The Compliance Industry Has a Trust Problem. Here's How We Fix It.
A major compliance platform was just exposed for fabricating SOC 2 evidence at scale. The co-founders of YSecurity and Cyberbase (Sasha Sinkevich and Jon McLachlan) break down what went wrong, why it matters for every security leader, and 5 questions to ask your compliance vendor today.
March 26, 2026
4 min read
A joint statement from the co-founders of YSecurity and Cyberbase
This past week, the cybersecurity and compliance community was shaken by a deeply troubling investigation. A detailed exposé published by DeepDelver, and subsequently covered by TechCrunch, Inc., and Yahoo Finance, revealed allegations that a well-funded compliance automation startup had been systematically delivering fabricated audit evidence, routing clients through uncredentialed certification mills, and generating SOC 2 reports so identical that 493 out of 494 contained the same grammatical error.
We want to be clear: this article is not about casting stones at any single company. The allegations, if proven true, will be dealt with through the proper legal and regulatory channels. What concerns us, and what should concern every CISO, CTO, VP of Sales, and compliance leader reading this, is what the scandal reveals about a systemic vulnerability in how businesses approach security compliance today.
The promise of getting compliant in days instead of months was always too good to be true. And now, hundreds of companies may be discovering that their SOC 2 reports, ISO 27001 certifications, and HIPAA attestations aren't worth the PDFs they're printed on.
The real cost of checkbox compliance
Let's talk plainly about what's at stake.
Under HIPAA, willful neglect of compliance obligations carries mandatory penalties starting at $50,000 per violation and can scale to $1.9 million per violation category per year — plus potential criminal prosecution. Under GDPR, fines can reach 4% of global annual revenue or €20 million, whichever is higher. And these aren't theoretical risks. Regulators have made it abundantly clear that relying on a vendor's assurance without performing your own due diligence does not shield you from liability.
When a company publishes a trust page claiming completed penetration tests, implemented encryption controls, and verified access management — and none of those things actually exist — it's not just a compliance gap. It's a misrepresentation to every customer, partner, and investor who relied on that information to make a decision.
The DeepDelver investigation described a world in which 259 separate Type II audit reports claimed zero security incidents, zero personnel changes, and zero cyber events across every single company's observation period. That's not compliance. That's a statistical impossibility dressed up as assurance.
Why this keeps happening
The compliance-as-a-service model grew out of a genuine and understandable pain point. Traditional compliance is slow, expensive, and often disconnected from the actual security posture of a business. Startups racing to close enterprise deals don't have twelve months and six figures to spend getting audit-ready. We get it — we built our companies precisely because we understand that frustration.
But the answer to slow compliance was never supposed to be fake compliance.
The Delve investigation exposed a specific failure pattern: a platform that pre-wrote auditor conclusions before evidence existed, generated passing results before a single control was tested, and relied on audit firms that operated through shell entities rather than performing independent reviews. The structural problem is clear: when the same entity that helps you implement controls also produces the audit conclusions about those controls, the independence that gives compliance frameworks their value evaporates entirely.
AICPA standards — AT-C Section 205 on independence and AT-C Section 315 on reasonable assurance — exist for exactly this reason. The separation between implementer and examiner isn't bureaucratic overhead. It's the foundation of trust.
What we believe — and what we've built
At YSecurity and Cyberbase, we've always operated from a simple conviction: compliance should accelerate your business, not expose it to risk. But speed without substance is worse than no compliance at all, because it creates a false sense of security that makes you more vulnerable, not less.
YSecurity exists as a cybersecurity services company because we believe that expert human guidance remains essential in the compliance journey. Our consultants and virtual CISOs work alongside your team — not to rubber-stamp templates, but to understand your actual architecture, identify real gaps, and build controls that reflect how your business truly operates. When we help a client prepare for a SOC 2 audit, we make sure the evidence is real, the controls are implemented, and the audit firm performing the examination is genuinely independent.
Cyberbase exists as a product because we also believe that technology should make compliance faster and more transparent — without cutting corners on integrity. Our platform automates the tedious parts of compliance: evidence collection from your playbooks, security questionnaire responses grounded in your real controls, contract redlining that catches risk before it becomes liability, and a Trust Center that reflects your genuine security posture. When Cyberbase says a control is in place, it's because our integrations verified it against your live environment — not because someone clicked "save" on a pre-populated template.
Together, YSecurity's expert services and Cyberbase's AI-powered platform deliver compliance that's real, defensible, and ready for scrutiny.
A moment of reckoning — and an opportunity
We believe this moment, as uncomfortable as it is for our industry, is ultimately healthy. It forces an honest conversation about what compliance actually means and what businesses should demand from the vendors they trust with their security posture.
If you're a security or compliance leader, here are the questions we'd encourage you to ask — of any vendor, including us:
About independence:
Does the vendor that helps you implement controls also produce or influence the audit conclusions? If yes, how is auditor independence maintained?
About evidence:
Is the compliance evidence generated from your actual systems and processes, or is it templated content that you adopt with a click? Can you trace every piece of evidence back to a real event, configuration, or action in your environment?
About your auditor:
Where is your audit firm physically located? Are the individuals signing your reports licensed CPAs in good standing? Can you verify their credentials independently?
About your trust page:
Does every claim on your public-facing trust page correspond to a control that has been implemented, tested, and verified? Or are there items listed that haven't been completed yet?
About transparency:
When you ask your vendor hard questions, do they answer in writing? Or do they deflect to calls, charm offensives, and promises?
These aren't gotcha questions. They're the minimum standard that any serious compliance program should be able to meet.
Our commitment
We founded YSecurity and built Cyberbase because we believe that trust is the most valuable asset in business — and that genuine security compliance is how technology companies earn and keep that trust. Every service engagement we deliver and every feature we build is designed to make compliance real, not just fast.
If the events of this past week have prompted you to take a closer look at your compliance program — whether you're a current client, a prospective one, or someone who simply wants a second opinion — we welcome that conversation. We'd rather help you find and fix a real gap than help you paper over one.
Because in the end, the only compliance that matters is the kind that holds up when someone actually checks.
YSecurity is a cybersecurity services firm providing expert-led compliance consulting, virtual CISO services, and security assessments. Cyberbase is an AI-powered compliance and trust management platform that automates evidence collection, security questionnaires, contract redlining, and trust portal management. Together, they help businesses achieve compliance that's built on substance, not shortcuts.
To learn more, visit cyberbase.ai and ysecurity.io
Frequently Asked Questions
What is checkbox compliance, and why is it dangerous?
"Checkbox compliance" is when an organization looks as if it is following a security standard such as SOC 2, ISO 27001 or HIPAA, but does not actually put the security measures in place. It's dangerous because it creates a false sense of security: your organization appears compliant on paper, but your systems, data, and customers remain unprotected. If a breach occurs or a regulator investigates, checkbox compliance offers no legal defense and can result in penalties up to $1.9 million per violation category under HIPAA or 4% of global annual revenue under GDPR.
How do I know if my SOC 2 report is legitimate?
A legitimate SOC 2 report should be issued by an independent CPA firm that is not affiliated with the platform that helped you implement controls. You can verify this by confirming that the signing auditors are licensed CPAs in good standing, that the audit firm operates independently from your compliance vendor, and that the evidence cited in the report corresponds to real configurations, events, and actions in your environment — not pre-populated templates. If your report looks identical to reports issued to other companies, or if it claims zero incidents across the entire observation period, those are red flags.
What is auditor independence, and why does it matter for SOC 2?
Auditor independence means that the firm examining your security controls has no financial, operational or structural ties to the company that implemented those controls. AICPA AT-C Section 205 requires this separation, and for good reason: without it, the audit is not an unbiased judgment. If the same company both builds your security program and then attests that it is adequate, nobody is checking independently, and the report is really a self-assessment, not a true audit.
What are the penalties for non-compliant SOC 2 or HIPAA certifications?
Under HIPAA, willful neglect of compliance obligations carries fines of $50,000 at a minimum for each violation, scaling up to $1.9 million per violation category per year, with the possibility of criminal prosecution. Under GDPR, the maximum penalty is 4% of global annual revenue or 20 million euros, whichever is greater. Most importantly, paying a third party to make you compliant does not transfer your liability. Regulators hold the organization that controls the data to account, regardless of which vendor did the work.
What questions should I ask my compliance automation vendor?
Ask five questions: (1) Does the vendor that helps you implement controls also produce or influence the audit conclusions? (2) Is the compliance evidence generated from your actual systems, or is it templated content you adopt with a click? (3) Are the individuals signing your audit reports licensed CPAs in good standing? (4) Does every claim on your public-facing trust page correspond to a control that’s been implemented, tested, and verified? (5) When you ask your vendor hard questions, do they answer in writing — or deflect to calls? These aren’t gotcha questions. They’re the minimum standard any serious compliance program should meet.
What’s the difference between real compliance evidence and templated evidence?
Real compliance evidence is pulled directly from your infrastructure — cloud configuration snapshots from AWS, Azure, or GCP, access control logs from your identity provider, deployment records from your CI/CD pipeline, and encryption configurations verified against your live environment. Templated evidence is pre-written documentation that a user clicks “Accept” on without any validation against their actual systems. Real evidence is traceable and auditable. Templated evidence is not.
How do I verify that my trust page claims are accurate?
Every claim on your public-facing trust page should map to a specific control that has been implemented, tested, and verified in your environment. Ask your compliance vendor or internal team to show you the evidence artifact behind each claim — a configuration snapshot, an access log, a test result. If a trust page lists penetration testing, encryption, or access management as complete but lacks corresponding evidence, those claims are a liability, not an asset.
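The two answers above describe what separates traceable evidence from templated evidence: each trust-page claim should map to an artifact that was collected from a live system, whose content can be re-hashed to confirm it has not been altered, and whose collection time falls inside the audit observation period. The following script, added here as an illustration and not code from Cyberbase, YSecurity or any audit firm, checks a constructed trust-page claim list against a constructed evidence manifest and reports which claims are unbacked. The manifest field names (claim_id, source, collected_at, sha256), the "template" source marker, the artifact contents and the observation period are all assumptions made for the example.

```python
"""Flag trust-page claims that lack traceable, validated evidence.

Added example, not Cyberbase's or YSecurity's code. The claim list, evidence
manifest and artifact contents below are constructed sample data; the field
names and the "template" source marker are assumptions for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed observation period for a hypothetical Type II report.
PERIOD_START = datetime(2025, 7, 1, tzinfo=timezone.utc)
PERIOD_END = datetime(2025, 12, 31, tzinfo=timezone.utc)

# Constructed artifact contents standing in for files pulled from live systems
# (a cloud bucket encryption setting, an identity-provider MFA policy export).
ARTIFACTS = {
    "art-s3-encryption": json.dumps({"bucket": "example-data", "sse": "aws:kms"}),
    "art-idp-mfa": json.dumps({"policy": "require-mfa", "enforced": True}),
    "art-pentest-2025": "PLACEHOLDER pentest summary, never validated",
}


def sha256_hex(data: str) -> str:
    """Hex SHA-256 of artifact content, used to tie a manifest entry to the bytes."""
    return hashlib.sha256(data.encode()).hexdigest()


# Constructed evidence manifest: what a live-integration collector would record.
# "art-pentest-2025" is a templated entry: its source is not a system, its hash
# was never computed from real content, and it predates the observation period.
MANIFEST = [
    {"artifact_id": "art-s3-encryption", "claim_id": "encryption-at-rest",
     "source": "aws:s3:get-bucket-encryption",
     "collected_at": "2025-09-14T10:02:00+00:00",
     "sha256": sha256_hex(ARTIFACTS["art-s3-encryption"])},
    {"artifact_id": "art-idp-mfa", "claim_id": "mfa-enforced",
     "source": "idp:policy-export",
     "collected_at": "2025-10-03T08:30:00+00:00",
     "sha256": sha256_hex(ARTIFACTS["art-idp-mfa"])},
    {"artifact_id": "art-pentest-2025", "claim_id": "annual-pentest",
     "source": "template",
     "collected_at": "2025-05-01T00:00:00+00:00",
     "sha256": "0" * 64},
]

# Constructed public trust-page claims. "access-reviews" has no artifact at all.
TRUST_CLAIMS = ["encryption-at-rest", "mfa-enforced", "annual-pentest", "access-reviews"]


def verify_claims(claims, manifest, artifacts, period_start, period_end):
    """Return {claim_id: [findings]}; an empty finding list means the claim is backed."""
    by_claim = {}
    for entry in manifest:
        by_claim.setdefault(entry["claim_id"], []).append(entry)

    results = {}
    for claim in claims:
        findings = []
        entries = by_claim.get(claim, [])
        if not entries:
            findings.append("no evidence artifact")
        for e in entries:
            # Evidence must come from a system, not a pre-written template.
            if e["source"] == "template":
                findings.append(f"{e['artifact_id']}: templated, not collected from a system")
            # The recorded hash must match the artifact content we can still read.
            content = artifacts.get(e["artifact_id"])
            if content is None or sha256_hex(content) != e["sha256"]:
                findings.append(f"{e['artifact_id']}: hash mismatch or artifact missing")
            # Collection must fall inside the report's observation period.
            collected = datetime.fromisoformat(e["collected_at"])
            if not (period_start <= collected <= period_end):
                findings.append(f"{e['artifact_id']}: collected outside observation period")
        results[claim] = findings
    return results


def unbacked_claims(results):
    """Sorted list of claim ids that have at least one finding."""
    return sorted(claim for claim, findings in results.items() if findings)


if __name__ == "__main__":
    res = verify_claims(TRUST_CLAIMS, MANIFEST, ARTIFACTS, PERIOD_START, PERIOD_END)
    for claim, findings in res.items():
        print(f"{'OK' if not findings else 'UNBACKED':8} {claim}")
        for finding in findings:
            print(f"         - {finding}")
```

Run against the constructed data, the two claims backed by system-sourced artifacts pass, the penetration-test claim fails on all three checks, and the access-review claim fails for having no artifact at all. The same three checks (source, hash, period) are what to ask a vendor to demonstrate for each line on a trust page.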
How does Cyberbase verify compliance evidence?
Cyberbase connects directly to your infrastructure through native integrations and pulls evidence from your live environment. When Cyberbase reports that a control is in place, it’s because an integration verified it against your actual cloud configurations, identity provider settings, and deployment pipelines — not because someone populated a template. This approach ensures that every piece of evidence in your compliance program is traceable back to a real event, configuration, or action.
What is a Trust Center, and why do companies need one?
A trust center is a public-facing page where a company presents its security posture, certifications, and compliance status to customers, partners, and prospects. It’s increasingly the first thing a buyer’s security team reviews before engaging with sales. An effective trust center reflects verified, implemented controls that stay synchronized with your environment — not static claims that may become outdated. Cyberbase offers a free Trust Center that surfaces your real security posture, while competitors typically charge $6,000 to $15,000 or more for similar functionality.
What is the difference between Cyberbase and other compliance automation platforms?
Cyberbase differs from traditional compliance automation in three ways: it operates as a unified workspace covering trust portal, security questionnaires, and contract redlining in a single platform; it uses agentic AI that verifies controls against your live environment rather than a copilot model that relies on human template completion; and it offers a free Trust Center, compared to competitors charging $6,000 to $15,000+. Paired with YSecurity’s expert-led consulting and virtual CISO services, the combination delivers compliance that’s both technology-accelerated and human-verified.