This is getting messy. Really messy.
Yesterday, Karun Kaushik, the 21-year-old founder and CEO of Delve, published a lengthy denial on X about allegations that his company was helping customers fabricate compliance evidence. Today, his accuser came back swinging with receipts: videos, Slack messages, the whole package. And DeepDelver, the anonymous whistleblower, promised this was just the beginning.
For those unfamiliar, Delve is a startup that automates the tedious work of obtaining security certifications and proving compliance with regulations like GDPR. It’s the kind of problem that actually deserves solving. Companies hate compliance work. It’s expensive, time-consuming, and mind-numbingly bureaucratic. Delve raised a $32 million Series A just last summer, fresh off a $3 million seed round. Y Combinator pedigree. MIT founder credentials. The whole startup narrative.
Now it’s imploding in real time on social media.
The Certification Shell Game Nobody Talks About
Here’s the uncomfortable truth that’s been lurking in the technology and compliance world for years: a lot of people don’t actually believe these certifications mean anything. SOC 2, ISO 27001, all those fancy letters companies slap on their websites? Many security professionals treat them as security theater. Checkbox compliance. A way for enterprises to say they did their due diligence when something inevitably goes wrong.
But there’s a difference between the system being imperfect and actively gaming it.
The timing here is particularly damaging because LiteLLM, one of Delve’s high-profile customers, became the subject of its own viral incident last week when malware infected its open-source project. LiteLLM had obtained two security certifications through Delve. When you’re the poster child for the service right as the service gets accused of faking evidence, well, that’s just bad luck layered on top of potential fraud.
What Actually Happened (Or Allegedly Did)
DeepDelver’s allegations are specific enough to move beyond vague whistleblowing. Video evidence. Slack conversations. The accuser is making claims that Delve didn’t just have lax processes or cut corners, but actively helped customers generate false compliance documents.
That’s not a process problem. That’s illegal.
Kaushik’s response was predictable founder-in-crisis mode: detailed denial, appeal to his team’s integrity, suggestion that things are being taken out of context. The standard playbook. But when your accuser comes back with documented evidence and announces there’s more coming, the playbook stops working.
The real question now is whether this is a coordinated campaign against Delve or whether there’s genuine substance here. DeepDelver claims inside knowledge. If that’s credible, then Insight Partners and every other investor who wrote checks need to start asking very uncomfortable questions.
The Bigger Picture Nobody Wants to Admit
This whole situation exposes something business leaders and security teams quietly acknowledge behind closed doors: compliance has become disconnected from actual security. You can pass a SOC 2 audit and still get hacked. You can be ISO certified and still have your infrastructure compromised.
Delve’s entire value proposition depends on this being true. They make compliance easier because compliance is annoying bureaucracy, not real security. But if they’re faking the evidence? If they’re helping companies check boxes without doing the actual work? Then they’re not just committing fraud. They’re actively making the internet less secure.
The startup funding environment might have contributed to this. Two 21-year-old MIT dropouts raising $32 million to solve a problem in an industry they probably didn’t fully understand yet. A growth-at-all-costs mentality. Pressure to retain customers and show success. These aren’t excuses, but they’re context.
Where This Ends
Delve will either prove these allegations false with absolute transparency, or this becomes another cautionary tale about how venture capital can fund companies into existential crises faster than anyone can control.
The really interesting question is what happens to the compliance industry afterward. Because if people stop trusting these certifications, and the alternative is actual security audits that cost millions and take months, then enterprises are stuck. They need some way to prove they’re serious about security without bankrupting themselves.
Maybe that’s when they finally start taking actual security seriously instead of just the appearance of it.


