Wednesday · 27 May · MMXXVI · Issue II
Independent · Buyer Side
Broadcom Negotiations
VMware · Symantec · CA · Carbon Black · Mainframe · Brocade
The buyer's report on Broadcom contract economics. Not affiliated with Broadcom.
Symantec Email Security · Position

Why your 2022 Symantec Email Security negotiation playbook no longer survives 2026 review.

The Email Security playbook that produced 30 percent reductions under the previous ownership is the same playbook producing 4 percent reductions under the current one. The seller has changed, the unit economics have changed, and the contract is being rebuilt around a different set of incentives. Buyers running the old motion are signing the inflation into 2029.

The Symantec Email Security playbook that worked through the back half of 2021 and into 2022 was built on a seller that wanted volume, an account team that could move on bundle composition, and a deal desk that treated Email Security as a small line item inside the larger Symantec Enterprise envelope. None of those three conditions is true in 2026. The seller is different. The bundle architecture has been rebuilt. The deal desk has moved Email Security out of the Enterprise envelope and into a separately tracked product line with its own contract value floor, its own escalator policy, and its own audit posture. The buyer who walks into a 2026 Email Security renewal carrying the 2022 ask list will close at a number 18 to 26 percent above what the same buyer would close at with a rewritten motion. The gap is not negotiation skill. The gap is that the seller is no longer running the same incentive map the buyer is running their playbook against.

This is the position note on what changed inside Email Security between the prior ownership and the current one, why the change matters more than the change in the parent product lines, and what the rewritten 2026 motion looks like. The argument is buyer side. The data is drawn from fourteen Symantec Email Security engagements across our practice in 2025 and the first five months of 2026.

What the 2022 motion looked like

The 2022 motion on Email Security was a bundle motion. The product was usually attached to a broader Symantec Enterprise contract that included endpoint, DLP, and ProxySG. Email Security was the smallest line item, often the last one negotiated, and the seller's account team treated it as a give to close the larger items. A buyer with a credible alternative on endpoint or DLP could pull Email Security to a 28 to 34 percent reduction with relatively little direct negotiation. The deal desk would absorb the Email Security concession against the bundle's total contract value, and the buyer would sign a three year commit at a headline number that looked good on a per mailbox basis.

That motion produced two side effects the buyer typically did not pay attention to. First, the per mailbox rate was attractive but the contract did not lock the rate against capacity growth, so any growth above the contracted seat count attached at the rate card, not the negotiated rate. Second, the audit posture inside the contract treated Email Security as a part of the bundle, so the audit clause was the bundle audit clause, which was broad but procedural and rarely triggered. Buyers signed Email Security renewals in 2022 at headline reductions of 30 percent or more, and the two side effects went unexercised for most of the contract term.

What changed in 2024 and 2025

Through 2024 and the first half of 2025 the seller restructured Email Security in three ways that broke the 2022 motion. The product was moved out of the Symantec Enterprise envelope and into its own contract line, with its own contract value retention floor that the deal desk is graded against independently of endpoint, DLP, and ProxySG. The bundle give that absorbed Email Security in 2022 no longer exists, because the bundle no longer contains Email Security in the same way. The deal desk that used to release Email Security against the endpoint headline now has to defend an Email Security number that stands on its own.

The second restructuring was on capacity. The 2022 contracts were written around a per mailbox rate that ignored the underlying traffic. The 2025 contracts moved to a rate that tracks both mailboxes and inbound traffic volume, with a separate measurement for the cloud sandboxing and the URL rewriting modules. Buyers whose mail traffic grew through the previous contract term arrived at the 2026 renewal with a billable population materially larger than the population they negotiated against in 2022, even where the mailbox count was flat. The seller's rate card on the new measurement is roughly 22 percent higher per unit than the implied rate inside the old contracts.

The third restructuring was on the audit clause. Email Security got its own audit annex in the 2024 paper, with a defined scope that includes message flow logs, retention logs, sandboxing detonations, and URL rewrite traffic. The buyer who signed an Email Security renewal in 2022 under the old bundle audit clause is now operating under a much broader audit obligation than the contract was originally negotiated against, because the renewal in 2025 or 2026 brought the new annex in with it.

"The Symantec Email Security renewal in 2026 is a different contract negotiated against a different seller measured against a different unit. Buyers who run the 2022 motion are negotiating against an incentive structure that no longer exists, and the deal desk has no paper based reason to release."Symantec Practice Lead, The Desk

Why the 2022 levers stopped working

Three levers from the 2022 playbook stopped producing concessions in 2026. The first is the bundle pull. The Email Security line is no longer absorbed by the Enterprise bundle's contract value, so a buyer pulling on endpoint or DLP does not move the Email Security number. The deal desk will release on endpoint or DLP without releasing anything on Email Security. The buyer who runs the bundle pull motion wins concessions on the products that were always going to yield them and wins nothing on the line they thought they were also moving.

The second lever that stopped working is the alternative threat. The 2022 motion used the credible threat of moving Email Security to a different provider as a release mechanism. In 2026 the seller is comfortable releasing the line. Email Security is not a priority retention product for the current seller's portfolio in the way endpoint and DLP are. The seller's account team is graded on retention of the enterprise bundle, not on retention of Email Security as a standalone line. The walk threat on Email Security produces a price the buyer does not like and a non renewal notice the buyer did not expect.

The third lever that stopped working is the multi year give. In 2022 a three year commit on Email Security produced material headline reduction. In 2026 the deal desk is targeting a contract value floor that is largely insensitive to commit length, because the floor is set against the new capacity measurement, not against the old per mailbox rate. A three year commit at the 2026 rate card produces a slightly lower year one number and locks the buyer into the new capacity measurement for the full term. The 2022 buyer treated the multi year commit as a lever. The 2026 buyer should treat it as a trap.

The rewritten 2026 motion

The rewritten motion on Email Security has four parts. Each part is designed against the current seller's incentive structure rather than against the previous one.

Part one is to anchor on the capacity measurement, not on the per mailbox rate. The capacity measurement is the line item that produced the largest delta between the 2022 contract and the 2026 quote. The buyer who renegotiates the capacity definition, caps the inbound traffic measurement at a defined level, and removes the URL rewrite traffic from the billable population captures roughly 14 to 21 percent of the contract value that would otherwise inflate over the term. The deal desk releases on capacity because the deal desk's contract value floor is set against the new measurement and accepts a defined capped measurement so long as the headline value is preserved.

Part two is to negotiate the audit annex as a standalone clause rather than to accept the new annex as boilerplate. The 2024 audit annex is broad. The current paper accepts narrowing on three measurements: the audit scope can be capped at message flow logs only, the retention obligation can be reduced to 90 days, and the sandbox detonation extract can be removed from the buyer's audit obligation. None of these three narrowings reduces the seller's economic position. All three reduce the buyer's audit exposure materially. The deal desk releases the three narrowings on request, because the deal desk is not graded on audit scope.

Part three is to break the link between Email Security and the Enterprise bundle. The seller's 2026 paper still cross references the Email Security line to the bundle for renewal alignment purposes. The buyer who negotiates Email Security on a separate renewal cycle from the bundle creates two independent negotiation moments per term, each with its own leverage, instead of one combined moment where the Email Security line gets absorbed. The deal desk accepts the separate cycle because the deal desk's bookings model already treats Email Security as a separate product line.

Part four is to move the exit obligation into the contract at signature. Email Security holds a large body of historical detonation data, retention archives, and URL rewrite logs that are operationally hard to extract on a non renewal. The buyer should negotiate a defined export format, a defined export window, a defined cost basis (free if invoked under non renewal, recoverable if invoked under early termination), and a defined retention obligation on the seller after extraction. This is the line item that prevents the most expensive form of lock in on Email Security, which is the inability to leave because the historical security telemetry cannot be moved cleanly.

The numbers

Symantec Email Security engagements (2025 to H1 2026): 14
Average headline reduction, 2022 motion against 2026 quote: 4% to 9%
Average headline reduction, rewritten 2026 motion: 22% to 31%
Implicit inflation, 2022 contract to 2026 quote: +26% to +38%
Capacity measurement uplift over per mailbox rate: +22% per unit
Default audit annex scope (2024 paper): 4 measurement classes
Negotiated audit annex scope on closed deals: 1 measurement class

What we have seen on live deals

A Fortune 500 financial services buyer closed an Email Security renewal in February 2026 using the 2022 motion. The procurement team anchored on a 30 percent reduction request, ran the bundle pull through endpoint, and offered a three year commit as the close move. The deal desk released 6 percent. The buyer signed a three year contract at the new capacity measurement with the full 2024 audit annex and an inflation indexed escalator. The signed contract value is 19 percent above what a rewritten motion would have produced on the same baseline.

A regional manufacturer in EMEA renewed Email Security four months later using the rewritten motion. The procurement team did not anchor on a headline reduction. It opened with a capacity definition negotiation, a request to narrow the audit annex to message flow only, a request to break the bundle alignment, and a defined export obligation. The deal desk released the capacity cap, accepted the audit narrowing, accepted the separate cycle, and negotiated the export obligation against a recoverable cost on early termination. The signed contract closed at 27 percent below the seller's opening on a present value basis over three years. The headline reduction was 14 percent. The capacity cap alone was worth another 9 percent.

The takeaway

  • The 2022 Email Security motion depended on the line being absorbed inside the Symantec Enterprise bundle. The 2024 restructure broke that absorption. The bundle pull and the alternative threat both stopped producing concessions on Email Security as a result.
  • The rewritten 2026 motion anchors on the capacity measurement, narrows the audit annex, breaks the bundle alignment, and writes the export obligation into the contract at signature. The four parts target the current deal desk's actual release surface, which is structural, not headline.
  • Buyers using the 2022 motion against the 2026 quote are closing 18 to 26 percent above the present value the rewritten motion produces. The gap is not visible on the year one number. It compounds across the three year term through the capacity measurement and the inflation indexed escalator.

Who we work for. Buyer side only. No reseller relationship with Broadcom. No partnership of any kind. We do not earn anything from products sold or renewed. Only from outcomes delivered against the contract.