A 56 page buyer side guide to Symantec enterprise licensing under Broadcom. Symantec Endpoint Security, DLP, CASB, ProxySG, the enterprise bundle economics, the partner channel structure, and the renewal levers that hold Broadcom accountable through the next Symantec cycle.
Broadcom has restructured Symantec on the same commercial playbook it applied to VMware. The Symantec renewal is the next time most enterprises will feel the consequences of that decision.
For most enterprises the Symantec estate is the foundation of the endpoint security posture, layered with Data Loss Prevention, Cloud Access Security Broker, ProxySG web security gateway, and the broader Symantec Enterprise Security Group portfolio that ran for two decades as the standard enterprise security suite. Broadcom completed the Symantec Enterprise acquisition, restructured the product catalogue around a small number of enterprise bundles, consolidated the partner channel into a focused set of authorised resellers, and repositioned the renewal economics on the same commercial playbook that Broadcom applied to VMware. By the time the Symantec renewal proposal arrives, the customer is sitting on a price quote that bears no resemblance to the historical Symantec spend, and the procurement function has to convert that quote into a defensible commercial outcome. This guide is written for that moment, and it pairs with the source Symantec Enterprise Software Licensing article, the Broadcom VMware Negotiation 2026 Playbook, and the wider Broadcom advisory practice.
Symantec under Broadcom is genuinely different from the Symantec the enterprise security team is most familiar with. The product catalogue has been consolidated into the Symantec Endpoint Security enterprise bundle, the Symantec Data Center Security bundle, the Symantec Information Security bundle covering DLP and CASB, and the Symantec Network Security bundle covering ProxySG and the secure web gateway estate. The per user pricing and per device pricing has been restructured on commercial terms that frequently open three to five times above the historical Symantec spend. The renewal cycle is now managed through the Broadcom Strategic Account programme that mirrors the VMware account team architecture. And the partner channel reshuffle removed the long tail of resellers and concentrated negotiation leverage with a smaller number of authorised partners. The buyer side response has to address every one of those mechanics while still securing a defensible security posture across the deployed Symantec estate. The framework pairs with our Broadcom VMware Negotiation 2026 Playbook for the macro Broadcom playbook view.
Used in sequence, the techniques in this guide routinely deliver Symantec commitment savings between twenty and thirty five percent against the opening Broadcom proposal, plus structural protection against the bundle composition uplift, plus a defensible position that keeps the option open to substitute selected Symantec components with the alternative endpoint, DLP, CASB, and secure web gateway platforms. The guide is updated quarterly to track the Broadcom Symantec price book, the bundle catalogue, the partner channel structure, and the negotiated discount band we observe in live deals. Read it next to our Broadcom VMware Negotiation 2026 Playbook for the macro framing, the Broadcom advisory practice page for how Redress Compliance applies these techniques inside live engagements, and the audit defense kits for the operational checklist.
The opening section deconstructs the 2026 Symantec commercial model under Broadcom. We document the Symantec Endpoint Security bundle, the Symantec Data Center Security bundle, the Symantec Information Security bundle covering DLP and CASB, the Symantec Network Security bundle covering ProxySG, the per user and per device pricing mechanics, and the partner channel structure that mediates every enterprise deal. The section closes with a Symantec cost model template that lets the buyer pressure test the Broadcom proposal against actual deployed inventory and the alternative endpoint, DLP, CASB, and secure web gateway platforms.
The second section addresses the Symantec Endpoint Security bundle. The bundle combines the Symantec Endpoint Protection agent, the Symantec Endpoint Detection and Response capability, the Symantec Threat Hunter intelligence, the Symantec Application Control capability, and the Symantec Device Control capability inside a single per device per year subscription. The buyer side approach maps the deployed endpoint population against the actual feature usage and surfaces the populations where a narrower endpoint posture is sufficient. This is the same endpoint discipline we apply across the wider Broadcom advisory practice.
The third section covers DLP and CASB under the Symantec Information Security bundle. The Symantec DLP estate that the enterprise built over a decade carries content classification rules, policy templates, and regulatory mappings that the customer cannot quickly replicate on an alternative DLP platform. The buyer side approach documents the DLP estate footprint, the CASB integration scope, and the contract grandfather positions that protect the customer from a forced bundle composition.
The fourth section addresses ProxySG and the Symantec Network Security bundle. The ProxySG secure web gateway estate and the Symantec Web Security Service have a deployment profile that varies materially by enterprise, and the buyer side approach documents the on premises ProxySG footprint, the cloud Web Security Service consumption, and the substitution options on the alternative secure web gateway platforms.
The fifth section covers competitive substitution. The Symantec alternative platforms have matured considerably since the Broadcom acquisition. CrowdStrike, SentinelOne, Microsoft Defender, and Palo Alto Cortex XDR appear inside Symantec Endpoint conversations. Forcepoint, Netskope, Microsoft Purview, and Zscaler appear inside DLP and CASB conversations. Zscaler, Netskope, and Cisco Umbrella appear inside secure web gateway conversations. The buyer side approach documents the substitution architecture, the migration economics, and the language we have used to extract concessions using the alternative platforms.
The closing section documents the Symantec enterprise renewal contract clauses Redress Compliance routinely negotiates: the bundle composition grandfather clause, the per device price hold language, the partner channel allocation clause, the support entitlement transfer language, the cloud Web Security Service consumption ceiling, the data residency posture, and the executive escalation path. Each clause is paired with negotiated language we have already placed inside live Broadcom Symantec contracts.
Two fields and the full guide opens on this page. No PDF to wait for, no inbox follow up unless you ask.
Broadcom acquired Symantec's enterprise security business in 2019 and moved it onto its own commercial model. Licensing now runs through Broadcom, with subscription terms and consolidated SKUs.
The product set spans endpoint, data loss prevention, web and email security, and CASB. The cost driver is how many of those you carry and at what tier.
Renewals run high because the estate carries more than it uses. Dormant modules, over counted seats, and suite tiers you never deployed all sit in the base.
Three gaps recur across the reviews we run. Each is defensible when your deployment records and the contract metric agree.
Reconcile entitlement against actual deployment before any pricing talk. A clean, smaller baseline is the single strongest lever you hold.
Where Symantec renewal cost hides
| Line | Usual driver | Buyer side position |
|---|---|---|
| Seat count | Drift above headcount | Live protected users only |
| Module set | Never deployed | Drop or hold dormant SKUs |
| Annual uplift | Open ended escalator | Capped uplift in writing |
You have more options than renew as quoted. Consolidation, partial replacement, and platform shift each reduce the spend in different ways.
Consolidation wins when the controls work and only the commercials are wrong. Replacement wins when a module is weak, redundant, or already covered by another platform you own.
The standard advice is that a security renewal is non negotiable because the risk of switching tools is too high. We disagree.
Across the Symantec and Broadcom reviews we have run, most of the saving came from dropping modules the customer never deployed, not from ripping out working controls. The buyer side move is to separate the security decision from the commercial one. Cut the dormant SKUs and right size the seats first, then decide what to keep on merit.
A security renewal feels mandatory, but the dormant modules inside it almost never are.
Run it on your timeline, not Broadcom's. Start the baseline early, set a walk position, and bring the consolidation case to the first commercial conversation.
Start the renewal six to nine months out, not at the notice deadline. Early preparation is what turns the consolidation case into a real price lever.
Bring security, procurement, and asset management to the same table. A renewal handled by one function alone usually concedes ground the other two could have held.
Keep the entitlement documentation clean throughout. Broadcom defines the terms in its licensing terms and lists the security portfolio on its cybersecurity product pages, so read both before you respond.
Fredrik Filipsson wrote this guide from the Symantec and Broadcom security reviews he has led. He will walk your SKU spread, your true forward exposure, and your renewal levers in a 30 minute call. No pitch.
Talk to a buyer side advisor. No pitch. No sales theatre. Thirty minutes, your Broadcom commitment, our scenarios.
One letter a month. Negotiation moves, audit signals, and price book shifts.
Once a month. Audit patterns, renewal benchmarks, vendor commercial signals across Oracle, Microsoft, SAP, Salesforce, IBM, Broadcom, AWS, Google Cloud, ServiceNow, Workday, Cisco, and the GenAI vendors. No follow up sales pressure.
Free providers (Gmail, Yahoo, Outlook) cannot subscribe. Work email only. Unsubscribe in one click.
