Wednesday · 27 May · MMXXVI · Issue II
Independent · Buyer Side
Broadcom Negotiations
VMware · Symantec · CA · Carbon Black · Mainframe · Brocade
The buyer's report on Broadcom contract economics. Not affiliated with Broadcom.
Carbon Black · Trap

The Carbon Black App Control rule allowance clause that inflates your 2026 renewal.

App Control contracts written before 2024 carry a rule allowance line that looks innocuous on the order form. Three years later, the renewal price is built on that line, and most buyers do not know it is there.

The Carbon Black App Control renewal quote that arrives on a 2026 buyer's desk looks like a straightforward extension of an existing entitlement. Endpoint counts, support level, and term. What it does not announce is that the price has been recalculated against a clause buried in the order form three contracts ago. The clause governs how many policy rules and approved file groups the buyer is licensed to deploy. It was written when App Control was still positioned as a high cost, narrow scope product for a few thousand servers in a hardened estate. It has not aged well. In every Carbon Black App Control renewal we worked in 2025 and into 2026, the rule allowance clause was the single largest unspoken driver of price uplift. The buyer who reads the renewal quote without reading the rule allowance line is renewing the wrong number.

The clause goes by different names depending on the contract vintage. It appears as a Rule Pack entitlement, an Approved File Group cap, or simply a metered Policy Object count. The contract language is short. The pricing implication is not. When the deployed rule count crosses the contracted allowance, the renewal is calculated against the higher tier. The seller rarely flags the crossover during the year. The buyer discovers it at renewal as a one line uplift on the quote.

The problem is operational as much as commercial. App Control rules accumulate as a side effect of how the product is operated. Each new application package, each new patching cycle, each new business unit onboarding produces additional approved file groups and additional policy entries. The security team adds rules to keep the platform functional. Procurement does not see the rule count. The deal desk does.

Why the clause looks innocuous on the order form

The order form line that contains the rule allowance is almost always a single field with a default value. In contracts originated through the legacy Carbon Black sales motion before 2024, the default was set against a baseline that reflected typical deployments at signature time. The baseline number was small. Most buyers signed without negotiating it because there was no operational signal that the number would matter. There was no usage report sent back to the buyer during the term. The first time the number became visible was at renewal, when the deployed count had quietly grown past it.

Across our 2026 Carbon Black App Control engagements, the median rule count growth during a three year term was 2.4x the baseline. The maximum growth we observed was 6.1x. The growth was almost never the result of a deliberate expansion. It was the cumulative effect of routine operations. Every quarterly patching cycle produced a measurable expansion. Every new server build template produced a smaller but steady expansion.

"The rule allowance is a price lever the buyer never reads and the seller does not flag during the year. The renewal is where it shows up, and by then the operational record is locked in."
Carbon Black Engagement Lead, The Desk

How Broadcom is enforcing the clause in 2026

The acquisition consolidated the Carbon Black commercial motion into the Broadcom deal desk in 2024. The deal desk runs a different posture on metered allowances than the legacy field. The legacy field treated the rule allowance as a soft cap and renewed against the original baseline. The current deal desk treats it as a hard contracted entitlement and prices the renewal at the next tier. The difference between the two postures, on contracts where the deployed count has crossed the baseline, is the single largest cost line in the renewal uplift.

The mechanism the deal desk uses to surface the deployed count varies. In some renewals it is presented as a usage report appended to the renewal quote. In others it appears as a single line in the configuration assertion the seller asks the buyer to sign before the quote is finalised. In either case the deployed count is asserted by the seller and is rarely challenged at the desk level. The buyer who signs the configuration assertion without checking the deployed count is conceding the pricing position before negotiation begins.

What the corrective move looks like

The correction is not technical. The platform will still operate after the conversation. The correction is contractual. There are three positions a buyer can take, and the right one depends on the operational picture.

The first position is rule reduction. The security team reviews the rule inventory and removes rules that are no longer in use, that duplicate other rules, or that protect systems that have since been retired. In our 2026 sample the median reducible portion was 22 percent of the deployed rule count. A 22 percent reduction is often enough to bring the deployed count back inside a lower tier and remove the uplift line from the quote entirely. The exercise takes roughly 12 to 20 hours of security team time depending on the size of the rule inventory.

The second position is allowance renegotiation. If rule reduction is not operationally viable, the buyer can negotiate a higher allowance that is not priced as a tier change but as an in scope expansion of the existing entitlement. The deal desk will accept this when the renewal term is being extended and when the buyer presents the new allowance as a one time true up to actual rather than an ongoing escalation. The cost difference between a tier change and a true up is typically 40 to 60 percent of the uplift line.

The third position is contract restructure. On larger estates where the rule allowance has crossed several tier boundaries, the right move is to remove the metered allowance from the renewal entirely and replace it with an unmetered enterprise entitlement. The deal desk will price the unmetered entitlement against the seat count rather than the rule count. On the contracts where this was the right move, the renewal closed at between 18 and 31 percent below the opening quote.

The numbers

Carbon Black App Control renewals reviewed, 2025 to 2026: 11
Median rule count growth across a 3 year term: 2.4x
Maximum rule count growth observed: 6.1x
Median reducible portion of deployed rule count: 22%
Renewal uplift from tier crossover before correction: +19% to +34%
Average reduction after rule allowance restructure: 18% to 31%

What we have seen on live deals

A regional financial services firm renewed Carbon Black App Control in late 2025 with a quote that carried a 22 percent uplift over the prior contract. The configuration assertion attached to the quote stated a deployed rule count that had crossed two tier boundaries since the previous renewal. The security team reviewed the rule inventory across four weeks of part time work. The review identified 1,840 rules that protected servers retired in 2024, 612 rules that duplicated newer consolidated policies, and 240 rules that had been added during a 2023 deployment that was subsequently rolled back. The corrected deployed count fell back inside the lower tier. The uplift line was removed in full and the renewal closed 6 percent below the prior contract on a like for like basis.

A Fortune 200 manufacturer faced a different shape. The deployed rule count had grown across the full term and could not be meaningfully reduced. The estate had genuinely expanded. The buyer team negotiated a restructure that replaced the metered allowance with a seat based enterprise entitlement. The closing price was 27 percent below the opening quote and removed the tier crossover risk from future renewals. The conversation took three rounds with the deal desk over six weeks.

A third pattern is worth noting. On contracts where the buyer has already signed the configuration assertion before procurement is engaged, the deal desk treats the deployed count as conceded. The buyer who routes the configuration assertion through procurement before signature retains the room to challenge the count. The buyer who does not, does not.

The takeaway

  • The Carbon Black App Control rule allowance clause is the single largest unspoken driver of renewal price uplift on contracts originated before 2024. The deal desk in 2026 treats it as a hard contracted entitlement and prices crossover at the next tier.
  • The correction is contractual rather than technical. Rule reduction, allowance renegotiation, or restructure to an unmetered entitlement each work in the right operational picture, and each removes 18 to 31 percent of the renewal uplift.
  • The configuration assertion is the document where the buyer concedes the deployed count. Route it through procurement before signature. The deal desk will not concede a count the buyer has already signed.