The Carbon Black App Control negotiation lever most enterprises miss.
Carbon Black App Control is one of the older products in the Broadcom security portfolio and is the one we see negotiated the least competently in 2026. The reason is that the per agent price is treated as the negotiable axis. It is not. The per agent price is rate carded and moves a couple of points either way during a renewal. The negotiation lever that actually moves the contract is the policy server count and the way it interacts with the per agent rate. Enterprises that arrive at the renewal without a defensible policy server consolidation position end up signing against a per agent rate that has been silently uplifted by the policy server overhead, and they almost never know it has happened. The deal desk does. The rate card carries a policy server multiplier on the per agent rate that scales with the number of distinct policy servers the buyer's estate is configured against. The multiplier is not visible on the quote.
App Control was built to support large estates with policy heterogeneity. A buyer with three distinct security domains might run three policy servers, with policies tuned to each domain's application set. The platform supports the pattern. The contract economics penalise it more aggressively in 2026 than they did in 2022. The buyer who consolidates policy servers reduces the multiplier. The buyer who does not, pays the multiplier whether or not the estate genuinely requires the separation.
How the multiplier works
The Broadcom rate card for App Control in 2026 starts with a base per agent rate. The rate is then adjusted by a multiplier driven by the policy server count. The first policy server is at parity. The second adds 8 to 11 percent to the per agent rate across the whole estate. The third adds another 6 to 9 percent. By the fourth, the multiplier compounds to between 24 and 32 percent above the single policy server base. The compounding is not linear, and the rate card does not explicitly disclose the structure to the buyer. The renewal quote shows a per agent rate and an agent count. The math behind the per agent rate is internal to the deal desk.
The compounding pattern surfaced for us through reconciliation work across nine App Control renewals between 2024 and early 2026. In each case where the buyer had retired or consolidated a policy server in the period leading up to the renewal, the per agent rate dropped by an amount that did not correspond to any disclosed line item. The pattern across the sample produced the multiplier estimates above. We have not been able to obtain the rate card itself. The mathematical signature is consistent enough that we treat the multiplier as established.
The corrective move
The corrective move is a policy server consolidation review. The buyer's endpoint and security architecture teams produce a list of currently configured policy servers, the agent count attached to each, and the policy distinctness justification for keeping each one separate. The review almost always identifies one or more servers that exist for historical reasons rather than current policy distinction. A buyer estate built up across two or three acquisitions often carries policy servers that were never consolidated after the acquisitions closed. A buyer with a divested business unit often carries a policy server that lost its underlying agent population two years ago.
"The number on the quote is the per agent rate. The number that drives the per agent rate is the policy server count. Buyers who do not bring the second number to the table are negotiating with one hand."
Carbon Black App Control Engagement Lead, The Desk
The review typically identifies a consolidation path that reduces the policy server count by one or two. In our 2025 to 2026 sample the median consolidation available, after operational review, was a reduction of 1.4 policy servers across the buyer estate. The consolidation requires real engineering work. Policies have to be merged, conflicts resolved, agents repointed. The work is non-trivial but is also tractable inside a four to seven month window. Buyers who scoped the work before the renewal anniversary and produced a credible consolidation commitment, with an executable plan, were able to negotiate the per agent rate at the consolidated count rather than the original count.
What blocks the move
Three things block buyers from using the lever. The first is that policy servers are an architecture decision and the security architecture team is rarely at the renewal negotiation. The second is that the consolidation work is in security operations, not in procurement, and there is no procurement reason to do the work absent the rate card visibility. The third is timing. The consolidation has to be credible at the renewal table, which means the planning has to happen six months before the anniversary rather than six months after.
The numbers
What we have seen on live deals
A regional utility had been running App Control across four policy servers since 2019. Two of the four had been carried forward from acquisitions completed in 2017 and 2018. The security architecture team had been planning a consolidation for two years and had not had a commercial reason to prioritise it. The buyer engaged us four months before the App Control renewal anniversary. The consolidation plan was scoped, presented to the deal desk as a committed forward state, and used to negotiate the renewal against a two policy server count. The per agent rate dropped by 13 percent against the four server baseline. The total renewal reduction, including a layered discount conversation, was 24 percent against the opening quote.
A national retailer ran the same review and found no consolidation opportunity. The four policy servers in the estate genuinely supported distinct policy domains. The renewal closed against the standard discount lever alone. The reduction was 6 percent against the opening quote. The lever does not work for every buyer. It works when the policy server count exceeds the policy distinctness that genuinely justifies it, which is the more common pattern but not the universal one.
A third pattern. A buyer with a single policy server and no consolidation lever to use turned the lever into a forward commitment instead. The buyer was planning to introduce a second policy server to support a regulated workload coming online in the next 18 months. The buyer negotiated the renewal at the single policy server rate and added a clause that the second server, when stood up, would not trigger the multiplier for the remainder of the contract. The clause is in force. The forward saving has not yet crystallised. The clause itself is worth tracking as a buyer position even when the current estate does not present a consolidation case.
The takeaway
- The per agent rate on a Carbon Black App Control renewal is rate carded, but the rate card is adjusted by a policy server count multiplier the deal desk does not disclose. In our 2025 to 2026 sample the multiplier compounded to 24 to 32 percent above the single server base by the fourth policy server.
- A policy server consolidation review is the corrective move. Most buyers carry policy servers that were stood up for historical reasons rather than current policy distinctness. The consolidation reduces the multiplier and pulls the per agent rate down by 9 to 14 percent in addition to whatever discount is negotiated on top.
- The lever requires lead time. Six months before the renewal anniversary is the practical minimum to scope and credibly commit a consolidation. Buyers who arrive at the renewal table without the policy server question on the agenda lose the lever by default.