A retail conglomerate cut its Symantec DLP renewal from $19.6M to $9.4M in seven months.
The conglomerate operates twelve banners across grocery, general merchandise and specialty retail, with thirty four thousand named seats running Symantec data loss prevention across a single consolidated contract that had been carried forward through four prior renewals. The DLP estate covered endpoint discovery, endpoint enforcement, network discovery and cloud channel monitoring, all wrapped into a single combined entitlement that priced every seat as a full enforcement seat regardless of what role the seat actually played. The opening renewal quote arrived in late summer at nineteen million six hundred thousand dollars across a three year term, a thirty seven percent uplift against the prior period on a like for like basis. The conglomerate's information security lead called us in week three of the seller's working schedule, which gave the engagement seven months of runway against the contract end date.
The signed contract closed at nine million four hundred thousand dollars across the same three year term, a fifty two percent reduction against the opening quote and a thirteen percent reduction against the prior period in real dollar terms. The reduction was not built on a discount concession. It was built on a structural change to how the contract counted enforcement and how it priced discovery, with the combined entitlement split into two priced lines and twelve thousand seven hundred seats moved from the higher priced enforcement line to the lower priced discovery line.
The Quote
The nineteen point six million dollar opening quote was constructed on three positions that were each reasonable from the seller's perspective and each questionable from the buyer's. The first was a seat count of thirty four thousand, derived from the conglomerate's deployment inventory, with every seat priced at the combined entitlement rate. The second was a three year term with an annual price escalator of seven percent, which the seller positioned as the standard renewal escalator and the buyer had accepted at the prior renewal. The third was a discovery scope that covered every banner's full document estate, calculated on the conglomerate's aggregate storage footprint, with no distinction between regulated data zones and general document storage.
Each position was negotiable on the contract's own terms. The combined entitlement rate was a pricing convention rather than a contract requirement. The seven percent escalator had been presented as an industry standard, but the buyer had accepted it without a benchmark. The discovery scope covered the full document estate because nobody had ever asked for a narrower one. The opening quote was the price of every prior renewal having been signed without contesting any of these three positions.
The Find
The reconciliation work ran in parallel across three streams over the first eight weeks. The first stream classified the thirty four thousand seats by role, against the conglomerate's own Active Directory and endpoint management telemetry. The classification surfaced that twelve thousand seven hundred seats were used by store associate and warehouse staff who interacted with point of sale and inventory systems, not with the document and email channels that DLP enforcement actually protects. These seats had been deployed with the DLP agent for discovery and reporting, but the enforcement policies had never been activated on them and the deployed agent was not, in operational terms, an enforcement agent. The contract priced them as if they were.
The second stream reconciled the discovery scope against the conglomerate's actual regulated data zones, working with the data governance team to identify which document repositories held cardholder data, employee personal data or supplier contract data, and which did not. The reconciliation found that approximately sixty percent of the aggregate document storage carried no regulated data and did not require discovery scanning under the conglomerate's own data risk policy. The discovery scope, in other words, was wider than the policy required.
"We were paying enforcement prices for endpoints that were not enforcing anything, and discovery prices for repositories we had no regulatory reason to scan. The contract had drifted away from the policy."
Director of data governance
The third stream pulled benchmarking data from peer retail customers on what the comparable enforcement, discovery and cloud channel rates actually were in signed contracts across the previous twelve months, in a normalised range that the conglomerate's procurement function could reference without breaching any confidentiality on the source contracts. The benchmark range placed the conglomerate's opening quote in the upper quartile across all three components.
The Restructure
The restructure proposal that went to the account team was a written renewal scope that split the combined entitlement into two priced lines, moved the twelve thousand seven hundred non enforcement seats to the discovery only line, reset the discovery scope to the regulated data zones only, removed the seven percent annual escalator in favour of a flat priced three year term, and held the cloud channel monitoring scope at the prior term. The proposal also requested a written most favoured customer clause limited to retail peer customers of comparable seat band, a standard ask that the conglomerate had never made at prior renewals.
The account team's first response held the per seat enforcement rate above the working envelope and contested the discovery scope reset on the basis that the prior contract had covered the full estate. The conglomerate's procurement lead provided the benchmarking range on the enforcement rate and the data governance team's written policy on regulated data zones. The second round closed the enforcement rate inside the envelope and conceded the discovery scope reset. The third round closed the split entitlement structure, the flat price for the term, and the most favoured customer clause limited to a defined peer band.
The signed contract carried a total committed value of nine million four hundred thousand dollars across three years, with the enforcement line covering twenty one thousand three hundred seats at the negotiated enforcement rate, the discovery only line covering twelve thousand seven hundred seats at a substantially lower rate, the discovery scope tied to the regulated data zones, and the cloud channel scope held at the prior level. The fifty two percent reduction was visible at signature against the opening quote.
The Outcome
The conglomerate closed the renewal on a contract that matched its actual deployment and its actual policy, on terms that were defensible across the audit chain and the board level vendor risk reporting. The split entitlement structure was carried into a contract template that the procurement function will reuse at the next DLP renewal cycle, which means the structural work does not have to be repeated. The most favoured customer clause inside the defined peer band gives the buyer a price check mechanism if the seller signs a materially better contract with a comparable retail peer during the term.
The lesson, one we apply on every Symantec DLP renewal we work, is that the combined entitlement is almost never the right entitlement structure for a retail or distributed workforce buyer. The combined rate is the easy contract to sign and the expensive contract to carry. The split structure takes more procurement work at signature and returns the work many times over across the term. The discovery scope is similarly almost always wider than the buyer's own data risk policy requires, because the prior renewal was scoped before the data risk policy was written or revised. The renewal is the moment to bring the contract back into alignment with the policy. Buyers who do that work, on the lead time the contract actually allows, sign renewals that match the deployment they actually run.
The takeaway
- The combined entitlement is the wrong entitlement for distributed workforce buyers. The split between enforcement and discovery is structural work that has to happen at renewal and returns the work across every subsequent year of the term.
- Discovery scope is almost always wider than the buyer's own data risk policy requires. The reconciliation between the contracted scope and the policy is a buyer side conversation that has to happen before the seller's quote arrives.
- The annual escalator is a pricing convention, not a contract requirement. The flat priced term is achievable when the buyer has the benchmark range to contest the escalator on signed contract data.