Broadcom VMware Audits: Connor Consulting, Cease-and-Desist Letters, and How to Respond

Barely a year after Broadcom acquired VMware, enterprise IT teams are facing a new reality: surprise legal notices and aggressive license audits for VMware software.

If your organization has been running VMware products on perpetual licenses without active support, you may have already received a cease-and-desist (C&D) letter or an official audit notice.

These developments aren’t business as usual – they’re strategic moves by Broadcom to enforce compliance and drive customers into new contracts. For a complete overview, read our ultimate guide – Broadcom Audit Defense 101: Strategies to Handle Broadcom/VMware/CA/Symantec License Audits.

In this guide, we break down why this is happening and, more importantly, how to respond.

Let’s dive in.

1. Why You’re Seeing C&Ds and Audits Now

Broadcom’s Tactics:

After acquiring VMware in late 2023, Broadcom wasted no time overhauling VMware’s licensing model. Perpetual licenses were discontinued, as were most support renewals, effectively forcing customers toward subscription bundles.

Many organizations with perpetual VMware licenses have chosen to run “unsupported” versions rather than accept costly subscription deals.

Broadcom is now cracking down on these customers by sending cease-and-desist letters and initiating formal audits. The message is clear: subscribe or stop using VMware software and support services.

Cease-and-Desist Letters for Unsupported Use:

The C&D letters target companies whose VMware support contracts have expired. They demand that you stop using any VMware software updates, patches, or versions released after your support expiration (with a sole exception for critical security patches).

In Broadcom’s view, continuing to apply updates without an active support contract violates intellectual property rights and license terms.

It’s an aggressive stance – essentially telling customers with perpetual licenses that if they won’t pay for support or subscription, they must roll back or remove any updates and potentially stay on old, vulnerable software.

Why Now?

Broadcom’s hardball approach is largely driven by revenue and control. By forcing legacy customers to either pay up or fall behind on patches, Broadcom creates a sense of urgency to move into subscription agreements.

It’s also a response to customers who tried to “wait out” Broadcom by using VMware without support while exploring alternatives.

Broadcom is betting that legal pressure will convert many holdouts into paying customers or drive them away from VMware entirely. This is happening now because Broadcom’s post-acquisition license enforcement strategy has intensified in 2025.

Practical Impact of These Letters:

  • Halted Patching: If you’re out of support, the C&D means you shouldn’t apply further updates or patches to VMware products. This freezes your ability to fix bugs or update systems, potentially leaving critical infrastructure exposed on outdated software. Many organizations feel they must choose between compliance and security – a terrible position to be in.
  • Legal Exposure: The letter’s language (often signed by a Broadcom/VMware executive) warns that using VMware software beyond your license terms is a material breach and IP infringement. It threatens enhanced damages and attorneys’ fees if you don’t comply. In short, if you ignore the letter and continue business as usual, you risk serious legal liability.
  • Reduced Negotiation Leverage: Once Broadcom sends a C&D and later an audit notice, you’re on the defensive. Any upcoming negotiation for licenses or support starts with you in a weaker position. Broadcom knows you’re under pressure to resolve potential non-compliance quickly. This loss of leverage can translate into less favorable contract terms unless you manage the situation shrewdly.

Bottom line: Broadcom’s use of C&D letters and audits is a calculated move to squeeze customers into compliance. Understanding this context will help you respond not with panic, but with a clear strategy.

2. Who’s Auditing You: Connor Consulting

If you’ve received an audit notice from Broadcom/VMware, it is likely to name Connor Consulting as the firm conducting the review. Connor Consulting is Broadcom’s chosen audit partner for VMware license compliance.

In practice, this means Broadcom has outsourced the day-to-day audit process to Connor’s team of licensing specialists, while Broadcom oversees the outcomes.

What you should know about Connor Consulting and its approach:

  • Third-Party Audit Specialists: Connor is a professional software license auditing firm (headquartered in San Francisco with global offices). They’ve handled compliance audits for various software vendors. Now, they act as Broadcom’s agents to verify VMware license compliance at customer sites. Treat them as an extension of Broadcom’s licensing department – they represent Broadcom’s interests, not yours.
  • Initial Contact & 3-Day Response Window: The Broadcom audit letter typically states that you must respond within three (3) business days to start the audit process. This response isn’t the full audit deliverable – it’s just an acknowledgment to Connor Consulting that you received the notice and will cooperate. Be prepared: A Connor representative will reach out (often via email and phone) shortly after you receive the letter. Meeting that 3-day response deadline is crucial to show good-faith cooperation and avoid giving Broadcom any excuse to escalate.
  • Audit Coordination: In the letter, Broadcom typically assigns an internal VMware/Broadcom contact to coordinate alongside Connor. However, Connor’s auditors will be your primary point of contact. Expect Connor to propose a kickoff call or meeting to outline the audit scope and logistics. They may introduce their team, explain the process, and start gathering high-level information about your VMware environment.
  • Scope of Review: The letter’s wording mentions a review of your “VMware deployment and entitlements.” Connor’s audit can encompass both fieldwork (on-site inspections) and remote analysis, as well as meetings with your staff in departments such as IT, asset management, finance, and operations. In other words, they might want to inspect systems, run diagnostic tools, and ask questions of the people who manage your VMware infrastructure and contracts.
  • Connor’s Process: Typically, Connor Consulting will follow a structured process:
    • Information Request: They will send you a detailed list of data they want to see (e.g., product deployment inventories, license keys and contracts, support renewal records, configurations, usage metrics, etc.). This may be presented as a formal audit questionnaire or spreadsheet for you to complete, along with scripts or tools to run on your vCenters or hosts.
    • Data Collection: Connor may request logs or remote access to review your VMware vCenter, license portal, or other systems to verify usage. Sometimes they propose a screen-sharing session to observe how many hosts, CPUs, or what features are active. In some cases, they might even request read-only access to license management consoles. It’s up to you to evaluate and manage these requests – more on that later.
    • Interviews/Meetings: Expect Connor to schedule meetings with key stakeholders. Commonly, they’ll want to speak with your IT administrators (to understand deployment), your Software Asset Management or licensing owner (for entitlements and any license tracking system you have), and sometimes Finance or procurement (to verify purchase records and perhaps discuss how you handle license accounting).
    • Analysis and Reporting: Connor will compile the data and analyze compliance. They’ll eventually report back to Broadcom (and to you) on any findings – e.g., where your VMware usage exceeds entitlements, or if you applied updates you weren’t entitled to.

Keep in mind that Connor is not your friend in this process. They might be cordial and “professional,” but their job is to find compliance gaps.

Every question they ask and every piece of data you hand over can be used to build a case that you owe Broadcom money or must stop doing something.

While you should remain cooperative, do so in a controlled and deliberate manner (we’ll cover defense strategies shortly). Always assume Connor will share all information with Broadcom’s sales and legal teams.

3. Timeline: What Happens After the Letter

Facing an audit can feel urgent and chaotic, but in reality, the process will unfold over weeks or even months. The only hard deadline in the very beginning is that three-business-day response. Here’s a timeline of what typically happens after you receive Broadcom’s letter:

Day 0: Audit Notice Arrives – Your organization receives the formal letter (often via email to a senior executive or a generic mailbox, such as “License Compliance”). As soon as it lands, internal alarms should go off. You should immediately alert your internal response team, which will likely involve Procurement, Legal, IT Asset Management, and Senior IT leadership. Don’t delay; the clock to respond is already ticking.

Day 1–3: Acknowledge and Organize – Within the three-business-day window, send a response to Broadcom/Connor acknowledging receipt and willingness to cooperate. This is usually just a brief email or letter that meets the requirement. (We’ll provide a sample in the Artifacts & Checklists section.)

Use these first few days wisely:

  • Identify a single point of contact (POC) for the audit (e.g., your Software Asset Manager or a procurement manager) who will handle communications with Connor.
  • Loop in your legal counsel to review the audit notice and help draft the reply (ensuring you don’t admit any wrongdoing while committing to cooperate per contract terms).
  • Notify the IT teams that an audit is imminent and request that they gather relevant data; however, freeze any non-essential changes to the VMware environment. (Important: The audit letter likely instructs you to report any changes made after the notice date – this is to prevent people from quietly uninstalling or migrating systems to hide them. Avoid sudden, unreported changes that could be seen as bad faith. If you must make critical changes for operational reasons, document and be ready to disclose them.)

Week 1: Initial Contact from Connor – Shortly after your response, Connor Consulting will reach out (if they haven’t already) to schedule a kickoff call. In this meeting, expect introductions and a discussion of next steps. Connor might outline the audit scope and request preliminary info. It’s okay at this stage to ask questions and also to propose ground rules (for example, you can ask if they will sign a non-disclosure agreement, or clarify how data will be collected).

Week 2: Data Request and Planning – Connor will send over their formal audit information request. This could include a list of required documents and data extracts, along with relevant templates.

Commonly requested items include:

  • Lists of all VMware software deployments (product, version, edition, physical server or cluster details, CPU counts, etc.).
  • Proof of entitlements (licenses owned, contract numbers, purchase dates, quantities).
  • Access to license management portals or VMware vCenter screenshots showing license assignment.
  • Details on any VMware support contracts, their end dates, and any upgrades or patches applied after support ended.
  • Exports or reports from tools (they may provide a script or tool to run on vCenter to gather inventory).
  • Meetings or Q&A sessions with specific teams for clarification.

During this phase, you should negotiate reasonable timelines for providing the data. Do not let the auditor unilaterally dictate unrealistic deadlines if the request is large. Audits are typically contractual obligations, but contracts usually say they should be at a “mutually convenient time” – use that to your advantage to get sufficient time (e.g., a couple of weeks) to collect and validate data internally before handing it over.

Weeks 3–6: Data Collection & Auditor Review – Your team will gather the requested info and deliver it in the agreed format. Connor’s team will likely analyze it and follow up with additional questions. There may be a back-and-forth process: clarifying ambiguous entries, double-checking counts, and possibly scheduling a remote session for Connor to verify a sample of systems or review license keys in your interface. The duration of this stage varies: a smaller environment audit might wrap in a few weeks; a large enterprise with many VMware products could take a couple of months of iterative queries.

Weeks 6–8: Preliminary Findings & Discussion – Once Connor believes they have a full picture, they will compile their findings. Typically, they’ll share preliminary results with you for discussion. This might be a meeting where they present any compliance gaps they found (for example, “You have X more CPU sockets in use than you have licenses” or “You applied updates on these servers after support expired”). This is a critical juncture – it’s your chance to dispute any inaccuracies before Broadcom formalizes a compliance claim. Do not accept findings blindly; if something appears incorrect, speak up and provide supporting evidence. Connor may adjust the report if you successfully challenge a point (e.g., proving a server they counted is decommissioned or that you actually have a license that they overlooked).

Weeks 8+: Broadcom’s Next Move (Settlement Negotiation) – After the audit report is finalized, Broadcom will step back into the picture (often via their sales or compliance division) to discuss remediation. In plain terms, this is where they inform you of their requirements: typically, to sell you a subscription or charge you for any unauthorized usage. They might present a bill for back-dated support or propose a new contract to legitimize your current usage. This marks the beginning of the negotiation phase, which we cover in detail in the Negotiation Playbook section.

It’s essential to note that the timeline can be flexible. Broadcom and Connor might initially show urgency, but large enterprises have managed to stretch the process over several months to get their affairs in order. The key is constant, good-faith communication. If you need more time to gather data, request it proactively and give a valid reason. Once findings are delivered, don’t rush into a settlement meeting until you’ve internally analyzed the report. Use the time to strategize your approach.

In summary, after the initial scramble to respond within 3 days, the audit becomes a project – coordinate it accordingly. Set internal deadlines, assign owners to tasks, and manage the auditor’s expectations. This will reduce panic and put you back in control of the timetable as much as possible.

Read about Broadcom vs Tesco and what to learn: Broadcom vs Tesco: Top 10 Lessons for VMware Customers.

4. What They’ll Ask For

Every audit is, to some extent, a fishing expedition. Broadcom (via Connor Consulting) will cast a wide net to collect information about your VMware deployments and licenses. Being prepared for their requests will help you avoid surprises.

Here are the typical things auditors will ask for and how to handle them:

  • Comprehensive VMware Inventory: Expect to provide a detailed inventory of all VMware software in use. This means listing out every installation of VMware products – commonly vSphere/ESXi hosts, vCenter servers, VMware Cloud Foundation components, NSX instances, vRealize/Aria products, and so on. For each, you’ll need to include details like version and edition (Standard, Enterprise Plus, etc.), the physical hardware it runs on (number of CPUs or cores, cluster size), and possibly usage metrics (e.g., peak VMs, features enabled). The goal is to enable them to calculate the licenses that should be required for your environment.
  • Proof of Entitlements (Licenses Owned): The auditors will verify your deployments against the licenses you are authorized to use. So they will request documentation of your VMware entitlements. This usually includes:
    • License keys or files for VMware products you’ve purchased.
    • Purchase records or contracts that show quantities and types of licenses (e.g., 100 CPUs of vSphere Enterprise purchased on XYZ date, with support that ended on ABC date).
    • Support contract details for each product (when support/Subscription Service was active, and when it expired).
    • Access to VMware’s license portal or your internal asset management system to validate these entitlements.
    • If you have an Enterprise License Agreement (ELA) or any other special licensing deals, those contracts or summaries will be required.
  • Deployment vs. License Reconciliation: They might explicitly ask you to map each deployed instance to a specific license. For example, which license keys are applied to which vCenter/ESXi host, and how many sockets each key covers. Any gap (more deployments than licenses) is what they’re hunting for. Be careful to only present what is asked. If they don’t ask for specific environment details (such as test or lab systems), don’t volunteer them unless those are clearly in scope.
  • Software Versions and Patch History: Since the C&D letters prohibit the use of patches released after support expiration, auditors may ask which updates were applied and when. They may ask for version numbers or build numbers of your VMware software to determine if those builds were released after your support lapsed. If you’re running versions that you technically shouldn’t have access to, this will be a point of contention.
  • Tools and Data Collection Methods: Connor may provide scripts or tools to run in your environment, automating data gathering. For instance, a PowerCLI script to extract all vCenter license and usage info. Alternatively, they may request readouts from VMware’s own tools (like VMware’s License Service reports or logs). In some cases, they propose doing a remote session to run these themselves. You do not have to grant them unfettered access; you can run provided scripts yourself and share the output. Always review any script/tool in a safe environment first to ensure it doesn’t capture more than necessary. If something seems overly intrusive, push back and offer an alternative way to provide them with the information.
  • Meetings with Stakeholders: As mentioned, Connor will likely want to speak to a few key people. Typical requests:
    • A meeting with your IT operations lead or VMware admin to walk through the environment topology and answer technical questions.
    • A meeting with the asset manager or ITAM/SAM representative to discuss how licenses are tracked internally, and perhaps to understand any internal compliance assessments you’ve done.
    • Possibly a session with procurement or finance to go over purchasing records, with your VMware account manager (if you have one) alongside, to clarify any contractual ambiguities.
    • If you have third-party support providers or consultants managing your VMware environment, they may also want to be involved.
  • Questionnaires: Some audits include a written questionnaire about your policies and procedures. For instance, “Describe how you deploy and activate VMware licenses,” or “Have you ever used VMware evaluation licenses in production?” These are as much about probing for weaknesses as they are about gathering facts. Answer truthfully but succinctly, and avoid volunteering extra detail that isn’t asked.

Key Advice – Centralize and Control the Flow: It’s wise to funnel all communications and data submissions through one channel (the POC you designated). This way, your organization speaks with one voice. Require that all requests be submitted in writing (email is acceptable), and whenever possible, respond in writing as well. This creates an audit trail of exactly what was asked and how you answered, preventing misunderstandings. It also gives you time to craft thoughtful answers rather than being caught off guard during a phone call.

Disclose the Minimum Necessary: You have a duty to cooperate per your contract, but that doesn’t mean you should overshare. Stick to the scope of the audit. If the audit is about VMware products, for example, you don’t need to talk about your use of other software, or even other products from VMware’s parent company (if you also use Broadcom/Symantec utilities unrelated to VMware, keep that out of the conversation). Answer direct questions fully, but do not volunteer information that wasn’t specifically requested. Auditors often ask broad questions; you can clarify and narrow them. For example, if asked, “Tell us about your VMware environment,” you can respond by asking what specific information they’d like, rather than spilling everything in a stream-of-consciousness monologue.

By anticipating what auditors will want, you can prepare much of this information in advance (see the Audit Intake Checklist later). Just remember that during the audit, every piece of data is effectively evidence. Handle it with care and only hand it over when asked through proper channels.

Read our top 10 lessons from Broadcom vs AT&T: Top 10 Lessons from Broadcom vs AT&T: What VMware Customers Should Learn.

5. Defense Basics

When facing a license audit (especially one as charged as this VMware/Broadcom scenario), an active defense strategy is crucial. “Defense” here doesn’t mean being uncooperative; it means protecting your interests while fulfilling your obligations.

Consider these foundational defense moves:

  • Internal Self-Review (Audit Yourself First): As soon as you suspect you might be audited (or immediately upon receiving notice), conduct an internal compliance audit. Gather your team (IT asset management, VMware admins, etc.) and compare your entitlements vs. deployments. Identify any obvious discrepancies:
    • How many CPU licenses do we own, and how many are actively in use? Are we exceeding license counts anywhere?
    • Are we using any VMware features or products we didn’t purchase? (e.g., using vSAN or NSX without licenses, or running an edition above what you bought)
    • Did we apply any patches or upgrades after our support expired? If so, list them.
    • Check for “license creep” – old evaluation licenses that never got replaced, or trial versions that were enabled, etc.
    The goal is to identify your weak spots before the auditor does. This allows you to craft explanations or remediation plans proactively. It also helps with communication – if you know, for example, that you have 20 more ESXi hosts running than you have licenses for, you can prepare a justification or consider remediation (such as shutting some down or purchasing licenses) before it becomes an unpleasant surprise.
  • Clean Up (Carefully): If your self-review identifies something clearly out of compliance, you face a dilemma: fix it now or leave it as is during the audit. Broadcom’s letter explicitly says you must report any changes after the audit notice date, to discourage companies from scrambling to cover up issues. Nonetheless, basic hygiene fixes are advisable:
    • For instance, if you discover that a certain VMware feature (e.g., vRealize Operations Manager) was deployed as a trial and never removed, and you’re not using it, consider uninstalling or disabling it now and be ready to inform the auditor that you did so as part of clean-up. Proactively fixing minor issues can demonstrate good faith, as long as you’re transparent.
    • However, do not destroy evidence or data. Don’t delete audit logs or anything that might look like you’re hiding usage. That will backfire legally.
    • Any changes you make after the notice (such as decommissioning an unlicensed host) should be documented. During the audit, you can say: “Yes, we retired these five hosts after receiving the notice, as they were already slated for decommission – here are their details.” It’s better to control the narrative of a change than to have the auditor find out and think it was sneaky.
  • NDA in Place: You might assume your existing contract’s confidentiality clause is enough, but given that a third-party (Connor) is involved and sensitive data about your infrastructure will be shared, insist on a Non-Disclosure Agreement specifically covering the audit. A mutual NDA (so neither side can disclose information) is ideal. This ensures that any information about your environment or business learned in the audit cannot be used outside the audit or shared freely within Broadcom for sales advantage. Broadcom might resist a separate NDA if the contract already has one, but it’s reasonable to request that Connor (the outside firm) sign an NDA with you. At a minimum, get written confirmation that all data you provide will be treated as confidential and used solely for compliance verification.
  • Tool and Data Controls: If the auditors want to use any automated tools or run software in your environment, exercise tight control:
    • Review and Approval: Request documentation or code for any tool they propose. Have your IT security vet it. You have the right to protect your systems from potential malware or overly invasive data collection. If you’re not comfortable, propose that you run it yourself or provide equivalent data through your own tools.
    • Scope Limitation: If a script is provided, check what data it gathers. Ensure it only collects VMware-related information, not, for example, scanning unrelated systems. If it’s too broad, push back and refine it.
    • Observation: If they do remote sessions, have your staff shadow everything they do. Screen-share on your terms; don’t leave them unattended in your environment. If they come on-site, escort them at all times. Think of it like having an external auditor in a financial audit – you wouldn’t let them rummage through every file cabinet at will; you’d hand them specific documents in a controlled room.
  • Define the Audit Scope in Writing: At the very start, seek clarity on what exactly is being audited. “Use of VMware software and support services” is broad language. Try to obtain a well-defined scope statement: Does this audit encompass all VMware products your company uses? Only certain products (e.g., vSphere family)? Only certain timeframes (e.g., compliance as of the date of notice)? If you have multiple business units, is the audit for the whole company or a particular division?
    • The more you can contain the scope, the less of a fishing expedition it becomes. For example, if you only use vSphere and vCenter, you might confirm that the audit is limited to those and not other VMware software, such as Tanzu or Horizon. If the letter was addressed to a specific subsidiary, clarify if it’s limited to that entity.
    • Also, clarify deliverables: what will the audit report consist of, and will you have the opportunity to review it for accuracy (most contracts allow for discussion of results before they are finalized)?
  • Engage Experts if Needed: This is especially true if your situation is complex or if the stakes are very high. Software license consulting firms (some specialize in VMware or general software compliance) can provide guidance or even interface with the auditor on your behalf. They can conduct an independent review and help rebut the auditor’s claims. Yes, it’s an added cost, but if you’re looking at potentially millions in license fees, a consultant or outside counsel versed in software audits can save you money by finding errors in the audit or negotiating better terms.
  • Stay Organized Internally: Treat this like a project with a formal plan. Maintain detailed records of all communications with and from Connor/Broadcom. Maintain a secure repository (e.g., a SharePoint or Google Drive folder restricted to the core team) where you store:
    • Copies of the C&D letter and audit notice.
    • All emails with the auditors.
    • The data you provided (exact files, versions).
    • Meeting minutes or notes from calls.
    • Internal discussions/decisions about how to respond.
    This not only helps now; in the event of any later dispute about “who said what” or “what was provided,” you have an archive. It also serves as your knowledge base in case a similar audit occurs in the future.
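
The four checks listed under Internal Self-Review above can be run as one reconciliation pass over your own inventory before any data leaves the building. The following is an added example, not part of the original article and not any auditor's tooling; the CSV columns, host names, quantities and dates are all constructed assumptions.

```python
"""Internal self-review: reconcile a VMware deployment inventory against entitlements.

All hosts, quantities and dates below are constructed sample data. The column
names (sockets, build_released, key_type, support_end) are assumptions made for
this sketch, not a VMware or auditor export format.
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed inventory: one row per deployed instance.
DEPLOYMENTS_CSV = """host,product,edition,sockets,build_released,key_type
esx01,vSphere,Enterprise Plus,2,2023-04-18,purchased
esx02,vSphere,Enterprise Plus,2,2024-06-25,purchased
esx03,vSphere,Enterprise Plus,2,2023-04-18,evaluation
esx04,vSphere,Standard,2,2022-10-11,purchased
esx05,vSAN,Standard,2,2023-04-18,purchased
"""

# Constructed entitlements: what was purchased and when support ended.
ENTITLEMENTS_CSV = """product,edition,sockets_owned,support_end
vSphere,Enterprise Plus,4,2024-01-31
vSphere,Standard,4,2023-12-31
"""


def load(text):
    """Parse CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def self_review(deployments, entitlements):
    """Return the weak spots an auditor would look for, grouped by check."""
    owned = {}
    support_end = {}
    for row in entitlements:
        key = (row["product"], row["edition"])
        owned[key] = owned.get(key, 0) + int(row["sockets_owned"])
        end = date.fromisoformat(row["support_end"])
        # Several contracts for one product: use the latest support end date.
        support_end[key] = max(end, support_end.get(key, end))

    used = defaultdict(int)
    findings = {
        "over_deployed": {},        # (product, edition) -> sockets above entitlement
        "unentitled": [],           # hosts running something never purchased
        "post_support_builds": [],  # hosts on builds released after support ended
        "evaluation_keys": [],      # "license creep": eval keys still assigned
    }
    for row in deployments:
        key = (row["product"], row["edition"])
        used[key] += int(row["sockets"])
        if row["key_type"] == "evaluation":
            findings["evaluation_keys"].append(row["host"])
        if key not in owned:
            findings["unentitled"].append(row["host"])
            continue
        # Flagged hosts still need a manual check: the letters described in
        # section 1 make an exception for critical security patches.
        if date.fromisoformat(row["build_released"]) > support_end[key]:
            findings["post_support_builds"].append(row["host"])

    for key, sockets in used.items():
        if key in owned and sockets > owned[key]:
            findings["over_deployed"][key] = sockets - owned[key]
    return findings


if __name__ == "__main__":
    result = self_review(load(DEPLOYMENTS_CSV), load(ENTITLEMENTS_CSV))
    for check, hits in result.items():
        print(f"{check}: {hits}")
```

Keep the output in the restricted audit repository alongside the inputs it was generated from, so any later remediation or disclosure can be tied to a dated internal finding.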

To summarize, defense basics are about being proactive, not passive. Don’t just roll over and let the audit happen to you. Take steps to understand your position, protect sensitive info, and guide the process.

By doing so, you transform an audit from a potential ambush into a more routine (albeit unwelcome) due diligence activity – one that you are managing, not just enduring.

6. If They Push to Court

The nuclear scenario in any software audit is a lawsuit. It’s the outcome everyone wants to avoid – including, usually, the vendor.

However, Broadcom has signaled a willingness to invoke strong legal language, and you need to be aware of how things could escalate if negotiations fail.

Escalation Path: The typical progression we’re seeing is:

Cease-and-Desist Letter → Audit → Settlement Discussion → (Potentially) Lawsuit.

Not every case goes all the way. In fact, most software audits end in a negotiated settlement or purchase, rather than a trial. Lawsuits are expensive, slow, and risky for both sides. But the threat of a lawsuit is a leverage tool. Broadcom’s letters explicitly mention “claims for enhanced damages” and other legal remedies. This is meant to instill fear that if you don’t comply or negotiate, they might take you to court for breach of contract or copyright infringement.

Could Broadcom/VMware Really Sue Us? Yes, it’s within the realm of possibility:

  • If an audit uncovers major unauthorized use (for example, you were running far more copies of VMware than you paid for, or you distributed VMware software illegally), Broadcom could file a lawsuit for violation of the license agreement and infringement of its intellectual property. They could seek financial damages for the unpaid licenses and potentially statutory damages (especially if they frame it as copyright infringement of software).
  • They might also seek an injunction – a court order to stop you from using the software until the matter is resolved. For a business relying on VMware, that threat alone is frightening because it could mean shutting down critical systems if enforced.
  • Realistically, Broadcom’s goal is revenue, not a lengthy court battle. The legal route may be used as a means to pressure you to the table. However, there have been instances in the tech industry where vendors have sued customers (Oracle and SAP have had a few high-profile cases, for example). Broadcom could decide to make an example of a particularly defiant customer if negotiations completely break down.

When Is Litigation More Likely?

  • If you ignore the audit letter entirely (don’t respond or refuse to cooperate), you increase the risk of Broadcom moving straight to legal action. Non-cooperation could be seen as a breach of contract on its face.
  • If an audit concludes and you refuse to pay or settle a clear under-licensing finding, Broadcom might sue to recover the value of those licenses/support.
  • In situations of repeat offenses or bad faith, like if they caught you uninstalling software to deceive auditors or using pirated license keys, etc., they’d be more inclined to involve courts.
  • Additionally, consider jurisdiction: Broadcom is a large company; if you’re in a jurisdiction where they have a legal foothold and the contract specifies the governing law, they could file suit there. Many VMware contracts specify California law (since VMware was based there) or local country law for international customers. This can also become an international legal issue.

Preparing a Defensible Position:

While you work toward a negotiated solution, you should quietly prepare as if you might need to defend yourself in court.

This means:

  • Ensure you have documentation of your compliance efforts. E.g., if you truly believed you were compliant, what evidence could show that? Maybe internal license tracking reports, communications with VMware reps about your license usage, etc. This could counter a claim of willful infringement.
  • Legal Review of Contracts: Have your legal team (or outside counsel) analyze your VMware license agreements and any relevant clauses, such as those related to audits, breaches, and other key provisions. Perhaps there are limitations of liability or ambiguities in the contract language that could be in your favor. For example, some contracts may not explicitly forbid using patches after support ends (Broadcom asserts that it does, but the legal basis may be arguable). Know your legal arguments before you’re in a courtroom.
  • Record of Cooperation: Keep evidence that you cooperated in good faith (emails where you responded on time, provided info, and requested reasonable extensions). If it ever got to court, you want to show the judge/jury that you were not a rogue actor, but a customer trying to follow the rules and who got caught in a complex licensing trap.
  • Impact analysis: If Broadcom were to seek an injunction to shut down your VMware usage, could you demonstrate the disproportionate harm it would cause (e.g., “this would cripple our operations”)? Courts sometimes balance harms when granting injunctions.

Negotiation Over Litigation:

In almost all cases, a negotiated settlement is vastly preferable to a lawsuit. Litigation would be public, could damage your company’s reputation, and the legal costs could rival the settlement costs.

Moreover, Broadcom likely prefers a paying customer over a protracted fight. Use the credible threat of litigation as motivation to engage seriously in negotiation (not as a reason to capitulate to any demand, but as a reason to find a mutually acceptable resolution).

If Legal Threats Get Real:

If you receive a formal legal notice or if talks break down and Broadcom indicates they’re moving toward litigation:

  • Engage your legal counsel immediately. Ensure they are ready to respond to any filings or to reach out to Broadcom’s lawyers for last-ditch negotiation.
  • You might propose involving a mediator or escalating the discussion to higher management before a lawsuit is filed. Sometimes, a quick call between your CEO and a Broadcom executive can pull the issue out of the legal mud and back into a business resolution, if both sides are rational.
  • Also consider your regulatory and disclosure obligations. If you’re a publicly traded company or operate in a regulated industry, a lawsuit from a major vendor might need to be disclosed to shareholders or regulators. This is yet another reason to avoid that outcome if possible.

In essence, lawsuits are the heavyweight endgame that everyone should want to avoid. They’re mentioned here not to scare you into capitulation, but so you remain clear-eyed about risks.

The credible risk of litigation means you shouldn’t take Broadcom’s threats lightly – but it doesn’t mean you must agree to everything either. It means playing smart: follow the contractual process (so they have no procedural grounds to use against you), build your case, and push hard to settle this dispute privately.

Most importantly, don’t panic. The specter of court is daunting, but if you’ve done your homework, engaged legal help, and shown willingness to resolve issues, it usually won’t come to that. Broadcom would rather have your money through a contract than through a court judgment. The next section on negotiation will help you aim for that outcome.

7. Negotiation Playbook

By the time the audit results are in, you’ll have one or more compliance issues identified – real or alleged. Now comes the business negotiation to resolve those issues.

This is where your procurement and legal teams take center stage, and a procurement-first mindset is key. Do not treat the audit findings as a final bill; treat them as the vendor’s opening bid.

Here’s how to negotiate your way to a manageable settlement or agreement:

  • Dissect the Audit Findings: Begin by thoroughly reviewing the auditor’s report. Verify every claim:
    • Did they count your usage correctly? (Example: If they say you have 50 ESXi hosts and licenses for 40, make sure those 50 were all active and not including decommissioned systems or duplicates.)
    • Do you actually lack entitlements where they say you do? Cross-check with your purchase records – auditors sometimes miss recent purchases or upgrades.
    • Are they applying the contract terms fairly? Maybe they flagged the use of a feature that, according to your contract, you were entitled to. Look for any inflated claims or errors. It’s common to find some discrepancies.
    • Challenge what you can: If something is wrong or not clearly supported by evidence, push back. You can provide log data or other proof to counter their claim. Even if you can’t refute a finding entirely, any reduction helps (e.g., proving only 45 hosts were in use instead of 50 could save you money).
  • Accept Only Documented Gaps: For any compliance gap they identify, ensure it’s well-documented and clearly a breach of your agreement before you concede it. If auditors use assumptions (“we assume you must have used this many licenses because of X”), that’s not concrete. Ask for their evidence. When it’s truly black-and-white (e.g., you installed software on 10 more CPUs than you purchased licenses for, or you installed a patch on a date after support ended – and they have records), then you can prepare to address that. But don’t admit to more than the facts show.
  • Frame the Narrative: In negotiations, how you frame your compliance issue matters. Instead of “we were caught violating licenses,” frame it as “we have a gap that needs to be remedied.” Perhaps there were misunderstandings – for instance, “We believed our license allowed using security patches, and our team applied them out of an abundance of caution to protect systems. We now understand Broadcom’s position and want to find a commercial solution.” Showing a cooperative attitude but not groveling can set a better tone.
  • Convert Findings into a Future-Focused Deal: Broadcom wants revenue. Use that to your advantage. Propose a forward-looking solution:
    • Example: If you’re short 10 CPU licenses for vSphere, rather than paying a huge penalty for past usage, offer to purchase subscriptions/licenses for those 10 CPUs moving forward. Essentially, true-up by buying what you need for the future. Many vendors are amenable to this because it locks you in as a paying customer going forward, which for them is as good as (if not better than) extracting a one-time penalty.
    • If the issue is using software after support has expired, the “solution” Broadcom wants is for you to renew support (or subscribe). So negotiate the terms of that new support/subscription rather than just paying damages. Perhaps you’ll agree to resume support from now on, and Broadcom, in return, waives claims for the unsupported period.
    • Try to steer the conversation to “what can we buy or sign now that resolves this?” rather than rehashing past breaches.
  • Minimize Retroactive Fees: Vendors often initially demand back payments (like “you need to pay for the last 12 months of support you missed, plus a penalty”). Your goal: minimize or eliminate retroactive charges. Strategies:
    • Argue that paying back for support is pointless since you didn’t receive those support services during that time. Instead, suggest applying costs toward future support (this resonates in procurement as getting value for money).
    • If they claim you used more licenses than owned for X years, they may ask for back license fees. Counter with: “We’ll purchase the licenses now (or a subscription that covers them) and move forward. Let’s focus on fixing the issue, not punishing the past.”
    • Some compromise might be inevitable (e.g., a reduced back-support fee or an “audit fee”), but try to cap it. For example, you might negotiate to pay 6 months of back support instead of 2 years, or a one-time charge that’s far less than their initial number.
  • Negotiate Caps and Limits: If a payment is unavoidable, negotiate a cap on liability as part of the settlement. For instance, if they calculated a $1 million “compliance gap value,” you might settle for a new contract worth $600k and an agreement that this fully resolves all issues. By capping it, you prevent any surprise add-ons.
    • Additionally, consider negotiating limits on future audits or penalties – for example, if you sign up for a new 3-year subscription now, you may want to include a clause that prevents Broadcom from auditing you again for at least 2 years, as long as you maintain the subscription. Use this event to extract some assurances and stability.
  • Demand a Full Release of Claims: Any settlement or new contract should include a “full and final release” clause, meaning Broadcom/VMware relinquishes any claims related to past non-compliance once the deal is finalized. This is critical. You don’t want them coming back next year, saying, “By the way, we also realized you owe us for XYZ.” The release should cover all matters discovered up to the settlement date.
    • Typically, the wording would be like: “Vendor agrees that upon Customer’s fulfillment of the obligations in this agreement (such as payment and/or signing the new license contract), Vendor releases Customer from any claims related to Customer’s use of VMware software before the effective date of this agreement.” Ensure it’s comprehensive and clearly concludes the audit.
    • Also, ensure the settlement states that it is not an admission of wrongdoing by your company, simply a resolution of a contract dispute.
  • Leverage Future Business: If your company has significant IT budget and choices, use that as leverage. Perhaps you were considering moving off VMware to a competitor (Hyper-V, Nutanix, cloud, etc.). It might be worth subtly letting Broadcom know that how they handle this audit could influence whether you remain a VMware customer in the long term. They might moderate their demands if they sense they’ll lose the customer entirely. Conversely, if you plan to stick with VMware, consider using that to get a better price: e.g., “We’re willing to commit to a three-year Enterprise Agreement for VMware because we do value the technology – but we need this audit issue settled fairly to move forward.”
  • Package the Settlement into a Contract: Often, the outcome of an audit negotiation is either a separate Settlement Agreement or simply a new Purchase/License Agreement (with an order form and so forth) that includes settlement language. Work closely with legal and procurement to make sure all pieces of the negotiation are documented:
    • If you agreed to buy X licenses, specify their part numbers, quantities, price, and term.
    • If Broadcom agreed to waive certain fees, ensure the contract explicitly says that those are waived or that the pricing is “in consideration of resolving past usage,” etc.
    • Include those protective clauses (release, confidentiality of the settlement, etc).
    • Consider adding an audit clause amendment if the previous contract’s audit clause was too open-ended. For example, if no cure period existed before, put one now (e.g., “VMware will provide 30 days for Customer to resolve any compliance issues before pursuing remedies”). We’ll list some sample clause improvements in the next section.
  • Don’t Forget Support and Technical Needs: If, as part of the settlement, you re-up support or subscribe anew, clarify how that impacts your current deployments:
    • Will Broadcom allow you to keep using the software versions you have without disruption? (They should, if you come back into compliance.)
    • If you had to uninstall patches per the C&D, perhaps you could negotiate to reapply them once you’re back under support (for security purposes).
    • Little details, such as ensuring continuity of license keys and avoiding downtime when switching to subscription licensing, should be part of the plan. Obtain commitments, if necessary, that Broadcom will facilitate a smooth transition back to supported status.

Negotiation Mindset:

Throughout this process, keep a firm but constructive tone. Broadcom’s auditors and sales reps will have their playbook – likely starting with a high demand. It’s procurement’s job to systematically bring that down to a reasonable outcome.

Use data, precedent (if you have any info on how others settled, that helps), and the promise of ongoing business to drive the negotiation.

In an ideal case, you end up with:

  • A tolerable financial impact (maybe even some discount off the list price for future purchases as a gesture).
  • A new contract that meets your needs (maybe you secure a better package or bundle that you actually can use).
  • Closure on the past issues (no lingering liabilities).
  • A better understanding with the vendor moving forward (you might not like their tactics, but at least you’ve established a working relationship post-crisis).

Finally, time is on your side to some extent in negotiation – the end-of-quarter or end-of-year deadlines might put pressure on Broadcom’s sales team to close a deal.

If you can time your negotiation to coincide with Broadcom’s sales targets, you may be able to extract a better price. Don’t rush to sign unless there’s a strategic advantage; make them sweat a little, too, as long as you’re making progress.

In summary, treat the audit settlement like any major procurement deal: do your homework, negotiate hard on value, and lock down the terms in writing. You want to emerge not just having paid a bill, but with a viable path forward for your VMware usage that your IT and finance teams can live with.

8. Artifacts & Checklists

To help you put all this advice into action, this section provides concrete artifacts and checklists. These are practical tools that you can adapt to meet your organization’s needs. Think of this as your audit-response toolkit:

Audit Intake Checklist

When an audit notice hits, a lot needs to happen quickly.

Use this checklist to ensure you cover all prep steps in the first few days:

  • 🔒 Secure Internal Alignment:
    • Identify the core response team: typically includes Legal Counsel, Procurement/Sourcing Manager, IT Asset Manager (SAM), Lead VMware Administrator, and potentially a CIO/CTO representative for executive support.
    • Set up an internal kickoff meeting (even if brief) to assign roles and establish communication channels (e.g., a dedicated Slack/Teams channel or email thread for the audit team).
  • 📄 Review Contracts and Policies:
    • Pull up all relevant VMware license agreements, order forms, and support contracts. Pay special attention to any audit clause, termination clauses, and usage rights.
    • Locate any prior communications from VMware/Broadcom about licensing changes (e.g., notices about end of support or license migrations) as they might be relevant in discussions.
  • 📧 Draft Initial Response:
    • Compose a formal acknowledgment letter/email to meet the 3-day deadline. Key points to include: acknowledgment of receipt, statement that you intend to cooperate pursuant to the agreement, designation of a contact person, and a request for NDA (if you choose to mention it upfront). Keep the tone professional and neutral. (A sample email is provided below.)
    • Have legal review this response before sending.
  • 🗄️ Gather Entitlement Data:
    • Compile a license inventory: all VMware products your company owns, with quantities, versions, license keys, and purchase references. Use your SAM database or maintenance renewal quotes as references to ensure nothing is missed.
    • Download or locate proof of purchase for each (invoices, license certificates, contract PDFs).
    • Document support status: For each product, note if support is current or the date it lapsed.
  • 🖥️ Gather Deployment Data:
    • From IT, get a list of all servers/clusters running VMware software. Include environment tags (production, dev, etc.) because you might argue about certain environments if needed.
    • Export data from vCenter or other management tools showing host counts, VM counts, and features in use.
    • Identify any VMware software that might be installed but not in active use (shelfware or pilots). Mark these, as you might present them differently (e.g., “installed but not actually utilized”).
  • 🔍 Identify Known Gaps or Risks:
    • Cross-check the deployment vs entitlement. Create a private list of any discrepancies (e.g., more usage than licenses, etc.).
    • Note any “gray areas” in your usage (e.g., using a secondary product that came with a suite, or running old versions beyond the support period).
    • Highlight any mitigating factors for gaps (e.g., “that host was decommissioned last month,” or “we have a purchase in progress for those licenses”).
  • 🤝 Plan the Communication Strategy:
    • Decide who will speak in meetings with Connor. Typically, one person leads (often from SAM or procurement), and others provide answers as needed. This prevents the auditors from cornering junior IT staff with leading questions.
    • Agree internally on what not to volunteer. For example, instruct all team members to let the designated lead handle any questions about plans or budget, so no one accidentally reveals “oh, we were actually thinking of leaving VMware” or something strategic.
  • 💾 Set Up a Document Repository:
    • Create a secure folder for all audit-related documents. Immediately save copies of the C&D letter and audit notice there.
    • As you gather data, store master copies here. This ensures that everyone is working from the same information, and you have a record of what was provided to the auditors.
  • ⏲️ Timeline and Deliverables:
    • Make an internal timeline for the audit process. For example: “Day 3: send acknowledgment; Day 7: complete initial data gathering; Day 10: internal review of data; Day 12: provide data to auditors.” Adjust as needed once you talk to Connor, but having a plan is key.
    • If you have critical business events coming (quarterly closes, major system changes), note these. You might need to negotiate around them (e.g., avoid heavy audit activity during a data center migration or financial close week).

This checklist will evolve as you become immersed in the audit, but initially, it ensures you have the essentials covered.

Sample Audit Acknowledgment Email

Crafting the right initial email sets the tone and meets Broadcom’s requirements without oversharing. Here’s a template you can customize:

Subject: Response to VMware Audit Notice – [Your Company Name]

Dear [Broadcom/VMware Audit Team],

We acknowledge receipt of your letter dated [Date of Letter] regarding a formal review of [Your Company Name]’s use of VMware software and support services. [Your Company Name] is committed to cooperating with the audit in accordance with our license agreements.

To facilitate a smooth process, we propose the following initial steps:
  • Primary Contact: Please direct all audit-related communications to [Name, Title], who is our designated point of contact for this review. [He/She] can be reached at [email] and [phone].
  • Non-Disclosure Agreement: Given the sensitive nature of our technical and business information, we request that Broadcom/VMware and its audit partner Connor Consulting enter into a mutual non-disclosure agreement before any data exchange. We can provide a draft NDA, or we are open to reviewing one from your side.
  • Scope & Schedule: We would like to schedule an introductory call with the audit team to clarify the scope of the review and agree on a reasonable schedule that minimizes impact on our operations. Our team’s availability for a call early next week (e.g., [propose two or three dates/times]) is provided below for your convenience.

Please confirm receipt of this email and let us know the next steps or any information needed upfront. We look forward to working collaboratively to complete the review efficiently.

Sincerely,
[Your Name]
[Your Title]
[Your Company Name]
[Your Contact Information]

Notes on this email: It formally acknowledges the audit (fulfilling the 3-day response obligation) and immediately sets some terms: an NDA and a scoped kickoff discussion. This positions you as cooperative yet cautious.

It also gives you a bit of control by proposing meeting times, rather than passively waiting. Adjust the tone to match your corporate style, but keep it factual and concise, avoiding overly detailed information.

Sample Contract Clause Redlines (Audit Provisions)

One longer-term outcome of this saga might be the opportunity to renegotiate some contract terms (perhaps when signing a new agreement as part of the settlement).

Here are key clauses to consider amending or adding to protect yourself in the future, presented as what you should ask for in an ideal world:

  • Audit Frequency and Notice: Current issue: Many vendor contracts allow audits at any time with minimal notice.
    Redline to add: “Vendor may audit no more than once in any 12-month period, and must provide at least 30 days’ written notice before initiating an audit.”
    Why: This prevents constant harassment and allows for reasonable preparation time.
  • Audit Scope and Method: Current issue: Contracts often fail to define how an audit is conducted, which gave Broadcom latitude to bring in Connor and request broad access.
    Redline to add: “Any audit shall be conducted during normal business hours, in a manner that minimizes disruption, and shall be limited to verification of compliance with licensing terms for VMware products in use by Customer. Vendor will work in good faith with Customer to agree on the scope of data and systems reviewed.”
    Why: This ensures audits don’t become fishing expeditions into unrelated areas and that they won’t grind your operations to a halt.
  • Confidentiality of Audit Findings: Current issue: Your sensitive info might be shared widely.
    Redline to add: “Vendor and any auditor will treat all information obtained in an audit as confidential, using it solely for the purpose of verifying compliance. Audit results will not be disclosed to third parties or used for sales/marketing purposes. Vendor shall not retain any Customer data beyond the audit conclusion, except as required for compliance records.”
    Why: Protects you from your data being misused or leaked (which could be a competitive risk or PR risk).
  • Cost of Audits: Current issue: Contracts sometimes say if you’re non-compliant by a certain margin, you pay audit costs. Broadcom’s tactics aside, try to cap this.
    Redline to add: “Audits shall be at Vendor’s expense. If a material license shortfall is discovered (exceeding, for example, 5% of licenses), the Customer will then reimburse reasonable audit costs up to a cap of $X. Otherwise, Customer bears no costs for audits.”
    Why: This incentivizes the vendor not to audit frivolously, and even if they find something, your financial exposure for the audit process itself is limited.
  • Cure Period: Current issue: Broadcom jumped straight to enforcement. Contracts often lack an explicit cure period for compliance issues.
    Redline to add: “If any license non-compliance is found, Customer shall have 30 days to purchase additional licenses or otherwise resolve the non-compliance before Vendor may exercise further legal remedies or rights under the agreement.”
    Why: Gives you a chance to fix the issue (usually by buying what you need) without immediately facing penalties. It basically forces negotiation rather than ambush.
  • Cease-and-Desist on Support Use: Current issue: The letter demanded the removal of patches. If you can, clarify this in contracts to avoid future surprises.
    Redline to add (if negotiating new support terms): “Upon support expiration, Customer may retain any software and updates already deployed as of that date. Customer will not deploy new updates released after expiration, except for critical security patches, which may be applied to maintain security. Such application will not be deemed a license breach.”
    Why: This one might be tough to get in writing from Broadcom, but it’s worth a shot. It codifies some fairness – you get to keep using what you had without tearing it out, and allows security fixes. At least it can be a starting point for negotiation, even if Broadcom counters with something less generous.

Remember, when presenting redlines like these, you might not get everything. But it starts a negotiation on terms, not just dollars. If Broadcom wants to close a big license sale or settlement, you can say, “These contract protections are part of the deal for us.” They may relent on some to get your signature (especially if they plan to treat you better going forward as a renewed customer).

Sample Settlement Language: Full and Final Release

As discussed, any settlement or new contract to resolve the audit should contain language that fully releases you from past claims.

Here’s a snippet of what that could look like in an agreement:

Settlement and Release: Upon Customer’s payment of the fees and/or execution of the new VMware subscription agreement described herein, and Vendor’s receipt of such payment and signed agreement, Vendor (including VMware/Broadcom and its affiliates) agrees to release, acquit, and discharge Customer and its affiliates from any and all claims, demands, liabilities or causes of action arising out of or related to any use of VMware software by Customer prior to the Effective Date of this Settlement. This release is acknowledged by the parties to be full and final, and Vendor waives any rights to further audit or pursue remedies for past matters covered by this settlement. Nothing in this clause affects Vendor’s rights concerning compliance or audits for Customer’s use of VMware software after the Effective Date.

A few notes on this:

  • It specifies that once you pay or sign whatever new deal, Broadcom/VMware can’t come after you for old issues.
  • “Any claims… before the Effective Date” covers everything up to now, so they can’t slice out something like “oh, except we still might sue for that patch issue.” No, it’s all covered.
  • It also implicitly ties to the assumption you’ll remain compliant going forward (it doesn’t stop them from auditing you next year for new issues, but at least the past is closed).
  • Work with your legal team to get precise language, but be firm that without a solid release, there is no deal.

Internal RACI Template for Audit Response

Complex responses benefit from clarity in roles. A RACI matrix (Responsible, Accountable, Consulted, Informed) can help assign tasks and responsibilities during the audit and negotiation process.

Below is a simplified RACI breakdown for key roles in a VMware audit scenario. You can adapt this to a table if needed, but here it is in descriptive form:

  • Executive Sponsor (e.g., CIO or IT Director) – Accountable for the overall outcome. Informed of major developments. This person might send the internal message that cooperation is required and ensure teams prioritize the audit. They typically are informed (I) at major decision points, and consulted (C) if big concessions or strategic choices must be made (like “do we consider migrating off VMware as leverage?”).
  • Legal Counsel (in-house or external) – Responsible for the legal strategy. Drafts or reviews communications (especially the initial response and any settlement agreement). Ensures compliance with contract terms. They are also Accountable for protecting the company against legal risk. They need to be consulted on any negotiation terms (C) and kept informed (I) of auditor communications.
  • Procurement / Sourcing Manager – Often Responsible for leading the negotiation with Broadcom for any new contracts or settlement payments. They coordinate pricing discussions, contract revisions, and other related matters. They should be consulted when the audit findings are coming together (to assess cost implications) and are Accountable for securing a financially acceptable outcome.
  • IT Asset Manager / Software Asset Management (SAM) Lead – Responsible for gathering and validating license and deployment data. They usually maintain the internal records and can interface with IT teams to consolidate information. They may also be on point for communications with Connor about data. They’re Accountable for the accuracy of the data provided. They work closely with IT technical folks (consulting them) and update legal/procurement (informing them) about what was found internally.
  • VMware Technical Lead (Infrastructure Manager or Architect) – Responsible for providing the technical details: environment inventory, configurations, any changes implemented, etc. They implement any remediation steps (like disabling features or collecting logs). They are consulted on the feasibility of requests (e.g., if Connor asks to run a tool, this person assesses it). They need to be informed of any agreements that might affect operations (like if a settlement says “remove those installations”).
  • Finance Representative – Often needed when discussions turn to financial matters. Consulted to verify purchase records and budgeting for any settlement. If the negotiation involves multi-year contracts, finance will be informed to plan for it. Not heavily involved day-to-day in the audit, but crucial when numbers get discussed.
  • Project Manager (optional) – If you have one, they can be Responsible for tracking tasks, scheduling meetings, and keeping everyone on deadlines (essentially managing the project of the audit response). They’d be Accountable for ensuring that nothing falls through the administrative cracks. This role might be played by one of the above people if no dedicated PM, but in big companies, a PM is very helpful here.

Using a RACI chart or similar, list out the main tasks (Data Collection, Communications, Negotiation, etc.) and assign R, A, C, I for each role. That way, everyone knows who should do what. For example, “Communicate with Auditor: R = SAM Lead, A = Legal (for content), C = IT Lead (for technical accuracy), I = CIO.” This level of organization prevents confusion, such as two people sending redundant replies or, worse, nobody answering a critical question because each thought the other was handling it.

By having these artifacts and templates, you’ll save time and reduce ambiguity in a high-pressure situation.

Adapt them freely to your context – every company is different – but the core ideas should hold. Now, with your toolkit ready, let’s address some frequently asked questions that teams often have in these Broadcom audit scenarios.

9. FAQs

Finally, here are concise answers to a few frequently asked questions that procurement, legal, and IT teams often raise when dealing with Broadcom’s VMware audits:

  • Q: What’s the real deadline to respond to the audit letter?
    A: The letter requires an initial response within 3 business days. This essentially confirms that you received the notice and will proceed. You do not have to have all your data ready in 3 days – just acknowledge. After that, the timeline for the audit itself can be negotiated. So, don’t miss the 3-day window. A simple email (like our sample above) to Broadcom/Connor meets this requirement and buys you time to organize.
  • Q: What will the auditors actually ask for and look at?
    A: They’ll ask for proof of what VMware software you’re using and proof of what you have rights to. Concretely, this means providing a list of VMware products deployed (with details like versions and quantities) and a list of licenses you own (keys, contracts, support dates). They’ll look for any mismatch – such as more installations than licenses, or use of software versions you shouldn’t have. They may request to run scripts on your vCenter to gather usage info, or ask for config files and logs. Expect queries about your processes too (e.g., “How do you track licenses internally?”). Essentially, if there’s any way you might be using VMware beyond what you paid for, they’ll examine it. Our section “What They’ll Ask For” covers the typical requests in detail.
  • Q: Are we in trouble just for using VMware after support expired? It was a perpetual license after all.
    A: Broadcom’s stance is that once support ends, you lose rights to any new updates or fixes. They aren’t (currently) telling you to uninstall the base software – just any updates released post-support. If you continued normal patching after your contract lapsed, Broadcom considers that unauthorized. So, yes, in their view, using those patches is a breach. It’s a contentious point (some argue that a perpetual license should allow bug fixes that were available at the time of purchase), but the letter cites contract clauses to support their position. You won’t likely be sued just for staying on an old version without support, but if you applied patches or upgraded to a new version while out of contract, that’s what the C&D addresses. In short, a perpetual license allows you to use the software as-is up to the point your support ends – anything beyond that, Broadcom requires you to pay for.
  • Q: What happens if we ignore the letter or refuse the audit?
    A: Ignoring it is highly risky. Not responding could be taken as a breach of the audit clause in your contract, giving Broadcom grounds to escalate. They might terminate your licenses or take legal action (in the worst case, sue for infringement). Refusing an audit (or not cooperating) can lead to Broadcom pursuing remedies, such as obtaining a court order. It also practically looks like you have something to hide, which puts you on a very weak footing if it goes further. Your best course of action is to respond and comply in a controlled manner (as we’ve outlined). You can be cooperative and protect yourself – those aren’t mutually exclusive. Stonewalling will likely make things worse.
  • Q: Our VMware usage is mostly in test/dev and not production – does that matter?
    A: From a licensing standpoint, no – VMware licenses generally don’t distinguish between production and non-production usage. A host running VMware requires a license, whether it’s for testing or live. So you can’t use “it’s just dev” as a license compliance defense. However, it could matter in negotiation or sympathy: you might argue a bit for leniency (“Those 10 hosts were test servers, and we’d be willing to shut them down if needed”). But legally, unlicensed use is unlicensed use. So, gather data on all environments and be transparent, but you might focus remediation on dev systems first (e.g., decommission some if you’re over-deployed).
  • Q: Could Broadcom really take us to court and force us to stop using VMware? Has that happened?
    A: It’s rare in the industry for these disputes to end up in court, but Broadcom is flexing an aggressive posture. They could sue for an injunction to stop your use, especially if you’re blatantly in violation and refuse to remedy. As of 2025, we haven’t seen public reports of Broadcom actually suing a customer over this VMware issue – likely because most companies under audit are coming to the table and reaching a settlement. Broadcom knows that litigation is a last resort and can be bad PR. That said, the threat is real. They included heavy legal language in letters for a reason. So yes, it’s possible if you hit an impasse. That’s why our advice is to avoid reaching that stage by negotiating a settlement. If you were to find yourself facing a lawsuit, it would likely be over either a licensing contract breach or copyright infringement for using software beyond the terms of the license. That could get ugly and expensive. It’s better to solve it beforehand, if at all possible.
  • Q: We’re considering third-party support or migrating off VMware to avoid all this. Does that help or hurt us now?
    A: In the immediate audit, it doesn’t change much – you still have to address the current compliance issues. Broadcom won’t waive its claims just because you plan to leave; in fact, if it senses you’re leaving, it might push harder to get a last payout. However, mentioning that you have alternatives (third-party support, different hypervisor) can be a negotiation angle: “If the settlement is too onerous, we might just accelerate moving off VMware.” Broadcom would prefer to keep you (even under third-party support, you still use VMware software, which they ultimately want to convert to their support). So it could give you some leverage to negotiate a softer landing. In the long term, third-party support can help you safely run out the clock on older VMware versions after resolving this audit, and migration may free you from Broadcom entirely. However, those are strategic moves that are unlikely to halt the current audit process. Use them as a carrot/stick in negotiation carefully.
  • Q: How can we prevent this from happening again?
    A: A few lessons to implement:
    1. Stay on top of support contracts – if you choose to lapse support in the future, be aware of the risks and have a plan (such as third-party support) in place, and be prepared for an audit. There’s no more “grace period” culture with Broadcom.
    2. Maintain real-time license compliance records – adopt a SAM tool or process that continuously tracks VMware deployments vs entitlements. Periodically self-audit so you catch issues before the vendor does.
    3. Negotiate better contract terms (as we outlined) when you have the chance – especially audit terms and clarifications on updated usage.
    4. Vendor management – if Broadcom remains a key vendor, ensure you have an account manager dialogue. Sometimes they can warn you or work with you on compliance issues softly before it reaches the formal audit stage (though with Broadcom, that might be optimistic).
    5. Consider your platform strategy – If you don’t want to be in this position again, diversifying away from vendors who take a hard-line approach (or being prepared for it if you stay) is a strategic decision. Many companies are now seriously evaluating alternatives to VMware, given Broadcom’s approach.
  • Q: Should we involve our VMware sales rep or partner in this, or go solo?
    A: It’s wise to loop in your VMware/Broadcom account manager or your preferred reseller/partner once the audit starts moving. They often aren’t directly involved in the compliance action (and might even be taken by surprise by it), but they can become allies in negotiation. A sales rep might prefer you spend your budget on new licenses rather than on theoretical penalties, so they might advocate internally for a resolution that includes a new purchase (which could get you a better deal). However, be cautious: the sales team’s interest is also to sell, and they might not be experts in compliance nuance. Use them to get information (e.g., “Have other clients faced this? What did they do?”) and to put pressure on Broadcom’s compliance team to be reasonable. If you have a good relationship with a reseller or integrator, they might provide advice or even mediate conversations. Just remember that once an audit is underway, the compliance team tends to run the show, and sales follow their lead, not vice versa. Still, no harm in rallying any internal champions you have at VMware – just do so with a clear idea of your goals.

Closing Thoughts: Broadcom’s audits of VMware and cease-and-desist letters have created a challenging environment for enterprise IT departments.

By understanding the motivations and methods behind these actions and responding with a clear strategy, you can effectively protect your organization’s interests.

It’s about being prepared, informed, and proactive. This guide has equipped you with knowledge of why this is happening and how to navigate the audit process from start to finish. Now it’s up to your cross-functional team – procurement, legal, IT – to execute the game plan.

Good luck, stay sharp, and remember that you have more power than you may initially feel.

A well-prepared customer can turn this unnerving audit experience into a manageable (if not slightly educational) project and emerge on the other side with systems intact and a fair settlement in hand.

Author

  • Fredrik Filipsson

    Fredrik Filipsson brings two decades of Oracle license management experience, including a nine-year tenure at Oracle and 11 years in Oracle license consulting. His expertise extends across leading IT corporations like IBM, enriching his profile with a broad spectrum of software and cloud projects. Filipsson's proficiency encompasses IBM, SAP, Microsoft, and Salesforce platforms, alongside significant involvement in Microsoft Copilot and AI initiatives, improving organizational efficiency.
