
Fake SOC 2 and ISO 27001 Certifications Are Spreading Across Dev Tools
A detailed investigation published on Substack has alleged that Delve, a compliance automation platform, systematically manufactured false SOC 2 and ISO 27001 certifications for its clients. If the allegations hold up, it represents one of the largest compliance fraud operations in the startup ecosystem. For developers and engineering teams that rely on compliance certifications when evaluating tools, this is a wake-up call.

What Happened with Delve

According to the investigation, Delve operated by pre-populating audit evidence, generating test procedures and conclusions internally, and then routing the finished package to auditing firms that would rubber-stamp the results without conducting independent verification. The key allegations include:

Fabricated audit evidence - Delve's platform allegedly generated compliance artifacts and pre-filled audit conclusions rather than requiring clients to demonstrate actual security controls

Non-independent auditors - The auditing firms used were
Continue reading on Dev.to