Wednesday · 27 May · MMXXVI · Issue II
Independent · Buyer-Side
Case of the Quarter
Verified · Net of fees · Signed contract delta

A national healthcare network. Carbon Black EDR renewal. Halved in four months.

Not affiliated with Broadcom Inc.
The Long Read · Carbon Black EDR

How a national healthcare network cut its Carbon Black renewal in half.

The renewal landed twenty two percent above the prior contract on a deployment that had not grown. The buyer side took the next four months to find out why, and to write a contract that reflected the actual deployment.

The healthcare network operates across roughly eighty sites including hospitals, ambulatory clinics and corporate offices. The Carbon Black EDR estate had been steady at approximately twenty eight thousand managed endpoints for two years. The renewal quote that arrived in late winter was eleven million two hundred thousand dollars over three years, which was twenty two percent above the prior contract on a deployment that had not grown. The director of cyber operations escalated the quote to the chief information security officer. The CISO asked us to review it. The engagement that followed ran four months. The signed contract closed at five million five hundred thousand dollars, with the Carbon Black App Control line bundled in rather than priced separately and with a contracted growth allowance that capped the next renewal's exposure to seat count drift.

The case is representative of the Carbon Black renewal pattern we have seen across the last twelve months. The opening quote is rarely built against the buyer's actual deployment. It is built against an inflated per endpoint rate and a series of line items that have crept into the contract over successive renewals. The buyer side work is to reconcile the deployment, reset the per endpoint economics, and rebundle the line items into a single negotiable position.

The Quote

The eleven million two hundred thousand opening quote was built on a per endpoint subscription rate that had risen twenty two percent year over year, a separately priced App Control line item that had been folded into the contract during a previous renewal, and a three year ramp that compounded the rate increase across the term. The seat count assumption was correct against the deployment. The per endpoint rate was the issue, not the seat count.

The per endpoint rate increase was not justified by the contract. The previous renewal had carried a price hold for two of the three years, and the price hold had expired. The new rate was the rack rate applied without the price hold. The account team had not framed it that way. The account team had framed the renewal as a base case price for a continuing customer, which is a different commercial framing from a rack rate with no price hold. The buyer side had to surface the framing distinction before the negotiation could move.

The Find

The internal entitlement work was lighter than on a VMware engagement because the deployment was stable and the seat count was not in dispute. The work was instead on the contract history. The prior renewal documents were retrieved and reviewed. The price hold language was confirmed in writing. The App Control bundling history was traced across three previous contracts, where App Control had been included under the master subscription in two of three and broken out in the most recent one. The break out had been agreed during a renewal where the buyer side had not been advised. The break out had become permanent on the strength of one renewal cycle.

"The single largest source of value on this engagement was contract archaeology. The contract had a history. The history was on the buyer's side. The buyer had not used it."
Lead advisor on the engagement

The third finding was on the growth allowance. The deployment was stable but the network had a known acquisition pending. The pending acquisition would add approximately two thousand endpoints inside the contract term. Under the existing contract, those endpoints would have been added at the full rack rate as a true up at the anniversary. Under a properly structured renewal, those endpoints could be priced into the contract in advance at the negotiated per endpoint rate, which made a measurable difference to the three year economics.

The Restructure

The restructure proposal was tabled in writing. It made three asks. First, a per endpoint rate that returned to a level consistent with the prior price hold plus a defensible inflation adjustment, applied across the new term. Second, the App Control line rebundled into the master subscription on the historical pattern. Third, a contracted growth allowance of three thousand endpoints across the term priced at the negotiated rate, covering the pending acquisition and a margin of organic growth.

The account team's first response moved the per endpoint rate by approximately ten percent and held the App Control line separate. The buyer side did not accept and asked for a written rationale for holding App Control separate against the historical contract pattern. The rationale that came back was not strong. The negotiation cadence shifted at that point. By the end of the third month App Control was conceded back into the master subscription. The per endpoint rate moved twice more across two further rounds and landed at a level the buyer side considered defensible against the prior contract economics. The growth allowance was agreed in the last round, with a defined ceiling and a defined ramp.

The final pricing closed at five million five hundred thousand dollars across three years. The reduction against the opening quote was fifty one percent. The acquisition closed during the contract term and the new endpoints were absorbed at the contracted rate.

The Outcome

The signed contract did three things beyond the price reduction. It reset the per endpoint rate to a defensible level for the next renewal. It restored the historical bundling pattern, which removed a structural line item the buyer had been carrying unnecessarily. And it priced in the acquisition before the acquisition closed, which meant the post acquisition cost integration was clean rather than a separate negotiation. The cyber operations director described the post engagement state as the first time in three renewal cycles the contract was an accurate description of what the network actually ran.

The broader pattern applies to most Carbon Black renewals we have worked on. The opening quote contains line items that should not be there, at a per endpoint rate that has drifted upward across cycles, against a deployment the buyer side knows precisely. The work is to bring the contract back into alignment with the deployment, the contract history, and the buyer's near term capacity plans. The work is structured and the timeline is short. The reductions are usually substantial.

Opening quote: $11.2M / 3yr
Signed contract: $5.5M / 3yr
Per endpoint rate: Reset
App Control: Rebundled
Growth allowance: 3,000 endpoints capped
Reduction on opening quote: 51%

The takeaway

  • The Carbon Black per endpoint rate drifts upward across renewals more than the deployment itself does. Contract archaeology, particularly on price holds and bundle composition, is almost always the highest value early work.
  • App Control bundling is reversible. A line item broken out in a prior renewal can be rebundled in the next, provided the buyer side surfaces the historical pattern in writing and presses on the rationale for the change.
  • Known organic and inorganic growth should be priced into the renewal in advance, not absorbed as true ups. Contracted growth allowances at the negotiated rate beat anniversary true ups at the rack rate every time.