VCF renewals ▲ 31.4% YoY· Symantec EDR true ups ▲ 18%· Carbon Black avg quote uplift +22%· Mainframe MIPS capacity squeezes ▲· Audit notices ▲ 47% QoQ· Our last 10 deals avg 41% off quote· VCF renewals ▲ 31.4% YoY· Symantec EDR true ups ▲ 18%· Carbon Black avg quote uplift +22%· Mainframe MIPS capacity squeezes ▲· Audit notices ▲ 47% QoQ· Our last 10 deals avg 41% off quote
Wednesday · 27 May · MMXXVIIssue II
Independent · Buyer SideLive
Broadcom Negotiations
VMware · Symantec · CA · Carbon Black · Mainframe · Brocade The buyer's report on Broadcom contract economics. Not affiliated with Broadcom.
Symantec · Case

How a global pharma cut its Symantec ProxySG renewal by 47 percent.

The opening quote came in at $9.1M for three years. The signed contract closed at $4.8M for the same term and a tighter scope. The work was not in the headline negotiation. It was in the entitlement read that came before the negotiation began.
By The Negotiation Desk · Symantec · Archetype: The Case
Published 28 Dec 2024

The Desk took on a Symantec ProxySG renewal in late 2025 for a Fortune 200 pharmaceutical manufacturer with operations in 41 countries. The opening quote from the seller landed at $9.1M for a three year term, anchored to a population count that the buyer's own access logs did not support and to a feature mix the buyer had not used in two refresh cycles. The renewal closed in early 2026 at $4.8M for the same three years, on a scope that more closely matched the buyer's actual use. The headline reduction was 47 percent. The work that produced the reduction was not what most procurement teams would have spent their time on.

What follows is the negotiation arc of that engagement, in the order it actually happened. The Quote. The Find. The Restructure. The Outcome. The case is presented without the buyer's name and without details that would identify the deal. The pricing and the structural points are reproduced as the contract reads.

The Quote

The opening quote arrived in early October 2025 on the seller's renewal cycle. The total contract value was $9.1M across three years. The proposed structure included a year one price of $2.85M, year two of $3.05M, and year three of $3.20M. The escalator between years was 7 percent compounding. The entitlement population was set at 38,000 monitored users across the global footprint. The bundle included the full ProxySG appliance support stack, the policy management console, the SSL inspection module, the threat intelligence subscription, and the cloud connector that the buyer had begun piloting in 2024 but never moved to production.

The seller's renewal narrative was that the previous contract had been priced below the published rate card on a multi year commit signed in 2022, and that the 2026 renewal had to true up to current rate card before any discount could be discussed. The seller's account team described the opening as a return to baseline. The buyer's procurement team initially treated it as a starting point for a 12 to 15 percent negotiation. The buyer's IT director, who had read three Symantec contracts before this one, suspected the entitlement population was wrong but did not have time to prove it.

The Find

The Desk spent the first three weeks of the engagement on entitlement reconciliation rather than on commercial negotiation. The exercise was to align the contractual population with the actual deployed population. The seller's quote was built on a number that came from a 2022 population assertion that the buyer had submitted in good faith but had never revisited. Between 2022 and 2025 the pharma had divested two business units, consolidated three regional offices into one, and migrated roughly 6,400 contractor identities off the corporate domain. The seller had no visibility into any of this and the buyer had not flagged it.

The reconciliation produced a corrected population of 27,600 monitored users. That is 10,400 below the quoted population. At the seller's per user rate, the population delta alone was worth $1.9M across the three years. The reconciliation was supported by a thirty day access log extract from the buyer's identity provider, a written attestation from the buyer's IT operations lead, and a reconciliation summary that the buyer was prepared to share with the seller's deal desk in full.

The second piece of the find was the SSL inspection module. The buyer had paid for it across two contract cycles. Internal traffic analysis showed that the module had been disabled at the appliance level in three of the four major regions for at least 18 months. The buyer's security team had moved that workload to a different inspection platform in 2023. The SSL inspection module in the renewal quote was listed at $480K per year. The buyer was paying for a feature that no production traffic was passing through.

The third piece was the cloud connector. The seller had positioned the connector as a continuity item, presuming the buyer would move it to production. The buyer had decided in mid 2024 that the connector was not the right pathway and had selected a different cloud security broker for that workload. The connector was listed in the renewal at $310K per year and the buyer had no plan to deploy it.

"The seller's quote was not built on bad faith. It was built on a 2022 picture of the buyer that the buyer had not bothered to update. Two thirds of the reduction came from telling the seller what the buyer's network actually looked like in 2025."ProxySG Engagement Lead, The Desk

The Restructure

The restructure proposal that went to the seller in November 2025 had three commercial components and two structural components. The commercial components were a corrected population of 27,600 users, a removal of the SSL inspection module from the bundle with a written acknowledgement that the buyer would not use it, and a removal of the cloud connector with the same acknowledgement. The structural components were an escalator cap of 3.5 percent rather than 7 percent compounding, and a renewal review clause at month thirty that allowed either party to reopen the population assertion without penalty.

The seller's deal desk rejected the first version of the restructure in week one. The grounds were that the bundle had been priced as a bundle and could not be unbundled without rate card recalculation. The Desk responded with the rate card itself, showing that the unbundled price of each component was lower than the embedded bundle price. The seller's deal desk reopened the conversation in week three.

The negotiated outcome on the population was a contractual count of 28,000 with a true up provision at the end of year two if the actual count exceeded 30,000. That structure protected the seller against undercount risk and protected the buyer against overpayment for users who did not exist. The negotiated outcome on the SSL inspection module was full removal with a 12 month re entry option at the original rate, which the buyer was willing to accept because the security team had no plan to bring the workload back. The cloud connector was removed entirely with no re entry. The escalator landed at 4 percent compounding rather than the requested 3.5 percent, which the procurement team agreed to in exchange for the year three rate being held flat against year two if the buyer's regional footprint did not expand.

A small but consequential point on the renewal review at month thirty. The seller's first version of the clause allowed a review but reserved the right to refuse to reopen the population assertion. The Desk rewrote the clause so that either party could trigger the review and the population number would default to the actual count from the buyer's identity provider extract on the trigger date. That language change removed the seller's right to anchor the review on the original assertion. It is a single paragraph in the contract and it is worth more in present value than any other concession in the deal.

The negotiation also produced two protections that did not show up in the headline price. The first was a clause that any future acquisition by the buyer would not automatically expand the contracted population for a period of nine months from the close of the acquisition. That clause was added because the pharma had two pipeline acquisitions under board review at the time of the renewal. The second was a notice requirement of 90 days before any rate card change could be applied to optional modules the buyer might add later. Neither clause has a dollar value at signing. Both have material dollar value in the second and third years of the contract if the conditions trigger.

The Outcome

The signed contract closed at $4.8M across three years. The structure was $1.55M in year one, $1.61M in year two, and $1.64M in year three. The escalator between years was 4 percent compounding. The contractual population was 28,000 users with the true up provision. The SSL inspection module was excluded with a re entry option. The cloud connector was excluded entirely. The renewal review at month thirty was included. The headline reduction against the opening quote was 47 percent. The reduction against the published rate card was 38 percent. The reduction against the buyer's internal budget for the renewal was 32 percent.

Opening quote (3 year total)$9.1M
Signed contract (3 year total)$4.8M
Headline reduction47%
Quoted population38,000
Contracted population28,000
Escalator (quoted vs signed)7% vs 4%
Modules removed from bundleSSL inspection, cloud connector
Total negotiation duration14 weeks

What we have seen on live deals

The ProxySG renewal pattern in this case is repeating across our 2026 book. The single largest source of overpayment is a stale population assertion that the buyer has not contested in two or more contract cycles. The second largest source is bundle drift, where modules priced as part of a continuity bundle are no longer being used in production but are being renewed by default. The third source is the escalator language, which is almost always quoted at 6 to 8 percent compounding and almost always settles at 3 to 4.5 percent compounding if the buyer asks. None of these are exotic moves. All of them require the buyer to do the entitlement work before the commercial conversation starts.

One observation that travels across the rest of the Symantec book. The seller's deal desk is not adversarial when the buyer presents a corrected entitlement read. It is procedural. The deal desk needs a documented basis to release a concession. If the buyer arrives with the basis already documented, the concession follows. If the buyer arrives without the basis, the desk holds the line because it has no procedural cover to do otherwise. The negotiation in this engagement was not won by toughness. It was won by paperwork.

The takeaway

  • Two thirds of the 47 percent reduction on this ProxySG renewal came from population reconciliation and module removal. The remaining third came from the escalator cap and the renewal review clause. The headline negotiation moved last and moved least.
  • The entitlement work has to happen before the commercial conversation. Most procurement teams sequence it the other way. The result is a negotiation against the wrong baseline.
  • Bundle drift is the quietest source of overpayment in any Symantec contract written before 2024. Every module the buyer is no longer using is a line item the seller is happy to renew until the buyer asks for it to be removed.
Sitting on a ProxySG or DLP renewal where the population looks suspect? Write to the Desk → Two analyst calls, no pitch.

Three related articles

Symantec · Lever
The ProxySG renewal lever most enterprises miss
Symantec · Position
Why your 2022 ProxySG negotiation playbook no longer survives 2026 review
Outcomes · Case
A regional bank cut its Symantec audit exposure by 81 percent
Cross references. Service: Renewal Negotiation. Practice: Symantec DLP and ProxySG. Calculator: Renewal quote validator.
Correspondence Invited

Write before the quote becomes a position.

Two analyst calls. No pitch. We tell you what we would do, what the leverage actually is, and whether we are the right firm. If we are not, we will say so.
Who we work for. Buyer side only. No reseller relationship with Broadcom. No partnership of any kind. We do not earn anything from products sold or renewed. Only from outcomes delivered against the contract.