Carbon Black XDR licensing post Broadcom. Real SKU pricing, the bundle traps that catch buyers, and the renewal moves that recover 15 to 35 percent against an unsoftened Broadcom quote.
When Broadcom closed the VMware acquisition in November 2023, it absorbed the Carbon Black product line and pulled it onto the Broadcom Master Agreement. What looked like a routine vendor change became a structural pricing reset. List prices climbed 30 to 60 percent depending on tier, the SKU shelf collapsed into three core endpoint bundles, and standalone product purchases that buyers had relied on for years quietly disappeared. This article unpacks the new Carbon Black licensing model, the bundle traps that catch unprepared buyers at renewal, and the moves that recover 15 to 35 percent against the first Broadcom quote. For surrounding context read the Broadcom practice, the VMware Negotiation Playbook, the Broadcom audit defense guide, and the VMware alternatives 2026 guide.
Carbon Black sits inside the Broadcom Symantec Enterprise Security Group and is sold under three product family banners. Endpoint protection covers laptops, desktops, and servers running Windows, macOS, and Linux. Cloud workload protection covers Linux servers, virtual machines, and containers in AWS, Azure, GCP, and on prem hypervisors. App Control is the application allowlisting product that locks down fixed function workloads such as point of sale, ATMs, industrial systems, and regulated kiosk endpoints. The XDR layer ties detection signal across these three families into a single response console. Buyers should treat XDR as an architectural overlay, not a separate license. The cost sits in the underlying endpoint, server, and App Control tiers.
The endpoint bundles are the largest cost driver in nearly every Carbon Black estate. Three tiers carry the catalog; everything that used to ship as a separate add on is now folded into one of them.
| Bundle | What it covers | Indicative list per endpoint per year | Realistic enterprise net |
|---|---|---|---|
| Endpoint Standard | Next generation antivirus, behavioral prevention, basic EDR | $40 to $50 | $28 to $36 |
| Endpoint Advanced | Standard plus EDR with full telemetry retention, threat hunting | $60 to $75 | $42 to $54 |
| Endpoint Enterprise | Advanced plus managed detection and response, XDR data lake | $90 to $115 | $60 to $80 |
The realistic net column reflects deals we have priced for buyers running 5,000 to 50,000 endpoints with a credible competitive process in market. Smaller estates without alternatives in play sit closer to list. Larger estates with a real CrowdStrike or SentinelOne paper bid in hand can push 5 to 10 points further than the table.
Server and cloud workload SKUs sit outside the endpoint bundles. Carbon Black Cloud Workload starts around $90 per server per year for the lower tier and runs to $160 per server per year for the equivalent of the Enterprise bundle. Container protection bills per CPU core or per pod count depending on contract vintage.
Two pitfalls live here:
App Control is the highest margin product in the Carbon Black portfolio and the one most often overprovisioned. List price runs $130 to $180 per protected endpoint per year. The buyer side move is to audit the deployment against actual fixed function devices. We routinely find App Control entitlements deployed to general purpose workstations that should sit on Endpoint Standard at one third the cost. A clean rightsizing exercise across an App Control estate of 5,000 endpoints typically reclaims $300,000 to $450,000 per year before any pricing negotiation begins.
Carbon Black no longer competes on a feature gap. CrowdStrike Falcon, SentinelOne Singularity, and Microsoft Defender for Endpoint are all credible enterprise EDR platforms with comparable detection efficacy in MITRE ATT&CK evaluations. The competitive math has shifted to commercial structure and ecosystem fit.
| Vendor | Equivalent tier | Typical net price per endpoint per year | Best fit when |
|---|---|---|---|
| Broadcom Carbon Black Enterprise | EDR plus MDR plus XDR | $60 to $80 | Existing VMware estate, App Control already deployed, mature SOC tooling |
| CrowdStrike Falcon Complete | EDR plus 24x7 managed | $70 to $95 | No internal SOC, want fully outsourced detection and response |
| SentinelOne Singularity Complete | EDR plus full data lake | $45 to $65 | Cost sensitive, autonomous response a priority, multi cloud heavy |
| Microsoft Defender for Endpoint P2 | EDR plus Defender XDR | $36 to $50 | Already on E5, Azure heavy, want consolidated identity and endpoint signal |
Microsoft Defender is the most common competitive lever in 2026 because most Carbon Black customers already pay for it inside an E5 entitlement and run it as a complementary control. Whether or not Defender is the long term answer, putting it on the table reframes the Broadcom discussion.
A North American industrial manufacturer with 18,000 endpoints, 1,200 servers, and 600 App Control devices arrived at first Broadcom renewal post acquisition. The opening Broadcom quote came in at $2.4M per year on a three year term, a 47 percent uplift over their last VMware era price. Three moves brought the deal to settlement at $1.55M per year, a 35 percent reduction from the first quote and a 5 percent net reduction from the prior contract.
For renewal modeling against your own Carbon Black estate, the indicative anchors below reflect what we see on enterprise deals in 2026 across Endpoint Enterprise plus Cloud Workload Advanced plus App Control coverage on a three year commit.
Redress runs a four phase Carbon Black renewal process. We sit on the buyer side from kickoff to signature.
Read the Vendor Shield program for always on advisory across the renewal cycle and the VMware negotiation playbook for the surrounding Broadcom estate.
Redress is independent and 100 percent buyer side. Industry recognized, 500 plus enterprise clients, $2B plus under advisory across 11 vendor practices. Read the Broadcom services practice, the Broadcom audit defense playbook, and the case studies library for representative engagements, or contact us to scope a Carbon Black renewal review.
A buyer side framework for the Broadcom renewal cycle covering Carbon Black, VMware Cloud Foundation, NSX, vSAN, and the Tanzu portfolio. Real benchmark numbers, real bundle traps, real concession patterns.
Independent. Buyer side. Built for Broadcom customers running the next renewal cycle.
Open the white paper in your browser. Corporate email only.
Open the Paper →The first Broadcom renewal quote came in 47 percent above where we had been. By the time Redress had finished the deployment audit, retired the App Control sprawl, and put a Defender pilot on the table, we landed 5 percent below our prior contract. That paid for the engagement many times over.
Vendor management, contract negotiation, audit defense, renewal strategy. One firm. Eleven practices.
Vendor signals, pricing benchmarks, settlement patterns, and competitive leverage notes across all eleven vendor practices.
Once a month. Audit patterns, renewal benchmarks, vendor commercial signals across Oracle, Microsoft, SAP, Salesforce, IBM, Broadcom, AWS, Google Cloud, ServiceNow, Workday, Cisco, and the GenAI vendors. No follow up sales pressure.
Free providers (Gmail, Yahoo, Outlook) cannot subscribe. Work email only. Unsubscribe in one click.
