Broadcom Carbon Black XDR Licensing: Post-Acquisition Pricing and Negotiation

The Carbon Black Journey Under Broadcom

VMware acquired Carbon Black in 2019 for $2.1 billion, integrating the endpoint detection and response (EDR) platform into the VMware Security portfolio alongside CloudHealth and AppDefense. When Broadcom acquired VMware in 2023, Carbon Black passed into the Broadcom Enterprise Security Group (ESG) — the same division that houses Symantec, acquired by Broadcom from Broadcom's own private equity journey through CA Technologies.

The strategic logic for Broadcom was clear: combine the prevention-first Symantec platform with Carbon Black's EDR-first, behaviour-based detection approach to create a unified extended detection and response (XDR) offering that could compete with CrowdStrike Falcon and Palo Alto Networks Cortex XDR. That combination became reality in March 2026 with the launch of Symantec CBX — announced at RSA Conference 2026 in San Francisco.

For enterprise customers with active Carbon Black Cloud subscriptions, the CBX launch creates both an opportunity and a risk. The opportunity is a more capable, unified platform that combines Symantec's prevention capabilities with Carbon Black's detection and response depth. The risk is that platform transitions in Broadcom's history have been accompanied by pricing restructuring, and the CBX launch represents exactly the kind of transition moment where contract terms need careful management.

The Carbon Black Product Portfolio Pre-CBX

Before the CBX consolidation, Carbon Black Cloud comprised four primary product tiers: Endpoint Standard (antivirus replacement with next-generation prevention), Endpoint Advanced (EDR with advanced threat hunting), Endpoint Enterprise (full XDR with managed detection and threat intelligence), and Workload (protection for virtualised and cloud workloads).

Pricing Tiers and What They Actually Delivered

Carbon Black Endpoint Standard was positioned as a next-generation antivirus replacement, typically priced at $45–55 per endpoint per year for enterprise contracts. Endpoint Advanced added streaming telemetry-based EDR, attack chain visualisation, and threat hunting capabilities at $70–80 per endpoint per year. Endpoint Enterprise incorporated the full XDR stack — correlating across endpoint, network, identity, and cloud telemetry — at $90–110 per endpoint per year for large enterprise agreements.

Carbon Black Workload — protecting VMware vSphere and AWS workloads — was priced separately on a per-workload or per-VM basis, typically $20–35 per protected workload per month. The relationship between Carbon Black Workload and VCF licensing was an area of active commercial confusion post-acquisition, with some enterprises receiving conflicting guidance about whether Carbon Black Workload entitlements were included in VCF enterprise agreements or required separate procurement.

The Broadcom enterprise agreements strategic sourcing guide covers the intersection of Carbon Black and VCF entitlements in detail — an important reference for any enterprise that purchased both products.

Symantec CBX: What the Unified Platform Means for Licensing

Broadcom's announcement of Symantec CBX in March 2026 describes a cloud-delivered XDR platform combining Symantec's prevention, Adaptive Protection, Data Security, Cloud Secure Web Gateway, and Incident Prediction capabilities with Carbon Black's EDR technology. The go-to-market model is through the Catalyst Partner Program, with full general availability planned for later in 2026.

From a licensing perspective, CBX represents a structural change rather than a simple rebranding. The key implications for enterprise buyers are as follows. First, existing Carbon Black Cloud subscriptions do not automatically convert to CBX. Customers with active Carbon Black agreements can continue on existing terms until renewal. However, Broadcom's commercial team will increasingly position CBX as the strategic platform and Carbon Black Cloud as the legacy product, applying renewal-period pressure to migrate customers upward.

Second, CBX pricing is based on a consolidated per-user or per-endpoint model that bundles prevention and EDR capabilities that were previously separate purchasing decisions. For enterprises that deployed only Carbon Black EDR (without Symantec prevention) or only Symantec Endpoint Security (without Carbon Black EDR), the CBX bundle creates an upsell dynamic — Broadcom benefits commercially from every customer who consolidates onto CBX, and will use the unified narrative to justify pricing above the sum of the individual components.

Third, CBX is launching through the Catalyst Partner Program rather than direct. This means pricing will be influenced by the channel partner's margin structure and not simply reflect Broadcom's own commercial terms. Enterprise procurement teams should request direct pricing comparisons alongside any channel quotes to ensure partner margin is not obscuring the true Broadcom commercial baseline.

Competitive Benchmarks: Carbon Black vs CrowdStrike vs SentinelOne

The enterprise endpoint security market remains intensely competitive in 2026, which is the primary leverage point for any Carbon Black or CBX renewal negotiation. Understanding the competitive landscape and what peer organisations are paying for equivalent capabilities is essential preparation for any procurement conversation with Broadcom's commercial team.

CrowdStrike Falcon Pricing

CrowdStrike positions Falcon as the premium endpoint protection platform, with 2026 commercial pricing reflecting that premium positioning. CrowdStrike's tiered packaging — Falcon Go, Pro, Enterprise, and Complete — starts at $299.95 per year for basic protection and scales to $924.95 per year for the full enterprise suite before volume discounts. Enterprise deals at 1,000+ seats typically achieve 25–35% discount from list, bringing effective per-endpoint pricing to $600–700 per year for the Enterprise tier.

CrowdStrike's market position and platform breadth — particularly the Falcon XDR, Identity Protection, and Cloud Security additions — mean that enterprises with mature security operations prefer CrowdStrike on capability grounds. However, the price premium over Carbon Black or Microsoft Defender is significant, and procurement teams with multi-vendor leverage (Defender for Endpoint as a Microsoft E5 component, plus a best-of-breed EDR) consistently achieve better commercial terms from CrowdStrike than those negotiating solo.

SentinelOne Singularity

SentinelOne competes with CrowdStrike on capability while typically pricing 15–25% below Falcon at comparable tiers. SentinelOne's autonomous response capabilities — where the platform can take remediation actions without analyst intervention — differentiate it for organisations with lean security operations teams. Enterprise pricing for Singularity Complete typically ranges from $45–65 per endpoint per year after negotiation, making it price-competitive with Carbon Black Endpoint Enterprise.

The SentinelOne competitive angle in Carbon Black negotiations is particularly effective for organisations renewing Carbon Black Endpoint Standard or Advanced — where SentinelOne Complete offers meaningfully more capability at comparable or lower price. Presenting a credible SentinelOne pilot proposal in parallel with Broadcom renewal negotiations creates the competitive tension needed to move Broadcom off initial pricing positions.

Negotiation Strategy for Carbon Black Renewals

Enterprise procurement teams renewing Carbon Black contracts in 2026 face a specific commercial context: Broadcom is managing a platform transition from Carbon Black Cloud to CBX, which creates genuine uncertainty about product roadmap and support investment. That uncertainty is your negotiating leverage.

The four elements of an effective Carbon Black renewal strategy are: competitive benchmarking, contract term flexibility, migration rights, and support level negotiation.

Competitive benchmarking means obtaining credible pricing from CrowdStrike, SentinelOne, and Microsoft Defender for Endpoint for your specific endpoint count and capability requirements. These quotes must be genuine — not placeholder RFIs. Broadcom's commercial team can identify unsupported competitive pressure from genuine competitive evaluation, and only the latter produces meaningful commercial responses.

Contract term flexibility means avoiding long-term commitments (three years or more) while the CBX migration roadmap is unclear. One-year renewals preserve your ability to reassess once CBX is generally available and its commercial terms are established. Broadcom will push for multi-year commitments to lock in revenue ahead of the CBX transition — resist this where the migration path is undefined. The Broadcom VMware negotiation playbook includes contract term flexibility guidance applicable across Broadcom's product portfolio.

Migration rights means negotiating explicit contractual rights to migrate from Carbon Black Cloud to CBX at no additional charge (pro-rated credits for remaining Carbon Black term) when CBX becomes generally available. Without this language, migration from Carbon Black to CBX will be treated as a new commercial transaction, effectively requiring enterprises to pay twice for the transition.

Support level negotiation means scrutinising Broadcom's post-acquisition support model for Carbon Black, which has undergone the same 3–5x cost increase pattern seen across other Broadcom-acquired products. Enterprise support contracts should be separated from licence fees and negotiated on their own merit. The Broadcom compliance audit guide explains why support contract clarity is also relevant to your compliance position — support status affects your audit rights and dispute resolution options. The VCF licensing guide covers Broadcom's broader support model changes in detail.

Our Broadcom security licensing advisory team regularly advises enterprises on Carbon Black and CBX procurement. The CBX launch creates a multi-year negotiation window during which enterprise buyers have more commercial leverage than at any point since the original VMware–Carbon Black acquisition. Use it. For broader Broadcom commercial strategy, the full negotiation playbook remains the essential reference.

Author

Morten Andersen is Co-Founder of Redress Compliance with 20+ years of enterprise software licensing expertise and 500+ negotiation engagements. Morten advises enterprise security, procurement, and IT leadership on endpoint security contract strategy across Broadcom, CrowdStrike, Microsoft, and SentinelOne. Connect on LinkedIn.