Carbon Black's Journey: From Independent Startup to Broadcom Asset

Carbon Black was founded in 2002 (as Bit9), pioneered application whitelisting and endpoint detection and response (EDR) technology, and became one of the best-regarded independent security vendors in the enterprise market. VMware acquired Carbon Black in October 2019 for approximately $2.1 billion, integrating it into its portfolio with a strategic vision of combining network and endpoint security with virtualisation infrastructure.

When Broadcom completed its acquisition of VMware in November 2023 for approximately $69 billion, Carbon Black came with the package. Broadcom's initial post-acquisition analysis identified Carbon Black as a non-core asset relative to its primary VMware infrastructure and CA Mainframe businesses. Broadcom briefly indicated it was considering selling the Carbon Black business unit, which created significant uncertainty in the customer base. Ultimately, Broadcom paused or reversed plans to divest Carbon Black, but the strategic ambiguity around the product's roadmap has had lasting commercial and technical consequences.

What Changed for Carbon Black Customers After the Acquisition

The Broadcom acquisition triggered a series of changes that directly affect Carbon Black customers' commercial position and product experience.

In one engagement, a global retail group received a Broadcom Carbon Black renewal quote 58% above their prior contract value. Redress established that the customer qualified for the legacy perpetual conversion programme and was being incorrectly migrated to subscription-only pricing. The corrected renewal saved $290,000 in year one.

End of Perpetual Licensing

Consistent with Broadcom's approach across its entire acquired portfolio, all VMware perpetual licences — including Carbon Black perpetual entitlements — were discontinued in 2024. New Carbon Black deployments are subscription-only. Existing perpetual entitlement holders retain their licence rights but face the same support restructuring challenge as other VMware perpetual customers: Broadcom has consolidated support into premium tiers at rates that represent 3 to 5 times the previous annual maintenance fees.

Product Rationalisation and Uncertainty

Broadcom significantly reduced the overall VMware product portfolio after the acquisition, eliminating hundreds of standalone products and bundles in favour of a streamlined set of core offerings. While Carbon Black Cloud survived this rationalisation as a platform, the associated product bundles, integration add-ons, and specialist modules were affected. Customers who had deployed Carbon Black as part of specific VMware security bundles found their contractual entitlements restructured.

Support Restructuring

Broadcom's standard post-acquisition support restructuring applies to Carbon Black. The previous VMware support tier structure — Standard, Production, Premier — was replaced with Broadcom's consolidated support model. The practical effect for most enterprise Carbon Black customers has been significant support cost increases at renewal, alongside changes to support hours, escalation paths, and engineering engagement availability.

For security products like Carbon Black, where rapid threat response and engineering-level support are operationally critical, these support changes have been particularly jarring. Enterprise security teams that previously had clear escalation paths to Carbon Black engineering talent now navigate Broadcom's standardised support channels.

Pricing and Subscription Structure

Carbon Black Cloud is now sold as an annual subscription priced per endpoint per year. The pricing tiers vary by product module — Carbon Black Endpoint Standard, Carbon Black Endpoint Advanced, Carbon Black Endpoint Enterprise — with enterprise pricing negotiated on a case-by-case basis for deployments above 1,000 endpoints. The transition from some legacy pricing constructs to the current per-endpoint subscription model has resulted in cost increases of 50 to 200 percent for customers moving from older commercial frameworks.


The Strategic Dilemma: Stay, Renegotiate, or Migrate?

Enterprise security teams with existing Carbon Black deployments face a three-way decision at renewal. Each path has distinct commercial and operational implications.

Option 1: Renew and Stay on Carbon Black

Remaining on Carbon Black is viable if the product continues to meet your functional requirements and you can negotiate commercially acceptable renewal terms. Carbon Black's core technology — particularly its behavioural detection engine, NGAV capabilities, and threat hunting platform — remains competitive. However, product investment levels and roadmap commitment under Broadcom ownership have been questioned by the security analyst community.

If choosing to stay, the renewal negotiation should be conducted with the same rigour as any Broadcom product renewal: independent benchmarking against CrowdStrike, SentinelOne, and Microsoft Defender for Endpoint; credible migration timelines as leverage; and 12 to 18 months of lead time before contract expiry.

Option 2: Renegotiate for a Transitional Period

Many organisations are choosing to negotiate a 12 to 24 month transitional renewal on Carbon Black while executing a formal EDR replacement evaluation. This approach has merit: it avoids rushed migration decisions driven by contract expiry, provides time for a thorough PoC evaluation of alternatives, and maintains security continuity during the transition period.

The transitional renewal should be structured with no long-term lock-in — maximum 24 months, with clear data portability provisions, API export rights for threat intelligence data, and no penalties for early termination if migration completes ahead of schedule.

Option 3: Migrate to an Alternative Platform

For organisations where Broadcom's pricing changes, support quality concerns, or product roadmap uncertainty are dealbreakers, migration to a competitive EDR platform is the right strategic choice. The migration analysis must account for three cost components: the new platform licence cost, the migration and deployment cost (internal and potentially third-party), and the transition overlap period where both platforms run in parallel.

Competitive Alternatives: Where Carbon Black Customers Are Moving

The post-acquisition disruption has created a significant displacement opportunity that Carbon Black's competitors have actively pursued. Enterprise security teams have a mature set of alternatives to evaluate.

CrowdStrike Falcon

CrowdStrike is the most common migration destination for displaced Carbon Black customers. Falcon's cloud-native architecture, threat intelligence depth, and consistently strong MITRE ATT&CK evaluation performance make it the benchmark against which Carbon Black is measured. Pricing is per endpoint per year, typically $8 to $20 depending on tier and negotiated discount. CrowdStrike has been actively offering migration incentives to Carbon Black customers, including deployment support and commercial concessions for competitive replacements.

SentinelOne Singularity

SentinelOne's autonomous AI-driven detection and response capability differentiates it from both Carbon Black and CrowdStrike. Its patented Storyline approach to attack visualisation provides strong investigation capabilities. SentinelOne has also been competitive on pricing for Carbon Black displacement, with per-endpoint rates often 10 to 20 percent below CrowdStrike's equivalent tier for enterprise volumes. The Singularity platform's Ranger network discovery and Hologram deception capabilities are features that Carbon Black does not match in its current form.

Microsoft Defender for Endpoint

For organisations already running Microsoft 365 E5 or E5 Security, Microsoft Defender for Endpoint P2 is often the financially compelling alternative. The incremental cost for organisations already paying for the E5 suite is minimal — the feature is already included. Functional gaps versus CrowdStrike and SentinelOne remain in advanced threat hunting depth and response automation, but for organisations with Microsoft-centric environments, Defender's native integration with the M365 stack, Azure AD identity signals, and Microsoft Sentinel SIEM provides strong contextual detection capability.

The important caveat: Microsoft Defender should be evaluated on its actual capabilities rather than its included pricing. Organisations that deploy Defender inadequately or use it as a cost-avoidance shortcut, without investing in the SIEM, identity, and hunting capabilities that make it effective, often find themselves with a weaker security posture despite nominal cost savings.

"After Broadcom's acquisition, our Carbon Black renewal came in at 180 percent of the prior year contract. We ran a six-week PoC with CrowdStrike and SentinelOne, used those results as leverage, and ultimately renewed Carbon Black at 105 percent of the prior year — with an 18-month term to allow an orderly migration." — CISO, European retail group

How to Approach Your Carbon Black Renewal Negotiation

Whether you intend to stay on Carbon Black or are using the renewal as a transition vehicle, the negotiation approach is the same. The goal is to maximise commercial terms and minimise lock-in while maintaining security continuity.

Start by assembling competitive pricing from at least two alternatives, ideally CrowdStrike and SentinelOne, including deployment cost estimates. This is not theatre: Broadcom's commercial team will probe how seriously you are considering alternatives, and credible PoC evidence carries far more weight than a reference to market alternatives.

Next, establish your current deployment baseline: active endpoints by type (server, workstation, cloud workload), module usage (NGAV, EDR, threat hunting), and actual vs. contracted endpoint counts. Carbon Black deployments often have a significant discrepancy between contracted and active endpoint counts due to environment growth and licence non-compliance; understanding this baseline before Broadcom runs its own analysis is essential.

Challenge the support pricing directly. Broadcom's default support rate for Carbon Black at renewal is significantly above the previous VMware support rate. Benchmark it against market rates, document your support utilisation history, and be prepared to reference third-party maintenance options to create pricing pressure.

Finally, negotiate term length strategically. A 24-month maximum term provides sufficient time to complete a migration evaluation if required, while avoiding a three-year lock-in that would limit your strategic flexibility given the ongoing uncertainty around Broadcom's Carbon Black product roadmap commitment.

The Broader Broadcom Security Portfolio Context

Carbon Black does not exist in isolation within the Broadcom portfolio. Organisations that also hold Symantec Endpoint Protection licences — another major Broadcom security acquisition — should consider coordinating their renewal strategy across both products. A combined endpoint security renewal discussion (Carbon Black plus Symantec) creates portfolio-level leverage that neither product individually provides.

Broadcom's security portfolio, which also includes Symantec DLP, Symantec Web Security Service, and related products, provides genuine bundling opportunities for organisations that want to simplify their security vendor footprint. However, bundling should only be pursued if the consolidated commercial terms are demonstrably better than individual product renewals — not as a default response to Broadcom's portfolio pitch.

The key principle in any Broadcom security renewal is the same as across the broader Broadcom portfolio: the opening proposal is a starting position, not a final one. Support cost increases of 3 to 5 times the prior agreement are Broadcom's standard opening position. Well-prepared organisations with independent advisory support, credible competitive alternatives, and coordinated portfolio strategy consistently achieve materially better outcomes.

Independent benchmarking, migration economics, and negotiation advisory from Redress Compliance.