Trust is Dead: on Delve’s ‘Fake Compliance’ Accusations

3-23-2026 (Monday)

Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, March 23, 2026. Spring feels like it’s finally maybe possibly here, the war in Iran continues, and we’ve got both some follow-up and some new items to discuss.

Let’s start with the follow-up.

Stryker Still Struggling

In an update posted this morning, Stryker notes that they’re still working on restoration efforts:

Our internal teams continue to work around the clock with external partners to make meaningful progress on our restoration efforts. We are grateful for the partnership and collaboration with government agencies and industry partners.

We believe the incident is contained, and we are prioritizing restoration of systems that directly support customers, ordering and shipping. Our internal teams, in partnership with third-party experts, reacted quickly to not only regain access but to remove the unauthorized party from our environment.

They also posted a letter from Palo Alto Networks’ Unit 42 team, who did the Digital Forensics and Incident Response (DFIR), that says they don’t see any persistence or remaining Indicators of Compromise.

This is, I assume, small comfort to those who are impacted, but worth giving the Stryker folks some credit for trying to be on the front foot of this whole thing.

The end result, however, is that they’re still mostly down, now almost two weeks into the incident.

Meanwhile, the US has formally “accused Iran’s government of being behind the hacktivist group Handala,” through a Department of Justice press release.

At the same time, the FBI has reportedly seized two websites that the Handala group uses to coordinate and disseminate information.

So - best case - nobody else is wiped by this particular group, but the pain is very real and very persistent for Stryker and their customers.

Trust is Dead: on Delve’s ‘Fake Compliance’ Accusations

In another corner of the internet, an anonymous Substack article was posted that accused compliance acceleration startup Delve of faking results, churning out SOC 2 and ISO 27001 reports for customers via Indian audit mills, and materially misrepresenting the actual security controls of many customers.

The post claims that Delve “achieves its claim of being the fastest platform by producing fake evidence, generating auditor conclusions on behalf of certification mills that rubber stamp reports, and skipping major framework requirements while telling clients they have achieved 100% compliance.”

Delve, for their part, responded to the accusations with a blog post, which doesn’t exactly inspire confidence, noting that the actual audit is done by independent auditors.

One of those auditors, Accorp Partners, recently failed their AICPA Peer Review Program. The letter noting this failure is short but pretty damning: it states that the firm’s policies and procedures were not designed or operating effectively, and that they did not provide reasonable assurance that engagement teams acted appropriately.

The problem, of course, is that this entire mechanic around SOC 2 is supposed to be the trust broker that clients can rely on. If these auditors, and the systems behind them, can’t be trusted, then neither can the reports.

SOC 2 reports have long been a bit of a dark art, but this peek behind the curtain certainly doesn’t inspire any additional confidence, even if it’s not entirely as bad as it seems on the surface (with the caveat that it could also just as likely be even worse).

At the end of the day, you’re responsible for the third parties with which you share data or access. Perform a level of diligence you’re comfortable with given the relationship you have. That should likely take into account the type of data, the amount of data, access levels, and/or annual spend with a vendor.

It’s not reasonable or possible to treat every vendor the same from a due diligence / third-party risk management (TPRM) perspective. You need to build a framework that helps you triage these vendors in context with your own business, then manage the risk accordingly.

It’s also worth reviewing the issuing firm of the SOC 2 provided by your vendors. If it’s any of the ones who work with Delve (Accorp, Glocert, DKPC (Diwakar Kamath Professional Corporation), Accorian, Gradient Certification, Prudence Advisors, and BQC Assessment), it might be worth a second look.

Fundraising

From a fundraising perspective, I remain surprised at the volume of newly committed capital, given the macro volatility, but we saw more than $20B last week, led by:

  • Blackstone raised $12b for its third Asia-Pacific buyout fund; and 

  • Triton Partners raised €5.5b for its sixth flagship midmarket PE fund.

A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and now sign up for our monthly newsletter, the Intentional Dispatch.

We’ll see you next week for another edition of the Intentional Brief.

Links

https://www.stryker.com/us/en/about/news/2026/a-message-to-our-customers-03-2026.html

https://techcrunch.com/2026/03/20/u-s-accuses-irans-government-of-operating-hacktivist-group-that-hacked-stryker/

press release

https://www.bleepingcomputer.com/news/security/fbi-seizes-handala-data-leak-site-after-stryker-cyberattack/

https://deepdelver.substack.com/p/delve-fake-compliance-as-a-service

https://www.linkedin.com/feed/update/urn:li:activity:7441765745136619520/

Peer Review Report
