Symantec. The audit nobody plans for.

Symantec Endpoint Protection, DLP, PGP, ProxySG, and Messaging Gateway are now Broadcom-owned and Broadcom-audited. SEP claims are the second most common Broadcom audit we defend, and they almost always rest on endpoint counts that no one inside the customer can reconcile. We assess, defend, and negotiate the Symantec portfolio.

How Symantec licensing works under Broadcom.

Symantec is licensed primarily by endpoint count, with server versus workstation pricing differential, and per-feature add-ons for Application Control, Device Control, Network Threat Protection, and DLP. The Symantec Endpoint Security Complete suite consolidates these features but does not eliminate the historical entitlement model that most enterprises are still operating under.

Symantec contracts are notoriously difficult to read. The combination of legacy Veritas entitlement, acquired Blue Coat products, and the Broadcom commercial overlay produces a contract surface that the average IT team cannot navigate without specialist help.

What auditors verify for SEP.

The Symantec audit pulls the SEP Manager (SEPM) console export, the endpoint deployment count by group, the feature enablement matrix per policy, and the historical client-arrival logs covering the audit period. They reconstruct an endpoint count by category and compare it to the entitlement on file.

The contested numbers usually come from disconnected endpoints, decommissioned devices that still appear in SEPM, and feature uplift where DLP or Application Control was enabled by policy default rather than active subscription.

Three Symantec audit traps.

Stale endpoints in SEPM

Devices that have been re-imaged, decommissioned, or replaced often remain visible in SEPM for months. The audit reconstruction treats them as active endpoints unless the customer can prove decommission timing.

Server vs workstation reclassification

Endpoints classified as workstations in the SEPM group structure but running server workloads — or vice versa — produce reclassification claims at the price differential between the two tiers.

DLP / Application Control feature uplift

Features enabled by policy default that the contract does not entitle generate uplift claims across the entire deployed endpoint count, not just the endpoints where the feature is actively used.

Defences we use in Symantec engagements.

Symantec disputes are typically won on the endpoint-counting methodology, on the server-versus-workstation classification, and on the feature enablement evidence. The defences below have all been used to reduce a real claim.

SEPM stale-endpoint reaping window

Re-imaged device deduplication

Server versus workstation reclassification

Feature uplift challenge under telemetry methodology

Application Control policy-default exclusion

Device Control entitlement scope

DLP discover-vs-monitor entitlement boundaries

Network Threat Protection edition reconciliation

Messaging Gateway and Mail Security carve-outs

ProxySG and Web Security Service treatment

PGP and encryption module entitlement

Symantec Endpoint Security Complete (SES Complete) bundle attribution

Legacy Veritas and Blue Coat entitlement preservation

Multi-tenant managed-security-provider exemption

Affiliate, subsidiary, and divested-entity scope

True-up window and notice-period challenges

Where Symantec savings tend to land

In documented Symantec engagements the largest single reduction usually comes from rejecting the stale-endpoint inclusion — proving with contemporaneous evidence that devices appearing in SEPM had been decommissioned before the audit cut-off. The second largest comes from contesting feature uplift where the policy enabled a feature that was never actively used. The third comes from reclassifying endpoints between server and workstation tiers at the buyer's favour.

Symantec licensing questions.

Is SEP still sold standalone?

SEP standalone remains available for renewal, but Broadcom positions Symantec Endpoint Security Complete (SES Complete) as the strategic SKU. The conversion economics from SEP to SES Complete should be modelled separately from the audit exposure.

How are virtual desktops counted?

Each virtual desktop is treated as an endpoint. Non-persistent VDI deployments that re-create the endpoint at every login can produce inflated endpoint counts in SEPM unless the SEP virtual-client configuration is correctly set.

Are we audited on the SEPM count or the contracted count?

The audit compares the contracted count to the deployed count reconstructed from SEPM and the historical telemetry. Disputes are about the deployed-count reconstruction.

Does DLP licensing follow the same model?

DLP is licensed separately from SEP, by the same endpoint or user count depending on the SKU vintage. The Endpoint and Network DLP tiers have distinct entitlement rules. Audits frequently combine the two views in a way the buyer cannot reconcile without specialist help.

What about legacy Blue Coat and ProxySG?

Blue Coat products carried into the Symantec portfolio under the original Symantec acquisition are now Broadcom-audited. ProxySG, ASG, and Web Security Service appear in audits where the original Blue Coat contract is still on file.

Symantec. The audit nobody plans for.

How Symantec licensing works under Broadcom.

What auditors verify for SEP.

Three Symantec audit traps.

Defences we use in Symantec engagements.

Where Symantec savings tend to land

Symantec licensing questions.

Symantec audit letter received?
Don't reply alone.

Symantec. The audit nobody plans for.

How Symantec licensing works under Broadcom.

What auditors verify for SEP.

Three Symantec audit traps.

Defences we use in Symantec engagements.

Where Symantec savings tend to land

Symantec licensing questions.

Symantec audit letter received?Don't reply alone.

Symantec audit letter received?
Don't reply alone.