Zero to a Million in Twelve Weeks: Why YC's Incentive Structure Is an Enterprise Vendor Risk Problem

Michael Bommarito

The Pressure

Zack Korman, cofounder of AI cybersecurity startup Embroidery and a sharp voice in the security community, recently published a video that connects two things the compliance industry has been discussing separately: Y Combinator’s growth culture and the Delve fraud scandal. His argument deserves more attention than a social media cycle gives it.

Korman starts with a Y Combinator partner’s post claiming that the lowest demo day revenue target is now $800,000 in annualized revenue, with most companies aiming for one to two million. As Korman puts it:

“Understand, Y Combinator is a 12-week program. So what he’s saying here is these startups should at the end of that 12-week program aim to be at 800,000 plus annualized revenue.”

For context: getting to $1 million ARR is hard. Doing it in 12 weeks through real enterprise contracts is not normal. Korman makes the point directly:

“If you’re a company attempting to scale from roughly zero dollars to a million plus in annual recurring revenue in 12 weeks, you’re a massive supply chain risk and most organizations should avoid you.”

That is not a hot take. That is a vendor risk assessment.

What Gets Skipped

Korman’s critique is not that fast growth is inherently bad. It is that compressing the entire journey from zero to scale into a 12-week window means critical organizational maturity never develops:

“If you’re 22 years old selling enterprise B2B SaaS, you do not understand your customer’s needs. You learn your customer’s needs over time as you sell to them, and you adapt based on that feedback. If all of that is compressed into a 12-week cycle, you’re going to miss some stuff. And I don’t just mean features. I mean you’re going to miss access control requirements and things of that nature.”

He is describing what we see in practice when we conduct security assessments and supply chain reviews: young companies that signed enterprise deals before they had managed devices, before they had granular access controls, and before they had an internal security posture that matched the maturity their customers assumed they had.

“Your organization is supposed to be maturing during that growth phase. You are supposed to be going from three founders on your personal laptops to having managed devices, granular access control. You’re supposed to be developing internal security posture and internal organizational maturity that you do not have when you are at zero dollars in revenue.”

When a YC partner responded to this critique with “skill issue,” the cultural problem came into focus.

How This Leads to Fraud

Korman connects the incentive structure directly to the Delve scandal. When 21-year-old founders are told that everyone else is hitting million-dollar milestones and that failing to do so is a personal deficiency, the pressure creates predictable outcomes:

“If you are a 20-year-old who has probably done very well in school and probably is very ambitious and then you try your hand at a startup and you find that you cannot scale to one million plus ARR in the matter of 12 weeks and then you read a partner of YC saying that means you have a skill issue — you can see why a 20-year-old’s undeveloped brain might go like, ‘Everyone else is hitting these really great milestones, but me, I don’t want to be a failure.’ And that might lead them to cutting corners. It might lead them to telling small lies. It might lead them to telling large lies. It might lead them to committing fraud.”

This is not hypothetical. We reported in early April that Delve allegedly fabricated 494 SOC 2 reports with pre-written auditor conclusions. The company raised $32 million at a $300 million valuation. Its founders, Karun Kaushik and Selin Kocalar, were MIT dropouts on the Forbes 30 Under 30 list. The auditors traced back to offshore certification mills. The compliance reports were templates with client names swapped in.

And what is SOC 2 compliance other than, as Korman frames it, “an obstacle that’s in the way of a founder” who has been told to be formidable, to get what they want regardless of what stands in the way?

The Blast Radius Is Real

Korman’s supply chain risk framing has been validated by events. The chain reaction we documented across our March 2026 supply chain attacks and Mercor class action coverage played out exactly as his model predicts:

  1. Delve issued allegedly fraudulent SOC 2 certifications for LiteLLM
  2. LiteLLM, operating without real controls, was compromised by TeamPCP on PyPI — its publishing tokens were stored as plaintext environment variables, exactly the kind of gap a genuine SOC 2 audit should have flagged
  3. Mercor, a $10 billion AI staffing platform, lost 4 terabytes of data through the LiteLLM compromise, including Social Security numbers and biometric data for over 40,000 contractors
  4. Downstream exposure reached OpenAI, PayPal, Stripe, Amazon, Microsoft, and the U.S. Department of Veterans Affairs

Five class action lawsuits were filed in a single week. The multi-defendant suit (White and Beltran v. Mercor, Delve, Berrie AI, N.D. Tex., 6:26-CV-00143-H) names Delve directly, building a supply chain liability theory where fabricated compliance certifications contributed to downstream breaches.

Korman nails the accountability asymmetry:

“YC’s plan is brilliant. They big up expectations, set really ambitious targets. They don’t really talk much about the obligations placed on these companies and they’ve externalized the cost of the negative outcomes. They’ve said that’s on either the companies that used our portfolio companies or on those portfolio companies themselves.”

Y Combinator removed Delve from its directory on April 4. Insight Partners scrubbed its investment materials. But as Korman observes, YC already got a huge number of portfolio companies SOC 2 compliant through Delve ahead of schedule. The upside was captured. The downside was externalized.

The Demographic Shift Matters

One detail in Korman’s analysis deserves particular attention from a vendor risk perspective. The average age of YC founders has dropped from 29-30 to 25 over the past few years, with a growing cohort of 17-to-21-year-olds. At the same time, the performance expectations have increased dramatically.

“You’ve increased the pressure tremendously. And you’ve said, ‘And we’re going to use younger founders to do it.’ Founders that will get what they want regardless of the obstacle in the way, regardless of the law, regardless of compliance, regardless of the truth, regardless of ethics.”

This is not about whether young people can build great companies. They obviously can. It is about whether a 21-year-old founder has the organizational experience to build the internal controls, access management, incident response processes, and governance structures that enterprise customers assume exist when they see a SOC 2 report. The answer, overwhelmingly, is no — not because they are not talented, but because those capabilities develop through operational experience that a 12-week program cannot provide.

What Enterprise Buyers Should Do

Korman’s video is addressed partly to young founders and partly to the ecosystem. But the most actionable audience is enterprise procurement and vendor risk teams. Here is what changes:

Treat accelerator-stage companies as elevated vendor risk. A company that has existed for 12 weeks does not have mature security controls regardless of what its trust page says. Adjust your review process accordingly. Require evidence of controls, not just reports about controls.

Ask how old the company is, not just how fast it is growing. Rapid growth from a near-zero baseline is a risk signal, not just an achievement signal. A company that went from $0 to $1 million ARR in 12 weeks has not had time to build the organizational maturity that $1 million ARR customers should expect.

Verify compliance certifications independently. We said this after the Delve reporting and it bears repeating: check the AICPA peer review public file, verify the engagement partner’s CPA license, and look for company-specific detail in the report. If Section 3 reads like boilerplate, it probably is.

Understand the incentive structure your vendor operates under. If your vendor’s accelerator is publicly telling founders that anything less than a million dollars in 12 weeks is a “skill issue,” factor that into your risk assessment. Pressure to grow at any cost does not stop at the compliance boundary.

The Uncomfortable Conclusion

Korman ends by speaking directly to young founders:

“Don’t believe that everyone in your cohort is hitting a million ARR in 12 weeks. And don’t believe that you’re not doing a good job because you don’t. And don’t trust the adults in the room that they would stop you if you were going too far.”

That last line is the one that should concern enterprise buyers most. If the accelerator’s business model depends on portfolio companies hitting extraordinary growth targets, and the cost of fraud is borne primarily by downstream customers and the founders themselves rather than the accelerator, then the adults in the room have no structural incentive to slow things down.

The compliance industry exists because trust needs verification. When the verification is fabricated and the incentive structure rewards the fabrication, the trust chain breaks. We have five federal lawsuits proving it.

We help organizations verify their vendors’ security posture, assess supply chain risk, and build governance frameworks that do not depend on taking a 12-week-old company’s word for it. Because when the next Delve surfaces — and the incentive structure guarantees there will be a next one — the question will be whether your vendor risk process caught it or relied on a report that was written before anyone looked.
