Broadcom VMware Audit: The Complete Defence Guide for 2026

Since the November 2023 close of the Broadcom acquisition of VMware, audit activity against VMware customers has become the single largest source of unplanned IT spend for mid-market and enterprise organisations worldwide. This guide is written for CIOs, CFOs, procurement leaders, and the IT directors who carry the audit pager — the people who will read a Broadcom audit letter on a Tuesday morning and need to know, by Wednesday, what to do, what not to do, and what an aggressive defence looks like.

It is a long read. We have made no attempt to shorten it, because the audits we see are not short and the defence work is not short. If you skim it now and save it for when the letter arrives, that is fine. Most clients we work with do exactly that.

We are an independent advisory. We do not sell Broadcom or VMware products. We have no partner status with Broadcom and have never received commission from them. We work exclusively on the buyer side, and over 280+ engagements we have reduced disclosed Broadcom and VMware audit claims by an average of 74% — most often by challenging methodology, scope, and entitlement interpretation rather than by buying our clients' way out.

What changed after the acquisition

The first thing every customer needs to internalise is that Broadcom is not VMware-with-a-new-logo. The commercial, contractual, and audit posture changed within ninety days of close, and continues to change as the integration matures. In practical terms, four things are different.

Perpetual licences ended for new sales. Effective December 2023, Broadcom stopped selling new perpetual VMware licences and shifted exclusively to subscriptions, primarily packaged as VMware Cloud Foundation (VCF) and vSphere Foundation (VVF). Customers with existing perpetual entitlements retained those entitlements but lost the ability to renew Support and Subscription (SnS) on the old model after their current term expired.

The product portfolio collapsed. The historical SKU catalogue, which contained more than 8,000 individual VMware product configurations, was compressed into roughly a dozen subscription bundles. Many products — including vRealize Operations as a standalone, Workspace ONE, Tanzu Application Service, and Carbon Black Endpoint Standard — were either bundled, discontinued, or divested.

Audits intensified. Broadcom Global Software Asset Compliance teams (the former VMware Compliance organisation, augmented with Symantec and CA legacy compliance teams) increased audit volume in calendar 2024 by an estimated 3x over VMware's last full year as an independent vendor. Audit letters that previously focused on simple over-deployment now include sophisticated VCF-equivalence claims, sub-capacity disputes on vSAN, and aggressive interpretations of "production use" for non-production environments.

The economics of the audit changed. Pre-Broadcom, a typical VMware true-up resolved by purchasing additional Enterprise Plus licences at SKU list. Post-Broadcom, a true-up resolves by purchasing VCF subscription — frequently sized to a customer's entire cluster footprint regardless of whether the customer ever intended to use the full VCF stack. The unit price difference between an extension of perpetual Enterprise Plus and a VCF subscription per core can be 4x or more.

The anatomy of a Broadcom VMware audit

Every Broadcom VMware audit we have seen since the acquisition follows a recognisable structure. The names of the phases vary in the contract language — "compliance review", "self-assessment", "verification", "formal audit" — but the underlying flow is consistent.

Phase 1: The trigger

Audits do not arrive randomly. The most common triggers we observe are: a lapsed SnS renewal on a perpetual estate, a recent acquisition or divestiture, a refusal to engage with Broadcom's VCF migration outreach, a public job posting that references VMware capabilities exceeding the customer's known entitlement, or simply being in a customer segment Broadcom has prioritised for the quarter. Healthcare, financial services, federal contractors, and large public sector entities are over-represented in 2025 and 2026 audit activity.

Phase 2: The soft approach

Most audits begin as a "self-assessment" or "licensing review" request rather than a formal audit notice. The letter is often phrased as a customer service gesture — Broadcom would like to "help" the customer confirm their entitlement position. This framing is deliberate. Customers who accept the soft approach typically run scripts provided by Broadcom (PowerCLI exports, RVTools outputs, vCenter inventory dumps) and submit the raw output to Broadcom for review.

The data Broadcom receives in a soft audit is the same data it would request in a formal audit. The only thing the customer gives up by accepting the soft approach is the procedural protection of the audit clause in their contract — notice periods, dispute mechanisms, scope limitations, and right to dispute findings before they become binding.

Phase 3: The formal notice

If the soft approach is declined, or if the data submitted does not satisfy Broadcom's expectations, a formal audit notice is issued. The notice is a written letter from Broadcom's compliance organisation, typically copying the customer's named account executive and a Broadcom legal contact. It invokes the audit clause in the master agreement (EULA, ELA, or order form), states the audit period, and identifies the appointed auditor — historically KPMG or Deloitte, but increasingly Broadcom's in-house team.

Phase 4: Data collection

The auditor requests deployment data covering vCenter inventories, host configurations, cluster topology, VM counts, vSAN deployment details, NSX usage, and (where applicable) Tanzu, Aria, and Workspace ONE telemetry. The scope of data collection is frequently broader than the contract permits, and this is one of the highest-leverage places to push back.

Phase 5: Findings and claim

Broadcom issues a findings report. The findings report is not a final invoice — it is an opening position. In our experience, the gap between the initial findings claim and the eventual settlement is, on average, 60-75%. The findings report contains the data that justifies the claim, the licensing rule Broadcom believes was violated, and a proposed remediation — almost always a VCF subscription purchase.

Phase 6: Negotiation and settlement

This is where independent defence delivers the largest returns. Methodology challenges, scope arguments, entitlement re-interpretations, and commercial framing of the remediation deal compound to produce settlements substantially below the opening claim.

The five mistakes that cost enterprises the most money

The following five mistakes account for an outsized share of the avoidable cost we see in Broadcom VMware audits. Each is preventable if recognised early.

Mistake 1: Treating the soft approach as a soft approach

It is not. Data shared in a "self-assessment" is admissible in a formal audit. Customers who run Broadcom-provided scripts and email the output have, in our experience, the worst eventual settlement multiples. Treat any data request from Broadcom or its representatives as if it were a formal discovery request. Have legal review the scope before any data leaves the network.

Mistake 2: Letting the auditor define "production"

VMware licensing has always required Enterprise Plus (or its modern equivalent) for production use of advanced features such as DRS, vMotion across hosts, Storage DRS, and Host Profiles. The definition of "production" is not in the EULA. Broadcom auditors will frequently assert that any environment where the feature is enabled is a production environment, regardless of business use. This is a defensible point and a common source of inflated claims.

Mistake 3: Ignoring the cluster boundary

VMware licensing is enforced at the cluster level for most features. A non-production cluster running DRS does not implicate a production cluster running standard vSphere. Auditors will often aggregate clusters into single "deployments" to maximise the SKU mismatch. Challenge any aggregation that crosses cluster boundaries.

Mistake 4: Accepting VCF as the remediation by default

The remediation Broadcom proposes will almost always be a VCF subscription sized to the customer's entire VMware footprint. This is the most expensive possible outcome for the customer. Alternative remediations exist: extension of perpetual entitlement under existing terms (where Broadcom will accept this), VVF rather than VCF (substantially cheaper for customers who do not need the full stack), or a phased migration over multiple years. Every customer should evaluate the remediation menu, not the remediation default.

Mistake 5: Not engaging an independent advisor

VMware partners, resellers, and Broadcom-aligned consultancies have commercial conflicts in an audit. They cannot reduce a customer's purchase obligation without reducing their own commission. Independent buyer-side advisors do not have this conflict.

The licensing rules that matter most

The rest of this guide gets specific. We have intentionally written this section in plain language rather than legal jargon, because the people who need to act on this content are not lawyers.

vSphere per-core licensing and the 16-core minimum

Since the April 2020 SKU update (carried forward by Broadcom), VMware vSphere is licensed per physical CPU core, with a minimum of 16 cores per CPU socket. A customer with 8-core CPUs still pays for 16 cores per CPU. This is a frequent source of confusion and overstatement. If your fleet contains 12-core CPUs, your licensing position should reflect 16-core billing per CPU — but only for the CPUs where you actually run a licensed VMware product.

vSAN capacity-based licensing

vSAN is licensed differently from vSphere — it is capacity-based, billed per raw TiB of storage in the vSAN datastore. Capacity calculations should exclude cache tier disks, host swap, and storage policies that explicitly reserve capacity for non-vSAN workloads. Auditors frequently include cache disks in their TiB total, which inflates the claim by 10-25%.

NSX edition stacking

NSX is sold in three editions: Standard, Professional, and Advanced (formerly Enterprise Plus). The features available in each edition are well documented, but Broadcom audits frequently assert that the presence of a single Advanced feature in a deployment requires Advanced licensing across the entire NSX environment. This is contractually incorrect for most older NSX entitlements and should always be challenged.

VCF and the "use of one component" argument

VCF (VMware Cloud Foundation) is sold as a bundle: vSphere, vSAN, NSX, and Aria. Broadcom's commercial position is that a customer who uses any one component of VCF in a cluster must license VCF for that cluster's entire core count. This position is novel post-acquisition and is being actively litigated by several large enterprises. Where a customer has perpetual entitlement to individual components, the VCF bundling argument should be rejected.

Sub-capacity and partitioning

VMware historically permitted sub-capacity licensing under specific conditions, most notably through hard partitioning technologies such as ESXi affinity rules combined with CPU pinning. Broadcom has narrowed the conditions under which sub-capacity is recognised, but the historical sub-capacity rules apply to entitlements purchased before the change.

What independent defence actually does

The phrase "audit defence" is overused. We want to be specific about what independent defence delivers in a Broadcom VMware audit, because the value is concrete and measurable.

Entitlement reconstruction

Most customers do not have a complete, accurate, current inventory of their VMware entitlements. Entitlements purchased through resellers, acquired with companies, transferred through divestitures, or upgraded through cumulative trade-ins frequently produce a contractual position that is more favourable than the customer's own records suggest. Reconstruction can typically reduce the gap claim by 15-30% before any methodology challenge is mounted.

Deployment data validation

The deployment data submitted to (or extracted by) the auditor is rarely clean. Snapshots include test VMs that were deleted but not garbage-collected, decommissioned hosts that remained in vCenter inventory, cluster migrations captured mid-move, and so on. Cleaning the deployment data — and forcing the auditor to use the cleaned data — produces an immediate reduction in stated deployment.

Methodology challenge

The auditor's methodology is a set of choices about how to count, how to attribute, and how to interpret. Every methodology choice is contestable. We typically file a written methodology challenge that itemises each assumption the auditor has made, requests the contractual basis for the assumption, and proposes an alternative.

Commercial framing of the remediation

Even after the licensing position is settled, the remediation deal is negotiable. List price is the opening position; we typically achieve 30-60% discount to list on the remediation, longer terms with price protection, and credits for incumbent perpetual entitlements that retain residual value.

What a 90-day defence engagement looks like

For readers who want to understand the work, here is the typical shape of a 90-day Broadcom VMware audit defence engagement from initial letter to settlement.

Days 1-7. Letter analysis. Master agreement review. Audit clause interpretation. Notice response drafted and sent. Engagement of legal counsel (in-house or external) for representation. Initial position-paper outline drafted.

Days 8-30. Entitlement reconstruction. Reseller record retrieval. Acquisition and divestiture history review. Deployment baseline established using customer-controlled data (not Broadcom-provided scripts). Initial methodology assumptions challenged in writing.

Days 31-60. Data exchange under negotiated protocol. Iterative findings rebuttal. Cluster-by-cluster entitlement vs deployment reconciliation. Sub-capacity arguments documented. Initial remediation proposals received and evaluated.

Days 61-90. Settlement negotiation. Remediation menu evaluated against business need. Commercial terms negotiated. Settlement documented. Contractual cleanup including release language, go-forward compliance plan, and entitlement update.

Special situations

Mergers, acquisitions, and divestitures

Broadcom has been aggressive in re-pricing VMware entitlements that transfer with an acquired entity. The contractual reality is that most VMware entitlements are transferable subject to Broadcom's reasonable consent. Broadcom's interpretation of "reasonable consent" has narrowed substantially, and many customers face a re-licensing event triggered by M&A activity that pre-acquisition VMware would have processed routinely.

Federal and public sector

Federal customers benefit from procurement protections (FAR, DFARS, and individual agency rules) that limit Broadcom's audit rights. State and local government customers operating under cooperative purchasing agreements (NASPO ValuePoint, OMNIA) have additional protections.

Highly regulated industries

Healthcare, financial services, and energy customers operating under HIPAA, SOX, FFIEC, NERC-CIP, or similar regimes can frequently push back on the scope of data collection on the grounds that the auditor is not authorised to receive protected data. This rarely defeats an audit, but it shapes the data-exchange protocol in ways that favour the customer.

Looking ahead: what 2026 and beyond hold

The VMware integration into Broadcom will be substantially complete by end of 2026. Three trends will shape audit activity from 2026 onwards.

First, the perpetual estate will continue to shrink as SnS lapses force customers off perpetual entitlement. Broadcom will increasingly audit the residual perpetual estate to accelerate VCF conversion.

Second, telemetry-driven audits will become the norm. VCF customers run software that reports usage directly to Broadcom. This eliminates the data-collection phase of the audit for VCF customers, but introduces new disputes over what the telemetry actually shows and how it should be interpreted.

Third, the alternative-hypervisor market is maturing. Nutanix AHV, Microsoft Hyper-V, Proxmox VE, and open-source KVM platforms now have credible enterprise stories. The credible threat of migration is, today, the single most valuable lever in a Broadcom commercial negotiation.

Negotiating the commercial settlement

By the time an audit reaches the settlement phase, the technical position has already been established. What remains is a commercial negotiation, and that negotiation has its own structure. Customers who treat the settlement phase as a continuation of the technical phase consistently leave money on the table; customers who treat it as a discrete commercial exercise with its own playbook consistently recover materially more value.

The first commercial principle is that the audit claim and the renewal opportunity are connected. Broadcom's commercial team will rarely settle the audit cleanly without also pricing the forward subscription. The two conversations need to be run in parallel, because the willingness to pay on the audit side directly drives the discount available on the subscription side. Customers who close the audit before negotiating the subscription lose the leverage; customers who insist on integrated settlement preserve it.

The second principle is that the headline claim is a starting position, not a settled number. In our engagement data across 280-plus client situations, the average final settlement lands 60-75% below the initial claim. The reduction is not a discount Broadcom offers freely — it is the result of methodology challenge, entitlement reconstruction, scope limitation, and commercial framing executed in sequence. The customers who accept the first commercial offer have not finished the work.

The third principle is that non-price terms matter as much as price. The audit settlement should include explicit language on the dispute resolution itself: a release of claims through the date of settlement, a defined audit-free window going forward, sub-capacity and partitioning recognition, written confirmation of the entitlement basis used in the calculation, and clarity on the support tier attached to any new subscription. Customers who focus only on the headline number frequently sign settlements that preserve Broadcom's ability to re-open the dispute on adjacent products.

The fourth principle is documentation. Every commercial assertion made by Broadcom during the negotiation should be captured in writing, dated, and preserved in the settlement record. The Broadcom commercial team rotates; the institutional memory of "what was agreed in the room" disappears with the people. The written record is the only defence against future re-litigation of settled terms.

Working with legal counsel during a Broadcom audit

The role of legal counsel in a Broadcom audit is more specific than it is often framed. Counsel is not running the defence — the licensing advisor is. Counsel is, however, the gatekeeper for several decisions that are properly legal in nature, and engaging counsel early prevents avoidable mistakes.

The first legal decision is privilege. Communications about the audit defence — including the licensing advisor's analysis, the methodology challenges, and the internal assessment of exposure — benefit from being structured under attorney-client privilege where possible. The privilege framing is jurisdiction-specific and requires deliberate set-up at the start of the engagement; retroactively asserting privilege over previously-shared analysis is difficult.

The second legal decision is the contractual interpretation. The licensing entitlements being audited derive from contracts — the original VMware purchase orders, ELAs, OEM agreements, and now Broadcom's transition documentation. The interpretation of those contracts is properly a legal exercise. Counsel reviews the contracts to identify the entitlement scope, the audit rights and limitations, the dispute resolution mechanics, and any provisions that limit Broadcom's commercial flexibility post-acquisition.

The third legal decision is the dispute escalation path. Most Broadcom audits settle through commercial negotiation without formal dispute escalation. A meaningful minority do not, and for those customers the escalation path — arbitration, mediation, or litigation — needs to be planned in advance. The contractual dispute resolution provisions vary across VMware contracts and matter materially to the customer's leverage in the negotiation.

The fourth legal decision is the regulatory and disclosure posture. For public companies, material settlement exposures may need to be disclosed in SEC filings. For regulated industries (financial services, healthcare, public sector), the audit settlement may have regulatory disclosure implications. Counsel manages these decisions; they should not be left to the licensing or procurement team.

The licensing advisor and counsel work together throughout the engagement. The advisor leads on technical defence and commercial strategy; counsel leads on contract interpretation, privilege, and dispute escalation. Customers who try to run the defence without counsel risk avoidable legal exposure; customers who try to run it with counsel but no licensing advisor end up with a legally clean but commercially expensive settlement.

Industry-specific defence considerations

Broadcom's audit posture varies across industries in ways that matter to the defence strategy. The pattern is not random — it reflects Broadcom's view of the willingness to pay, the strategic value of the customer relationship, and the regulatory constraints on aggressive enforcement.

Financial services customers tend to receive earlier audits, higher claims, and harder negotiating postures. The willingness-to-pay perception, combined with the regulatory pressure to resolve disputes quickly, makes financial services a priority sector for Broadcom's enforcement team. Financial services defence requires specific attention to data residency in the audit data collection, regulatory disclosure timing, and the contractual provisions around third-party access to regulated environments.

Healthcare and life sciences customers face a similar pattern, with additional sensitivity around PHI and PII in any audit data. The defence strategy needs to include a clear protocol for what data leaves the customer environment, how it is anonymised, and how it is destroyed after the audit. HIPAA and equivalent regulatory frameworks constrain the audit process in ways Broadcom's standard template does not always accommodate.

Public sector customers — federal, state, and local government — operate under contracting frameworks (FAR, DFARS, GSA Schedules, state-level equivalents) that constrain both Broadcom's and the customer's flexibility. The defence strategy in public sector includes specific attention to the contracting framework provisions, the appropriations cycle, and the political sensitivity of public-sector audit settlements.

Higher education and research institutions face a specific pricing dynamic — Broadcom's academic pricing is materially different from commercial pricing, and the application of commercial-pricing remediation to historically academic-priced deployments is a frequent point of dispute. The defence strategy includes explicit challenge to the pricing basis used in the claim.

Manufacturing, retail, and the broader middle market typically face a less aggressive Broadcom audit posture but face the same structural disadvantages in commercial negotiation. The defence strategy emphasises the licensing rules and methodology challenges, where the leverage tends to be highest for customers in these sectors.

Building audit-defensible licensing governance

The customers who fare best in Broadcom audits are not the ones with the best lawyers or the most aggressive advisors — they are the ones whose licensing position was defensible before the audit started. Building audit-defensible governance is an ongoing capability, not a one-time response. Five disciplines define the capability.

The first is entitlement record-keeping. The customer maintains a current, complete, and reconciled record of every licensing entitlement — purchase orders, ELAs, OEM bundles, prior settlements, and any verbal or email assurances that affect the entitlement scope. This record is the foundation of every audit defence; customers without it spend the first 30 days of an audit reconstructing it under time pressure.

The second is deployment visibility. The customer has accurate, current visibility into where the licensed software is deployed, what features are in use, and what hosts are running which versions. Telemetry-based deployments under VCF make this easier; legacy perpetual deployments require investment in deployment-discovery tooling. The defence requires this visibility; the audit team requires it during the data-collection phase.

The third is contract awareness. The licensing, procurement, and legal teams have a current understanding of the contractual entitlement scope, the audit rights and limitations, the dispute resolution mechanics, and the renewal provisions. This understanding lives in the contract repository and in the heads of the people who manage the relationship; it should not need to be reconstructed at audit time.

The fourth is change governance. Material changes to the deployment footprint — new clusters, new edge sites, new acquisitions, new business units — go through a licensing review before they go into production. The review confirms that the entitlement scope covers the change, identifies any required licensing actions, and creates the audit trail that supports a defensible position later. The discipline is operationally trivial; the absence of it is the single most common source of audit exposure.

The fifth is renewal preparation. The renewal cycle is treated as a structured exercise rather than a transactional one. The customer enters the renewal with a current entitlement record, a current deployment view, a defensible position on any disputes, and a renewal strategy that is informed by the broader market context. Customers who treat renewal preparation as a quarter-long exercise consistently outperform customers who treat it as a two-week procurement task.

Post-audit governance and the next renewal

The audit closing is not the end of the engagement; it is the beginning of the next cycle. Customers who treat the closing as the finish line frequently find themselves back in the same situation 18-24 months later, often with a harder negotiating posture from Broadcom because the prior dispute is in the record.

The first post-audit task is the settlement documentation. Every term agreed in the settlement — pricing, entitlement scope, audit-free window, partitioning rules, support terms — needs to be captured in the contractual record. The settlement document should be cross-referenced into the licensing record so that future teams can find it without archaeology.

The second post-audit task is the remediation execution. If the settlement involves a forward subscription, the migration to the new entitlement basis needs to be planned and executed deliberately. The transition is itself a source of risk; customers who treat it as administrative frequently find themselves out of compliance with the new entitlement structure within 12 months.

The third post-audit task is the governance update. The audit will have surfaced governance gaps — incomplete entitlement records, missing deployment visibility, unclear change-management processes. Closing those gaps is the most durable form of audit defence. Customers who fix the governance after an audit are materially less likely to face a second audit; customers who do not, frequently do.

The fourth post-audit task is the renewal positioning. The next renewal is 12-36 months away. Position for it starting now. Build the deployment record, monitor the market alternatives, maintain the relationship with the independent advisor, and avoid the commercial concessions that lock in the next round of pricing. The renewal that follows an audit is the one most likely to set the multi-year cost trajectory; treat it accordingly.

The bottom line

A Broadcom VMware audit is not a routine compliance exercise. It is a structured commercial event designed to convert your perpetual entitlement and your incumbency into a subscription contract priced to Broadcom's preference rather than yours. The defence is also structured: methodology challenge, entitlement reconstruction, scope limitation, and commercial negotiation, executed in sequence by people who understand how the audit was designed.

If you have received an audit letter, the most expensive day is the day you respond without advice. The second most expensive day is the day you accept the soft approach without contractual protections. Every day after that is recoverable.

For a confidential assessment of your position, Contact us →. We respond within one business day and provide an initial defence strategy within 48 hours of receiving the audit letter.