Wednesday, 27 May, MMXXVI · Issue II
Independent · Buyer-Side
Case of the Quarter
Verified · Net of fees · Signed contract delta
A regional bank in North America. A Symantec endpoint audit defended over six months. Not affiliated with Broadcom Inc.
The Long Read · Symantec Audit Defense

A regional bank cut Symantec audit exposure from $11.4M to $2.1M in six months.

The defense did not start with the audit. It started with what the buyer was about to send before the buyer-side controls were put in place.

The audit notice arrived in late November and the bank's vendor management lead called us nine days later. By that point the bank had already done the most dangerous thing a buyer can do in the first week of an audit. The technical owner of the Symantec estate had received an informal request from the auditor for a list of installed endpoints and the technical owner, acting in good faith, had begun populating a spreadsheet. The spreadsheet would have been delivered to the auditor in the following ten days. The asserted exposure on Symantec endpoint, DLP and email security across the bank's fourteen thousand seats was eleven million four hundred thousand dollars at the auditor's opening assertion. The defense that followed was not primarily about contesting the assertion. It was about controlling what information left the bank, in what form, and on what schedule.

Six months later the audit settled at two million one hundred thousand dollars. The bank stayed on Symantec endpoint and renewed the following quarter on restructured commercial terms. The eighty-one percent reduction in asserted exposure was achieved without the audit going to formal escalation, without external counsel taking the lead, and without a confrontation with the auditor on the contractual basis of the notice.

The Quote

The auditor's opening exposure model was built on three positions. The first was a deployed endpoint count derived from a tool inventory the auditor had requested informally and which the bank had partially supplied before any audit response group was constituted. The second was a DLP licensing position that asserted enforcement endpoints and discovery endpoints under a single combined entitlement, which the bank's contract did not support. The third was an email security position that asserted licenses against mailbox count rather than against the seat count the contract actually used as the licensing metric.

Each of the three positions was wrong on the contract's own terms. None of them would have been visible to the auditor if the bank had completed the spreadsheet that was almost sent in the first week. The first defensive task was to retract what had already been said, on the correct terms, without retracting the bank's overall posture of cooperation.

The Find

The internal entitlement reconciliation took four weeks. The bank's endpoint inventory was reconciled against the contractually licensed seat count by site, by business unit and by entitlement class. The reconciliation surfaced approximately twenty-two hundred seats that the auditor was counting as deployed but which were either decommissioned hardware still appearing in management tools, virtual desktop sessions that the contract licensed differently, or branch endpoints covered under a separate Symantec contract from a previous acquisition that the auditor had not been told about.

"The auditor was not wrong on the data the auditor had. The auditor was wrong on the data the auditor did not have. Producing the missing data, on our schedule and in our format, was the entire defense."
Lead audit defender, The Desk

The DLP and email security findings followed the same pattern. The DLP contract distinguished enforcement endpoints from discovery endpoints with separate entitlement caps. The bank's deployment respected the distinction. The auditor's opening model did not. The email security contract used a seat count metric that the bank was within by a measurable margin. The auditor's opening model was using mailbox count, which the bank exceeded. The contract language was on the bank's side. The work was to surface the contract language inside a structured response, with the bank's reconciled data attached, before the auditor's opening model became the audit's working baseline.

The Restructure

The defense produced three documents over the following two months. The first was a written entitlement statement that scoped the audit to the contractually licensed estate using the contract's own metrics. The second was a written contestation of the auditor's combined DLP entitlement position, citing the contract's distinct caps. The third was a written contestation of the email security position, citing the contract's seat count metric. Each document was structured as a procurement and legal artefact, not as a technical artefact, and each was delivered through a named procurement lead to the auditor's named lead on the same schedule.

The auditor took six weeks to respond to the three documents. The response conceded the scope, conceded the DLP entitlement structure, and conceded the email security metric in part. The conceded positions cut the asserted exposure by approximately seventy percent. The residual exposure of three million four hundred thousand dollars was the remaining negotiating range. The bank countered with a settlement proposal of one million eight hundred thousand. The auditor came back at two million three hundred thousand. The final settlement closed at two million one hundred thousand dollars, written into a settlement agreement that was tied to the renewal of the Symantec endpoint contract in the following quarter.

The Outcome

The signed settlement delivered eighty-one percent below the opening assertion. The follow-on renewal of Symantec endpoint was negotiated as a separate workstream and closed at terms that were materially below the bank's prior contract on a per-seat basis. The audit response group was retained as a standing function inside the bank's vendor management organisation, on the basis that the discipline that defended this audit was the same discipline that would protect against the next one.

The bank's vendor risk lead made one observation at the close of the engagement that is worth repeating on every Symantec audit we have defended since. The defense was not built on a confrontation with the auditor. It was built on a structured information flow that the bank controlled, that respected the contract's actual language, and that gave the auditor a credible alternative basis for the exposure model. The auditor was not asked to back down. The auditor was given a better set of facts to work from. The auditor used them.

Asserted exposure (opening): $11.4M
Final settlement: $2.1M
Scope reconciliation: 2,200 seats out
DLP entitlement contested: Won
Email security metric contested: Partial win
Exposure cut on opening: 81%

The takeaway

  • The audit defense begins with information control. The first informal request from the auditor is the most dangerous request in the audit, because the response usually goes out before the audit response group is constituted and shapes the auditor's baseline.
  • The Symantec audit assertion is almost always built on positions the contract does not actually support. The contract language on DLP enforcement, on email seat counts, and on combined entitlements is on the buyer side more often than not.
  • The settlement is tied to the next renewal, not separate from it. The defense outcome and the renewal posture are negotiated as a single commercial conversation, not as two.
