
CIO Playbook: VMware NSX and Carbon Black Under Broadcom’s Ownership


Overview of VMware NSX and Carbon Black under Broadcom

VMware’s networking and security portfolio – notably NSX (software-defined networking and security platform) and Carbon Black (endpoint and workload protection platform) – has entered a new chapter under Broadcom’s ownership.

Broadcom’s acquisition of VMware (closed in late 2023) folded these product lines into a broader enterprise portfolio that already included Symantec’s security products. This convergence is strategically significant for CIOs, as Broadcom is reshaping licensing models, bundling, and product roadmaps to maximize value from the $61B+ VMware deal.

Key points for CIOs include:

  • VMware NSX: Historically a leading network virtualization and micro-segmentation solution for data centers and clouds. NSX enables virtualized networking, including overlay networks and distributed firewalls, tightly integrated with vSphere. Under Broadcom, NSX is no longer sold as a standalone product; it is now bundled within larger offerings, such as VMware Cloud Foundation or new security suites. Broadcom is positioning NSX as part of a broader “full-stack” solution (even referring to an emerging “VMware Firewall” offering that packages NSX’s security capabilities with advanced threat protection). This means customers must subscribe to a bigger bundle to get NSX, potentially paying for extra components they might not need.
  • VMware Carbon Black: A cloud-native endpoint detection and response (EDR) and workload protection platform acquired by VMware in 2019. It provides next-gen antivirus, behavioral monitoring, and threat hunting across endpoints and servers. Now under Broadcom, Carbon Black is being merged with Broadcom’s Symantec enterprise security unit. Broadcom has formed a new Enterprise Security Group to fuse Carbon Black’s EDR capabilities with Symantec’s endpoint and network security portfolio. In the near term, both the Carbon Black Cloud platform and Symantec Endpoint tools will remain available, but integration is underway to create a unified security platform that leverages the strengths of both. CIOs should expect tighter bundling of endpoint security offerings and possibly new licensing models that combine these products.
  • Broadcom’s Licensing and Pricing Approach: Broadcom is known for its rigid, high-margin licensing strategy, and it is applying this to VMware’s products. Perpetual licenses are being phased out in favor of subscriptions. Broadcom has drastically simplified VMware’s SKU lineup, focusing on a few bundles, such as the full VMware Cloud Foundation stack for enterprises and a slimmed-down vSphere + vSAN Foundation bundle for smaller setups. A notable change is Broadcom’s core-based licensing, which has steep minimums: even small deployments require a high core count (discussed in the next section). Broadcom’s philosophy is to prioritize large enterprise customers – this translates to less flexibility and higher entry costs for smaller deployments. For CIOs, the strategic context is clear: Broadcom aims to increase recurring revenue per customer, potentially at the expense of smaller use cases or niche needs. This calls for proactive planning by IT leaders to manage costs, consider alternatives, and maximize value from any required VMware or Broadcom investments.

Strategic Context for CIOs: Broadcom’s stewardship of VMware NSX and Carbon Black presents both challenges and opportunities. On the one hand, Broadcom’s financial strength and focus on core customers could ensure continued investment, such as improving product integration and stability.

On the other hand, license cost hikes, bundle-centric sales, and potential changes to support may strain budgets and flexibility. CIOs should treat this as a turning point – re-evaluate the role of NSX and Carbon Black in their strategy, ensure they understand the new licensing constructs, and prepare to negotiate hard or explore alternatives if the value proposition diminishes. The following sections of this playbook explore specific changes and recommendations for navigating them.

NSX Licensing Shifts and Impacts

Broadcom has implemented significant shifts in how VMware NSX (and related infrastructure software) is licensed. These changes can have major budgetary and architectural impacts, especially for distributed environments and smaller deployments.

Key changes and their impacts include:

  • Per-Core Licensing with 72-Core Minimums: Under Broadcom, NSX (as part of VMware’s stack) moved to a per-CPU core licensing model. Previously, VMware often licensed per CPU socket, with up to 32 cores per CPU typically covered by a single license in many cases. Now, every core counts toward licensing. Moreover, Broadcom introduced a 72-core minimum purchase for VMware software orders. In practice, the smallest NSX (or VMware) subscription you can buy covers 72 cores, regardless of actual needs. For example, a remote site with a single 8-core server still must purchase 72 cores of licensing. This is a dramatic increase in minimum spend for small environments. A site that previously needed perhaps 2 CPU licenses (covering ~16 cores) now must subscribe to 72 cores, potentially 4-5× the cost for the same usage.
  • Edge and Remote Site Impact: These licensing shifts particularly hurt edge cases. Remote offices, small clusters, or edge deployments that only require NSX on a few low-core hosts are forced into oversizing their licenses. CIOs planning SDN and security at remote sites face a dilemma: either absorb a much higher cost per host or forego NSX at those locations. For example, an edge cluster with two 6-core hosts (12 cores total) would be compelled to license 72 cores under current rules, effectively paying for 60 unused cores. This makes NSX economically impractical for many small sites, potentially forcing organizations to simpler alternatives or leaving those sites without the advanced networking security that NSX would have provided. CIOs must weigh the value of NSX at the edge against its new cost and consider other solutions for smaller environments if necessary.
  • Over-Licensing on Shared Hosts: NSX’s licensing is tied to the host or cores, not the specific VMs that use its features. This means if NSX is enabled on a host, all cores of that host must be licensed for NSX, even if some VMs on it don’t use NSX’s networking features. In shared clusters, this can lead to paying for NSX on workloads that derive no benefit from it. For instance, if 50% of the VMs on a host use NSX micro-segmentation, but the rest are plain, you’re still licensing 100% of that host’s cores. The risk is over-licensing “idle” capacity: organizations might be forced to cover cores that aren’t driving NSX’s value. This could significantly inflate costs unless architecture is adjusted (e.g., dedicating NSX-exclusive clusters). CIOs should identify where NSX is truly needed and consider isolating NSX-enabled workloads to specific hosts or clusters to contain licensing scope.
  • Enforcement and Compliance Risks: With Broadcom’s stricter stance, the risk of non-compliance is heightened. NSX in the Broadcom era will likely come with closer compliance monitoring. Customers have reported Broadcom being aggressive in auditing license usage. There is a risk that if NSX is deployed beyond the purchased core counts (even unintentionally, such as adding hosts to an NSX cluster without increasing licenses), Broadcom could levy substantial backcharges or penalties. Additionally, the new subscription model may introduce technical enforcement, for example, requiring license activation per host or reporting usage data, which increases the chance that unlicensed use will be detected. CIOs should treat NSX licensing as a compliance priority, similar to how they handle Oracle or Microsoft licenses, to avoid licensing pitfalls that could result in unexpected fees or even the shutdown of support.

Implications & Recommendations: The NSX licensing changes call for a proactive response:

  • Evaluate Deployment Footprint: Review where NSX is deployed across your environment. For each cluster or site, assess if NSX’s benefits (micro-segmentation, overlay networking, etc.) justify the new higher cost. Particularly scrutinize small clusters and edge sites – you may decide to limit NSX to larger central environments and use alternative networking solutions at the edge to avoid excessive cost.
  • Architect for License Efficiency: Consider reorganizing workloads so that NSX is used in a more contained way. For example, create dedicated clusters for NSX-protected VMs (so you only license those hosts) and keep NSX off clusters that don’t require those features. This prevents accidental expansion of NSX licensing to every ESXi host. Also, right-size hardware: if using very high-core-count servers, note that the cost scales linearly with cores. It might be cost-effective to use more moderately specced servers if that yields fewer total cores to license, depending on the workload versus license trade-off.
  • Engage Broadcom Early for Edge Use Cases: If NSX at remote sites is a key requirement (e.g., for security compliance), engage Broadcom or VMware reps to discuss options. In some cases, vendors offered specialized bundles or concessions for edge use, such as ROBO (Remote Office/Branch Office) licenses in the past. Broadcom’s standard stance is a minimum of 72 cores, but large customers pushing back might negotiate exceptions. Document your edge requirements and costs to build a case for a tailored licensing approach. If Broadcom cannot accommodate, that’s a signal to explore alternative lightweight SDN solutions for those cases.
  • Budget for Higher Costs & Monitor Usage: Update your IT budget forecasts to reflect the new NSX licensing model. Expect higher run-rate costs for NSX in upcoming renewals. Put monitoring in place (using tools or processes) to track NSX-enabled core counts continuously. Maintain compliance by ensuring you have subscriptions for every host where NSX is deployed; if you plan to expand an NSX cluster, factor in the licensing cost first. It’s prudent to keep a small buffer of licensed cores if you anticipate growth, to avoid scrambling mid-year for additional budget due to an unplanned host addition.
  • Plan for License Audits: Given Broadcom’s reputation, prepare for potential audits focused on NSX/vSphere usage. Conduct internal self-audits periodically. If NSX is part of a broader VMware Enterprise License Agreement (ELA), ensure you understand the terms, such as whether all hosts are in scope. Identifying compliance gaps yourself allows for remediation (or a license true-up) on your terms, rather than under audit pressure. We cover audit readiness in more detail later, but in short: treat NSX licensing with the same diligence as any mission-critical software in terms of tracking and governance.
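As an added example (not from the playbook, and not Broadcom or VMware tooling), the following Python script applies the licensing rules described in this section to a constructed host inventory: every core on an NSX-enabled host is billable, each order is floored at 72 cores, and licensing each site as its own order is compared with one consolidated order. It also estimates the idle cores on shared hosts, shows what the same hosts needed under the old per-socket model, and performs the kind of self-audit check recommended above. Treating each site as a separate order, the 32-cores-per-socket legacy figure, the VM-ratio estimate of idle cores and the 10% buffer threshold are assumptions made for illustration, and the inventory values are made up.

```python
"""Added example: NSX per-core license footprint calculator over a
constructed inventory. Rules as the playbook states them: all cores on an
NSX-enabled host count; no order can be smaller than 72 cores."""
from collections import defaultdict
from dataclasses import dataclass
from math import ceil

MIN_ORDER_CORES = 72          # minimum order size stated in the playbook
LEGACY_CORES_PER_SOCKET = 32  # old per-socket model: one license covered up to 32 cores


@dataclass(frozen=True)
class Host:
    name: str
    site: str              # assumption: each site could be bought as its own order
    sockets: int
    cores_per_socket: int
    nsx_enabled: bool
    vm_count: int
    nsx_vm_count: int      # VMs on this host that actually use NSX features

    @property
    def cores(self) -> int:
        return self.sockets * self.cores_per_socket


# Constructed inventory (illustrative only, not real data).
INVENTORY = [Host(f"hq-prod-0{i}", "HQ", 2, 24, True, 40, 40) for i in range(1, 5)] + [
    Host("hq-shared-01", "HQ", 2, 16, True, 30, 15),   # only half the VMs use NSX
    Host("hq-shared-02", "HQ", 2, 16, True, 30, 15),
    Host("branch-a-01", "Branch-A", 1, 8, True, 6, 6),  # single small host at a branch
    Host("edge-b-01", "Edge-B", 1, 6, True, 4, 4),
    Host("edge-b-02", "Edge-B", 1, 6, True, 4, 4),
    Host("lab-01", "Lab", 2, 32, False, 20, 0),         # NSX not enabled: nothing to license
]


def nsx_cores_by_site(hosts):
    """Raw billable cores per site: every core of every NSX-enabled host."""
    cores = defaultdict(int)
    for h in hosts:
        if h.nsx_enabled:
            cores[h.site] += h.cores
    return dict(cores)


def apply_order_minimum(raw_cores):
    """Billable cores for one order: the 72-core floor applies to any non-zero order."""
    return 0 if raw_cores == 0 else max(raw_cores, MIN_ORDER_CORES)


def footprint(hosts):
    """Compare licensing each site as its own order with one consolidated order."""
    by_site = nsx_cores_by_site(hosts)
    billable = {site: apply_order_minimum(c) for site, c in by_site.items()}
    separate_total = sum(billable.values())
    consolidated_total = apply_order_minimum(sum(by_site.values()))
    return {
        "raw_by_site": by_site,
        "billable_by_site": billable,
        "separate_orders_total": separate_total,
        "consolidated_order_total": consolidated_total,
        "cores_paid_for_but_unused": separate_total - sum(by_site.values()),
    }


def shared_host_idle_cores(hosts):
    """Rough estimate of licensed cores carrying VMs that do not use NSX (assumed VM ratio)."""
    idle = 0.0
    for h in hosts:
        if h.nsx_enabled and h.vm_count:
            idle += h.cores * (1 - h.nsx_vm_count / h.vm_count)
    return round(idle)


def legacy_socket_licenses(hosts):
    """Licenses the same hosts needed under the old per-socket model (assumed 32 cores/socket)."""
    return sum(h.sockets * ceil(h.cores_per_socket / LEGACY_CORES_PER_SOCKET)
               for h in hosts if h.nsx_enabled)


def compliance_check(hosts, subscribed_cores, buffer_pct=10):
    """Self-audit: (status, delta) where delta is headroom (>= 0) or shortfall (< 0)."""
    required = sum(nsx_cores_by_site(hosts).values())
    delta = subscribed_cores - required
    if delta < 0:
        return "SHORTFALL", delta
    if delta < required * buffer_pct / 100:
        return "LOW_BUFFER", delta
    return "OK", delta


if __name__ == "__main__":
    fp = footprint(INVENTORY)
    for site, raw in fp["raw_by_site"].items():
        print(f"{site:9s} deployed {raw:4d} cores -> billable {fp['billable_by_site'][site]:4d}")
    print("separate orders:", fp["separate_orders_total"],
          "| one consolidated order:", fp["consolidated_order_total"])
    print("legacy per-socket licenses:", legacy_socket_licenses(INVENTORY))
    print("shared-host idle cores:", shared_host_idle_cores(INVENTORY))
    print("compliance at 300 subscribed cores:", compliance_check(INVENTORY, 300))
```

Run as-is, the script shows the branch and edge sites each rounded up to 72 billable cores when bought separately (400 cores in total) against 276 cores in one consolidated order, 32 idle cores on the shared hosts, and a LOW_BUFFER result for a 300-core subscription. Replacing the constructed inventory with an export from your own environment turns this into the periodic self-audit the section recommends.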

Security Portfolio Integration: Carbon Black and Symantec

One of the major shifts under Broadcom is the integration of VMware’s Carbon Black security products with Broadcom’s existing Symantec security portfolio.

This has important implications for how enterprises approach endpoint and workload protection:

  • Broadcom’s Unified Security Strategy: In 2024, Broadcom merged Carbon Black’s business unit with Symantec into a single Enterprise Security Group. The goal is to fuse Carbon Black’s EDR (Endpoint Detection & Response) and cloud workload protection capabilities with Symantec’s strengths in threat prevention, data loss prevention, and network security. For customers, this likely means that future offerings will be more tightly integrated – for example, a single agent or console that combines Symantec Endpoint Protection (SEP) features, such as malware protection and device control, with Carbon Black’s behavioral analytics and incident response tools. In the short term, Broadcom has stated that both product lines will continue “as-is.” However, CIOs can expect bundled deals and cross-selling, for example, Broadcom might offer Carbon Black Cloud licenses packaged with Symantec endpoint suites, or vice versa, as part of renewal proposals.
  • Overlap and Redundant Agents: Many enterprises deploy Carbon Black alongside existing antivirus or endpoint solutions (often Symantec or others) to bolster endpoint security. Now that Carbon Black and Symantec are under one roof, CIOs should re-examine whether running both agents is necessary. Carbon Black Cloud’s agent provides next-gen AV and EDR, potentially covering what Symantec’s agent does, and Symantec’s latest endpoint suite also has EDR-like capabilities. Running two agents on the same endpoint can consume extra resources and double administrative effort (two consoles, two policies to manage). It also means paying for two products where one might suffice. Redundant functionality is a real risk; for example, if you have Symantec Endpoint Protection for malware scanning and Carbon Black for behavior detection, there is an overlap in malware detection capabilities. Broadcom’s integration may eventually unify these, but in the interim, organizations might be overspending and overloading devices with duplicative solutions.
  • Potential Bundling and Licensing Changes: Broadcom could introduce new bundles that combine Symantec and Carbon Black features under a single license. This could be an opportunity or a risk. On one hand, a unified license might simplify procurement and potentially be cost-effective if you need both sets of capabilities. On the other hand, if you only need one of the two, you might be forced into a pricier bundle, similar to how NSX is bundled into larger suites. Watch for Broadcom’s licensing announcements, such as an “Endpoint Security Suite” that includes Carbon Black and Symantec DLP, among others. Also, pay attention to whether Broadcom eventually sunsets either brand in favor of a unified product. It’s conceivable that in a couple of years, one agent (maybe under the Symantec name or a new brand) will replace the separate Carbon Black Cloud and Symantec agents. CIOs should be prepared for a migration, ensuring their teams are ready to shift policies, integrations, and other elements to a new platform.
  • Opportunities for Vendor Consolidation: If approached strategically, this integration can help CIOs streamline their security vendor landscape. With one company, Broadcom, providing both a leading EDR and a full suite of endpoint and network security tools, enterprises might be able to negotiate a consolidated deal. For example, an organization using Carbon Black for endpoint detection and another vendor for anti-virus could consider moving that AV to Symantec under a single contract. Fewer vendors can mean volume discounts and simpler management. Broadcom will surely pitch this as a benefit – a “one-stop shop” for security. However, consolidation should only be pursued if the combined solution meets your needs; avoid consolidating just for convenience if it means giving up a superior point solution elsewhere. Evaluate whether Carbon Black + Symantec together can meet or exceed what you get from alternative combinations (like Carbon Black + Microsoft Defender, or Symantec + CrowdStrike, etc.).
  • Evaluating Carbon Black’s Future Fit: The uncertainty around product direction means CIOs must continually assess Carbon Black’s fit in their security architecture. Suppose your organization has invested heavily in Carbon Black (for instance, by integrating it into your SIEM, building playbooks around it, and training your SOC on it). In that case, you’ll want to stay informed about how it evolves under Broadcom. It’s a positive sign that Broadcom is investing in it (not shelving it), but there could be shifts – e.g., changes in roadmap priorities or support. Conversely, if you haven’t yet adopted Carbon Black but are entitled via a VMware suite, now is the time to evaluate it against leading competitors (we’ll cover alternatives in a later section). Broadcom’s emphasis on large accounts suggests they will try to keep Carbon Black competitive, but if you feel innovation might slow during the integration, you may look at other EDR options.

Recommendations for CIOs on Security Integration:

  • Audit Your Endpoint Security Stack: Take inventory of all endpoint agents and tools in use, including Carbon Black, Symantec, and any others such as Microsoft Defender and McAfee. Identify overlaps in functionality. Determine if you can reduce agents per endpoint without sacrificing security – for example, can Carbon Black alone handle both malware prevention and detection, so that Symantec (or another antivirus) can be retired? Or, vice versa, if Symantec’s latest suite has a robust EDR, it might be able to replace Carbon Black. Reducing duplicate agents will save costs on licensing and maintenance and reduce endpoint performance overhead.
  • Engage Vendors for Roadmap Clarity: Open a dialogue with Broadcom’s security product team or your account manager about the combined Symantec-Carbon Black roadmap. Specifically ask about agent unification plans, timeline for any new integrated platform, and support plans for existing products. Understanding Broadcom’s direction will help you decide whether to stick with your current tools or begin planning for a transition. For example, if Broadcom hints at a new “unified agent” coming next year, you might delay any major re-deployment and instead plan for that convergence. Ensure you have this in writing or official documentation if possible, in case you need to justify decisions internally.
  • Consider Consolidated Deals (But Compare Options): When renewal time comes, expect Broadcom to offer bundled pricing if you use both Symantec and Carbon Black. Leverage this for cost savings, but also benchmark against independent solutions. For instance, if Broadcom offers a bundle for both products, also get quotes for keeping one and dropping the other, or replacing one with a competitor, to see which is most cost-effective. Use the fact that Broadcom now has overlapping products as a negotiation point – e.g., “We don’t need to pay double for similar capabilities; give us a better price to consolidate on your portfolio.” However, be wary of long-term lock-in; ensure any deal gives you flexibility if the integrated product strategy changes.
  • Avoid Knee-Jerk Replacement, but Have Plan B: Some organizations consider immediately dropping Carbon Black due to uncertainty. Our advice: don’t make hasty moves purely out of fear. Carbon Black is still a strong security platform, and a forced swap could introduce new risks. Instead, maintain your current defenses, but develop a contingency plan. Evaluate at least one alternative EDR solution (pilot CrowdStrike or SentinelOne, for example) so you understand the effort and impact to switch, should Broadcom’s direction not align with your needs in the future. This way, you’re not caught off guard – you’ll have criteria ready for when to switch (e.g., if support falters or if pricing becomes untenable at renewal).
  • Integrate and Streamline Management: If you currently use both Symantec and Carbon Black, look for any available integrations to make operations easier. For example, are there connectors to feed Carbon Black alerts into the Symantec management console or vice versa? Broadcom has touted combining “network and data telemetry” from Symantec with Carbon Black’s endpoint data. Ask if there are portal integrations or unified support channels yet. Even before the products fully merge, your security team should start thinking of these two tools as part of a whole, aligning their policies and incident response processes. This will smooth the path if/when a unified platform emerges.

Negotiation and Procurement Strategies

Broadcom’s acquisition of VMware has fundamentally changed the dynamics of vendor relationships. CIOs must be prepared to negotiate with a very different VMware (Broadcom) organization – one known for hardline tactics, fewer discounts, and strict terms.

Here’s how to adapt your procurement strategy in this new era:

  • Understand Broadcom’s Stance: Broadcom’s business model focuses on high-margin deals with large enterprises. Historically, after acquiring companies like CA and Symantec, Broadcom drastically increased prices and simplified product offerings. Many customers have reported renewal quotes that are multiples of their previous spend (2 times, 3 times, even higher), with minimal wiggle room. Broadcom often takes a “take-it-or-leave-it” approach, especially if they perceive you have limited alternatives. The sales teams are incentivized to hold prices and push multi-year commitments. Set expectations internally that your VMware renewals may come back significantly higher, and that negotiations could be tougher than in the past.
  • Leverage Volume and Scope: One way to get Broadcom’s attention is by consolidating your purchases into a single negotiation event. Rather than doing piecemeal renewals of NSX, vSphere, and Carbon Black at different times, try to co-term them or negotiate an enterprise agreement covering all. Broadcom is more likely to give concessions on a big deal, where a lot of revenue is at stake, than on many small ones. Use this to create a “large leverage point” – for instance, negotiate NSX and Carbon Black together if both are up for renewal, or include other VMware products you use, to increase the deal size. However, be cautious: bundling everything means you also must commit to Broadcom across the board. Only aggregate licenses if you are reasonably sure you will stick with them; otherwise, keep some deals separate to preserve flexibility to switch one product without affecting others.
  • Aim for Pricing Protections: Given Broadcom’s tendency to raise prices, consider incorporating pricing caps or locks into your agreement. For example, if signing a 3-year or 5-year subscription term, negotiate a cap on annual price increases (or even fixed renewal rates). If you agree to expand usage, pre-negotiate the unit price for additional cores or endpoints so you’re not surprised later. Some enterprises have had success capping renewal uplifts (e.g., “any renewal will not exceed X% of the current price”). You might also negotiate a price hold for a transition period if you plan to migrate some workloads off VMware, ensuring you don’t pay more in the interim. Broadcom may resist, but if you’re a significant customer, pushing for predictable costs is essential. It’s easier to justify continuing with VMware internally if you can assure your CFO that there won’t be another huge spike in two years.
  • Tighten Audit and Compliance Terms: Broadcom is known for strict enforcement, so pay close attention to the audit clause and license usage definitions in your contracts. Whenever possible, negotiate for reasonable audit rights – e.g., at most one audit per year (or per 2 years), X days’ notice, and no “fishing expeditions.” Try to include a clause that gives you the right to remediate any compliance shortfall within a grace period before penalties kick in. Also, clarify ambiguous areas: for example, define how disaster recovery sites or non-production labs count toward licensing to avoid surprises. If your contract includes cloud usage, ensure that the metrics (such as vCPU or core counts in the cloud) are clearly defined. The goal is to prevent Broadcom from leveraging any gray areas to claim you are out of compliance. A well-defined contract can save huge headaches later.
  • Insist on Scope Clarity: Ensure your agreements explicitly list the entities and environments they cover. If your company has subsidiaries or an affiliate structure, ensure that those entities are named in the license to cover their usage. Broadcom might otherwise require separate deals for each entity. Likewise, if you have a global operation, ensure the contract is global or covers all the geographies you operate in (to avoid, for example, a separate EMEA license compliance issue). If you use VMware in the cloud (through VMware Cloud on AWS or others), confirm that your subscription can be applied there (Broadcom has introduced BYOS – Bring Your Own Subscription capabilities; have that in writing so you can port licenses to the cloud if needed without additional cost).
  • Start Renewal Prep Early: Begin your internal process 12 to 18 months before your renewal. This includes conducting a full inventory and usage audit of your VMware products, such as NSX, Carbon Black, and vSphere. Identify what you are actually using and what could potentially be shed. If certain features or products are now bundled and you don’t need them, you might be able to negotiate to drop them (or at least not pay for them). Simultaneously, research alternative solutions (more on that in the next section) to gauge your options. By the time you sit down with Broadcom’s sales team, you should have: a clear picture of your needs, a target price based on value and competitive benchmarks, and ideally a credible fallback plan if negotiations fail.
  • Engage Third-Party Licensing Advisors: If the stakes are high (e.g., a multi-million-dollar renewal) or if your team lacks in-depth expertise in VMware’s new licensing model, consider bringing in independent software licensing advisors. Firms like Redress Compliance and others specialize in negotiating VMware and Broadcom contracts and ensuring compliance. They can provide insights into what discounts or terms others are getting, identify hidden gotchas in contract language, and help craft a negotiation strategy. These advisors often have former vendor auditors or licensing experts on staff who know Broadcom’s playbook. Engaging them early (well before final negotiations) can arm you with data and negotiation tactics. Note: Ensure that any advisor is truly independent (not financially tied to Broadcom) and sign NDAs as needed, as you may share sensitive deployment data. Their fees can often be offset by the savings gained in a successful negotiation.
  • Consider Timing and Leverage: Broadcom’s financial quarters and sales targets might influence flexibility. If possible, schedule major negotiations toward the end of Broadcom’s fiscal quarter or year, when sales teams may be more motivated to close deals and are thus more likely to grant concessions. Also, keep an eye on industry developments – for instance, if Broadcom faces pressure (like customer backlash or regulatory scrutiny), they might temporarily soften their stance to repair relationships. Leverage public benchmarks: many user groups and forums are sharing experiences with Broadcom’s quotes. If you can anonymize, use those figures in negotiations (e.g., “We’re aware that some customers received a X% discount for a similar volume – we expect comparable treatment.”). Broadcom won’t want negative PR for being seen as gouging a major customer, so subtle reminders of fairness and your willingness to escalate can be helpful.
  • Escalate if Necessary: Don’t hesitate to escalate negotiations to higher management at Broadcom if you reach a dead end with the account representatives. Broadcom’s CEO, Hock Tan, has publicly emphasized focusing on strategic customers – if you are a Fortune 500 or otherwise significant account, higher-ups might intervene to preserve the relationship. We’ve seen instances where C-level or VP-level discussions yielded more palatable terms after initial sales conversations were unfruitful. Craft a compelling business case for why a bit of flexibility now will lead to a long-term partnership (versus pushing you to a competitor). While you should try to keep negotiations cordial and data-driven, know that walking away is also an option – but only if you truly have a plan to replace what you’re giving up. Always coordinate with your legal and procurement teams to maintain a united front in these discussions.
  • Plan for Renewals and Exits: Include potential exit windows in your broader IT strategy. If you sign a 3-year deal, note when you’d need to start evaluating alternatives for a smooth transition at the end. Avoid contract clauses that automatically renew you or lock you in without notice. Also, if you are unsure about long-term alignment with Broadcom’s direction, avoid very long terms. It might be tempting to sign a 5-year agreement to get a bigger discount now, but that could leave you stuck if, after 2 years, you decide to pivot away (unless the savings are so great that it’s worth it, or you have termination-for-convenience clauses). Strive for a balance: long enough to ride out the immediate turmoil (perhaps giving time for Broadcom’s pricing to stabilize or for you to implement alternatives), but with checkpoints where you can re-evaluate.

In summary, enter Broadcom negotiations armed with data, alternative options, and a firm understanding of your requirements. Be assertive in protecting your organization’s interests: Broadcom might not offer flexibility upfront, but a savvy CIO can still secure better terms, or at least clarity and protection against the most onerous conditions.

SDN and Endpoint Security Alternatives

Given the changes in VMware NSX and Carbon Black, CIOs should benchmark these solutions against market alternatives. Whether as leverage in negotiations or as genuine contingency plans, understanding alternative options is prudent.

Below, we outline some notable alternatives in both the software-defined networking (SDN) domain (for NSX) and the endpoint security domain (for Carbon Black), along with considerations of TCO (total cost of ownership), performance, and integration.

Alternatives to NSX (Software-Defined Networking & Network Security):

  • Cisco ACI (Application Centric Infrastructure): Cisco ACI is a leading competitor to NSX for data center SDN. It combines hardware (Cisco Nexus switches) with a policy-driven software controller (APIC) to provide network virtualization, segmentation (including micro-segmentation via endpoint groups), and automation. Key strengths: If your environment already relies on Cisco networking gear, ACI can seamlessly integrate physical and virtual networks under a single policy model. It’s known for its high performance throughput, as it leverages hardware for some tasks, and Cisco’s support is robust for large enterprises. Considerations: ACI typically requires investment in Cisco switches and the APIC controller, which can be a significant capital expense if you don’t already own them. It’s best suited for Cisco-centric shops. If you have a heterogeneous network, integrating ACI can be complex. Also, migrating from an existing NSX deployment to ACI would involve re-architecting network configurations and retraining staff on Cisco’s model. In terms of licensing, Cisco ACI can be cost-competitive at scale (and doesn’t have the 72-core concept), but you’ll need to compare hardware and software subscription costs vs. NSX’s purely software cost. When to consider: If NSX costs become prohibitive and you have a strategic partnership with Cisco (or were already evaluating modernizing your network hardware), ACI is a viable path. It often shines in environments where network hardware refresh and SDN adoption can happen together.
  • Juniper Contrail (Tungsten Fabric): Juniper’s Contrail Networking is an SDN solution that originated in cloud and telco use cases. It focuses on overlay networks using protocols like VXLAN, and can manage connectivity across VMs, containers, and bare metal. Key strengths: Contrail is multi-environment – it can span private data centers and public clouds – and is also known for its strong integration with OpenStack and Kubernetes. It has advanced features for network slicing and service chaining that appeal in NFV (Network Functions Virtualization) contexts. Juniper has also positioned Contrail as part of multicloud networking solutions. Considerations: In a primarily VMware/vSphere environment, Contrail is less common. Integration with vCenter is possible, but it’s not as native as NSX’s. It may require Juniper hardware for underlay optimization, although it can work over any IP network for overlay. The learning curve for teams used to VMware might be steep, and Juniper’s ecosystem is different. Contrail could be cheaper for large-scale deployments if you’re avoiding per-core licensing, but factor in support costs and any needed hardware or professional services for deployment. When to consider: If your organization is already using Juniper switches or routers, or if you aim for a unified SDN across cloud, container, and VM environments beyond just VMware, Contrail is worth considering. It’s also a candidate if you’re exploring open-source-based solutions, as Contrail has roots in open-source Tungsten Fabric.
  • Arista CloudVision and Macro-Segmentation: Arista Networks offers CloudVision for network orchestration and visibility, and has capabilities for network segmentation and control in data centers. While not an exact one-to-one replacement for NSX’s full feature set, Arista’s approach uses programmable switches and a centralized controller to achieve network virtualization goals. Key strengths: If you use Arista switches, CloudVision can provide software-driven control, including automation of VLANs, VXLANs, segmentation, and telemetry, across your fabric. Arista’s macro-segmentation service (MSS) also allows integration of third-party security appliances to enforce policies between workloads. Performance is high due to Arista’s efficient hardware and EOS operating system. CloudVision also provides excellent telemetry, which is useful for both NetOps and SecOps. Considerations: Arista’s solution tends to be hardware-dependent (on Arista gear), so it’s mainly appealing if you either have or plan to invest in Arista for your data center network. It addresses segmentation at the network level but does not provide a distributed virtual firewall inside the hypervisor like NSX does. You might still need host-based firewalls or cloud-native controls for equivalent micro-segmentation. Cost-wise, Arista sells software licenses for CloudVision per device, as well as the switches themselves. You would compare that against NSX’s software licenses plus commodity hardware. When to consider: If your priority is network automation and you’re refreshing data center switches, Arista is a strong player. Some companies choose Arista for a simplified, hardware-accelerated overlay, accepting the trade-off of less granular hypervisor-level control. It’s a strategic alternative if you decide to move network security back into the network fabric (using access control lists on switches) rather than in the hypervisor as NSX does.
  • Alternative Approaches (Open Source and Cloud-Native): Depending on your needs, you might also consider more niche or emerging alternatives:
    • Open vSwitch (OVS) with custom orchestration: NSX itself is built on concepts similar to OVS. It’s possible to design a custom SDN using OVS and controllers like OVN (Open Virtual Network) or open-source OpenDaylight, but this is typically only feasible for organizations with significant in-house networking expertise, such as large cloud providers or research networks.
    • Kubernetes + CNI plugins (for containerized environments): If a lot of your workloads are moving to Kubernetes, you could invest in container networking solutions (like Calico, which provides networking and network policy that can extend to VMs) instead of NSX. Calico and others can enforce micro-segmentation at the workload level. This is a specialized case, but for some, it reduces reliance on VMware-specific networking by moving up the stack.
    • Other SDN solutions: VMware NSX and Cisco ACI are the big names, but there are others, like VMware’s own NSX ALB (Avi Networks) for load balancing (complementary to NSX), or SD-WAN solutions for branch connectivity (if your main need at remote sites was NSX for connectivity, an SD-WAN appliance might suffice). Each alternative comes with trade-offs in features and complexity.
    The main point is to align the alternative to your specific requirements. If micro-segmentation (east-west traffic security) was NSX’s primary use for you, ensure any alternative provides comparable security (e.g., using host-based firewalls or ACLs). If network automation or multi-cloud connectivity were the goal, alternatives might even surpass NSX in those domains.

Alternatives to Carbon Black (Endpoint Detection & Response and Endpoint Protection):

  • CrowdStrike Falcon: CrowdStrike is a market leader in endpoint security. Falcon is a cloud-native platform that offers endpoint protection (NGAV), EDR, and threat intelligence in one agent. Key strengths: Excellent detection capabilities (frequently top-rated in independent tests), a lightweight agent, and a very rich cloud-based analytics backend. CrowdStrike’s threat intelligence is highly regarded, providing insights into adversaries and proactive threat hunting. It also offers managed detection services (CrowdStrike OverWatch) if you need an expert eye on alerts. Integration-wise, CrowdStrike has a broad ecosystem, including APIs that integrate with SIEM/SOAR tools, etc. Considerations: Cost is typically premium – CrowdStrike can be expensive on a per-endpoint basis, especially when additional modules are added (they offer modules for device control, IT hygiene, identity protection, etc.). However, many security leaders feel the efficacy justifies the cost in high-risk environments. TCO should factor in the potential reduction of breach costs due to better protection. Also, switching to CrowdStrike means deploying a new agent and migrating any playbooks from Carbon Black to the Falcon platform. Plan for a thorough pilot to tune it for your environment. When to consider: If you feel Carbon Black’s innovation is lagging or Broadcom’s support is not up to par, and you need top-tier endpoint security, CrowdStrike is often the first alternative to evaluate. It’s also a strong negotiating lever: Broadcom knows CrowdStrike is a fierce competitor; showing that you’re willing to go to Falcon can pressure them to price Carbon Black reasonably.
  • SentinelOne is another leading EDR/EPP provider, known for its autonomous endpoint protection, which utilizes AI-driven detection and response. Key strengths: SentinelOne’s agent can automatically mitigate threats (e.g., killing or quarantining processes) without human intervention, which is a significant selling point for lean IT and security teams. It has robust offline protection, using on-agent AI models, in case endpoints are temporarily offline. SentinelOne has been rated highly in MITRE ATT&CK evaluations and offers features like rollback, which allows you to recover files after ransomware, for example. Considerations: SentinelOne, like CrowdStrike, is a separate platform – switching would mean a new agent, console, and retraining analysts. Cost-wise, SentinelOne’s pricing is competitive with CrowdStrike, sometimes slightly lower, but still in the upper tier of costs. Evaluate the performance impact: Some users report that the agent can be resource-intensive during scans. Test it on a subset of machines to determine its impact. Integration: it offers APIs and some out-of-the-box integrations, but you’d need to ensure it fits into your SOC workflows that currently involve Carbon Black. When to consider: If you want an alternative to CrowdStrike (to compare pricing or features) or prefer an option that emphasizes automated remediation, SentinelOne is a great choice. It’s often neck-and-neck with CrowdStrike in capabilities. Use it as part of a dual-vendor comparison to get the best of breed. Also, if you prefer on-premises management (CrowdStrike is cloud-only), SentinelOne offers an on-premises management option for certain versions, which may suit organizations with strict data requirements.
  • Microsoft Defender for Endpoint: Microsoft’s endpoint security suite (formerly known as ATP) has evolved into a formidable contender, especially in Windows-centric environments. It provides anti-malware, EDR, and threat hunting, and is deeply integrated into the Microsoft 365 ecosystem. Key strengths: For organizations already invested in Microsoft 365 E5 or similar licensing, Defender for Endpoint often comes at little incremental cost, as it is included in E5 licenses and some other bundles. Integration with Active Directory, Azure AD, Office 365, and other Microsoft services is a significant advantage – it can correlate signals across email (Defender for Office), identity (Azure AD Identity Protection), and endpoints for a more comprehensive defense (the XDR approach through the Microsoft 365 Defender suite). Its detection capabilities have improved drastically, frequently catching up with or even exceeding those of some third-party vendors in tests. Considerations: If your environment includes many non-Windows devices (such as Linux servers and macOS clients), check that Defender’s support meets your needs. It does support these devices, but the capabilities may be less comprehensive than on Windows. The product works best if you are already using Azure and Office 365 security. If you’re not leveraging these, some of its value is lost. Another consideration is that while you “get it for free” with certain licenses, you’ll need to invest in properly setting it up and potentially in staff training or additional tools for analysis, such as using Microsoft’s security center portals. Performance is generally good, as it’s built into the OS on Windows 10 and 11, but you should still test for any potential conflicts. When to consider: If cost optimization is a priority and you have Microsoft 365 E5 licenses (or are considering upgrading to E5), Defender for Endpoint can significantly reduce your endpoint security spend by replacing separate EDR and AV agents. It’s also attractive if you’re looking for a more unified security platform under Microsoft (for example, if you use Azure Sentinel as your SIEM, Defender data flows seamlessly right in). Be mindful, however, that “free” doesn’t mean “no effort” – treat it like any enterprise platform with proper evaluations.
  • Other alternatives include Trellix (a combination of McAfee and FireEye), Trend Micro, Palo Alto Cortex XDR, and others. Each has its niche strengths. For example, Cortex XDR by Palo Alto can integrate endpoint data with network and cloud data if you use their firewalls, providing a broader XDR. Trend Micro has a strong suite for data center workloads (Deep Security) and cloud workloads, which could be relevant if Carbon Black were used heavily for server protection. When comparing alternatives:
    • Look at feature parity (does the alternative cover what Carbon Black was doing for you – e.g., device control, vulnerability visibility, etc., in addition to threat detection?).
    • Consider ecosystem fit (how will it integrate with your other security tools or IT management systems?).
    • Calculate TCO over 3-5 years, including license, support, cloud-hosting fees if any, and manpower for managing another console.
    • Assess migration effort – switching endpoint protection for tens of thousands of devices is non-trivial. It might be worth it if the strategic benefits (cost savings, better security, vendor alignment) are clear, but plan it like a project: pilot, stage rollout, dual-running if needed, etc.

When to Switch vs. When to Hold: The decision to switch from NSX or Carbon Black to an alternative – or to hold onto them under Broadcom – hinges on several factors:

  • Financial Viability: If Broadcom’s licensing changes make the cost unsustainable (e.g., a 3× increase that busts your budget and alternatives are cheaper), that’s a strong impetus to switch. Always compare the cost of staying (including any necessary upgrades or additional Broadcom bundles) vs. the cost of moving to a competitor (including migration costs). If alternatives show clear long-term savings or value, it strengthens the case to switch.
  • Strategic Alignment: Consider your organization’s broader strategy. Are you trying to reduce vendor lock-in and reliance on VMware? If you’re moving workloads to the cloud or containers, NSX’s role may diminish over time, and switching to a cloud-native networking approach could align with your strategy. Similarly, if your company is standardizing on a particular security ecosystem (say, going “all-in” with Microsoft or consolidating on Cisco security products), then phasing out Carbon Black in favor of that ecosystem might make sense strategically. If, however, your strategy is to stay with VMware’s ecosystem (perhaps for a private cloud approach), then holding onto NSX and working within Broadcom’s model might be inevitable for now.
  • Technical Requirements and Maturity: Evaluate whether alternatives can truly meet your technical needs. NSX, for instance, has very mature microsegmentation and Layer 7 distributed firewall capabilities. Cisco ACI or other alternatives might not provide the same level of granularity inside a virtual host – if that granular security is a hard requirement (e.g., in highly regulated environments), ripping out NSX might lower your security posture unless you compensate with something else. Carbon Black’s threat hunting might have unique advantages in your SOC – ensure that its capabilities are on par or better. Do not switch solely for cost, at the expense of core requirements. A breach or major outage caused by an immature replacement will far outweigh license savings.
  • Migration Complexity & Risk: Switching network virtualization in a running data center (for example, migrating from NSX to Cisco ACI) is a complex endeavor that can introduce the risk of downtime or misconfiguration. If your VMware NSX deployment is deeply ingrained (with many scripts and integrated with CI/CD, for example), the cost and risk of changing might outweigh the benefits, at least in the short term. In such cases, a “hold” strategy is advisable: continue with NSX, consider negotiating a shorter-term renewal, and reevaluate later. Similarly, switching endpoint security across thousands of endpoints must be done carefully to avoid gaps in protection. If your security team is currently effective with Carbon Black, switching would require retraining and tuning time, during which detection efficiency might dip. You might choose to hold off on switching until the new integrated Broadcom solution materializes or until your next hardware or OS refresh cycle, to minimize disruption.
  • Timing: Align any major change with a suitable opportunity. For NSX alternatives, maybe consider switching during a data center refresh or consolidation project. For Carbon Black, consider aligning with an OS upgrade, such as Windows 10 to 11. This might be a good time to swap endpoint agents when devices are being updated anyway. If your contract renewal is imminent and Broadcom is demanding a significant increase, that might force you to consider an alternative sooner. On the other hand, if you’re mid-term in a contract and reasonably satisfied, you have time to methodically test alternatives and can take a “wait-and-see” approach on Broadcom’s next moves.

Bottom Line: Always have an exit strategy for critical vendor products, even if you don’t execute it. By knowing your alternatives and their pros and cons, you can make an informed decision about staying versus switching.

Even if you decide to stay with NSX and Carbon Black under Broadcom, evaluating alternatives is a valuable leverage point. It gives you peace of mind that you’re choosing the best option, not just sticking with the default.

Governance and Optimization Recommendations

With the new licensing constraints and product overlaps, strong governance of your NSX and Carbon Black deployments is vital. CIOs should implement practices to optimize usage, control costs, and ensure that these tools deliver value commensurate with their expense.

Here are governance and optimization steps to consider:

  • Establish a License Governance Team: Form a cross-functional team (including IT operations, security, asset management, and finance) to oversee VMware/Broadcom license compliance and optimization. This team should meet regularly to review the usage of NSX and Carbon Black relative to entitlements. Having a focused group creates accountability. They can also liaise with the vendor on any ambiguities. For example, ensure someone “owns” NSX licensing tracking – often this falls through the cracks between network and virtualization teams. Assign responsibility to track Carbon Black endpoint counts – perhaps within the security team or IT asset management.
  • Implement Continuous Usage Monitoring: Use available tools to track your license consumption. VMware provides some tools and dashboards (e.g., vCenter/LM tools can report on the number of CPUs/cores running NSX, and the Carbon Black Cloud console displays active endpoint counts). If those are insufficient, consider third-party Software Asset Management (SAM) tools that support VMware products. Set up alerts internally for triggers like “a new host added to NSX domain” or “endpoint count exceeds X% of licenses” so that you catch changes in near real-time. The goal is to avoid end-of-period surprises by catching growth or over-deployment early.
  • Rightsize NSX Deployment: Analyze whether NSX is deployed in areas where it’s underutilized. It’s possible that over time, NSX crept into environments out of convenience but isn’t providing substantial value there. For example, perhaps a development cluster has NSX enabled, but the dev workloads don’t need micro-segmentation. If so, you could remove NSX from that cluster to free up licenses (or avoid renewing them for that cluster). Also, review the feature usage within NSX: if you’re only using a subset of NSX capabilities (like just the distributed switch, but not the firewall or VPN features), note that in negotiation – maybe Broadcom has a lower-cost tier, or you can justify paying less. Align your NSX footprint strictly with where it adds strategic value or mitigates risk (production environments, critical systems), and trim it elsewhere.
  • Optimize Carbon Black Agent Deployment: Similar logic applies to Carbon Black. Ensure that only devices that truly need the advanced EDR are running the agent. If you have segments of your device population that are very low risk, such as kiosk machines or lab systems, and currently use Carbon Black, evaluate whether a standard antivirus might suffice there. Most organizations will want broad coverage, but sometimes legacy systems or special cases might use a different solution – ensure you’re not double covering those. Also, remove any agents from decommissioned systems promptly. It’s easy to spin up trial servers with Carbon Black agents and forget to remove them, wasting license count. Monthly reconciliations of active endpoints vs. known inventory can catch stragglers. Carbon Black Cloud allows filtering endpoints that haven’t checked in recently – use that to clean up unused agents.
  • Avoid Agent and Tool Sprawl: Develop an endpoint agent policy that defines which security agent(s) are standard. If Broadcom is integrating Symantec and Carbon Black, plan to converge to one agent over time. In the meantime, if you still run both, categorize which endpoints go with which and eliminate any unplanned overlap. Similarly, avoid overlapping SDN solutions: if you decide to introduce an alternative in a specific segment (such as ACI in a new data center while still running NSX elsewhere), govern that carefully to avoid chaos. You don’t want two different SDN systems managing the same infrastructure by accident. Clear segmentation of responsibilities and documentation of where each tool is active will help.
  • Meter and Showback Costs: Since NSX and Carbon Black can be expensive, implementing a “showback” or chargeback model internally for their usage can be effective. For example, if business units or different IT environments (such as prod, test, etc.) consume NSX licenses, calculate the cost per core and present it to those stakeholders. This often encourages teams not to over-provision or casually request NSX for every project. If a dev team knows that enabling NSX in their cluster will incur an extra $Xk per year, which hits their budget, they’ll think twice unless it’s truly needed. Even if you don’t formally charge back, showing the cost creates awareness and accountability. The same goes for endpoint security – if certain departments insist on separate security tools that duplicate Carbon Black, show the cost impact and require justification for exceptions.
  • Policy for New Deployments: Update your IT standards and approval process to factor in Broadcom’s licensing. For instance, if a new vSphere cluster is being stood up, add a checkpoint: Will it use NSX? If yes, do we have licenses or budget for it? No cluster should have NSX installed without financial approval, given the cost implications. Similarly, if a new division is onboarding with endpoints, determine whether Carbon Black is mandatory or if certain cases require another solution, and ensure that licenses are planned. Essentially, fold license impact assessments into your architecture review boards or change management for any changes that would increase NSX or Carbon Black usage.
  • Regular Vendor Engagement and True-Up Management: Maintain a proactive relationship with Broadcom and VMware representatives. Have quarterly or semiannual business reviews that focus on usage. Share your deployment numbers transparently and discuss any anticipated changes. This can sometimes prompt the vendor to advise on more cost-effective licensing approaches or at least ensure there are no misunderstandings. If you’re approaching a true-up (end-of-year reconciliation of usage), having ongoing dialogue can help you avoid last-minute panic. Also, ensure any decrease in usage is documented and reflected. Broadcom contracts might not offer refunds for downsizing mid-term, but at renewal, you should not be forced to renew for capacity you’ve dropped. Keep an internal record of when/where you reduced usage (e.g., “we removed NSX from X hosts in June, so our core count dropped from 500 to 400”) so you can firmly negotiate down if needed.
  • Training and Knowledge Management: Invest in training your team on the new licensing and product nuances. Make sure your virtualization administrators understand the cost of an NSX-enabled host. Ensure that security ops know how Carbon Black licensing works (e.g., if an endpoint hasn’t reported in 30 days, can the license be reused for a new endpoint?). Encourage a culture where engineers treat license slots as valuable resources – for example, when decommissioning a server, they should also uninstall NSX VIBs or Carbon Black agents and inform asset management so the license count is freed. Over time, these good habits across the team prevent license creep and non-compliance.
  • Stay informed about product changes: Governance isn’t static. Broadcom may introduce new editions or alter packaging (for instance, a new “lite NSX” or a new Carbon Black bundle). Stay up to date with product announcements and assess how they can help you optimize. Perhaps Broadcom will release a smaller-scale SDN option or integrate Carbon Black into a broader platform that you’re already using. Being aware allows you to quickly adopt something beneficial (or to lobby Broadcom for needed changes via customer advisory boards). If possible, join VMware or Broadcom user groups or forums; other customers often share optimization tips or creative licensing arrangements they’ve negotiated.
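The continuous usage monitoring and the monthly reconciliation of active agents against known inventory described above (and the same inventory cross-check that the audit-readiness section asks for) can be scripted rather than done by hand in the console. The following is an added example, not code from this page, VMware or Broadcom: it works on a constructed endpoint export and a constructed asset list, with hypothetical field names (hostname, last_contact) rather than the real Carbon Black Cloud export schema, and a constructed entitlement of 6 endpoints. It flags agents the asset inventory does not know about, inventory hosts with no agent, agents that have not checked in for more than 30 days, and whether enrolled agents have crossed an internal utilization threshold.

```python
"""Reconcile an EDR endpoint export against an IT asset inventory.

Added example (not VMware/Broadcom code). Field names and all sample
records are constructed assumptions, not the real Carbon Black Cloud schema.
"""
from datetime import date

# Constructed endpoint export from the EDR console (hypothetical fields).
CB_DEVICES = [
    {"hostname": "web01", "last_contact": "2025-06-28"},
    {"hostname": "web02", "last_contact": "2025-06-29"},
    {"hostname": "db01", "last_contact": "2025-06-30"},
    {"hostname": "lab-trial07", "last_contact": "2025-03-02"},    # trial box never decommissioned
    {"hostname": "contractor-lt9", "last_contact": "2025-06-30"}, # agent on a host the CMDB does not know
]

# Constructed asset inventory (CMDB) of hosts that should carry the agent.
ASSET_INVENTORY = {"web01", "web02", "db01", "app01", "lab-trial07"}

LICENSED_ENDPOINTS = 6          # constructed entitlement
AS_OF = date(2025, 6, 30)       # reconciliation date


def reconcile(devices, inventory, licensed, as_of, stale_days=30, alert_pct=80):
    """Return the discrepancies a monthly license reconciliation should surface.

    'consumed' counts every enrolled agent, stale ones included, because an
    agent keeps occupying a license slot until it is removed from the console.
    """
    enrolled = {d["hostname"] for d in devices}
    stale = sorted(
        d["hostname"] for d in devices
        if (as_of - date.fromisoformat(d["last_contact"])).days > stale_days
    )
    utilization = round(100.0 * len(enrolled) / licensed, 1)
    return {
        "not_in_inventory": sorted(enrolled - inventory),  # investigate: rogue or undocumented install
        "missing_agent": sorted(inventory - enrolled),     # coverage gap
        "stale": stale,                                    # candidates for agent removal
        "consumed": len(enrolled),
        "reclaimable": len(stale),
        "utilization_pct": utilization,
        "alert": utilization >= alert_pct,                 # internal early-warning trigger
    }


def format_report(result, licensed):
    """Render the reconciliation result as plain-text lines for a ticket or e-mail."""
    lines = [f"Licensed endpoints: {licensed}, enrolled: {result['consumed']} "
             f"({result['utilization_pct']}%), reclaimable: {result['reclaimable']}"]
    if result["alert"]:
        lines.append("ALERT: enrolled agents above utilization threshold")
    for key in ("not_in_inventory", "missing_agent", "stale"):
        lines.append(f"{key}: {', '.join(result[key]) or '-'}")
    return lines


if __name__ == "__main__":
    report = reconcile(CB_DEVICES, ASSET_INVENTORY, LICENSED_ENDPOINTS, AS_OF)
    print("\n".join(format_report(report, LICENSED_ENDPOINTS)))
```

Run monthly against a fresh console export and the CMDB extract; the stale list is what you remove to reclaim slots, the not_in_inventory list is what the asset team investigates, and the alert threshold is the internal trigger the monitoring bullet recommends setting before you hit the entitlement ceiling.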

Risk Mitigation and Audit Readiness

Under Broadcom’s ownership, the risk of compliance issues and audits related to VMware NSX and Carbon Black is higher. CIOs should take a defensive stance: prepare for the worst (an aggressive audit or a license dispute) while working to prevent any actual compliance gaps.

Here’s how to mitigate risks and be audit-ready:

  • Maintain an Accurate Inventory: It sounds basic, but many audit troubles start with an incomplete inventory. Ensure you have a single source of truth for all NSX and Carbon Black deployments in your enterprise. For NSX: document all vCenters, clusters, and hosts where NSX components are installed. Keep track of core counts and license assignments. For Carbon Black, have an up-to-date list of all devices (servers, VMs, laptops, etc.) running the Carbon Black agent. Cross-verify this with device inventory from IT management systems. Regularly reconcile differences (e.g., an endpoint that appears in the Carbon Black console but not in the IT asset list may indicate a rogue or outdated installation to investigate).
  • Internal Audits and Mock Audits: Periodically conduct internal license audits as if you were Broadcom. For NSX, simulate the process: are all hosts running NSX covered by a subscription? Are there any NSX Manager appliances running in test environments that might be overlooked? For Carbon Black, check if any endpoints exceed the purchased count or if any users or groups of devices have installed the agent without proper licensing. By self-auditing, you catch issues on your terms. It may help to involve a third-party consultant in these mock audits for an objective view. Document the results and remediation actions taken – this documentation can be useful evidence of good-faith compliance efforts if an official audit arises.
  • Stay Within Entitlements (or Properly True Up): A critical risk to avoid is “indirect usage” or unintentional, unlicensed usage. For example, be cautious of scenarios like cloning an NSX-enabled VM environment for testing without considering license implications, or using Carbon Black on a burst of temporary VMs during an incident, which could exceed your license counts. If you exceed your entitlements, proactively address the issue by contacting Broadcom for a true-up or additional licenses. It’s far better to pay for a needed expansion on your own initiative than to be caught later. Use the contract’s terms: many subscription agreements allow true-ups at specific intervals – take advantage of those to legitimize any overage, ideally at pre-negotiated rates.
  • Audit Clause Adherence: Know your contract’s audit clause thoroughly – what is Broadcom allowed to do, and what are your rights? Typically, you’ll have a certain notice period. When you receive an audit notice, don’t ignore or delay. Assemble your audit response team (including legal, IT, and procurement) and respond within the allowed time, acknowledging and scheduling accordingly. During an audit, provide only the required information – usually, they will specify the data (such as logs or environment reports). Avoid including extraneous data that might confuse the matter. Keep communications in writing whenever possible, and ask for clarification if any request seems outside the scope. The goal is to cooperate but also control the narrative.
  • Remediation and Resolution Plan: Despite best efforts, audits can find compliance gaps. Have a predefined plan for how you will respond if that happens. For instance, if an audit finds you were 10 CPUs short on NSX licensing, what’s your plan? Likely, it would be to purchase the needed licenses (or subscriptions) and possibly pay back maintenance or fees. Know in advance who has the signing authority and budget to approve the purchase so that you can resolve the issue quickly. Dragging out an audit fight can be costly in terms of time and legal fees. In negotiations with Broadcom, try to include a clause that limits any “penalty” to buying licenses at standard rates, rather than punitive fees. If such a clause exists, enforcement becomes straightforward – you just buy what you were missing. If not, be prepared to negotiate the findings. This is where having independent advisors or legal counsel with experience in software audits pays off, as they can push back on unreasonable compliance interpretations.
  • Protect Against Indirect Use Pitfalls: “Indirect use” typically refers to using software in a way that isn’t directly licensed. In the context of VMware/NSX, for example, if you allow a third party or partner to connect to your NSX environment, does that require them to have a license? What if you expose NSX-managed networks to something external? Ensure any such scenario is vetted. Another scenario: running NSX in a disaster recovery site. If your DR site is not always active, clarify whether you need full licenses there or whether you can transfer licenses during DR events (some vendors allow failover usage if not running concurrently). Get these clarifications in writing to avoid later disputes. For Carbon Black, indirect use might be less of an issue, but consider whether you install agents on third-party managed systems (such as contractor laptops) – are those covered under your license, and do you have the right to do so? Clear up any ambiguity by either not doing it or obtaining contractual permission.
  • Maintain a well-organized repository of all license purchase records, contracts, and support agreements for VMware NSX and Carbon Black. During an audit, being able to swiftly show “Here’s what we purchased, and here’s how it maps to deployments” speeds up the process. Also, maintain records of any communications from VMware or Broadcom that might be relevant – for example, if Broadcom approved a specific deployment model or provided written answers to your licensing questions, save those. In case of a dispute, those could serve as evidence of what you believed was allowed.
  • Security of License Systems: A bit of an obscure point, but ensure that systems like license managers or the VMware vCenter (which might display license info) are secure and accurate. Sometimes, auditors ask for log exports or screenshots from management consoles. You want to ensure that no one has tampered with or misconfigured them in a way that misreports usage. For instance, if an admin accidentally installs NSX on a host and then removes it, but artifacts remain, clear that up so reports are accurate. This is part of good IT hygiene and configuration management.
  • Audit Readiness Drills: Some companies even do “audit readiness drills” – essentially a tabletop exercise where the team practices responding to a hypothetical audit notice. They run through the process of pulling the data, see how long it takes, and what issues arise. This can uncover, for example, that collecting NSX usage info from all sites is cumbersome, prompting you to automate that reporting ahead of time. The more prepared you are, the less disruptive an actual audit will be.
  • Contractual Audit Fee Caps: When negotiating (tying back to the previous section), if possible, try to include a cap on audit fees or a clause that each party bears its own cost of audit unless a major shortfall is found. This deters vendors from frivolous audits. It might be tough to get Broadcom to agree. Still, some customers have had success with language like, “If the audit finds usage of 5% or less over entitlement, the customer is not considered out of compliance and pays the difference with no penalty.” Such clauses create a buffer for minor overage, which often occurs due to timing or minor mistakes. Use your leverage at negotiation time to bake in some audit protection; it will directly mitigate risk later.
  • Stay Engaged with User Communities: Finally, keep your ear to the ground. Other enterprises are going through the same thing; join user groups, forums, or peer networks where you can share audit experiences and outcomes, under appropriate confidentiality. If Broadcom is particularly targeting a certain license type or product for audits, you may hear about it from peers. Likewise, if other companies successfully negotiated more favorable terms, that’s useful intelligence for you. There is strength in community knowledge – while you can’t share exact contract details due to non-disclosure agreements (NDAs), general experiences and strategies are often shared in CIO networks. Leverage that to remain vigilant and prepared.

By following these risk mitigation steps, CIOs can significantly reduce the likelihood of nasty surprises from Broadcom’s licensing regime. If Broadcom does come knocking with an audit or assertion, you’ll be in a strong position to respond with facts and ultimately protect your organization’s interests and continuity.

Author
  • Fredrik Filipsson

    Fredrik Filipsson is the co-founder of Redress Compliance, a leading independent advisory firm specializing in Oracle, Microsoft, SAP, IBM, and Salesforce licensing. With over 20 years of experience in software licensing and contract negotiations, Fredrik has helped hundreds of organizations—including numerous Fortune 500 companies—optimize costs, avoid compliance risks, and secure favorable terms with major software vendors. Fredrik built his expertise over two decades working directly for IBM, SAP, and Oracle, where he gained in-depth knowledge of their licensing programs and sales practices. For the past 11 years, he has worked as a consultant, advising global enterprises on complex licensing challenges and large-scale contract negotiations.