VCF renewals ▲ 31.4% YoY · Symantec EDR true ups ▲ 18% · Carbon Black avg quote uplift +22% · Mainframe MIPS capacity squeezes ▲ · Audit notices ▲ 47% QoQ · Our last 10 deals avg 41% off quote
Wednesday · 27 May · MMXXVI · Issue II
Independent · Buyer Side
Broadcom Negotiations
VMware · Symantec · CA · Carbon Black · Mainframe · Brocade
The buyer's report on Broadcom contract economics. Not affiliated with Broadcom.
Carbon Black App Control · Audit

What to do in the first 30 days after a Carbon Black App Control audit notice.

App Control audits look like a software inventory exercise on the surface. The exposure runs through rule allowances and policy server counts that almost no buyer is instrumented to defend at speed.

The Carbon Black App Control audit notice almost always arrives with three weeks of formal response time. The notice asks for a snapshot of agent deployments, a list of policy servers, a count of active rules across each policy, and the entitlement record the buyer was relying on at signature. The notice does not say what triggers the audit, what the seller expects to find, or what the consequence of a discrepancy will be. Buyers reading the notice for the first time treat it as a discovery exercise. That reading misses the structure of the audit. The exposure is concentrated in two specific lines of the contract, and the first thirty days determine the buyer's position for the rest of the audit. The work has to start the day the notice arrives. Waiting until the response window has begun to close is the most common error we see, and the most costly.

The first thing to do is to read the notice as a contract event rather than a procurement event. The notice triggers obligations under the audit cooperation clause of the existing contract. The clause defines what the buyer must provide, in what form, and within what time. It also defines what the buyer is not obliged to provide. The clause has limits. The audit cannot demand information that the contract does not require the buyer to retain. The clause is the floor of the buyer's response and is also the ceiling.

Days 1 to 3: Notice receipt and clause read

The notice is logged. The audit cooperation clause is pulled from the master agreement and read in full. The clause read is the foundation of the next 27 days of work and is the single piece of work most buyers skip. The clause typically defines a response window, a scope of permitted information requests, a confidentiality structure, and an escalation path. The clause read produces a one page summary of the buyer's obligations under the clause and the seller's obligations to the buyer. The summary is signed off by the buyer's legal lead and circulated to procurement, security operations, and finance leads on the response team. The first three days are not technical work. They are governance work.

In parallel, a single point of contact is named on the buyer side. The audit response is funnelled through that contact. Direct interaction between the seller's audit team and any other buyer side function is paused. This is not adversarial. It is procedural. Audits where the seller talks to multiple buyer functions in parallel always close worse for the buyer than audits where a single point of contact controls the information flow.

Days 4 to 10: Internal reconciliation, not external response

The second week is spent reconciling the buyer's internal records before any data is sent to the seller. The reconciliation has three lines: the agent count, the policy server count, and the rule count. The agent count is reconciled against the App Control management console. The policy server count is reconciled against the deployment architecture diagram and against the rule sets in force. The rule count is reconciled against the rule allowance entitlement in the contract, which is the line that carries the most exposure in 2026 audits.

"The rule allowance is the line the audit team is reading against. The agent count is the line the buyer thinks the audit is reading against. The gap between those two readings is where the audit defense lives."
Carbon Black App Control Engagement Lead, The Desk

The rule allowance is a number specified in the contract that caps the total number of active rules across the buyer's App Control estate. The cap is rarely visible to the security operations team. The team builds rules to support policy. The contract carries an allowance that has not moved with the rule population. In 2026 audits, the rule allowance is the trigger for true up demands almost twice as often as the agent count. The buyer who is instrumented to count agents and not rules will be looking at the wrong line when the audit demand arrives.

Days 11 to 20: Position assembly, not information transmission

The third week is the assembly of the buyer's response position. The response is not a forwarding of the management console output. It is a curated document that responds to the seller's specific information request and no more. The audit cooperation clause does not require the buyer to volunteer information the seller has not asked for. It also does not require the buyer to format the response the way the seller has requested if the contract does not specify the format. Buyers who treat the audit as a question and answer session, with the seller setting the questions and the buyer answering each one in turn, end up disclosing more than the clause requires. Buyers who treat the audit as a contract event, with the buyer producing the response document that satisfies the clause, retain more control.

The position assembly includes three documents. The first is the deployment reconciliation, signed by the endpoint operations lead. The second is the rule allowance position, which states the current rule count, the contractual allowance, and any rule consolidation that has been completed or is in progress. The third is the entitlement read, which sets out the buyer's reading of the entitlement record at signature and any provisions that the buyer is relying on. The three documents together constitute the response. They are not a complete picture of the estate. They are a complete response to the clause.

Days 21 to 30: Engagement on findings, not on demands

The fourth week is the engagement window with the seller. The seller's audit team will return findings. The findings are not demands. The findings are positions the seller wants to negotiate against. The buyer's response on the findings should be conducted through the audit cooperation clause's escalation path, not by procurement directly. The clause typically allows the buyer to dispute a finding, request supporting evidence, and escalate to a contract level conversation if the finding is not supported. Buyers who allow the finding to skip the escalation path and move directly into a renewal conversation lose the structural protection the clause provides.

The most common 2026 finding on App Control audits is a rule allowance exceedance. The seller proposes a true up against the over-count. The buyer's defense, if the rule consolidation work has been scoped, is a forward state in which the rule count returns to inside the allowance. The seller is often willing to accept a forward state commitment in place of a true up payment when the commitment is documented and time bound. The trade is not automatic. The trade is available to buyers who have prepared the documentation in the first three weeks.

The numbers

App Control audits supported, 2024 to 2026: 7
Audits where rule allowance was the primary finding: 5 of 7
Audits where policy server count was the primary finding: 1 of 7
Audits where agent count was the primary finding: 1 of 7
Median initial demand vs settled outcome: $3.2M vs $0.9M
Median time from notice to settlement: 11 weeks
Audits settled with no true up payment: 3 of 7

What we have seen on live deals

A pharmaceutical buyer received an App Control audit notice in late 2024 and engaged us four days into the response window. The clause read identified a 21 day response window the buyer had been treating as 30 days. The reconciliation produced a rule count that exceeded the contractual allowance by 38 percent. The buyer's security operations team had built rules into the estate to support a new regulatory regime without checking the contractual allowance. The position assembly produced a documented rule consolidation plan that returned the count to inside the allowance over a six month window. The seller accepted the forward state in exchange for a small one-off settlement against the audit period over-count. The settled outcome was 71 percent below the seller's initial demand.

A financial services buyer received an audit notice and treated it as a procurement matter. The buyer's procurement team responded directly to the seller's questions without involving legal, without reading the audit cooperation clause, and without a single point of contact governance structure. The buyer disclosed information the clause did not require, including a rule count taken from a non production environment that was higher than the production rule count. The seller's demand was built against the disclosed count. The buyer subsequently retained us to renegotiate. The recovery was partial. The settlement closed at 41 percent below the initial demand, against an exposure that would have been materially lower had the response been structured from day one.

The takeaway

  • Read the audit cooperation clause before responding to the audit. The clause defines the floor and the ceiling of the buyer's response. Most of the audit exposure that closes badly for the buyer in 2026 closes badly because the clause was not read.
  • Reconcile rules before agents. The rule allowance is the most common 2026 audit finding on App Control. The agent count is rarely the trigger. Buyers instrumented only on agent count are reading the wrong line.
  • Treat the audit as a contract event with a single point of contact and a curated response document. Audits where multiple buyer functions interact directly with the seller's audit team close at higher cost than audits funnelled through one named lead with a clause governed response.

App Control audit notice on your desk and the response clock already running? Write to the Desk. Two analyst calls, no pitch.

Correspondence Invited

Write before the quote becomes a position.

Two analyst calls. No pitch. We tell you what we would do, what the leverage actually is, and whether we are the right firm. If we are not, we will say so.
Who we work for. Buyer side only. No reseller relationship with Broadcom. No partnership of any kind. We do not earn anything from products sold or renewed. Only from outcomes delivered against the contract.