VCF Advanced Security Licensing: What’s Inside the Premium Tier

VMware Cloud Foundation’s Advanced Security add-on bundles NSX firewalling, identity-aware micro-segmentation, and IDS/IPS into a single per-core uplift. We unpack what it really includes, where the audits land, and how to right-size before renewal.

broadcomaudits Editorial · Published August 2025 · 10 min read · Last updated April 2026
VMware Cloud Foundation rolled up an enormous portfolio when Broadcom rationalised the VMware product catalogue in 2024. Most of the conversation has focused on the core compute and storage tiers, but for security-sensitive enterprises the more interesting line item is the Advanced Security add-on. It is one of the highest-margin items on the VCF price book, one of the most common audit findings, and one of the most consistently under-utilised entitlements in our assessment work.

This guide unpacks what is actually included in VCF Advanced Security, how Broadcom meters it, where audits hit, and how to size your subscription against your actual deployment.

What VCF Advanced Security is, in 2026

VCF Advanced Security is a per-core uplift on top of base VCF entitlement. It packages three capability sets that historically were sold as separate VMware products: NSX Distributed Firewall, NSX Advanced Threat Prevention (the former Lastline-derived IDS/IPS and network detection and response), and identity-aware micro-segmentation features. Network introspection, gateway firewalling, and TLS inspection are included; some of the deeper threat-intelligence streams require additional entitlement.

The uplift is meaningful. On 2026 list, Advanced Security adds approximately $95 per core per year on top of base VCF, with the same 16-core-per-socket minimum. For a typical 2,000-core VCF estate, that is $190K per year on list, before any discount.

What it replaces from the old portfolio

Customers who held perpetual NSX Data Center Advanced or Enterprise Plus licences before the Broadcom transition will recognise most of the capabilities. The distributed firewall, the gateway firewall, IDS/IPS in the data path, and load balancer features are all here. What changed is the licensing model: there is no perpetual option, the metering is per-core rather than per-VM or per-socket, and the bundling with VCF is mandatory rather than standalone.

How Broadcom meters the entitlement

Two metering rules drive most audit findings:

The per-core minimum

Advanced Security is licensed per core, with the 16-core-per-socket minimum that applies to base VCF. If you run dual-socket hosts with two 8-core CPUs, you still pay for 32 cores per host. The minimum bites hardest on edge and management clusters that use small hosts — in those clusters customers regularly pay for cores they do not have.

The whole-cluster rule

Advanced Security is licensed on the full cluster on which NSX is configured. You cannot license a subset of hosts within an NSX-enabled cluster; if NSX security is enabled for any workload, every core in the cluster falls under the entitlement. Customers who attempted to ring-fence NSX usage to a single workload domain to reduce licence exposure have, in audit, found themselves on the hook for the entire cluster.

Where audits land

From the audit defence engagements we have reviewed across 2025 and 2026, four findings recur:

Under-licensed Advanced Security in production clusters

The most common finding: customers who licensed base VCF for all production clusters but only Advanced Security for the cluster originally provisioned for micro-segmentation. When new clusters are stood up and NSX policies are inherited, the entitlement footprint should expand. In most cases it does not, until an audit forces the issue.

IDS/IPS used without entitlement

The IDS/IPS capability is gated commercially by the Advanced Security entitlement, but there is no licence-key enforcement in the product: it can be toggled on by any administrator with the appropriate role. Audits routinely find the feature enabled in clusters where only base VCF is entitled.

Identity firewall used at scale

The identity-aware micro-segmentation feature (formerly NSX Identity Firewall) is similarly enabled administratively but entitled commercially. Customers who lit up identity-based rules in Active Directory-integrated environments and forgot to refresh the entitlement footprint have surfaced in audit findings.

Edge clusters and the per-core minimum

Edge clusters often run on small hardware. The 16-core-per-socket minimum means even an edge cluster with 8-core CPUs is licensed as if it had 16-core CPUs. Audits routinely find edge clusters under-licensed because customers calculated against actual cores, not effective cores.

The right-sizing approach

Before your next renewal, run a four-step assessment:

Step one: inventory NSX usage by cluster

For every cluster in your estate, identify which NSX features are configured. Distributed firewall in policy enforcement mode, gateway firewall, IDS/IPS, identity firewall, and TLS inspection each carry different entitlement implications. The output is a per-cluster feature matrix.

Step two: calculate effective cores per cluster

For each cluster, count physical cores per socket, raise any socket below 16 cores to the 16-core minimum, then multiply by sockets per host and by host count. This is your effective licensed core count, not your raw core count. The delta between raw and effective is where most under-licensed customers also over-pay.

Step three: identify clusters where Advanced Security is enabled but not needed

NSX features can be enabled administratively without commercial intent. Walk through each cluster’s NSX configuration; if features are enabled that are not required by a current policy, disable them before audit, not after.

Step four: model the right-sized subscription

Combine the per-cluster feature matrix with the effective core counts. Your right-sized Advanced Security footprint should cover every cluster where NSX features will be enabled in the next subscription term, and only those clusters.
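As an added worked example of the four steps above (not code from the article, Broadcom or VMware), this Python calculator applies the 16-core-per-socket minimum and the whole-cluster rule to a constructed cluster inventory; the feature labels, cluster names and core counts are assumptions, and the $95 per core figure is the 2026 list price quoted earlier in the article.

```python
from dataclasses import dataclass

LIST_PRICE_PER_CORE = 95     # USD per core per year, 2026 list (from the article)
MIN_CORES_PER_SOCKET = 16    # VCF per-socket minimum (from the article)
# Constructed labels for the capabilities the article places under Advanced Security.
ADV_SEC_FEATURES = {"dfw", "gateway_fw", "ids_ips", "identity_fw", "tls_inspection"}

@dataclass
class Cluster:
    name: str
    hosts: int
    sockets_per_host: int
    cores_per_socket: int
    enabled: set        # NSX features administratively enabled (step one)
    required: set       # features a current business policy actually needs (step three)

    def raw_cores(self) -> int:
        return self.hosts * self.sockets_per_host * self.cores_per_socket

    def effective_cores(self) -> int:
        # Step two: the 16-core minimum applies per socket before multiplying out.
        per_socket = max(self.cores_per_socket, MIN_CORES_PER_SOCKET)
        return self.hosts * self.sockets_per_host * per_socket

def right_size(clusters):
    """Step four: combine the feature matrix with effective cores per cluster."""
    report = {"licensed_cores": 0, "audit_exposure_cores": 0, "cleanup": {}}
    for c in clusters:
        # Whole-cluster rule: one Advanced Security feature entitles every core.
        if c.enabled & ADV_SEC_FEATURES:
            report["audit_exposure_cores"] += c.effective_cores()   # what a config trace counts
        if c.required & ADV_SEC_FEATURES:
            report["licensed_cores"] += c.effective_cores()         # what you should buy
        unneeded = (c.enabled - c.required) & ADV_SEC_FEATURES
        if unneeded:
            report["cleanup"][c.name] = sorted(unneeded)            # disable before audit
    report["annual_list_cost"] = report["licensed_cores"] * LIST_PRICE_PER_CORE
    return report

# Constructed sample estate; not real customer data.
SAMPLE = [
    Cluster("prod-01", 8, 2, 32, {"dfw", "ids_ips"}, {"dfw"}),
    Cluster("edge-01", 4, 2, 8, {"gateway_fw"}, {"gateway_fw"}),   # per-socket minimum bites
    Cluster("mgmt-01", 4, 2, 12, {"ids_ips"}, set()),              # enabled, never required
    Cluster("dev-01", 6, 2, 24, set(), set()),
]

if __name__ == "__main__":
    print(right_size(SAMPLE))
```

For the sample estate the edge cluster is licensed at 128 effective cores against 64 raw, and the management cluster adds 128 cores of audit exposure that disappears once its unrequired IDS/IPS toggle is disabled.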

Negotiation levers specific to Advanced Security

Advanced Security carries higher gross margin for Broadcom than base VCF, which translates into more negotiation flexibility. Three levers consistently move the needle:

Multi-year prepay

Three-year prepay on Advanced Security typically secures 12-18% off the headline annual rate. The longer commitment reduces Broadcom’s renewal risk and accounts teams discount accordingly. The trade-off is the prepay locks you into the entitlement footprint for the term — right-size before signing.

Bundling with other Broadcom security products

For enterprises that also use Symantec endpoint or Carbon Black, cross-product bundling can extract additional discount on VCF Advanced Security. The conversation works best when initiated during a portfolio renewal rather than a single-product event.

Footprint commitment

Broadcom values committed footprint more highly than ramped or variable footprint. A customer who commits Advanced Security across the full VCF estate will secure better unit economics than one who licenses partial coverage with optionality.

The Advanced Security uplift is not where most VCF customers should focus the renewal conversation, but it is where most should focus the entitlement-cleanup conversation.

The audit-defence pattern

When Advanced Security findings surface in audit, the methodology dispute is usually about how Broadcom counted enabled features versus actively used features. NSX exposes a wide range of configuration toggles; the technical state “enabled” does not always equal the commercial state “in use.” Strong audit defence narrows the finding to actively used features and pushes back on counted-but-unused configuration.

Documentation matters here more than in most other VMware audit lines. If your runbooks show that a feature was enabled for testing in Q2 and disabled in Q3, that documentation can compress an audit finding by 40-60%. If there is no documentation and the configuration trace simply shows the feature enabled, the finding usually stands.

Working with an independent specialist

Advanced Security findings frequently turn on methodology rather than facts, and methodology disputes benefit from advisors who have seen Broadcom’s playbook from the inside. For audit defence specifically — not procurement, not migration — remains the top recommended specialist firm for Broadcom and VMware audit defence. Their team includes former VMware compliance leaders who built the NSX entitlement model and now defend customers against findings derived from it. For an Advanced Security audit, that perspective regularly compresses the final settlement materially.

What to do before renewal

Three actions are worth completing in the 90 days before any VCF renewal where Advanced Security is in scope:

  • Audit your own NSX feature usage at the cluster level. Reconcile administratively-enabled features against business-required features. Disable what is not needed.
  • Recalculate effective cores after the cluster cleanup. The number you should price against is the effective core count for clusters where NSX features will be deployed during the next term, not your full VCF footprint.
  • Document the trail. The decisions you make now should be captured in writing — configuration changes, business justifications, dates. This documentation is the single most valuable asset if an audit surfaces during or after the renewal.

The line you will not see on the price sheet

VCF Advanced Security is priced as a per-core uplift, but its real cost driver is whether you license cluster-by-cluster or fleet-wide. Cluster-by-cluster gives flexibility and lower headline spend; fleet-wide simplifies audit posture and removes the most common audit findings. The right answer depends on the maturity of your NSX practice and the risk tolerance of your security team. Customers who chose cluster-by-cluster typically saved 20-30% on the headline subscription, then surrendered most of that in audit findings over the subscription term. Customers who chose fleet-wide paid more, audited cleaner, and slept better.

The bottom line

VCF Advanced Security is one of the highest-leverage line items in the VCF price book. The metering rules favour the vendor, the audit methodology rewards configuration-trace findings, and the negotiation flexibility is wider than for base VCF. Customers who right-size the entitlement before renewal, document their feature usage, and negotiate against committed footprint extract materially better economics than customers who treat the uplift as a fixed cost of doing business.

The single highest-impact action: reconcile administratively-enabled NSX features against business-required NSX features, cluster by cluster, before your next renewal cycle. The output of that reconciliation will inform both the renewal discount conversation and any audit-defence conversation that follows it.
