Delve - Fake Compliance as a Service - Part I

How Delve managed to falsely convince hundreds of customers they were compliant and then lied about it when exposed and called out

DeepDelver
Response to Misleading Claims | Delve

Setting the record straight on recent misleading claims about our compliance platform.

> These are starting points only: customers are responsible for reviewing, modifying, and finalizing their own materials. Draft templates are not the same as “pre-filled evidence.”

Yeah, ok. BRB to start a bank where I template everyone a billion dollars, it's up to you to be honest with how much money you have.

> “Non-denial denial” is a term of art in PR. Never read one? They’re fun.

— patio11 about this response (https://x.com/patio11/status/2035115379169677717)

*Actual fun may vary.

To me this is the money shot (but it takes a couple of passes to understand):

> No small amount of criticism of LLMs is downstream of past decisions to reify form over function, resulting in the substance having been optimized out. Now the LLM threatens to make the form available in seconds

Had to do a double take, but true

They’ve possibly dug an even deeper hole now.

None of their ISO 27001 certificates, aside from the premium one-offs with the vCISO, are accredited by any reputable ISO accreditation body. I would even argue that IAS, who accredited Prescient Security (mentioned as a reputable body in the article), has a questionable reputation and certainly gives off a pay-to-play impression.

You can look up the names of their partners below. The one body I found that is on the register (Accorp) is accredited by UAF, a known cert-mill accreditation body, and I’m not even sure it’s the same Accorp that Delve has partnered with.

For reference, you want an ISO certificate issued by a body accredited by UKAS (UK gov. adjacent non-profit), ANAB (ANSI), or equivalent, all government-recognised. This is normally the first thing I check whenever someone claims ISO 27001 certification and it is a great heuristic to validate certification rigour.

https://www.iafcertsearch.org/search/certification-bodies

Shockingly low levels of DD by everyone involved here.

> "If there are more attacks to respond to we will do so."

Wow, what a way to end the document.

Wow! They confirmed it in the last paragraph. "we are investigating possible leaks", not "we have filed a libel suit". A leak means an insider spilled the beans.