New Broadcom audit wave alert.

A new wave of Broadcom audit activity is materially under way across the VMware customer base in 2026 — broader in scope than the 2024 and 2025 cycles, faster in tempo, and increasingly portfolio-wide rather than product-specific. This alert consolidates what we are seeing in the engagements we currently support, the signals customers should treat as audit-precursor events, and the defensive posture that produces the best outcomes when the formal notice arrives.

If your organisation has any VMware, Symantec, CA Technologies, or Carbon Black entitlement and has not refreshed its audit-readiness posture in the last six months, treat this article as a prompt to do so this week, not next quarter.

What the current wave looks like

Volume is up, not down

Across the engagements we have visibility into, the volume of audit-relevant Broadcom communications — formal audit notices, soft enquiries with audit-relevant data requests, compliance review requests tied to renewal conversations — is materially higher in 2026 than in 2025. The increase is consistent across regions, with EMEA and the Americas leading and APAC catching up through Q1 2026.

Scope has broadened from VMware to portfolio

The wave's defining feature is that audit-relevant communications increasingly include data requests across the full Broadcom-acquired portfolio: VMware product usage, Symantec endpoint and DLP deployment, CA Technologies product entitlement, and Carbon Black workload coverage. Customers who think their exposure is "VMware-only" are increasingly receiving portfolio-scope data requests under what looks like a routine compliance enquiry.

Timing clusters around fiscal quarter-ends

The current wave's timing clusters around Broadcom's fiscal quarter-end cadence. Soft enquiries land in the weeks leading up to quarter-end, formal audit notices land in the weeks following, and the compliance conversation often runs in parallel with a renewal proposal. The clustering is operationally rational from Broadcom's perspective: it concentrates the commercial close around the same fiscal events. From the customer's perspective, it produces the worst possible negotiation environment.

Signals that an audit may be imminent

Soft enquiry as audit precursor

The most consistent precursor signal is a soft enquiry — typically framed as an operational or routine compliance check — that asks for product usage data, entitlement inventory, or environment topology information. Soft enquiries do not invoke the audit clause but the data requested is audit-relevant. In 2026, a meaningful fraction of soft enquiries are followed within sixty to ninety days by a formal audit notice that references the data the customer voluntarily provided.

Account-team rotation

A change of account team — particularly the appointment of a senior account director or a compliance-focused contact — frequently precedes a formal audit notice by one to two quarters. The rotation is rational: a fresh account team can press the customer on commercial questions without the relational friction of an incumbent account director. Customers who observe an account-team change should treat it as a leading indicator and refresh their audit-readiness posture.

Channel-partner transition

Customers transitioning from a deprioritised channel partner to direct Broadcom engagement — or to a different strategic partner — frequently see their audit posture re-evaluated as part of the transition. The new account contact has no historical context for the customer's commercial relationship and tends to apply the current commercial playbook without the softening that incumbent relationships sometimes provide.

Renewal proposal arrives unusually early

A renewal proposal that arrives materially earlier than the contractual renewal date — three or four quarters in advance rather than one — often signals that the account team is positioning for a bundled commercial event that includes a compliance settlement. Customers receiving an unusually early renewal proposal should anticipate that a compliance conversation is queued behind it.

The data requests we are seeing

VMware usage telemetry

Current data requests typically include vCenter inventory exports, ESXi host counts and core counts, NSX deployment topology, vSAN cluster sizing, and Aria Operations utilisation data. The breadth of the request varies, but the trend is toward broader rather than narrower asks.

Symantec endpoint and DLP coverage

Symantec data requests typically ask for endpoint protection deployment counts, DLP policy coverage, and entitlement reconciliation against historical procurement. The reconciliation typically extends back further than customers expect.

CA Technologies entitlement

CA data requests focus on Automic, Clarity, and Rally entitlement reconciliation, with particular attention to user counts, environment sprawl, and unbundled add-on capability usage.

Carbon Black workload

Carbon Black requests cover sensor deployment counts, workload protection coverage, and cloud-environment reconciliation.

Defensive posture: what to do if a soft enquiry lands

Do not respond reflexively

The single most important guardrail is that no usage data leaves the organisation in response to a Broadcom request — regardless of how the request is framed — without licensing-lead sign-off. The operational instinct to respond quickly to a vendor request is exactly what the soft-enquiry framing is designed to exploit.

Validate the contractual basis

Before any response, validate the contractual basis for the request. Audit clauses have specific scope, notice, and process requirements. Soft enquiries that are framed as routine compliance checks often request data well outside what the audit clause permits. The contractual position is the first lever the defence partner uses to scope the response.

Engage defence support before responding

If your organisation does not already have a defence partner engaged, identify and engage one before responding to the soft enquiry. The cost differential between responding well and responding poorly to a soft enquiry is consistently a multiple of the cost of the defence engagement.

Document the methodology of any data provided

Where data is provided, document the methodology used to generate it — the scope of the inventory, the timestamps, the inclusion and exclusion rules, the assumptions made. The methodology documentation becomes the basis for challenging any later Broadcom reconciliation that uses the data in unexpected ways.

Defensive posture: what to do if a formal audit notice lands

The first 48 hours matter most

The first 48 hours after a formal audit notice are the highest-leverage window for the customer. Decisions made in that window — about scope, methodology, communication channel, and defence engagement — shape the rest of the engagement. The defensive posture is to slow the operational tempo, not accelerate it.

Centralise communication immediately

From the first 48 hours forward, all Broadcom audit communication should flow through a single named customer-side contact, ideally accompanied by external defence counsel and a licensing advisor. Distributed responses across infrastructure, procurement, and security teams produce inconsistencies that Broadcom's compliance team will exploit.

Scope the audit explicitly

The first substantive engagement with the auditor should establish the audit's scope in writing — products covered, environments included, timeframe of the reconciliation, methodology to be applied. Audit scope is the single largest lever for the customer; an audit scoped too broadly almost always produces a larger claim than the same audit scoped tightly.

Validate every assertion

Every assertion the auditor makes about entitlement, deployment, or compliance position should be validated independently by the customer. The reconciliation methodology used by Broadcom's compliance team produces a starting claim that consistently overstates the customer's actual exposure by a material margin.

What outcomes we are seeing in the current wave

Across the audits we are currently supporting, the typical pattern is that the starting claim — the headline number the auditor presents at the close of the data-gathering phase — overstates the final settled position by 50-80%. The compression from starting claim to settled position is driven by methodology challenge, scope narrowing, and contractual-position validation. Customers who engage defence support before the formal audit notice arrives consistently land at the lower end of that range; customers who engage after the notice arrives or attempt to manage the audit internally land at the higher end.

The 90-day outlook

If the current pattern holds — and the engagement flow through Q1 and Q2 2026 suggests it does — the wave will not abate over the next 90 days. Expect more formal audit notices, broader portfolio-scope data requests, and continued clustering around fiscal quarter-ends. Customers who have not refreshed their audit-readiness posture in the last six months should treat the next 30 days as the window to do so.

Closing

The 2026 Broadcom audit wave is not a transient spike. It is the operating environment that the rest of the post-acquisition trajectory will produce. Customers who plan against that environment — soft-enquiry guardrails, audit-readiness posture, defence-partner engagement before the formal notice, contractual-position clarity — land materially better outcomes than customers who treat each audit communication as a one-off operational event. The cost of preparation is a small fraction of the cost of an unprepared audit settlement.

Industry-specific patterns we are seeing

Financial services

Financial-services customers face one of the most active audit-cadence profiles in 2026. The portfolio depth typical of financial-services estates — combinations of VMware, Symantec, CA, and Carbon Black — concentrates audit exposure, and the regulatory overlay around data handling adds operational friction to any audit response. Financial-services customers should expect to be in the leading edge of the 2026 audit wave and should prepare accordingly.

Healthcare

Healthcare customers face the audit-cadence acceleration with additional complexity around clinical-system change-control. The operational tempo of healthcare estates does not support fast audit-response cycles, and audit timelines that work for commercial enterprises produce material risk in healthcare. The defensive posture is to set explicit response cadence expectations early in the audit engagement, supported by clinical-system change-control documentation.

Public sector

Public-sector customers — federal, state, and local — face the 2026 audit wave with procurement-rule overlays that affect both response and settlement. Procurement rules around vendor data sharing, contract clause modification, and settlement structures all add complexity that experienced defence support handles materially better than self-managed audit response.

Manufacturing and industrial

Manufacturing and industrial customers with operational-technology overlap face audit-response complexity around environments that cannot easily be inventoried via standard discovery tools. The data-collection methodology in these environments is materially more nuanced than in pure-commercial estates, and the negotiation around what counts as a licensable deployment is one of the highest-leverage audit-response questions.

The audit-phase playbook

Pre-notice phase

The pre-notice phase — before any formal audit communication has been received — is the most valuable preparation window. Soft-enquiry guardrails, entitlement-map maintenance, contractual-position review, and defence-partner identification should all be in place before any audit-relevant communication arrives. The work done in this phase materially affects the outcome of every subsequent phase.

Notice phase

The notice phase — the first 48 to 72 hours after a formal audit notice or a substantive soft enquiry — is where the customer establishes the operating posture for the rest of the engagement. Communication consolidation, scope assertion, defence-partner activation, and methodology articulation all happen in this phase.

Data-gathering phase

The data-gathering phase typically extends across multiple months. The customer's posture in this phase is to provide accurate, scope-appropriate data through documented methodologies, while validating every auditor request against the agreed scope and rejecting requests that exceed it. Discipline in this phase is the single largest determinant of the claim that emerges at the close.

Claim and settlement phase

The claim and settlement phase is where the starting position from the auditor — typically materially overstated relative to the customer's actual exposure — is compressed through methodology challenge, scope clarification, and contractual-position validation. Customers with strong defence support compress the starting claim by 50-80%; customers without defence support compress it materially less.

Communication discipline through an audit

Internal communication

Internal communication discipline matters as much as external. The audit conversation should be visible to a defined audit-response team, and only that team should be authorised to communicate with the auditor. Distributed communication across functions produces inconsistencies that the auditor's compliance team will exploit, often to the customer's material detriment.

External communication

External communication should flow through a single named customer contact and through documented written channels rather than informal verbal exchanges. Verbal exchanges that are not formally recorded produce ambiguity that does not survive the eventual claim conversation.

Outlook through year-end

The audit wave currently under way is not a transient cycle. Customers should plan against a sustained elevated audit cadence through the rest of 2026 and into 2027. The defensive playbook that produces the best outcomes is the same playbook that produces good outcomes in any audit environment: contractual clarity, scope discipline, methodology rigour, and experienced defence support engaged early. Customers who put that playbook in place now will produce better outcomes through 2026 than customers who put it in place after the formal notice arrives.