
Carbon Black. An EDR contract under acquisition pressure.

Carbon Black moved with VMware into Broadcom in 2023 and has lived under repeated divestiture rumours since. The product remains licensed and supported, the audit motion is real, and the contract terms inherited from VMware are still binding. We assess, defend, and negotiate the Carbon Black estate.


How Carbon Black licensing is structured.

Carbon Black Cloud is licensed per endpoint by sensor, with editions for Endpoint Standard (formerly Defense), Advanced, Enterprise EDR (Threat Hunter), Audit and Remediation (LiveOps), and Cloud Workload for server protection. The product line was harmonised after the VMware acquisition but the underlying SKUs still reflect the legacy Bit9 and Carbon Black Response history.

Under Broadcom, the commercial motion has consolidated toward larger bundles, with the previous mid-market entry tiers either repositioned or de-emphasised. Renewal economics have moved upward in line with the broader Broadcom motion.

What auditors look at for Carbon Black.

The Carbon Black audit pulls the Cloud console sensor inventory, the sensor activation history, the feature enablement per policy, and the workload protection deployment for the server estate. The auditors reconstruct an endpoint count by edition and compare it to the entitlement on file.

Most Carbon Black disputes turn on the sensor lifecycle — proving when a sensor was deactivated, decommissioned, or replaced rather than when it last reported. The reporting-versus-active distinction is the central methodology question.

Three Carbon Black audit traps.

01
Inactive sensors counted as deployed
Sensors that have not reported for weeks may still appear in the Carbon Black Cloud console. The audit reconstruction treats them as active deployments unless the customer can prove decommission.
02
Server vs workstation classification gap
Endpoints classified incorrectly in the policy structure — server workloads under a workstation policy or the reverse — produce reclassification claims at the tier-price differential.
03
Edition uplift through feature enablement
Enabling Enterprise EDR features such as Threat Hunter queries or LiveOps remediation on policies tied to Endpoint Standard endpoints triggers an edition-uplift claim across the affected sensor population.

Defences we use in Carbon Black engagements.

Carbon Black claims are generally won on the sensor lifecycle, the edition reconciliation, and the workload-protection scope. The defences below have been used in real engagements.

Where Carbon Black savings tend to land

In documented Carbon Black engagements the largest single reduction usually comes from rejecting inactive-sensor inclusion — proving with contemporaneous evidence which sensors were decommissioned before the audit cut-off. The second largest comes from the workstation-versus-server reclassification in the buyer's favour. The third comes from contesting edition uplift where features were enabled by template default rather than by deliberate buyer configuration.

Carbon Black licensing questions.

Is Carbon Black being divested?
Broadcom has at various points been reported to be exploring a Carbon Black divestiture. As of mid-2026 the product remains a Broadcom-owned line. A future divestiture would not unwind existing entitlement obligations.
Are on-prem Carbon Black products still licensed separately?
The legacy on-prem Carbon Black Response and Bit9 App Control products carry their own entitlement under contracts originally written with the predecessor entities. Buyers running both on-prem and Cloud may have parallel contracts that need to be reconciled before audit.
How are containers and Kubernetes counted?
Container Security is licensed by the underlying Kubernetes node count, not by container count. The metric is contract-specific and audits frequently apply a broader definition.
What about VDI non-persistent endpoints?
Each non-persistent VDI endpoint is treated as a sensor by default. The sensor configuration must be set for non-persistent mode to avoid inflating the deployed-sensor count in the Cloud console.
Will an EDR audit happen alongside a VMware audit?
Sometimes. Audit scope is set by the audit clause in the underlying contract. Carbon Black audits and VMware audits are distinct in scope but the same audit team may run them in parallel where the customer has both. Scope can often be separated at the protective-response stage.

Carbon Black in audit scope?
Don't reply alone.

Send us the audit letter, the Carbon Black Cloud console export, and the original entitlement records. We will model your Carbon Black defence position within 48 hours.
