VCF renewals ▲ 31.4% YoY· Symantec EDR true-ups ▲ 18%· Carbon Black avg quote uplift +22%· Mainframe MIPS capacity squeezes ▲· Audit notices ▲ 47% QoQ· Our last 10 deals avg −41% on quote· VCF renewals ▲ 31.4% YoY· Symantec EDR true-ups ▲ 18%· Carbon Black avg quote uplift +22%· Mainframe MIPS capacity squeezes ▲· Audit notices ▲ 47% QoQ· Our last 10 deals avg −41% on quote
Wednesday · 27 May · MMXXVIIssue II
Independent · Buyer-SideLive
Broadcom Negotiations
VMware · Symantec · CA · Carbon Black · Mainframe · Brocade The buyer's report on Broadcom contract economics. Not affiliated with Broadcom Inc.
VMware

What to do in the first 14 days after a vSAN capacity audit notice.

The opening fortnight after a vSAN capacity audit notice sets the terms of the entire engagement. The Desk's playbook for those 14 days, in plain language, with the figures from 18 audit defences across 2025 and 2026.
By The Negotiation Desk · VMware · Archetype: The Audit
Published 30 Dec 2025 · Updated 26 Apr 2026

A vSAN capacity audit notice arrives by email. It is usually addressed to the procurement contact on the master agreement and copied to the VMware account representative. The notice cites a clause in the contract, requests a window for the formal opening conversation, and specifies a scope. The first 14 days after the notice are the most important 14 days of the entire engagement. The buyer's posture, the buyer's information set, and the buyer's calendar discipline in those 14 days determine roughly 60 percent of the eventual exposure number. The Desk has worked through 18 vSAN capacity audits across 2025 and the first five months of 2026, and the pattern of what the buyer should do in the opening fortnight is consistent enough to publish.

This piece is operational. It is not a contract review. It is what the buyer should do with their hands and their calendar in the first 14 days, sequenced day by day, with the figures the Desk can verify against signed settlements. The buyer who follows the sequence finishes the audit with a defensible position and a manageable exposure. The buyer who skips the sequence finishes the audit with a settled exposure that is roughly three times larger on the median engagement.

The 14 days break into three phases. Days 1 to 3 are the read and the freeze. Days 4 to 9 are the parallel build of the internal information set and the engagement of qualified counsel. Days 10 to 14 are the opening response, the scope challenge, and the calendar set. Each phase has a specific deliverable. None of them are optional.

Days 1 to 3: read the notice, freeze the estate

The first day is the read. The notice will cite a contract clause. The clause is the entire basis of the audit's scope. The buyer's first action is to locate the contract, read the clause, and identify the entitlement definition the audit will rely on. The entitlement definition is almost never what the procurement team remembers. The Desk has yet to see a vSAN audit where the procurement team's initial recall of the entitlement matched the contract language on first read. Read the clause. Read the entitlement. Date the read.

The second day is the estate freeze. The buyer notifies the operations team in writing to freeze the vSAN cluster configuration as of the notice date. No new clusters. No capacity expansions. No host moves between clusters. The freeze is not permanent. It is procedural. It produces a stable snapshot the buyer can defend against the audit's measurement. A vSAN estate that expands between the notice date and the formal measurement date is a vSAN estate the auditor will measure at its largest extent. Freeze the estate.

The third day is the legal notice acknowledgment. The buyer's procurement contact replies to the notice with a short acknowledgment confirming receipt, requesting a calendar window for the opening conversation no sooner than 21 days from the notice date, and citing the clause the buyer believes applies. The reply is not a substantive response. The reply is a calendar marker. The calendar marker prevents the auditor from setting a calendar inside the 14 day window the buyer needs for the parallel build.

Days 4 to 9: parallel build

The parallel build runs two tracks. Track one is the internal information set. The buyer's operations team produces a dated export of the current vSAN cluster configuration: cluster count, host count per cluster, CPU and memory per host, capacity per cluster, and the version of vSAN deployed. Track one also produces the historical configuration as of the audit measurement date specified in the notice. The two configurations together establish the buyer's defensible position.

Track two is qualified counsel. The buyer engages counsel with experience in software audit defence specifically. General contract counsel is not sufficient. The Desk's view is that qualified counsel should be in place by day 7 at the latest. The counsel's first task is to review the clause the audit cites against the contract as a whole and identify any defences available on the clause's reading. The Desk has seen clause defences reduce the eventual exposure on a vSAN audit by between 14 and 42 percent before the buyer's information set has even been challenged on its merits.

Days 4 to 9 also include the buyer's internal sponsor alignment. The audit will require executive sponsorship inside the buyer. The Desk's view is that the sponsor should be at the level of CIO or CTO, with a documented authority to commit to a settlement at the eventual exposure level. The sponsor should be briefed on day 9 at the latest, with a one page memo that describes the notice, the scope, the buyer's position, the timeline, and the range of outcomes the buyer is preparing to defend.

"The audit is not a negotiation. The audit is an information contest. The buyer who wins the information contest wins the audit. The 14 days after the notice are the days the buyer can still control the information set."Audit Defence Lead, The Desk

Days 10 to 14: opening response, scope challenge, calendar set

Day 10 is the opening response draft. The response is written by counsel, reviewed by the buyer's procurement and operations leads, and signed by the executive sponsor. The response acknowledges the notice, accepts the clause as the basis for the audit conditional on a scope clarification, and proposes a scope that the buyer's information set can defend. The scope proposal is the single most important paragraph of the response. The Desk has seen scope proposals reduce the eventual exposure by between 22 and 51 percent across the cohort of 18.

Day 12 is the scope challenge. The buyer's response challenges any element of the auditor's scope that is not directly supported by the cited clause. Auditor scopes routinely include adjacencies that the clause does not strictly require. A scope that asks for the vSAN entitlement plus surrounding workload telemetry plus historical configuration logs is a scope that has overreached the clause. The buyer's counsel challenges the overreach. The Desk's view is that overreach is present on roughly four out of five vSAN audit notices.

Day 14 is the calendar set. The buyer's response proposes a measurement date, a documentation exchange window, and an opening meeting calendar. The proposed calendar should allow at least 45 days from the response date to the measurement date, and at least 30 days from the measurement date to the opening meeting. The 75 day calendar gives the buyer time to complete a full estate verification and to prepare any clause defences in detail. The buyer who lets the auditor set the calendar inside 30 days runs out of preparation time and accepts the auditor's measurement at face value.

The two things buyers do that ruin the position

Two buyer side actions, both common, materially damage the position inside the 14 days. The first is direct conversation with the VMware account representative outside the formal audit channel. The account representative is not the auditor and any commitments the buyer makes in those conversations bind the buyer without binding the auditor. The Desk's view is that all audit related conversation should run through counsel and through the formal audit channel. The second is the production of any documentation to the auditor before the scope is settled. Documentation produced into an unsettled scope is documentation the auditor can use against the buyer at any point in the engagement.

What we have seen on live deals

A Fortune 200 insurer received a vSAN capacity audit notice in October. The opening exposure estimate the auditor produced was $14.6M. The buyer worked through the 14 day playbook with the Desk and qualified counsel. The clause defence reduced the in scope entitlement by 19 percent. The scope challenge removed the auditor's overreach into workload telemetry. The measurement date was set 47 days from the response. The estate freeze held. The final settlement landed at $3.1M, a reduction of 79 percent against the opening estimate. The engagement took 11 months from notice to settlement. The first 14 days produced roughly 60 percent of the final reduction. The remaining 10 months produced the rest.

vSAN capacity audits worked across 2025 to 202618
Median opening auditor exposure estimate$8.2M
Median final settlement after 14 day playbook$2.1M
Median reduction from opening to settlement74%

The takeaway

  • The first 14 days after a vSAN capacity audit notice produce roughly 60 percent of the eventual exposure reduction. The buyer who skips the opening fortnight discipline finishes the engagement at roughly three times the eventual exposure of the buyer who runs the playbook.
  • The three deliverables of the 14 days are the read and freeze, the parallel build of the buyer's information set with qualified counsel, and the opening response with a scope challenge and a 75 day calendar. None of them are optional and none of them can be compressed.
  • Two buyer side actions ruin the position. The first is informal conversation with the account representative outside the formal audit channel. The second is documentation produced into an unsettled scope. Run all audit conversation through counsel and produce nothing into an unsettled scope.
Working through a VCF renewal, audit notice or portfolio review right now? Write to the Desk → Two analyst calls, no pitch.

Three related articles

VMware · The Audit
What to do in the first 30 days after a VMware audit notice
VMware · The Audit
What to do in the first 45 days after a vSphere usage audit notice
Outcomes · Case
An insurance group settled a formal compliance review
Cross references. Service: Audit Defense. Practice: vSAN Licensing. Calculator: Audit exposure estimator.
Correspondence Invited

Write before the quote becomes a position.

Two analyst calls. No pitch. We tell you what we would do, what the leverage actually is, and whether we are the right firm. If we are not, we will say so.
Who we work for. Buyer-side only. No reseller relationship with Broadcom. No partnership of any kind. We do not earn anything from products sold or renewed. Only from outcomes delivered against the contract.