The DLP licensing clause Broadcom is enforcing more aggressively in 2026.
Every Symantec Data Loss Prevention contract carries a usage clause that defines how the entitlement is counted. The clause language has not moved in years. The enforcement posture has. On live deals this quarter, Broadcom is reading the clause more strictly than it has in any of the prior three renewal cycles, and the reading produces a number that very few buyers were prepared to defend. The contract did not change. The interpretation did. The gap is being priced into the renewal in two ways, both of which the buyer can see if they read the clause against the live deployment before the seller does.
The clause counts users by detection scope rather than by named seat. The distinction sounds minor on first read. It is not. A named seat is a person. A detection scope is every identity that can be observed by any DLP policy on any channel, anywhere in the estate, including identities that have never logged in, never touched the network from a managed endpoint, and never authenticated to a covered service. The number of identities in scope is always larger than the number of named users the buyer thought they were paying for. In 2026, the seller is reconciling that gap and pricing it.
What the clause actually says
The licensing language defines the unit of measure as the number of identities subject to monitoring under any active policy. The clause does not require that the identity have a Symantec console seat, an active session, or a managed endpoint. It only requires that the identity be observable inside the policy scope. In a typical enterprise estate where DLP runs against email, web, endpoint, cloud applications and storage repositories, the policy scope captures every employee, every contractor with an account on a covered system, every service account that touches monitored data, and every guest identity provisioned through identity federation.
Buyers historically counted users by named employees. The seller historically did not test the difference. The renewal closed against the named employee count and the conversation moved on. In 2026 the seller is no longer leaving the difference on the table. The renewal opens with a recount of identities in scope, the recount is larger than the prior contract count by a meaningful margin, and the difference is being priced as a true up at list.
Why the enforcement shifted
The enforcement shifted because the seller can now measure it. Symantec DLP telemetry in the post 2024 console releases produces an in scope identity count that the seller can pull without the buyer's cooperation. The clause language was always there. The measurement was the constraint. With the measurement in place, the seller has the figure that supports the reading, and the figure shows up in the renewal pack as an entitlement discrepancy. The buyer sees the discrepancy for the first time at the renewal meeting, which is exactly the wrong moment to be reading the clause for the first time.
The Desk has now seen this pattern on enough Symantec DLP renewals in 2026 that it is no longer an outlier. It is the opening posture. The buyer who has not read the clause and the policy scope before the seller opens the meeting is on the back foot from the first slide.
"The contract said 14,000 users. The console said 19,200 identities in scope. The clause priced 19,200 at list. Five months later the renewal closed at the contract number, but only because the buyer had a read of the clause two weeks before the seller did."
Symantec Practice, The Desk
The two prices the gap creates
The reading produces two separate price exposures. The first is the true up on the prior period. The seller argues that the in scope count was always the unit of measure, and that the buyer was under licensed for the term of the in force contract. The exposure is calculated as the difference between in scope count and contract count, multiplied by the unit price, multiplied by the years of the in force term. On a typical estate this number is large enough to be the lead item in the renewal conversation.
The second is the forward price. The seller carries the in scope count into the renewal as the new baseline. The renewal is priced against the new baseline, plus the standard uplift, plus the package adjustments. The forward price is the part that compounds. Every renewal cycle after this one will anchor to the in scope baseline rather than to the named user baseline the buyer thought they were operating against.
How the buyer reads the clause first
The buyer side read is mechanical. Pull the live in scope identity count from the DLP console. Hold it against the contract count. Document every identity category that contributes to the gap. Service accounts, contractors, federated guests, archived mailboxes still subject to policy, and identities provisioned through directory federation but never active on a covered system are the five categories that drive most of the difference. Each of those categories has a defensible argument for exclusion or restructure, and each of those arguments is much weaker if it is being made for the first time at the renewal table.
The arguments are not commercial. They are interpretive. The buyer is asking what the policy scope actually covers, what an identity is for licensing purposes, and what the seller's enforcement posture has been in prior contract periods. Each of those questions has been answered in writing somewhere in the contract history. The buyer who has those answers before the renewal meeting is in a different conversation than the buyer who is hearing the seller's reading for the first time.
The restructure paths
There are three restructure paths that have produced outcomes on live deals this quarter. The first is a scope reduction. The buyer narrows the policy footprint to remove identity categories that do not require monitoring. The console reflects the change. The in scope count falls. The renewal prices against the narrowed scope.
The second is a unit redefinition. The buyer negotiates a unit of measure that more accurately reflects the operational reality, typically a managed identity or active monitored identity definition that excludes provisioned but unused accounts. The clause language is amended. The renewal prices against the amended definition.
The third is a tiered baseline. The buyer accepts a higher baseline in exchange for a lower unit price and a tighter uplift cap, structurally moving the renewal from a list anchored conversation to a negotiated band. Of the three, the tiered baseline is the cleanest restructure for estates where the policy scope cannot be narrowed without losing coverage.
What we have seen on live deals
A Fortune 200 healthcare network brought us a Symantec DLP renewal in early 2026. The in force contract counted 18,000 users. The console at the renewal meeting showed 26,400 identities in scope. The seller opened with a $4.7M true up plus a forward renewal anchored at the 26,400 baseline. The buyer side read identified 4,100 service accounts and federated guest identities that had a defensible argument for exclusion, and the operational team narrowed the policy scope on three covered channels. The closed renewal carried no true up and a forward baseline of 19,800, anchored to a redefined unit. The seller did not push back on the redefinition because the buyer had documented the prior period interpretation.
A regional bank in EMEA brought a similar shape on a $2.1M Symantec DLP renewal. In force count 6,800. In scope count 9,600. Opening true up $1.6M. Settled at no true up, forward baseline 7,200, and a unit definition amendment that excluded archived mailbox identities from the count. The work that produced the outcome was a two week read of the clause and the policy scope before the renewal meeting. The work the seller had done was three years of telemetry.
The takeaway
- The Symantec DLP licensing clause counts identities in scope, not named seats. In 2026 the seller has the telemetry to measure the gap and the posture to price it. The clause has not changed, only the enforcement has.
- The gap produces two price exposures. A true up on the prior period and a forward baseline that compounds across future renewals. Both are negotiable, but only if the buyer has read the clause against the live policy scope before the seller opens the conversation.
- Three restructure paths produce outcomes. Scope reduction, unit redefinition, and tiered baseline. Of the three, tiered baseline is the cleanest where the policy footprint cannot be safely narrowed.