleblower dump — titled “Sim Studio Port Plan” — lists exactly which folders to copy from SimStudio’s codebase.
He was selling them compliance services and stealing their product. Quite the multi-tasker.
When Emir later tried to sell Delve a licensing deal, Karun said the ROI “wasn’t there” and went silent — while Delve was closing Pathways deals with Brex, Anthropic, Gusto, and Notion using SimStudio’s code.
DeepDelver calls this “stealing IP” which is a bit dramatic, since open source tools are freely available to use. But only if proper credit is given, hence the problem.
When DeepDelver reached out to Sim.ai directly, the team confirmed: no white-label agreement was in place, and they had no idea Delve was selling Pathways as a standalone enterprise product until DeepDelver’s first article published.
🤔 Can We Still Trust the Trust Industry? A Much Needed Wake-Up Call
The recent allegations surrounding Delve should make every SaaS founder, CTO, and security leader stop and ask a difficult question:
Are we building trust — or just engaging in Compliance Theater?
Recent reporting from popular tech outlets have served as a major wakeup call to the industry. Whenever a company gets caught with blantantly fake evidence of meetings, reports and tests that never occurred - it makes you wonder how many other compliance startups are doing the same. Delve is not the only bad apple.
This is the moment many of us in security and compliance have been expecting. What comes next is anyone’s guess.x
🔥The Bigger Picture: 7 Incidents. 10 Days.
Let’s zoom out: March was NOT a good month for governance and security.
LiteLLM. Axios. Railway. OpenAI Codex. Mercor. Claude Code. And right there in the middle: Delve. 494 fake compliance reports.
Delve didn’t create this problem — they just found the most cynical possible way to profit from it. The AI wave is moving faster than security infrastructure can keep up, and a generation of startups has learned that looking compliant is often good enough to close a deal, land a customer, and raise a Series A.
The shortcuts compound. A fake SOC 2 cascades into a LiteLLM breach. A rubber-stamped ISO 27001 becomes a HIPAA liability. The trust page listing controls that were never implemented becomes evidence in a lawsuit. Compliance isn’t a box-checking exercise — it’s the load-bearing wall of enterprise software. And right now, too many teams are building on a foundation of drywall and donuts.
⌚More to Come?
What’s crazy is that DeepDelver series isn’t done. Parts 3, 4, and 5 are coming. Part 4 or 5 reportedly contains what the author called “quite the nuclear bomb.”
We’ll be watching.
Disclaimer: The information contained in this article is not investment advice and should not be used as such. Views expressed are my own and are not the views of NextEra Energy Investments (NEI) or NextEra Energy (NEE: NYSE).










