
The SOC 2 Stamp Used to Mean Something

SOC 2 compliance used to require real pain. That pain was the point. You had to implement controls, collect evidence, hire an auditor, and sit through months of scrutiny. The overhead forced organizations to actually build security programs. If you survived the process, you probably had something real underneath.

That is no longer true. The stamp is becoming free, and the trust it once represented is collapsing.

The Old Way

Before 2018, SOC 2 was a manual process. Consultants built custom spreadsheets. Evidence meant screenshots, policy documents, and narrative descriptions authored by humans. A typical Type II engagement took 9 to 12 months end-to-end, consumed 400 to 600 hours of internal labor, and cost north of $100,000 when you added up audit fees, consultant time, and the organizational drag.

I saw this up close at Obsidian Security. When the company needed to scale its compliance program, our CISO Alfredo Hickman chose A-LIGN as the auditor and Drata as the GRC platform. The decision was deliberate. He evaluated large accounting firms and rejected them specifically because he was concerned about receiving a low-quality, rubber-stamp report that did not reflect our actual security posture. He wanted the report to mean something because Obsidian was a security company selling to Fortune 500 customers with complex security needs.

The friction was a feature. It forced you to stand up real controls, assign real owners, and operate them over a real observation period. The report was expensive to produce, which meant it was expensive to fake.

[Figure: The Compression of SOC 2. Time, cost, and labor to achieve certification, by era]
  Pre-2018, Traditional: 9-12 months, $100K+, 400-600 hrs
  2019-2024, Vanta / Drata: 4-6 months, $30K-$75K, 100-200 hrs
  2025, Accelerated: 4-8 weeks, $15K-$30K, 40-80 hrs
  Delve (fraud), 494 identical reports: days, $6K
  "Speed is not the problem. Removing the humans, the judgment, and the actual controls is."

Vanta Creates a Category

In 2018, Christina Cacioppo founded Vanta to automate SOC 2 compliance. When she pitched seed investors, they turned her down because "startups just don't get SOC 2s." That was accurate at the time.

Vanta proved them wrong by targeting YC startups, eventually becoming the default compliance tool for three-quarters of YC companies. The product connected to cloud APIs, pulled configuration data, flagged misconfigurations, and automated evidence collection. What used to take a year could now take weeks.

The effect was a snowball. More startups got SOC 2, which made buyers expect SOC 2, which drove more demand. Vanta hit $120M in ARR by mid-2025 with 12,000 customers and a $4.15 billion valuation.

Competitors followed. Drata was founded in 2020 and hit a billion-dollar valuation within 18 months. Secureframe, Sprinto, Thoropass, and others entered the market. The SOC 2 compliance automation market reached $850 million by 2025, projected to hit $1.7 billion by 2028.

These platforms genuinely reduced the burden. They automated the tedious evidence collection layer and made continuous monitoring possible. Vanta and Drata are not villains in this story. But they proved a concept that had consequences: compliance could be a software product. The market learned that the stamp was purchasable.

The Degradation Gradient

The slide from legitimate automation to outright fraud is not a cliff. It is a slope. Each level makes the next easier to rationalize.

[Figure: The SOC 2 Degradation Spectrum, from real security to pure theater]
  Level 1, Legitimate Automation: real controls exist; evidence from live systems; independent auditors exercise judgment (Vanta, Drata, done correctly)
  Level 2, Template-Driven Compliance: policies adopted, never operationalized; dashboard half-full; no control owners; access reviews overdue (most common failure mode)
  Level 3, Auditor Incentive Rot: rubber-stamp firms maximize throughput; rigorous auditors are slower, costlier; nobody asks who audited you; market rewards cheapest path
  Level 4, Outright Fraud: pre-written auditor conclusions; shell CPA firms; auto-generated evidence; 494 identical reports (Delve: $32M raised, $6K/report)
  Key insight: "The jump from Level 1 to Level 4 is not a cliff. It is a slope. When nobody reads the report, why not template it? When the templates are identical, who notices? The system rewards the shortcut at every step."

Level 1 is where platforms like Vanta and Drata operate when used correctly. Real controls exist, evidence is pulled from live systems, and independent auditors exercise judgment. But roughly 40 to 60 percent of SOC 2 controls require human processes, ownership, and operational cadence that no platform handles. When that gap is not addressed, you slide into Level 2.

Level 2 is the most common failure mode. Six months after buying a platform, the dashboard is half-populated, three control owners have not logged in since onboarding, and the quarterly access review is overdue because nobody defined who runs it. The platform works as designed. The problem is nobody designed the program it was supposed to run.

Level 3 is where the auditor ecosystem breaks down. Firms that rubber-stamp reports process more engagements at higher margins. Firms that conduct rigorous audits are slower, more expensive, and less attractive to platforms selling on speed. Until enterprise buyers ask "who audited you, and what did they actually test?" instead of "do you have SOC 2?", the market rewards the cheapest path to a badge.

Level 4 is fraud. And in March 2026, we saw what that looks like at scale.

The Delve Scandal

Delve was a YC-backed compliance startup that raised $32 million from Insight Partners at a $300 million valuation. Both founders made Forbes 30 Under 30. Their pitch: AI agents could compress months of compliance work into days.

In December 2025, an internal Google Spreadsheet was accidentally shared publicly. It contained links to 575 confidential files, including 494 SOC 2 reports. An anonymous investigator called DeepDelver downloaded everything, compared the reports, and published a 10,000-word investigation in March 2026.

The findings were not subtle.

Auditor conclusions and test procedures were pre-populated in draft reports before clients had submitted their company descriptions. The auditor's opinion existed before there was anything to audit, directly violating AICPA AT-C Section 205. All 259 Type II reports claimed zero security incidents, zero personnel changes, and zero cybersecurity incidents across the observation period. Every one of them. The same typo appeared in 493 of 494 reports: "because there no security incidents reported." The word "is" was missing. Verbatim, across hundreds of companies.

The "US-based CPA firms" Delve advertised turned out to be Indian certification mills operating through shell entities with virtual office addresses. One auditor, Gradient Certification, was registered in Wyoming through a mailbox agent with its president listed at a Delhi address. Another, Glocert, claimed UK headquarters but had filed dormant company accounts with Companies House for four consecutive years with zero revenue.

The platform auto-generated passing evidence for employees who had not completed onboarding, pre-fabricated board meeting minutes and risk assessments, and published fully populated trust pages before any compliance work had been done. Their initial quote was $15,000 for SOC 2. If a customer mentioned a competitor, the price dropped to $6,000, including ISO 27001 and a claimed 200-hour penetration test. Economically impossible.

The Hacker News thread reached 835 points and 295 comments. Security researcher tptacek called the reputational damage to SOC 2 "incalculable" and characterized it as a "sales-enablement tool" where practically nobody reads the reports. Patrick McKenzie (patio11) described Delve's product as "Potemkin compliance" and called the behavior "fraud, not the sort of benign rule-breaking celebrated in startup culture."

Insight Partners quietly deleted its investment blog post about Delve. Lovable publicly disavowed: "Lovable is not a Delve customer." LiteLLM, which had obtained SOC 2 via Delve in under 60 days, announced it would redo all certifications with Vanta and an independent auditor.

The Real Problem: The Stamp Is Becoming Free

The Delve scandal is not an outlier. It is what happens when the marginal cost of producing compliance artifacts approaches zero.

SOC 2 was designed in an era where producing a report required work. The friction created a minimum bar. If you went through all that effort, you probably had something real. Automation platforms lowered the cost on the legitimate side. Now AI collapses it entirely.

An LLM can generate plausible security policies, risk assessments, board meeting minutes, and incident response plans in minutes. It can populate templates, write system descriptions, and produce documentation indistinguishable from the real thing. This is exactly what Delve did. When AI can generate a plausible SOC 2 report for $6,000 that looks identical to a legitimate one that cost $75,000, the report itself ceases to be a useful trust signal.

Meanwhile, SOC 2 has become a binary sales gate. Enterprise procurement treats it as a boolean: you have it or you do not. Nobody asks who the auditor was, what observation period was used, how many exceptions were found, or what the mean time to remediation is. The report lives in a PDF that nobody reads on a trust page that nobody visits. The buyer checks the box and moves on.

This is the structural failure. When the cost to fake a compliance artifact is lower than the cost to verify it, the artifact is no longer a trust signal. The stamp is free. So the stamp is worthless.

And the data supports this. Major certified companies get breached regularly. SOC 2 compliance and actual security posture have been decoupling for years. The Delve scandal just made the gap visible.

What Should Replace the Annual Stamp

If the stamp is free, you need something that cannot be faked. Three properties matter.

[Figure: What Should Replace the Annual Stamp]
  Shift 1, Point-in-Time to Continuous Monitoring. Today: annual audit windows; controls tested once; non-compliant the morning after. Future: real-time control telemetry from live systems; drift detected in minutes; audit becomes a formality.
  Shift 2, Evidence Collection to Compliance as Code. Today: screenshots; manual uploads; evidence collected after the fact; AI can author all of it. Future: policies in OPA/Rego enforced in CI/CD; git repo = evidence; versioned, immutable.
  Shift 3, Binary Gate to Transparent Trust. Today: yes/no SOC 2 checkbox; nobody evaluates audit quality or reads the report. Future: live dashboards with control pass rate, exceptions, MTTR and auditor identity, queryable at point of sale.
  "The goal is not faster audits. It is making the audit a formality because the data already speaks for itself."

Shift 1: From Point-in-Time to Continuous Monitoring

SOC 2 Type II covers an observation window. Outside that window, the report says nothing. Organizations deploying infrastructure-as-code multiple times per day cannot meaningfully document their compliance posture on a single annual date. A misconfigured IAM role or unencrypted S3 bucket can appear and disappear between audits without ever being flagged. Point-in-time audits pass systems that are already non-compliant the next morning.

The audit should not be the moment of truth. It should be a formality that confirms what telemetry already shows.

This is where my time at Obsidian is instructive. Obsidian's product was built around real telemetry from live SaaS environments: posture scoring based on actual configurations, identity anomaly detection from real access patterns, configuration drift monitoring in real time. When Alfredo fed that data into Drata, the compliance evidence was a byproduct of actual security operations. Not a separate artifact someone created for the auditor.

That is the difference between compliance that reflects reality and compliance that describes a fantasy.

Shift 2: From Evidence Collection to Compliance as Code

The fundamental flaw in SOC 2 evidence is that it is authored. Humans write policies, take screenshots, describe controls in narrative form. AI is excellent at authoring. So authored evidence is now untrustworthy by default.

The replacement is evidence that is emitted by systems, not written by people. Compliance as code expresses security policies as machine-readable rules using tools like Open Policy Agent (OPA), HashiCorp Sentinel, or AWS Config Rules. These policies are versioned in source control, tested in CI/CD pipelines, and enforced at deploy time.

Instead of an auditor finding a public S3 bucket months later, the pipeline blocks the build instantly. The developer gets immediate feedback: deployment failed, public buckets are forbidden. The policy produces the same binary result every time. No auditor variance. No interpretation gaps.

Only 13 percent of organizations have adopted compliance as code today. But the direction is clear. Your code repository becomes the evidence: version-controlled, immutable, auditable. You cannot fake a git commit history of OPA policy enforcement the way you can fake a PDF of board meeting minutes.

The current model treats compliance as documentation. The future model treats compliance as engineering.
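The pipeline gate described above, as an added example that is not code from Vanta, Drata, OPA or the original post: a Go check that evaluates a constructed Terraform plan JSON the way a Rego deny rule in CI would, and fails the build when any S3 bucket is public. The plan shape follows `terraform show -json` (resource_changes with their after values); the resource types and attribute names are simplified assumptions for illustration.

```go
package main
import (
	"encoding/json"
	"fmt"
	"os"
)

// Plan is a minimal view of `terraform show -json` output: only the fields the policy reads.
type Plan struct {
	ResourceChanges []struct {
		Address string `json:"address"`
		Type    string `json:"type"`
		Change  struct {
			After map[string]any `json:"after"`
		} `json:"change"`
	} `json:"resource_changes"`
}
type Violation struct{ Address, Rule string }
// EvaluatePlan applies deterministic deny rules the way an OPA/Rego policy in CI would, returning every violation.
func EvaluatePlan(planJSON []byte) ([]Violation, error) {
	var plan Plan
	if err := json.Unmarshal(planJSON, &plan); err != nil {
		return nil, err // an unreadable plan is a failure, never a pass
	}
	var out []Violation
	for _, rc := range plan.ResourceChanges {
		after := rc.Change.After
		switch rc.Type {
		case "aws_s3_bucket_acl": // rule 1: no public canned ACLs
			if acl, _ := after["acl"].(string); acl == "public-read" || acl == "public-read-write" {
				out = append(out, Violation{rc.Address, "public ACL forbidden"})
			}
		case "aws_s3_bucket_public_access_block": // rule 2: all four block flags must be true
			for _, flag := range []string{"block_public_acls", "block_public_policy", "ignore_public_acls", "restrict_public_buckets"} {
				if v, _ := after[flag].(bool); !v {
					out = append(out, Violation{rc.Address, flag + " must be true"})
				}
			}
		}
	}
	return out, nil
}
// samplePlan is a constructed plan: one private bucket, one public bucket with a weakened access block.
const samplePlan = `{"resource_changes":[
 {"address":"aws_s3_bucket_acl.logs","type":"aws_s3_bucket_acl","change":{"after":{"acl":"private"}}},
 {"address":"aws_s3_bucket_acl.assets","type":"aws_s3_bucket_acl","change":{"after":{"acl":"public-read"}}},
 {"address":"aws_s3_bucket_public_access_block.assets","type":"aws_s3_bucket_public_access_block",
  "change":{"after":{"block_public_acls":true,"block_public_policy":false,"ignore_public_acls":true,"restrict_public_buckets":true}}}]}`
func main() {
	v, err := EvaluatePlan([]byte(samplePlan))
	fmt.Println("violations:", v, "error:", err)
	if err != nil || len(v) > 0 {
		os.Exit(1) // a non-zero exit is what blocks the deploy
	}
}
```

The same plan always produces the same violations, which is the "no auditor variance" property the section is after; the non-zero exit, not a report, is what stops the deploy.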

Shift 3: From Binary Gate to Transparent Trust

Enterprise procurement needs to stop treating SOC 2 as a boolean. Instead of "do you have SOC 2?", buyers should have access to continuous, queryable trust signals.

The Drata-AWS Trust Center pilot from June 2025 is an early version of this. Obsidian Security was one of 50+ companies to embed their compliance posture directly into their AWS Marketplace listing, making certifications and security status visible where buyers are already making decisions.

But it needs to go further. Imagine a trust endpoint that any buyer can query in real time: current control pass rate, auditor identity and AICPA accreditation, observation period length, number of exceptions, mean time to remediate control failures, last vulnerability scan date, and whether evidence was system-generated or manually uploaded.

This turns compliance from a file to a feed. A live signal is harder to fake than a static document. Continuous telemetry from real systems, cryptographically signed and independently verifiable, creates a trust model that does not depend on a PDF that nobody reads.
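The trust endpoint sketched above, as an added example that is not part of the original post or of any vendor's product: a Go producer/consumer pair in which the vendor signs a telemetry snapshot with an Ed25519 key and the buyer verifies the signature and rejects stale snapshots. The snapshot fields mirror the list above; their names, the sample values and the vendor key pair are constructed for illustration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// TrustSnapshot is one record of the queryable feed; field names are assumed for illustration.
type TrustSnapshot struct {
	ControlPassRate float64 `json:"control_pass_rate"`
	Auditor         string  `json:"auditor"`
	ObservationDays int     `json:"observation_period_days"`
	Exceptions      int     `json:"exceptions"`
	MTTRHours       float64 `json:"mttr_hours"`
	LastVulnScan    string  `json:"last_vuln_scan"`
	EvidenceSource  string  `json:"evidence_source"` // "system-generated" or "manual-upload"
	IssuedAt        int64   `json:"issued_at"`       // unix seconds, so staleness is checkable
}
// SignedSnapshot is what the endpoint serves: the exact signed bytes plus a detached signature.
type SignedSnapshot struct{ Payload, Signature []byte }
// Sign runs on the vendor side: serialise the snapshot and sign exactly those bytes.
func Sign(s TrustSnapshot, priv ed25519.PrivateKey) (SignedSnapshot, error) {
	payload, err := json.Marshal(s)
	if err != nil {
		return SignedSnapshot{}, err
	}
	return SignedSnapshot{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}
// Verify runs on the buyer side: reject altered payloads, wrong keys, and stale snapshots
// (a feed that stops updating is exactly the drift an annual report hides).
func Verify(ss SignedSnapshot, pub ed25519.PublicKey, now time.Time, maxAge time.Duration) (TrustSnapshot, error) {
	var s TrustSnapshot
	if !ed25519.Verify(pub, ss.Payload, ss.Signature) {
		return s, errors.New("signature invalid: payload altered or signed by another key")
	}
	if err := json.Unmarshal(ss.Payload, &s); err != nil {
		return s, err
	}
	if now.Sub(time.Unix(s.IssuedAt, 0)) > maxAge {
		return s, errors.New("snapshot stale: telemetry stopped flowing")
	}
	return s, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor key pair; the public half is published
	snap := TrustSnapshot{ControlPassRate: 0.97, Auditor: "Example Audit LLP (constructed)", ObservationDays: 180,
		Exceptions: 3, MTTRHours: 36, LastVulnScan: "2025-06-01", EvidenceSource: "system-generated", IssuedAt: time.Now().Unix()}
	ss, _ := Sign(snap, priv)
	got, err := Verify(ss, pub, time.Now(), 24*time.Hour)
	fmt.Printf("verified=%v pass_rate=%.2f exceptions=%d\n", err == nil, got.ControlPassRate, got.Exceptions)
}
```

The signature proves the snapshot came from the holder of the vendor's key and was not edited in transit; it does not prove the telemetry behind it is honest, so key custody and the pipeline that emits the snapshot remain the trust root.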

Where This Goes

SOC 2 is not dead. The underlying Trust Services Criteria are sound. The idea that service organizations should demonstrate the security of their systems is correct. What is broken is the delivery mechanism: a point-in-time report, produced once a year, evaluated as a binary, and increasingly trivial to fabricate.

The Delve scandal should force a structural rethink. If it does not, the next breach that traces back to a fraudulent SOC 2 report will. The question is whether the industry moves proactively or waits for the inevitable.

The stamp used to mean something because it was hard to get. Now it is easy. In a world where AI makes compliance artifacts essentially free to produce, trust has to come from somewhere the AI cannot reach: live systems, real telemetry, continuous enforcement, and transparent verification.

The goal is not faster audits. It is making the audit unnecessary because the data already speaks for itself.
