# Delve.co: The Agentic Wedge
**The Thesis:** Compliance used to be a consulting gig. Now it’s a compute problem.
I’ve spent time on both sides of this wall. At Kaiser, compliance was the product. If you messed up a HIPAA control, it was a break-glass, all-hands-on-deck crisis. At Datadog, security is about scale. Think enterprise customers asking, "Can you prove you're secure without slowing down my 5,000 devs?"
The gap between those two worlds is massive. Delve.co is capitalizing on that gap by betting that the only way to solve it is to stop monitoring the work and start doing it.
### 1. The Wedge: "Get In Early, Make It Easy"
Legacy players like Vanta and Drata built the "dashboard" era. They hook into APIs and scream at you when a light turns red. But you still have to fix it.
Delve’s wedge is **Speed + Agency**.
- **The Pitch:** "SOC 2 in days, not months."
- **The Growth Hack:** They didn't just send cold emails. They sent **10,000 donuts** to SF founders with the tagline _"The only hole in your security we approve of."_ It sounds gimmicky, but it worked because it targeted the emotional state of a founder: _I hate compliance, please just make it go away._
- **The Result:** They went from YC W24 to 500+ customers and a $300M valuation before Series A. They realized the market wasn't just startups; even 10,000-person companies are tired of the "compliance tax."
### 2. The "Agentic" Shift (The Real Product)
This is where it gets interesting for a product person. Delve isn't just checking `GET /config`. They built **Agents** that use "Computer Use" concepts.
- **Screenshots:** If an evidence artifact doesn't have an API (like some legacy on-prem firewall setting), a human usually has to screenshot it. Delve’s agents log in, navigate the UI, take the screenshot, and upload it.
- **Questionnaires:** They ingest your entire policy stack. When a vendor sends a security questionnaire, their AI drafts the answers based on your _actual_ config, not just a static knowledge base.
### 3. The "Secure Variable" Parallel (Kaiser vs. Datadog)
This ties back to the "Secure Variables" PRD.
**HIPAA/Privacy:** At Kaiser, we couldn't just "monitor" data; we had to prove custody. If Delve’s agent takes a screenshot of a database console to prove "Encrypted at Rest," and that console accidentally shows a patient's name... that’s a breach.
- **The Need:** Just like your "write-only" variables, Delve needs **"Write-Only Evidence."** The agent captures the proof, locally redacts PII/PHI via computer vision, hashes it, and _then_ stores it. If the platform stores the raw screenshot, they are a liability.
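To make the "Write-Only Evidence" idea concrete, here is an added example (my own illustration, not Delve's code) of the capture, redact, hash, store sequence. It assumes the agent's capture is available as text rather than an image, so a few regexes stand in for the computer-vision redaction step; the console dump, the PII patterns, and the control id are all constructed for the example. The point it shows is structural: the store only ever receives the redacted artifact and its hash, so the raw capture has nowhere to leak from.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed sample: what an agent might capture from a database console page,
# rendered as text here because this example does not run computer vision.
# The encryption line is the evidence we want; the preview rows are PHI we do not.
CAPTURED_CONSOLE = """\
RDS Instance: prod-patients-db
Storage encryption: ENABLED (KMS key alias/placeholder-key)
Recent query result preview:
  patient_name=Jane Example  mrn=123456789  email=jane.example@example.org
  patient_name=John Sample   mrn=987654321  email=john.sample@example.org
"""

# Regex stand-ins for the CV redaction step (illustrative patterns, not exhaustive).
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "mrn": re.compile(r"\bmrn=\d{6,}"),
    "name": re.compile(r"patient_name=[A-Za-z]+ [A-Za-z]+"),
}


@dataclass(frozen=True)
class EvidenceRecord:
    control_id: str
    sha256: str            # hash of the redacted artifact, computed before storage
    redactions: dict       # how many hits each pattern removed (auditable, no PII)
    redacted_artifact: str


class EvidenceStore:
    """Stores only redacted artifacts plus their hashes; never the raw capture."""

    def __init__(self) -> None:
        self.records: list[EvidenceRecord] = []

    def put(self, record: EvidenceRecord) -> None:
        self.records.append(record)

    def contains_text(self, needle: str) -> bool:
        # Used in the test to prove no raw PII made it into the store.
        return any(needle in r.redacted_artifact for r in self.records)


def redact(text: str) -> tuple[str, dict]:
    """Replace every PII match with a labelled placeholder; return counts per pattern."""
    counts = {}
    for label, pattern in PII_PATTERNS.items():
        text, n = pattern.subn(f"[REDACTED {label.upper()}]", text)
        counts[label] = n
    return text, counts


def capture_and_store(raw_capture: str, control_id: str, store: EvidenceStore) -> EvidenceRecord:
    """Write-only evidence: redact locally, hash the redacted artifact, then persist.

    The raw capture is only ever held in this function's local scope.
    """
    redacted, counts = redact(raw_capture)
    digest = hashlib.sha256(redacted.encode("utf-8")).hexdigest()
    record = EvidenceRecord(control_id, digest, counts, redacted)
    store.put(record)
    return record


def verify_evidence(record: EvidenceRecord) -> bool:
    """Recompute the hash so an auditor can detect a tampered artifact."""
    return hashlib.sha256(record.redacted_artifact.encode("utf-8")).hexdigest() == record.sha256


if __name__ == "__main__":
    store = EvidenceStore()
    rec = capture_and_store(CAPTURED_CONSOLE, "CTRL-ENC-AT-REST-PLACEHOLDER", store)
    print(rec.redacted_artifact)
    print("redactions:", rec.redactions, "hash ok:", verify_evidence(rec))
```

The useful property is that `capture_and_store` is the only function that ever sees the raw capture, and it hands the store a record that already has the hash baked in; anything that later reads the store can verify integrity but cannot recover the patient rows.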
**Scale/Trust:** Enterprise customers don't trust "black boxes." They want verification.
- **The Friction:** If I’m a CISO at a Fortune 500 buying software, a PDF report is nice for collecting digital dust; a dynamic Trust Center backed by real-time data is what builds confidence. Delve built a public-facing page that shows live control status.
- **The Risk:** If the agent hallucinates and says "MFA is on" when it’s not, the liability is massive. The architecture has to be Deterministic Verification, not just LLM summarization.
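Here is an added example (mine, not Delve's architecture) of what "Deterministic Verification, not just LLM summarization" looks like for the MFA case above. It assumes a simplified identity-provider policy export, constructed inline, and a placeholder control id; the rule is that a user counts as covered only if at least one policy applies to them and every applicable policy requires MFA, since a permissive policy is still a login path. The published status is derived from that rule, and an LLM's summary can at most agree with it or trigger a review.

```python
import copy
from dataclasses import dataclass

# Constructed sample: a simplified identity-provider policy export.
# Carol is covered only by a policy that does not require MFA; Dave is in a
# group no policy mentions at all. Both are real-world ways "MFA is on" is false.
IDP_EXPORT = {
    "users": [
        {"id": "u1", "email": "alice@example.test", "groups": ["engineering"]},
        {"id": "u2", "email": "bob@example.test", "groups": ["finance"]},
        {"id": "u3", "email": "carol@example.test", "groups": ["contractors"]},
        {"id": "u4", "email": "dave@example.test", "groups": ["marketing"]},
    ],
    "policies": [
        {"name": "mfa-staff", "require_mfa": True, "applies_to_groups": ["engineering", "finance"]},
        {"name": "legacy-contractors", "require_mfa": False, "applies_to_groups": ["contractors"]},
    ],
}

CONTROL_ID = "CTRL-MFA-PLACEHOLDER"  # placeholder, not a real framework id


@dataclass(frozen=True)
class ControlResult:
    control_id: str
    passed: bool
    evidence: dict  # machine-derived facts the verdict rests on, safe to publish


def mfa_enforced_for_user(user: dict, policies: list) -> bool:
    """A user is covered only if some policy applies and all applicable ones require MFA."""
    applicable = [p for p in policies if set(p["applies_to_groups"]) & set(user["groups"])]
    return bool(applicable) and all(p["require_mfa"] for p in applicable)


def check_mfa(export: dict, control_id: str = CONTROL_ID) -> ControlResult:
    """Deterministic verdict computed from the export, with the uncovered users as evidence."""
    uncovered = sorted(
        u["email"] for u in export["users"] if not mfa_enforced_for_user(u, export["policies"])
    )
    return ControlResult(
        control_id=control_id,
        passed=not uncovered,
        evidence={"users_checked": len(export["users"]), "users_without_mfa": uncovered},
    )


def reconcile(llm_summary_says_pass: bool, result: ControlResult) -> str:
    """What the Trust Center publishes.

    The deterministic result decides PASS/FAIL. If the LLM summary disagrees with
    it, the control is held for human review rather than published either way.
    """
    if llm_summary_says_pass == result.passed:
        return "PASS" if result.passed else "FAIL"
    return "CONFLICT_NEEDS_REVIEW"


def fixed_export() -> dict:
    """Constructed remediation: contractors policy now requires MFA, marketing is covered."""
    fixed = copy.deepcopy(IDP_EXPORT)
    fixed["policies"][1]["require_mfa"] = True
    fixed["policies"][0]["applies_to_groups"].append("marketing")
    return fixed


if __name__ == "__main__":
    result = check_mfa(IDP_EXPORT)
    # A hallucinated "MFA is enforced for all users" summary would claim pass=True.
    print(result.evidence, "->", reconcile(True, result))
    print(check_mfa(fixed_export()).evidence, "->", reconcile(True, check_mfa(fixed_export())))
```

Note that the evidence dict carries only emails and counts, so it can sit behind the live control status on a Trust Center page without the write-only concerns from the previous section; the raw export never leaves `check_mfa`.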
### 4. Why It Works
Delve effectively productized the "Junior Security Analyst."
- **Old Way:** Hire a consultant ($50k) + Wait 3 months + Nag engineers for screenshots.
- **Delve Way:** Connect Agents ($) + Wait 3 days + Agents take screenshots.
They realized that for the "Datadog" persona, the problem is the sheer volume of manual labor required to prove you did it. I've enjoyed reading through NIST SP 800-53 for the organizational challenge it addresses, but by offloading that labor to agents, Delve turned compliance from a services business into a software business.
**Key Takeaway:** The "Secure Variables" mantra - Store it once. Secure it everywhere. Use it without seeing it - is the exact philosophy needed for Agentic Compliance. The agent sees the secret (the evidence), verifies it, and locks it away. Reminds me of how fun it was digging into Zero-knowledge proofs in college.