Y Combinator Drops Delve After Fake Compliance Report Allegations Surface
Y Combinator ejected Delve after allegations the $32M startup faked nearly 500 SOC 2 reports, leaving hundreds of customers questioning the validity of their compliance certifications.

The compliance economy has a trust problem, and Delve has become its most explosive case study. Y Combinator removed the San Francisco startup from its portfolio directory and asked its founders to leave the program after allegations emerged that Delve had systematically fabricated or templated SOC 2 reports for nearly 500 clients, potentially leaving companies exposed across sales contracts, vendor risk frameworks, and regulatory obligations.
Delve was founded in 2023 by MIT dropouts Karun Kaushik and Selin Kocalar, who positioned the company as an AI-native solution to one of enterprise software's most tedious requirements: compliance certification. Packages ran as low as $6,000 to $15,000 for SOC 2 Type II, ISO 27001, and HIPAA certifications, well below the cost of traditional Big 4 auditors, and the pitch landed. By January 2026, Kocalar was telling reporters the company served more than 1,000 customers across 50 countries and had helped clients secure "nine-figure deals and federal contracts." Insight Partners led a $32 million Series A at a $300 million valuation. Both founders earned Forbes 30 Under 30 recognition in the AI category for 2026.
The story unraveled through an anonymous Substack writer operating under the name DeepDelver, whose first installment, published around March 18, alleged that Delve had pre-generated auditor conclusions, circulated near-identical SOC 2 reports across roughly 494 clients, and routed compliance work through overseas contractors misrepresented as U.S.-based CPAs. A subsequent investigation alleged that the company's ISO 27001 certificates lacked accreditation from government-recognized bodies and that in at least one instance, Delve repackaged open-source code under the name "Pathways" and sold it to enterprise clients, including Notion, Brex, Anthropic, and Gusto, without proper attribution.
On approximately April 3, YC CEO Garry Tan sent a message to the accelerator's internal Bookface network confirming that Delve had been asked to leave the program. Kocalar confirmed the split publicly on X, writing, "YC and Delve have parted ways." Insight Partners also quietly deleted posts referencing its investment. At least one customer, Lovable, publicly announced it had already migrated to a competitor.

Kaushik and Kocalar pushed back hard. In a video statement posted to X, Kaushik acknowledged the company "grew too fast and fell short" but denied any fraud, arguing that two independent cybersecurity forensic experts determined that "a malicious actor, not a whistleblower or a customer," purchased a Delve account and extracted data in what he called "a coordinated, targeted cyberattack" engineered to manufacture the damaging reports. The company characterized much of the reporting as taken "out of context" while promising a fuller public response.
The damage already radiating through the market carries a different character than a typical startup scandal. When a company's product is an attestation, every client that relied on Delve's reports for vendor due diligence, contract procurement, or regulatory standing now faces a credibility gap. Fintech and health-tech buyers in particular depend on SOC 2 assurances to satisfy their own downstream obligations, and contract rescissions, vendor liability claims, and procurement failures represent the realistic range of consequences for organizations that signed agreements on the basis of Delve-issued certifications.
The episode points to a structural vulnerability the fast-compliance market has largely ignored: the same trust model that let a startup undersell traditional auditors by tens of thousands of dollars per engagement also meant no regulator flagged 494 supposedly distinct reports with identical negative controls. State attorneys general, federal consumer protection regulators, and enterprise procurement officers are now watching. What comes next will likely determine whether "instant SOC 2" remains a viable product category or becomes a cautionary footnote in the governance of AI-produced attestations.

