Symantec’s endpoint security portfolio — now owned and operated by Broadcom — remains one of the most widely deployed enterprise endpoint protection platforms globally, with over 175 million endpoints under management. But the post-acquisition licensing model has become significantly more complex: three distinct product tiers with overlapping names, per-device subscription pricing that varies dramatically by volume band, mandatory cloud connectivity for newer tiers, and Broadcom’s characteristically opaque pricing practices. This guide cuts through the confusion to help enterprise buyers understand exactly what they are purchasing, what it costs, and how to negotiate effectively.
Symantec’s endpoint security portfolio consists of three distinct products that share a brand name but differ significantly in architecture, capabilities, and pricing. Confusingly, all three remain available for purchase simultaneously, and Broadcom’s naming conventions make it easy to conflate them. Here is the definitive breakdown.
SEP is the legacy on-premises endpoint protection platform — the product that most organisations know as “Symantec antivirus.” The current version is SEP 14.3.x, which continues to receive maintenance updates and virus definition releases. SEP is deployed and managed through the on-premises Symantec Endpoint Protection Manager (SEPM) console. It does not require cloud connectivity for core functionality, though it can optionally be enrolled in the cloud console for hybrid management.
SEP provides traditional endpoint protection: antivirus/antimalware (signature-based and heuristic), firewall, intrusion prevention system (IPS), device control (USB, removable media), application control, and deception technology (honeypot-based threat detection). It does not include Endpoint Detection and Response (EDR), behavioural analytics, or cloud-based threat intelligence — these capabilities require upgrading to the Enterprise or Complete tiers.
SEP is licensed per device as a subscription. Government contract pricing (via Carahsoft/Broadcom) shows SEP at approximately $19.60/device/year for the 1–99 device band. Enterprise volume pricing typically drops to $8–$12/device/year for 1,000+ device deployments. SEP is the lowest-cost Symantec endpoint option and remains appropriate for organisations that need traditional endpoint protection without EDR/XDR capabilities.
SES Enterprise is the modern cloud-managed endpoint protection platform with enhanced threat prevention. It can be deployed as cloud-only (managed entirely through the Broadcom cloud console) or hybrid (cloud console managing both cloud-connected agents and on-premises SEPM-managed agents). SES Enterprise includes all SEP capabilities plus advanced threat prevention features: machine learning-based threat detection, exploit prevention, behavioural analysis, and integration with Symantec’s Global Intelligence Network (GIN) for real-time cloud-based threat intelligence.
SES Enterprise is licensed per device. Government contract pricing shows approximately $16.25/device/year for the 1–99 device band, which is notably lower than SEP for small quantities — a pricing structure designed to incentivise migration from legacy SEP to the cloud-managed platform. Enterprise volume pricing for 1,000+ devices typically ranges from $6–$10/device/year depending on negotiated terms. SES Enterprise is positioned for organisations that want modern, cloud-managed endpoint protection but do not require EDR/XDR capabilities.
SES Complete is the full-featured endpoint protection, detection, and response platform. It includes everything in SES Enterprise plus Endpoint Detection and Response (EDR), behavioural analytics (SONAR), Adaptive Protection (automatic policy hardening based on observed application behaviour), threat hunting capabilities, sandboxing for suspicious files, and Active Directory security assessment. SES Complete represents Symantec’s competitive response to CrowdStrike Falcon, SentinelOne Singularity, Microsoft Defender for Endpoint, and Palo Alto Cortex XDR.
SES Complete is licensed per device. Government contract pricing shows approximately $78.13/device/year, making it roughly 4× the cost of SES Enterprise and the most expensive Symantec endpoint tier. Enterprise volume pricing for 1,000+ devices typically ranges from $30–$50/device/year. The Complete tier is essential for organisations that require EDR/XDR capabilities within the Symantec ecosystem — these features are not available at the lower tiers, and there is no “EDR add-on” for Enterprise or SEP.
| Capability | SEP (Legacy) | SES Enterprise | SES Complete |
|---|---|---|---|
| Antivirus / antimalware | ✅ | ✅ | ✅ |
| Host firewall | ✅ | ✅ | ✅ |
| Intrusion Prevention (IPS) | ✅ | ✅ | ✅ |
| Device control (USB) | ✅ | ✅ | ✅ |
| Application control | ✅ | ✅ | ✅ |
| Deception technology | ✅ | ✅ | ✅ |
| Cloud-based management | ❌ (SEPM only) | ✅ | ✅ |
| ML-based threat detection | ❌ | ✅ | ✅ |
| Exploit prevention | ❌ | ✅ | ✅ |
| Cloud threat intelligence (GIN) | ❌ | ✅ | ✅ |
| Mobile device protection | ❌ | ✅ | ✅ |
| Endpoint Detection & Response (EDR) | ❌ | ❌ | ✅ |
| Behavioural analytics (SONAR) | Basic | Enhanced | ✅ Advanced |
| Adaptive Protection | ❌ | ❌ | ✅ |
| Threat hunting | ❌ | ❌ | ✅ |
| Sandboxing | ❌ | ❌ | ✅ |
| AD security assessment | ❌ | ❌ | ✅ |
| Hybrid (cloud + on-prem) management | ❌ | ✅ | ✅ |
| Deployment model | On-prem only | Cloud / hybrid | Cloud / hybrid |
The feature matrix reveals the critical implication of tier selection: EDR is Complete-only. Organisations that purchase SEP or SES Enterprise and later determine they need endpoint detection and response capabilities must upgrade to Complete — there is no intermediate add-on. Given that EDR has become a baseline expectation for enterprise security programmes, and regulatory frameworks increasingly mandate detection and response capabilities, the decision between Enterprise and Complete should be made based on your 2–3 year security roadmap, not just current requirements.
Symantec endpoint products are licensed per managed device. A device is defined as a single physical or virtual desktop, laptop, thin client, workstation, mobile device, server, or virtual operating system environment on which a single instance of the Symantec agent is installed or performs services. Understanding the device counting rules is essential for accurate cost modelling.
Every agent installation counts as one device. If you install the Symantec agent on 500 endpoints, you need 500 device licences, regardless of how many users those devices serve or how frequently they connect to the network.
Servers count as devices. A physical or virtual server running the Symantec agent consumes one device licence — the same licence as a desktop or laptop. There is no separate server licensing tier. However, server workloads typically require specific policy configurations and may justify a dedicated licence pool for administrative clarity.
Virtual machines each count separately. A physical host running 10 VMs, each with a Symantec agent, requires 10 device licences. There is no per-host or per-hypervisor licensing option.
Enrolled SEPM devices count toward cloud seat totals. If you enrol an on-premises SEPM domain in the SES cloud console (hybrid deployment), the devices managed by that SEPM are counted toward your SES seat allocation. If you subsequently unenrol the SEPM domain, those devices remain counted as used until you manually purge them from the cloud console. This is a common source of licence over-count and should be managed actively.
Mixed-tier licensing is supported. You can hold both SES Enterprise and SES Complete subscriptions simultaneously. Devices with an applied Complete-only policy (such as Adaptive Protection) are counted under the Complete licence. Devices without Complete-specific policies are counted under Enterprise. This allows organisations to deploy Complete selectively — for example, on executive devices and high-risk endpoints — while maintaining Enterprise for general population endpoints.
The mixed-tier capability is a significant cost optimisation lever. Rather than purchasing SES Complete for every device at $30–$50/device, deploy Complete only on high-risk endpoints (executives, finance, administrators, developers) and Enterprise on standard endpoints at $6–$10/device. A typical enterprise ratio is 20–30% Complete / 70–80% Enterprise, which can reduce total endpoint security spend by 40–60% versus an all-Complete deployment while providing EDR capabilities where they matter most.
Broadcom does not publish public list prices for Symantec endpoint products. All pricing is delivered through authorised partners, distributors (Carahsoft, Insight, SHI, CDW), and Broadcom’s direct enterprise sales team. Pricing varies significantly based on volume band, contract term, existing Broadcom relationship, competitive situation, and negotiation effectiveness.
| Product | Small (1–99 devices) | Mid (100–499) | Enterprise (1,000+) |
|---|---|---|---|
| SEP (Subscription) | ~$19.60/device/yr | ~$15–$18/device/yr | ~$8–$12/device/yr |
| SES Enterprise | ~$16.25/device/yr | ~$12–$15/device/yr | ~$6–$10/device/yr |
| SES Complete | ~$78.13/device/yr | ~$55–$70/device/yr | ~$30–$50/device/yr |
| Endpoint Encryption (SEE) | ~$41.24/device/yr | ~$30–$38/device/yr | ~$20–$30/device/yr |
| DLP Endpoint Discover | ~$8.54/device/yr | ~$6–$8/device/yr | ~$4–$6/device/yr |
| DLP Endpoint Prevent | ~$12.06/device/yr | ~$9–$11/device/yr | ~$6–$9/device/yr |
Note that these prices are drawn from US government contract disclosures and market intelligence; your actual pricing will vary based on geography, partner relationship, and negotiation. The key takeaway is the price spread between Enterprise and Complete: at enterprise volume, Complete costs 3–5× more than Enterprise per device. For a 5,000-device deployment, this translates to the difference between $30,000–$50,000/year (Enterprise) and $150,000–$250,000/year (Complete). The mixed-tier strategy described above is the most effective way to manage this cost differential.
| Deployment Model | Device Mix | Annual Cost (Est.) |
|---|---|---|
| All Enterprise | 5,000 devices @ $8/device | $40,000 |
| All Complete | 5,000 devices @ $40/device | $200,000 |
| Mixed (optimal) | 1,250 Complete @ $40 + 3,750 Enterprise @ $8 | $80,000 |
| Mixed + DLP + Encryption | Mixed endpoint + 5,000 DLP @ $5 + 2,000 SEE @ $25 | $155,000 |
The mixed model delivers EDR coverage for the highest-risk 25% of endpoints at 40% of the all-Complete cost. Adding DLP and encryption as needed creates a layered security posture without the blanket cost of deploying every capability to every device.
Redress Compliance provides independent Oracle licensing advisory services — fixed-fee, no vendor affiliations. Our specialists have helped enterprises save millions through strategic license optimization, audit defense, and contract negotiation.
Explore Oracle Advisory Services →Broadcom’s acquisition of Symantec’s enterprise security business in 2019 (for $10.7 billion) introduced changes that mirror the VMware acquisition playbook: partner channel reduction, pricing pressure, and support restructuring.
Partner channel consolidation. Broadcom dramatically reduced the number of authorised Symantec partners, concentrating distribution through a smaller number of large partners (Carahsoft, Insight, SHI, CDW). Smaller regional partners and VARs that previously sold and supported Symantec products lost access, reducing procurement options and local support availability for many organisations.
Support restructuring. Essential Support (break-fix, virus definition updates, software updates) is included with all subscription SKUs. However, dedicated Technical Account Manager (TAM) support — the premium support tier that provides a named engineer familiar with your environment — is priced at approximately $60,000/year. For organisations that previously relied on their Symantec partner for day-to-day technical support, the reduced partner ecosystem and high TAM cost create a support gap.
Subscription-only licensing. All Symantec endpoint products are now subscription-only. Perpetual licences are no longer sold, and existing perpetual holders must transition to subscriptions to receive updates and support. Unlike VMware (where subscription expiry is operationally catastrophic), Symantec endpoint agents continue providing local protection with their existing definitions after subscription expiry — but they cannot receive new definitions, policy updates, or cloud-based threat intelligence, which progressively degrades protection quality.
Cloud-first strategy. Broadcom is steering all new deployments toward the cloud-managed SES platform and away from on-premises SEPM. While SEPM remains supported (SEP 14.3.x receives maintenance updates), new features and capabilities are delivered exclusively through the SES cloud platform. Organisations planning to remain on SEPM long-term should understand that they are on a maintenance-only product trajectory.
Organisations running legacy SEP with on-premises SEPM face a strategic decision: migrate to SES (Enterprise or Complete) or evaluate alternative endpoint platforms. The migration path is structured but not trivial.
Hybrid migration (recommended). Broadcom supports a hybrid deployment where the existing SEPM domain is enrolled in the SES cloud console. This allows administrators to manage both SEPM-managed agents (existing SEP deployments) and cloud-managed agents (new SES deployments) from a single cloud console. Devices can be migrated incrementally from SEPM to cloud management by deploying the new Symantec Agent (replacing the legacy SEP client) in phases. This approach minimises disruption and allows parallel operation during the transition.
Agent replacement. Migrating from SEP to SES requires deploying the new Symantec Agent on each endpoint. The legacy SEP client and the new SES agent are different software packages — this is not an in-place upgrade but an agent swap. The new agent can be deployed alongside the existing SEP client (which is then uninstalled), or the SEP client can be removed first and the SES agent deployed subsequently. In either case, plan for deployment effort proportional to your endpoint count: for large environments (5,000+ devices), staged rollouts over 4–8 weeks are typical.
Policy migration. SEP policies created in SEPM do not automatically translate to SES cloud policies. Security policies must be recreated in the SES cloud console, which uses a different policy structure and configuration interface. For organisations with complex, customised SEP policy sets (application control rules, custom IPS signatures, device control exceptions), the policy migration effort can be substantial. Budget 2–4 weeks of security engineering time for policy translation and testing in a mid-size environment.
Licence transition. Broadcom provides subscription trade-in programmes for customers transitioning from legacy SEP licences to SES subscriptions. The specifics of these programmes (credit amounts, eligibility requirements) are negotiated through your Broadcom partner and vary by account. In our advisory experience, trade-in credits typically offset 20–40% of the first-year SES subscription cost, but this is highly dependent on the remaining term of your existing SEP licences and your overall Broadcom relationship.
Broadcom’s endpoint security pricing is negotiable, and the range between initial quotes and final negotiated pricing is typically 15–35%. The following strategies are drawn from our advisory engagements with enterprises managing Symantec renewals.
1. Audit actual device count versus licensed devices. Most organisations are over-licensed by 10–20% due to decommissioned devices that were never removed from the management console, retired VMs that still consume licence seats, and SEPM-enrolled devices that remain counted in the cloud after unenrolment. Run a device reconciliation before renewal to right-size your licence count. Every eliminated device saves $8–$50/year depending on your tier.
2. Deploy the mixed-tier strategy. As detailed above, deploying Complete on 20–30% of high-risk devices and Enterprise on the remainder can reduce total cost by 40–60% versus all-Complete pricing. Present this model to your Broadcom partner as a structured procurement — it is a supported deployment model, not a workaround.
3. Negotiate multi-year terms for price protection. 3-year subscriptions typically yield 10–20% discounts versus annual renewals and, critically, lock pricing for the term. Given Broadcom’s history of aggressive price increases post-acquisition, price certainty has tangible value.
4. Bundle across Broadcom products. If your organisation also purchases Broadcom VMware, Symantec DLP, Symantec Email Security, or other Broadcom software, consolidating these into a single negotiation creates a larger deal value that improves discount leverage. Broadcom’s deal desk is structured around total relationship value, not individual product margins.
5. Present credible competitive alternatives. The endpoint security market is intensely competitive. CrowdStrike Falcon, Microsoft Defender for Endpoint (often included in M365 E5), SentinelOne, Palo Alto Cortex XDR, and Sophos all represent credible alternatives. A documented competitive evaluation with specific migration timelines and cost comparisons creates negotiation leverage. Broadcom responds to the credible threat of workload departure with discounts of 15–30%, particularly when the alternative is Microsoft Defender for Endpoint (which many E5 customers already have entitlement to use at no incremental cost).
6. Challenge the TAM cost. The $60,000/year TAM pricing is negotiable, particularly when bundled with a multi-year subscription commitment. In our experience, TAM costs can be reduced to $35,000–$45,000 through negotiation, or included as part of a larger deal package.
Evaluating Symantec endpoint licensing requires understanding how it compares to the major alternatives on both capability and cost. The following comparison focuses on the licensing dimension rather than technical deep-dives of detection efficacy.
| Platform | EPP + EDR Pricing | Licensing Model | Key Advantage |
|---|---|---|---|
| Symantec SES Complete | $30–$50/device/yr | Per device, subscription | Mature EPP, hybrid on-prem/cloud, Broadcom ecosystem integration |
| CrowdStrike Falcon Enterprise | $185/device/yr (list) | Per endpoint, subscription | Cloud-native, leading MITRE results, strong threat intel |
| Microsoft Defender for Endpoint P2 | Included in M365 E5 ($57/user/mo) | Per user (bundled) | Zero incremental cost for E5 customers; integrated with Intune/Sentinel |
| SentinelOne Singularity | $80–$180/device/yr | Per endpoint, subscription | Autonomous response, AI-driven, strong XDR |
| Palo Alto Cortex XDR | $100–$200/device/yr | Per endpoint, subscription | Unified XDR with network/cloud data, XSIAM platform |
| Sophos Intercept X + EDR | $28–$48/device/yr | Per device, subscription | Strong value, managed threat response option, MSP-friendly |
On pure pricing, Symantec SES Complete is among the most cost-effective EDR-capable platforms at enterprise volume ($30–$50/device versus $80–$185 for CrowdStrike and SentinelOne). However, price is only one dimension. CrowdStrike and SentinelOne consistently outperform Symantec in independent EDR evaluations (MITRE ATT&CK assessments), and Microsoft Defender for Endpoint represents zero incremental cost for the growing number of enterprises with M365 E5 licences. The competitive evaluation should weigh pricing, detection efficacy, operational overhead, and existing ecosystem investments.
For organisations currently running Symantec, the most common alternative evaluation paths are: (a) Microsoft Defender for Endpoint for M365 E5 customers seeking to consolidate security spend, (b) CrowdStrike Falcon for organisations prioritising detection efficacy and cloud-native architecture, and (c) Sophos Intercept X for cost-sensitive organisations that want comparable EPP+EDR at a similar price point with MDR (Managed Detection and Response) included.
Redress Compliance provides independent advisory on Broadcom Symantec endpoint licensing, including tier selection (SEP vs Enterprise vs Complete), mixed-tier cost optimisation, device count auditing, competitive evaluation, and renewal negotiation. We are independent of all security vendors and work exclusively in our clients’ interests.
Book a free consultation with our licensing specialists. No obligations, no vendor ties — just independent advice tailored to your situation.
Book Your Free Consultation →