The situation.
The client is a top-ten European bank operating in 11 countries with a Symantec Endpoint Protection estate that had been deployed in waves since the early 2010s. The Broadcom audit letter, delivered eight months before the planned SEP-to-CrowdStrike migration cutover, asserted that the bank was running 71,000 entitled-but-uncovered SEP endpoints across the production fleet, branch network, and back-office estate. The opening financial assertion was $6.4 million, calculated using SEP Complete list pricing against the deployment delta.
The audit notice also flagged six SEPM management servers as evidence of "active deployment" across entities the bank had divested 22 months earlier. Broadcom's auditor argued the bank remained the licensee of record because the original perpetual entitlements had been issued to the parent legal entity rather than the divested subsidiary.
The complication.
Symantec audits are uniquely sensitive to SEPM management-server discovery data because the SEPM console keeps a long tail of stale endpoints — devices that were imaged, decommissioned, or refreshed but never aged out of the management console. Standard SEPM defaults retain stale endpoint records for 30 days, but several of the bank's SEPM servers had retention extended to 180 or 365 days for audit-trail reasons unrelated to licensing.
The auditor had also counted endpoints registered under multiple AD identities — typically the result of a hardware refresh or reimage — as separate entitlement-consuming devices. Approximately 14,000 of the 71,000 asserted endpoints were duplicate records of this kind. Identifying and proving the duplicates required cross-referencing the SEPM data against the bank's AD computer object history and asset management records, which sat in three separate systems.
The response.
The defence operated on three parallel tracks. The first was the divestiture carve-out: the team produced the executed transfer documents, the post-completion entitlement letter Symantec had issued at the time, and the SEPM server configuration evidence showing that the six flagged management servers had been physically transferred to the divested entity at close. After two rounds of evidence review, Broadcom's auditor accepted the carve-out and removed approximately $1.6 million from the assertion.
The second track was the stale-endpoint defence. Using SEPM database extracts, the team identified 18,400 endpoint records that had not reported in to a SEPM server for more than 90 days at any point in the audit period. Cross-referencing against the asset management system, 16,900 of those records were confirmed as decommissioned, reimaged, or hardware-refreshed devices and were removed from the asserted population.
The third track was the duplicate-record defence. By joining the SEPM data against AD computer object history, the team established that 14,000 of the remaining records corresponded to devices that had previously appeared under a different identity in the same SEPM instance. Broadcom's auditor accepted the duplicate-record reduction after independent verification on a sampled subset.
The remaining true delta was approximately 22,000 endpoints, against which the bank held entitlements for 19,500. The residual gap of 2,500 endpoints was settled at a per-endpoint rate negotiated 38% below Broadcom's quoted SEP Complete list, for a final true-up of $960,000. The settlement included a release of the audit period and a 12-month forward subscription bridge to support the planned migration off SEP.
The outcome.
The bank closed the audit at 85% below the opening assertion. Documented saving against Broadcom's opening position is $5.44 million. The 12-month subscription bridge kept the migration off SEP on its original schedule, avoiding the cost and operational risk of an accelerated migration under audit pressure.
The post-engagement remediation focused on SEPM hygiene: the bank now enforces a 30-day stale-endpoint aging policy across all SEPM instances, performs quarterly reconciliations against the asset management system, and produces a single source-of-truth endpoint count for licensing purposes. The same controls are being ported to the CrowdStrike platform during the cutover.
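A sketch of the reconciliation logic behind the stale-endpoint and duplicate-record tracks, and of the quarterly count described above. This is an added example, not the bank's or the engagement team's tooling: the column names, the use of a hardware serial as the join key, the status values, and the sample rows are all assumptions constructed for illustration, and staleness is simplified to a single as-of date.

```python
from datetime import date

STALE_DAYS = 90  # threshold used for the stale-endpoint track in the case study
RETIRED = {"decommissioned", "reimaged", "refreshed"}  # assumed asset-system statuses

# Constructed console export; field names are hypothetical, not SEPM's schema.
SEPM_ROWS = [
    {"record_id": 1, "hostname": "BR-LDN-0141", "serial": "SN1001", "last_checkin": date(2024, 6, 20)},
    {"record_id": 2, "hostname": "LDN-WKS-0141", "serial": "SN1001", "last_checkin": date(2023, 11, 2)},
    {"record_id": 3, "hostname": "BO-FRA-0077", "serial": "SN1002", "last_checkin": date(2024, 1, 15)},
    {"record_id": 4, "hostname": "BO-FRA-0078", "serial": "SN1003", "last_checkin": date(2024, 2, 1)},
    {"record_id": 5, "hostname": "BR-MAD-0310", "serial": "SN1004", "last_checkin": date(2024, 3, 1)},
    {"record_id": 6, "hostname": "PRD-AMS-0912", "serial": "SN1005", "last_checkin": date(2024, 6, 29)},
]
# Constructed asset-management extract keyed by serial; SN1004 is deliberately absent.
ASSET_STATUS = {"SN1001": "active", "SN1002": "decommissioned",
                "SN1003": "active", "SN1005": "active"}

def reconcile(rows, asset_status, as_of, stale_days=STALE_DAYS):
    """Classify console records as billable, stale_confirmed, duplicate or review."""
    out = {"billable": [], "stale_confirmed": [], "duplicate": [], "review": []}
    newest = {}
    # Newest check-in per physical device wins; older identities are duplicates.
    for row in sorted(rows, key=lambda r: r["last_checkin"], reverse=True):
        if row["serial"] in newest:
            out["duplicate"].append(row["record_id"])
        else:
            newest[row["serial"]] = row
    for serial, row in newest.items():
        age = (as_of - row["last_checkin"]).days
        if age <= stale_days:
            out["billable"].append(row["record_id"])
        elif asset_status.get(serial) in RETIRED:
            # Stale AND independently confirmed retired: defensible removal.
            out["stale_confirmed"].append(row["record_id"])
        else:
            # Stale but unconfirmed (active or unknown asset): stays in the count.
            out["review"].append(row["record_id"])
    return {k: sorted(v) for k, v in out.items()}

def licensable_count(result):
    """Records that still consume an entitlement after reconciliation."""
    return len(result["billable"]) + len(result["review"])

if __name__ == "__main__":
    res = reconcile(SEPM_ROWS, ASSET_STATUS, as_of=date(2024, 6, 30))
    print(res, "licensable:", licensable_count(res))
```

Stale records are removed only when the asset system confirms retirement, mirroring how 16,900 of the 18,400 stale records were accepted in the case above; unconfirmed ones remain in the count until evidence exists.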