To be clear, I don't have direct evidence or public reporting to corroborate what Troy is saying. I'll keep an eye out and share if and when more information comes to light.

But if you listened to this podcast episode @sawaba and I did on the subject 5 months ago with AJ Yawn, you won't be surprised that what Troy describes has probably been happening to various degrees for a while now: https://www.tenchisecurity.com/en/alice-in-supply-chains/episode-7-hoxz2

It is worth understanding that "independent" audit reports like SOC 2, even more so than security certifications, have very important economic incentive issues. They give auditees too much control over the process, and are most likely severely overrepresenting how secure third parties are.

The auditors are chosen and paid for by the third party, so their economic incentive is not to be thorough, truthful and provide those companies with tough love that leads them to be transparent about (and hopefully improve) their security posture.

The selling pitch and criteria for the auditor and compliance automation vendor selection by a third party are, overwhelmingly, "we'll make you look good with your customers and close more deals, faster". As the podcast episode makes clear, there are little to no effective processes to disincentivize or punish those providers for misbehaving by giving their customers an undeserved clean bill of health.

First parties I talk to give less and less weight to self-assessment questionnaires, trust centers and "independent" audits paid for by the third-party because of that. So the compliance automation and security audit and certification industry is destroying the very value it is promising to provide.

Original LinkedIn post: https://www.linkedin.com/posts/sieira_details-have-emerged-regarding-a-widespread-activity-7415394996184424449-CSzO

UPDATE: https://www.reddit.com/r/soc2/comments/1q7u90o/real_or_fake_the_delve_scandal_or_conspiracy/

Hey @jerry and @lerg ... seems like an interesting topic to discuss on the Defensive Security podcast! I know I would love to hear your thoughts on this.
@jerry @lerg this is the discussion @sawaba and I had on the topic: https://youtu.be/2-o78Xt7GAw?si=TLxhYYJwK8YGAVZr
Episode #13, January 2026 - Alice in Supply Chains Podcast (YouTube)

@AlexandreSieira @jerry @lerg I've been asking around on how people use SOC 2s, as I've noticed the latest trend is having AI analyze them.

The question I've been asking is "how often does a SOC 2 kill a deal or contribute to killing a deal" and the answer seems to be "never".

So, what are we doing here? Where's the value aside from some imperceptible, unmeasurable, slight increase in confidence in the SOC 2 holder?

@AlexandreSieira @jerry @lerg I remember working for a vendor once, when one prospect on a sales call proudly stated that "all their vendors had SOC 2s - no exceptions"

We refused to go through SOC 2 but were happy to share our standard packet of documentation on how we did security.

They bought anyway. It was all a bluff.

@sawaba @AlexandreSieira @lerg Speaking only from my experience, they were helpful in staving off client demands for contractual audit rights. I am pretty convinced few, if any, customers actually read the report. Most that did were mainly focused on the section covering the user entity controls, and the rest used it to look for anything in the report they could use as bargaining power or an excuse to terminate the contract. It's a big kabuki dance, and it's not terribly surprising to see shenanigans, though I haven't seen the bottom of this particular controversy - last I saw, it looked like it might still be a misunderstanding or has it been confirmed to be shenanigans?

@jerry @sawaba @lerg no smoking gun, except for leaders from a couple of competitors saying they called some of the companies in the list and confirmed the rubber stamping.

The lack of public discussion about this from the company alleged to have misbehaved, and also the lack of coverage in industry news, are a bit weird. But the latter could be explained by this being a very unsexy niche issue, combined with possible aggressive lawyering by the company in question. 🤷‍♂️

@jerry @sawaba @lerg there is also a Slack group that was created to discuss some form of "SOC 2 reliability rubric" which I joined but haven't really followed up with intensely so far: https://www.linkedin.com/posts/activity-7420838393133166592-1bgk
Delve - Fake Compliance as a Service - Part I (DeepDelver): How Delve managed to falsely convince hundreds of customers they were compliant and then lied about it when exposed and called out

@jerry @sawaba @lerg Tony Martin-Vegue is spot-on as usual... this is not an outlier, this is a consequence of a deeply flawed system and "nearly every actor in the compliance ecosystem behaving rationally given the incentives in front of them."

https://www.linkedin.com/posts/tonymartinvegue_i-know-youre-tired-of-the-delve-discourse-activity-7441294170406891520-UtGg

Fake SOC 2 reports expose flawed compliance system (Tony Martin-Vegue on LinkedIn):

I know you're tired of the Delve discourse. I'm not here to pile on. But this story is a symptom of something I've been writing about for a while, and it's worth talking about the system that produced it. A detailed investigation dropped this week alleging that a compliance startup was generating fake SOC 2 reports at scale: https://lnkd.in/gmfNNQcK Here's my take: nearly every actor in the compliance ecosystem is behaving rationally given the incentives in front of them. Enterprise buyers require SOC 2 reports because procurement policies and industry convention demand them. Vendors pursue certification because deals depend on it. Boards want it done fast because compliance isn't a revenue driver. Platforms compete on speed and price because that's what the market rewards. Auditors work within the constraints their clients bring them. TPRM teams collect the reports because their process says to. None of that is irrational, but the system those incentives create is. It rewards the existence of an artifact over the substance behind it, and it has for a very long time. Push that logic far enough, and someone will take the shortcut the system is practically begging them to take. A well-run SOC 2 with a reputable firm has real value. Good auditors, good platforms, and good TPRM programs exist. The problem is that at the point where it matters most, the checkpoint where a deal moves forward or stalls, the market often can't tell the difference between rigorous work and paper that looks the same because both check the same box. I've run a few TPRM programs over the years, and the pattern is remarkably consistent. We collected SOC 2 reports because we had to, but a 10-minute conversation about how a vendor thinks about risk told me more about their security maturity than the report ever did. That's not an indictment of SOC 2; it's an indictment of a system that treats the report as the endpoint rather than one input among many. 
I wrote about this cycle of perverse incentives almost a year ago, well before this story broke, comparing it to the Great Hanoi Rat Massacre of 1902, where a bounty designed to reduce rats ended up incentivizing people to breed them. That essay is expanded in my book From Heatmaps to Histograms. https://lnkd.in/dT8hPT7e Until the incentives change, this will keep happening.

@AlexandreSieira @sawaba @lerg I hadn’t seen parts 2 and 3 yet. Thank you!