Carbon Black Licensing After Broadcom

Carbon Black, the endpoint security platform Broadcom acquired as part of the VMware deal, has experienced one of the more turbulent licensing transitions in the Broadcom portfolio. Originally a standalone company, then a VMware product line, now part of Broadcom's Symantec enterprise security business unit, Carbon Black has been re-positioned, re-priced, and re-bundled multiple times since 2023.

For enterprises with Carbon Black deployments — whether Carbon Black Cloud, Carbon Black EDR (the on-premise platform formerly known as Cb Response), or Carbon Black App Control — understanding the current licensing structure is essential to managing renewal costs, maintaining audit defensibility, and making informed decisions about platform consolidation. This article walks through what has changed, what to expect at your next renewal, and how to position effectively against Broadcom's evolving commercial posture.

The pre-Broadcom Carbon Black licensing model

Under VMware ownership (2019-2023), Carbon Black licensing was relatively straightforward. Carbon Black Cloud was sold per endpoint, per year, with tiering based on which security modules were enabled — Endpoint Standard, Advanced, Enterprise EDR, Container, Workload, Audit & Remediation. On-premise Carbon Black products (EDR and App Control) were sold per agent with separate server licensing.

VMware bundled Carbon Black aggressively into VMware Cloud Foundation and into vSphere security promotions, which led many enterprises to acquire Carbon Black almost incidentally as part of a broader VMware purchase. This bundling created significant "shelfware" — Carbon Black licences that were owned but never deployed — which is now becoming an audit and commercial issue under Broadcom.

What Broadcom has changed

Broadcom has implemented several changes to Carbon Black licensing since closing the VMware acquisition:

Repositioning under Symantec. Carbon Black has been moved out of the VMware product portfolio and into Broadcom's Symantec enterprise security business unit. The practical effect is that Carbon Black is now sold by Broadcom's Symantec sales team, on Symantec contract paper, with Symantec support processes. This has caused significant transition friction for customers whose primary Broadcom relationship is on the VMware side.

New SKU bundling. Broadcom has restructured the Carbon Black SKUs into a smaller number of bundled tiers, similar to its broader Symantec portfolio strategy. The granular module-by-module pricing of the VMware era is being phased out in favour of tiered bundles, which often forces customers to pay for capabilities they don't use.

Subscription consolidation. Carbon Black is now positioned as part of Broadcom's Enterprise Security Suite (ESS) — a broader bundle that combines Symantec Endpoint Protection (SEP), DLP, CASB, and other security products. The bundling can be commercially attractive for customers using multiple Symantec products, but it complicates the cost analysis for customers who use only Carbon Black.

Tightened audit posture. Broadcom's Symantec security audit team has begun examining Carbon Black deployments more systematically. The audit focus is typically on agent counts, environment counts (production, staging, DR), and on whether deployed modules match licensed modules.

The key compliance traps

Carbon Black has several specific licensing pitfalls that enterprises commonly fall into:

Agent count drift

Carbon Black agents are licensed per-endpoint, but most enterprises have endpoint counts that drift continuously — new joiners, contractors, virtual desktops spun up for short-term projects, servers brought online for development environments. Without active management, the deployed agent count routinely exceeds the licensed count by 10-30% within a contract cycle. Under Broadcom's audit posture, that drift becomes a direct compliance exposure.

Module activation

Carbon Black Cloud has modular licensing — Endpoint Standard, Advanced, Enterprise EDR, Workload, Container — and each module is separately licensed. Many enterprises have activated modules in their environment that exceed their licensed tier, often unintentionally because module activation can occur as part of administrator workflow without an explicit licensing prompt. This is a common audit finding and a common source of inflated audit claims.

Environment proliferation

Carbon Black deployments often span multiple environments: production, pre-production, DR, training. Each environment with active agents counts against your licence pool. Enterprises that stood up additional Carbon Black instances during incident response (a common pattern after major security events) often forgot to retire those instances and now find themselves over-deployed.

Acquired entitlements

If your organisation acquired companies that used Carbon Black, the acquired entitlements need to be formally transferred to your master agreement. Broadcom does not automatically recognise acquired Carbon Black licences as part of the acquirer's entitlement pool; transfer requires documentation and approval.

The renewal trajectory

Carbon Black renewals under Broadcom typically show 30-80% price increases over the prior VMware-era contract, before any negotiation. The increase is driven by a combination of subscription model pricing, SKU consolidation forcing higher-tier purchases, and bundling pressure pushing customers toward the broader Enterprise Security Suite.

Customers who push back effectively — by demonstrating clean compliance, by presenting credible competitive alternatives (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint), and by negotiating multi-year terms with locked pricing — typically reduce the increase to 10-25% over prior pricing. Customers who do not push back end up paying the headline number, which on large estates can mean seven-figure swings.

The competitive landscape

The endpoint security market has consolidated significantly since Carbon Black was acquired. The leading commercial alternatives now include:

CrowdStrike Falcon. Market leader for cloud-native EDR. Aggressive in displacement campaigns, particularly against Carbon Black customers frustrated with Broadcom transitions.

SentinelOne Singularity. Strong AI-driven EDR with autonomous response. Frequently positioned as the "modern" alternative to legacy EDR platforms.

Microsoft Defender for Endpoint. Bundled with Microsoft 365 E5 licences, which makes it functionally free for many enterprises already on the Microsoft enterprise agreement. Significant displacement risk for Carbon Black accounts.

Palo Alto Cortex XDR. Strong fit for enterprises already invested in the Palo Alto security stack.

Each of these vendors will actively quote against Carbon Black renewals, and the competitive pressure is real. Even customers who ultimately renew with Broadcom benefit from running a structured competitive evaluation, because the resulting quotes are leverage in the Broadcom negotiation.

Audit defence for Carbon Black

Carbon Black audit defence has specific characteristics that distinguish it from VMware infrastructure audits. The technical analysis focuses on agent telemetry, console configuration, and module activation logs rather than on host-level inventory. The contract analysis focuses on Symantec contract paper rather than VMware contract paper. And the negotiation dynamic involves Broadcom's Symantec security organisation, which has different commercial reflexes than the VMware Cloud Foundation team.

Independent audit defence advisors with depth in both the VMware-era Carbon Black contracts and the current Broadcom Symantec structure are still relatively rare. — the firm we most often recommend for Broadcom defence — has built specific practice depth in Carbon Black and the broader Symantec portfolio, which is why they are typically the right call for Carbon Black audit situations.

The on-premise question

Many enterprises still run on-premise Carbon Black (EDR, App Control) alongside or instead of Carbon Black Cloud. Broadcom's strategic direction for on-premise Carbon Black is unclear. The products continue to be sold and supported, but new feature development has slowed, and Broadcom's commercial focus is clearly on the cloud platform and on the broader Enterprise Security Suite.

Enterprises with significant on-premise Carbon Black estates should be planning their migration strategy now — whether that means moving to Carbon Black Cloud, migrating to a competitor, or running the on-premise platform for a defined sunset period while a replacement is selected. Doing nothing is increasingly the highest-risk option.

The bottom line

Carbon Black under Broadcom is more expensive, more bundled, and more aggressively audited than Carbon Black under VMware. The fundamental product remains capable, but the commercial environment has changed enough that every enterprise with a significant Carbon Black footprint should be actively re-evaluating their position.

Three actions are worth taking immediately: run a clean inventory of deployed agents, modules, and environments against your current entitlement; benchmark your current Carbon Black spend against quotes from CrowdStrike, SentinelOne, and Microsoft Defender for Endpoint; and engage independent advisory support if your renewal is within 12 months or if you have received any audit-style outreach from Broadcom's Symantec team. The cost of getting Carbon Black right is much lower than the cost of getting it wrong.

Frequently asked questions

What is the difference between Carbon Black Cloud and Carbon Black EDR?

Carbon Black Cloud is the SaaS-delivered endpoint security platform, with telemetry processed in Broadcom's cloud infrastructure. It is the strategic direction for the product line and where new feature investment is concentrated. Carbon Black EDR (formerly Cb Response) is the on-premise platform — deployed in the customer's own data centre with customer-managed servers. The on-premise platform continues to be sold and supported, but new feature development has slowed materially. Most enterprises starting fresh with Carbon Black today are deploying Carbon Black Cloud rather than the on-premise alternative.

Can Carbon Black be unbundled from the Enterprise Security Suite?

Yes, but the standalone pricing is typically less favourable than the bundled pricing. Broadcom's commercial preference is to sell the Enterprise Security Suite, and the bundle pricing reflects that preference. Customers who use only Carbon Black and have no need for SEP, DLP, or the other ESS components should still ask for standalone pricing as a negotiation baseline, but should expect the bundle to be quoted as the recommended path.

How does Carbon Black licensing handle ephemeral cloud workloads?

Carbon Black Workload (the SKU specifically for server and cloud workloads) is licensed based on protected workload counts rather than persistent endpoint counts. Ephemeral workloads — containers, short-lived VMs, autoscaled cloud instances — are handled through specific telemetry and entitlement rules that differ from persistent server licensing. Customers running heavily autoscaled environments should verify that their Carbon Black Workload entitlement matches their actual peak workload counts, not their average steady-state counts.

What are the competitive alternatives most likely to displace Carbon Black?

CrowdStrike Falcon is the most aggressive Carbon Black displacement competitor, particularly in mid-to-large enterprise. SentinelOne Singularity is strong on autonomous response capabilities and is a frequent alternative for technology-forward security organisations. Microsoft Defender for Endpoint is particularly compelling for Microsoft 365 E5 customers who effectively get it bundled. Palo Alto Cortex XDR competes well where the customer is already invested in the Palo Alto security stack. Each of these will quote aggressively against Carbon Black renewals.

Is the on-premise Carbon Black platform being deprecated?

Broadcom has not formally announced an end-of-life for the on-premise platforms, but the strategic direction is clearly toward Carbon Black Cloud and the broader Enterprise Security Suite. Enterprises with significant on-premise Carbon Black deployments should be planning their migration approach now — whether that means moving to Carbon Black Cloud, migrating to a competitor, or running the on-premise platform for a defined sunset period while a replacement is selected.