Overview – NSX, Carbon Black, and Broadcom's Strategy
Broadcom's acquisition of VMware (closed late 2023) folded NSX and Carbon Black into a broader portfolio that already included Symantec's security products. This convergence is strategically significant for CIOs, as Broadcom is reshaping licensing, bundling, and product roadmaps to maximise value from the $61 B+ deal.
VMware NSX
Leading network virtualisation and micro-segmentation solution for data centres and clouds. Enables overlay networks, distributed firewalls, and is tightly integrated with vSphere. Under Broadcom, NSX is no longer sold standalone – it is bundled within VMware Cloud Foundation or new "VMware Firewall" security suites. Customers must subscribe to larger bundles to access NSX.
VMware Carbon Black
Cloud-native endpoint detection and response (EDR) and workload protection platform. Provides next-gen antivirus, behavioural monitoring, and threat hunting. Now being merged with Broadcom's Symantec enterprise security unit into a unified Enterprise Security Group β combining Carbon Black's EDR with Symantec's endpoint and network security portfolio.
Broadcom's Licensing Approach
Perpetual licences phased out in favour of subscriptions. SKU lineup drastically simplified to a few bundles (VMware Cloud Foundation full stack, vSphere + vSAN Foundation). Per-core licensing with steep minimums – even small deployments require high core counts. Broadcom prioritises large enterprise customers with high-margin, rigid deals.
NSX Licensing Shifts and Impacts
Broadcom has implemented significant shifts in how VMware NSX is licensed. These changes can have major budgetary and architectural impacts, especially for distributed environments and smaller deployments.
Per-Core Licensing with 72-Core Minimums
NSX moved to a per-CPU core licensing model. Previously VMware often licensed per CPU socket (up to 32 cores typically covered). Now every core counts. The smallest NSX subscription you can buy covers 72 cores, regardless of actual needs. A remote site with a single 8-core server must purchase 72 cores of licensing – a dramatic increase in minimum spend. A site that previously needed 2 CPU licences (~16 cores) now subscribes to 72 cores, potentially 4–5× the cost for the same usage.
Edge and Remote Site Impact
Remote offices, small clusters, and edge deployments that only require NSX on a few low-core hosts are forced into oversizing their licences. An edge cluster with two 6-core hosts (12 cores total) would be compelled to licence 72 cores – paying for 60 unused cores. This makes NSX economically impractical for many small sites, potentially forcing organisations to simpler alternatives or leaving sites without advanced networking security.
Over-Licensing on Shared Hosts
NSX licensing is tied to host cores, not specific VMs using its features. If NSX is enabled on a host, all cores must be licensed even if some VMs don't use NSX networking. In shared clusters this leads to paying for NSX on workloads that derive no benefit. If 50% of VMs use micro-segmentation but the rest are plain, you still licence 100% of cores. Risk is inflated costs unless architecture is adjusted (dedicated NSX-exclusive clusters).
Enforcement and Compliance Risks
Broadcom is being aggressive in auditing licence usage. If NSX is deployed beyond purchased core counts – even unintentionally (adding hosts to NSX clusters without increasing licences) – Broadcom could levy substantial backcharges or penalties. New subscription models may introduce technical enforcement (licence activation per host, usage data reporting). CIOs should treat NSX licensing as a compliance priority to avoid unexpected fees.
NSX Licensing Response Strategies
Evaluate Deployment Footprint
Review where NSX is deployed. For each cluster or site, assess if NSX benefits (micro-segmentation, overlay networking) justify the new higher cost. Scrutinise small clusters and edge sites – you may decide to limit NSX to larger central environments and use alternative solutions at the edge.
Architect for Licence Efficiency
Reorganise workloads so NSX is used in a contained way. Create dedicated clusters for NSX-protected VMs (only licence those hosts) and keep NSX off clusters that don't require those features. Right-size hardware – the cost scales linearly with cores. More moderately specced servers may yield fewer total cores to licence.
Engage Broadcom Early for Edge Use Cases
If NSX at remote sites is a key requirement (e.g. for security compliance), engage Broadcom to discuss options. Vendors historically offered ROBO (Remote Office/Branch Office) licences. Large customers pushing back might negotiate exceptions to the 72-core minimum. Document your edge requirements and costs to build a case for tailored licensing.
Budget for Higher Costs and Monitor Usage
Update budget forecasts to reflect the new model. Expect higher run-rate costs at renewal. Put monitoring in place to track NSX-enabled core counts continuously. Ensure you have subscriptions for every host where NSX is deployed. Keep a buffer of licensed cores if you anticipate growth.
Security Portfolio Integration – Carbon Black and Symantec
In 2024, Broadcom merged Carbon Black's business unit with Symantec into a single Enterprise Security Group. The goal is to fuse Carbon Black's EDR and cloud workload protection with Symantec's threat prevention, data loss prevention, and network security capabilities.
Unified Security Strategy
Future offerings will be more tightly integrated – potentially a single agent or console combining Symantec Endpoint Protection (malware protection, device control) with Carbon Black's behavioural analytics and incident response. In the short term, both product lines continue "as-is," but expect bundled deals and cross-selling at renewal.
Overlap and Redundant Agents
Many enterprises deploy Carbon Black alongside Symantec or other AV solutions. Running two agents doubles administrative effort (two consoles, two policies), consumes extra resources, and means paying for two products where one might suffice. Broadcom's integration may eventually unify these, but in the interim organisations may be overspending with duplicative solutions.
Potential Bundling and Licensing Changes
Broadcom could introduce bundles combining Symantec and Carbon Black under a single licence. If you only need one of the two, you might be forced into a pricier bundle. Watch for announcements of "Endpoint Security Suites." Also monitor whether Broadcom sunsets either brand in favour of a unified product – CIOs should be prepared for a migration.
Vendor Consolidation Opportunity
With one company providing both EDR and full endpoint/network security, enterprises might negotiate a consolidated deal. Fewer vendors can mean volume discounts and simpler management. However, consolidation should only be pursued if the combined solution meets your needs – avoid consolidating just for convenience if it means giving up a superior point solution.
Security Integration Recommendations
Audit Your Endpoint Security Stack
Inventory all endpoint agents (Carbon Black, Symantec, Microsoft Defender, etc.). Identify overlaps. Determine if you can reduce agents per endpoint without sacrificing security. Reducing duplicates saves licensing, maintenance, and endpoint performance overhead.
Engage Vendors for Roadmap Clarity
Ask Broadcom about agent unification plans, timeline for any integrated platform, and support plans for existing products. If a "unified agent" is coming next year, delay major re-deployments and plan for convergence instead. Get commitments in writing.
Consider Consolidated Deals – But Compare Options
When renewal comes, expect bundled pricing. Leverage this for savings, but benchmark against independent solutions. Use overlapping products as a negotiation point: "We don't need to pay double for similar capabilities." Be wary of long-term lock-in.
Avoid Knee-Jerk Replacement – But Have Plan B
Don't make hasty moves purely from fear. Carbon Black is still a strong platform and a forced swap introduces new risks. Instead, maintain current defences but develop a contingency plan – evaluate at least one alternative EDR (pilot CrowdStrike or SentinelOne) so you understand the effort to switch if Broadcom's direction doesn't align.
Negotiation and Procurement Strategies
Broadcom's business model focuses on high-margin deals with large enterprises. Many customers report renewal quotes that are multiples of previous spend (2×, 3×, or higher) with minimal flexibility. CIOs must adapt their procurement strategy for this new era.
Understand Broadcom's Stance
Broadcom often takes a "take-it-or-leave-it" approach and is known for rigid, high-margin licensing after acquisitions (CA, Symantec). Set expectations internally that VMware renewals may be significantly higher and negotiations tougher than in the past. Budget accordingly.
Leverage Volume and Scope
Consolidate purchases into a single negotiation event. Rather than piecemeal renewals of NSX, vSphere, and Carbon Black, co-term them or negotiate an enterprise agreement. Broadcom is more likely to give concessions on a big deal. But only aggregate if you're committed – keep some deals separate to preserve flexibility.
Aim for Pricing Protections
Negotiate pricing caps or locks. For 3- or 5-year terms, cap annual price increases. Pre-negotiate unit prices for additional cores or endpoints. Some enterprises have capped renewal uplifts (e.g. "no more than 3–5% increase"). Predictable costs make it easier to justify continuing with VMware internally.
Tighten Audit and Compliance Terms
Negotiate reasonable audit rights – at most one audit per year, specified notice period, no "fishing expeditions." Include a grace period for remediation before penalties. Clarify how DR sites, non-production labs, and cloud usage count toward licensing. Well-defined contracts prevent Broadcom from leveraging grey areas.
Insist on Scope Clarity
Ensure agreements explicitly list entities, subsidiaries, and geographies covered. If using VMware in cloud (VMware Cloud on AWS or others), confirm subscriptions apply there. Broadcom's BYOS (Bring Your Own Subscription) capability should be documented to port licences to cloud without additional cost.
Start Renewal Prep 12–18 Months Early
Conduct a full inventory and usage audit of VMware products. Identify what's actually used and what can be shed. Research alternative solutions for competitive benchmarks. By negotiation time, have a clear picture of needs, a target price, and a credible fallback plan.
Engage Third-Party Licensing Advisers
For high-stakes renewals, independent advisers (such as Redress Compliance) can provide insights into what discounts others are getting, identify hidden contract gotchas, and craft negotiation strategies. Their fees are often offset by savings. Ensure advisers are truly independent and not financially tied to Broadcom.
Consider Timing and Leverage
Schedule major negotiations toward end of Broadcom's fiscal quarter or year when sales teams may grant concessions. Leverage public benchmarks – user groups share experiences with quotes. Subtle reminders of fairness and willingness to escalate can be helpful.
Escalate if Necessary
Don't hesitate to escalate to higher management at Broadcom. If you're a Fortune 500 or significant account, VP-level discussions might yield more palatable terms. Craft a compelling case for why flexibility now leads to a long-term partnership versus pushing you to a competitor. Walking away is an option – but only if you truly have a replacement plan.
Plan for Renewals and Exits
Include exit windows in your IT strategy. Avoid auto-renewal clauses. If unsure about long-term Broadcom alignment, avoid very long terms despite larger discounts. Strive for balance – long enough to ride out turmoil, with checkpoints to re-evaluate.
Enter Broadcom negotiations armed with data, alternative options, and a firm understanding of your requirements. Be assertive – Broadcom may not offer flexibility upfront, but a savvy CIO can secure better terms or at least clarity and protection against the most onerous conditions.
SDN and Endpoint Security Alternatives
Whether as leverage in negotiations or as genuine contingency plans, understanding alternatives is prudent. Below are notable alternatives in both the SDN domain (for NSX) and endpoint security domain (for Carbon Black).
Combines Cisco Nexus switches with policy-driven APIC controller for network virtualisation, segmentation (including micro-segmentation via endpoint groups), and automation.
SDN solution originating in cloud and telco. Focuses on overlay networks using VXLAN, managing connectivity across VMs, containers, and bare metal.
CloudVision provides software-driven control, automation of VLANs, VXLANs, segmentation, and telemetry across Arista switch fabric. Macro-Segmentation Service (MSS) integrates third-party security appliances.
Includes Open vSwitch with custom orchestration (OVN, OpenDaylight), Kubernetes CNI plugins like Calico (provides networking and policy extending to VMs), and SD-WAN solutions for branch connectivity.
Market-leading cloud-native platform offering endpoint protection (NGAV), EDR, and threat intelligence in one lightweight agent. Managed detection services (OverWatch) available.
Known for autonomous endpoint protection using AI-driven detection and response. Agent can automatically mitigate threats without human intervention – ideal for lean security teams.
Provides anti-malware, EDR, and threat hunting deeply integrated into Microsoft 365. Correlates signals across email, identity, and endpoints for comprehensive XDR defence.
Trellix (McAfee + FireEye) offers combined detection capabilities. Trend Micro Deep Security is strong for server/cloud workload protection. Cortex XDR by Palo Alto integrates endpoint, network, and cloud data if using their firewalls.
When to Switch vs. When to Hold
Consider Switching When…
Broadcom's cost increase is unsustainable (3×+ budget impact). Your broader strategy is reducing VMware dependency. Alternatives show clear long-term savings after migration costs. You're moving to cloud or containers where NSX's role diminishes. Carbon Black innovation is slowing during integration.
Consider Holding When…
NSX is deeply ingrained (scripts, CI/CD integration, compliance requirements). Migration complexity and risk outweigh cost savings. You can negotiate a shorter-term renewal and re-evaluate later. Carbon Black is effective in your SOC and switching introduces retraining risk. Broadcom's integrated solution may improve your position.
Governance and Optimisation Recommendations
Establish a Licence Governance Team
Form a cross-functional team (IT operations, security, asset management, finance) to oversee VMware/Broadcom licence compliance and optimisation. Meet regularly to review NSX and Carbon Black usage relative to entitlements. Assign clear ownership – someone must "own" NSX licensing tracking and Carbon Black endpoint counts.
Implement Continuous Usage Monitoring
Track licence consumption using vCenter dashboards, Carbon Black Cloud console, or third-party SAM tools. Set up alerts for triggers like "new host added to NSX domain" or "endpoint count exceeds X% of licences." Catch growth or over-deployment early to avoid end-of-period surprises.
Right-Size NSX Deployment
Analyse whether NSX is deployed in areas where it's underutilised. A development cluster with NSX enabled but no workloads using micro-segmentation wastes licences. Remove NSX from clusters where it doesn't add strategic value. Review feature usage within NSX – if only using distributed switch but not firewall or VPN, negotiate a lower-cost tier or pay less.
Optimise Carbon Black Agent Deployment
Ensure only devices that truly need advanced EDR run the agent. Low-risk kiosk machines or lab systems might use standard antivirus instead. Remove agents from decommissioned systems promptly. Monthly reconciliations of active endpoints vs inventory catch stragglers. Use Carbon Black Cloud filters to identify inactive agents.
Avoid Agent and Tool Sprawl
Develop an endpoint agent policy defining which security agent(s) are standard. If running both Symantec and Carbon Black, categorise which endpoints use which and eliminate unplanned overlap. If introducing alternative SDN in a segment (e.g. ACI in a new data centre), govern carefully to avoid two SDN systems managing the same infrastructure.
Meter and Showback Costs
Implement internal showback/chargeback for NSX and Carbon Black. Calculate cost per core and present to business units. When teams see that enabling NSX in their cluster costs $Xk/year, they'll think twice unless it's truly needed. Same for endpoint security β require justification for duplicative tools that add cost.
Policy for New Deployments
Update IT standards to factor in Broadcom licensing. Add checkpoints: "Will this new cluster use NSX? Do we have licences or budget?" No cluster should have NSX installed without financial approval. New endpoint onboarding should confirm Carbon Black licensing is planned. Fold licence impact assessments into architecture review boards.
Regular Vendor Engagement
Maintain quarterly or semiannual business reviews with Broadcom. Share deployment numbers transparently and discuss changes. Ensure any decrease in usage is documented and reflected at renewal. Keep records of when/where you reduced usage so you can firmly negotiate down.
Training and Knowledge Management
Invest in training teams on the new licensing nuances. DBAs should understand the cost of an NSX-enabled host. Security ops should know how Carbon Black licensing works. Encourage a culture where engineers treat licence slots as valuable resources – decommission agents and uninstall VIBs when retiring servers.
Risk Mitigation and Audit Readiness
Under Broadcom's ownership, the risk of compliance issues and audits is higher. CIOs should prepare for the worst (an aggressive audit) while working to prevent any compliance gaps.
Maintain an Accurate Inventory
Ensure a single source of truth for all NSX and Carbon Black deployments. For NSX: document all vCenters, clusters, and hosts with core counts and licence assignments. For Carbon Black: maintain an up-to-date list of all devices running the agent. Cross-verify with IT asset management systems regularly.
Conduct Internal Audits and Mock Audits
Periodically simulate Broadcom's audit process. For NSX: are all hosts covered by subscription? Any NSX Manager appliances in overlooked test environments? For Carbon Black: any endpoints exceeding purchased count? Document results and remediation β this evidence demonstrates good-faith compliance if an official audit arises.
Stay Within Entitlements or True Up Proactively
Avoid unintentional unlicensed usage – cloning NSX-enabled environments for testing, or using Carbon Black on burst temporary VMs could exceed licence counts. If you exceed entitlements, proactively contact Broadcom for a true-up at pre-negotiated rates. It's far better to address overages on your initiative than under audit pressure.
Know Your Audit Clause Thoroughly
Understand what Broadcom is allowed to do and what your rights are. When you receive an audit notice, assemble your response team (legal, IT, procurement) immediately. Provide only required information β avoid extraneous data. Keep communications in writing. Ask for clarification if requests seem outside scope.
Have a Remediation and Resolution Plan
Pre-define how you'll respond if an audit finds compliance gaps. Know who has signing authority and budget for emergency licence purchases. Try to include contract clauses limiting penalties to buying licences at standard rates. Having independent advisers or legal counsel experienced in software audits can push back on unreasonable interpretations.
Protect Against Indirect Use Pitfalls
Clarify scenarios like: third-party access to your NSX environment, DR site licensing (can you transfer licences during failover if not running concurrently?), Carbon Black agents on contractor laptops. Get all clarifications in writing to avoid later disputes.
Maintain Organised Documentation
Keep a well-organised repository of all licence purchase records, contracts, and support agreements. During an audit, quickly showing "here's what we purchased and here's how it maps to deployments" speeds up the process. Save any communications where Broadcom approved specific deployment models or answered licensing questions.
Negotiate Audit Fee Caps
When negotiating contracts, try to include: cap on audit frequency (one per 2 years), each party bears own costs unless major shortfall found, and a buffer clause (e.g. "usage 5% or less over entitlement is not considered non-compliant – customer just pays the difference"). These protections directly mitigate risk later.
Conduct Audit Readiness Drills
Run tabletop exercises where the team practises responding to a hypothetical audit notice. Pull the data, time how long it takes, identify issues. This uncovers process gaps (e.g. collecting NSX usage from all sites is cumbersome) and prompts automation improvements ahead of a real audit.
Stay Engaged with User Communities
Join VMware/Broadcom user groups and peer networks where audit experiences and outcomes are shared. If Broadcom is targeting a certain licence type for audits, you'll hear about it from peers. General experiences and strategies are often shared in CIO networks – leverage that intelligence to remain vigilant.
By following these risk mitigation steps, CIOs can significantly reduce the likelihood of surprises from Broadcom's licensing regime. If Broadcom does come knocking with an audit, you'll be in a strong position to respond with facts and protect your organisation's interests.