Troubled startup Delve has ‘split’ from Y Combinator


The controversy around Delve appears to have cost the compliance startup its relationship with accelerator Y Combinator.

Delve is no longer listed on YC’s portfolio company directory, and the Delve page appears to have been removed from the YC website. Additionally, the startup’s chief operating officer, Selin Kocalar, posted on X that “YC and Delve have separated.”

“I still remember the day we did our YC interview at MIT,” Kocalar said. “We are very grateful to the community and all the founding friends we have made.”

YC is not the first investor to distance itself from Delve. Insight Partners also appears to have deleted posts about its investment in the company, although its main blog post was later restored.

Meanwhile, Delve continues to fight anonymous claims that it misled customers by telling them they met privacy and security standards while allegedly bypassing important requirements and automatically generating reports for “certification factories that approve reports.”

These statements were first published in an anonymous Substack post attributed to “DeepDelver,” who described themselves as a former Delve customer who became suspicious after receiving leaked data about the startup’s customers.

DeepDelver published subsequent posts sharing what they said were Slack posts and video from the company, as well as accusing Delve of passing off an open source tool as its own without giving credit or reaching an agreement with the developer. A security researcher also said he could access sensitive Delve data.

Meanwhile, Delve became part of a related controversy when malware was discovered in an open source project developed by Delve customer LiteLLM.

In the company’s latest blog post, Delve’s COO Kocalar and CEO Karun Kaushik declared their intention to set “the record straight on anonymous attacks.” Among other things, they claimed that the company hired a cybersecurity firm “to help us understand what happened” and said that “the evidence points to a malicious attack rather than a true whistleblower.”

“It appears that an attacker purchased Delve under false pretenses, maliciously exfiltrated data, including internal Delve company data, and used it to launch a coordinated smear campaign against us,” they said. The blog post also includes a screenshot that they said “shows the attacker extracting our audit trail spreadsheet through file.io.”

Beyond this accusation, Delve also described DeepDelver’s criticism as “a mix of made-up claims, cherry-picked screenshots, and data taken out of context.” For example, they said that DeepDelver “dismisses our AI but acknowledges that it has automated 70% of a security questionnaire.”

On the question of using open source tools, Delve said it “built on an Apache 2.0 open source repository, which explicitly allows commercial use, and significantly rebuilt it for compliance use cases.”

However, executives also said they have been taking steps to ensure customers “feel confident in our platform and compliance results.”

Those steps supposedly include cleaning up the company’s network to remove audit signatures “that do not meet our standards,” “offering complimentary re-audits and penetration tests to all active customers,” and making it “unequivocally clear” that Delve’s templates for things like board meeting notes “are designed to be just starting points.”

In a post on X, Kaushik made many of the same points, but also said, “We grew too fast and fell short of our own standard. To our customers, we deeply apologize for the inconvenience caused.”

TechCrunch has reached out to Y Combinator and DeepDelver for any response to Delve’s comments.


