Symantec Enterprise Under Broadcom: Security Licence Changes Explained

The Broadcom Symantec Acquisition: What Actually Changed

Broadcom acquired Symantec's enterprise security business in 2019 for $10.7 billion. For the first few years, enterprise customers experienced modest changes — product names shifted, support portals changed, and account teams were reorganised. The real disruption began in 2023 and accelerated sharply through 2024 and into 2025, as Broadcom applied the same playbook it used on CA Technologies and VMware: eliminate perpetual licensing, force subscription consolidation, and push customers into multi-year enterprise agreements.

The Symantec portfolio that enterprises rely on is broad: Symantec Endpoint Security (SES), Symantec Data Loss Prevention (DLP), Symantec Cloud Access Security Broker (CASB), Symantec Secure Web Gateway (SWG), Symantec Email Security, and the Symantec Integrated Cyber Defence Platform (ICD). Each of these previously offered a mix of perpetual and subscription licensing. By 2024, perpetual options had been eliminated for new purchases across the board.

The shift was not simply cosmetic. Broadcom restructured the entire commercial model: new bundling requirements mean that customers who previously purchased individual modules now face minimum-tier subscription packages that bundle capabilities they may not need. Pricing metrics changed from per-device or per-user to tiered subscription tiers that inflate costs at scale.

The Five Core Licence Changes Enterprises Are Facing

1. End of Perpetual Licences

As of 2024, Broadcom no longer sells new perpetual licences for any Symantec security product. Customers with existing perpetual licences retain the right to use those licences, but without an active support and maintenance contract, they receive no product updates, no new threat intelligence feeds, and no technical support. Broadcom has made renewal of perpetual maintenance intentionally difficult — quoting escalated prices to incentivise migration to subscriptions. The practical outcome is that enterprises clinging to perpetual licences are either paying premium maintenance rates or running unsupported products.

2. Mandatory Subscription Bundles

Symantec products are now sold in two primary tiers: Symantec Endpoint Security Enterprise and Symantec Endpoint Security Complete. The "Complete" tier adds EDR, SIEM integration, and advanced threat analytics that many endpoint security buyers do not need. Broadcom defaults to pitching the Complete tier, which drives higher per-unit costs. Customers who need only core endpoint protection find they must negotiate explicitly to be placed on the Enterprise tier — and even then, per-unit pricing often exceeds what they paid under perpetual plus maintenance.

For DLP customers, the packaging change is more severe. The previously modular DLP product — where enterprises could license Network DLP, Endpoint DLP, or Cloud DLP independently — is now consolidated into a single DLP suite. Customers who previously deployed only endpoint DLP are forced to pay for the full suite, including network and cloud components, even if those components are not deployed or needed.

3. Multi-Year Contract Requirements

Broadcom strongly pushes — and in practice often requires — three-year subscription terms. Annual renewals exist technically, but the discounting structure makes multi-year deals far more attractive on paper. The problem with three-year Symantec subscriptions is that they lock customers into a pricing baseline that is then subject to escalation at renewal. Enterprises that signed three-year deals in 2022 or 2023 are now discovering that their renewal quotes contain 30 to 50 percent uplift on the already-elevated subscription prices.

4. Telemetry and Compliance Visibility

Unlike the VMware acquisition — where compliance challenges centred on core count and deployment sprawl — Symantec's challenge is different. Broadcom has visibility into Symantec deployments through the Symantec Integrated Cyber Defence Manager (ICDm) telemetry platform. Enterprises running SES Cloud automatically report their deployment footprint back to Broadcom. Before your next renewal conversation starts, Broadcom already knows your deployment scale, the features you are using, and where you may be running products outside your licensed scope. This is analogous to the CSSM telemetry risk in the Cisco world, and buyers must conduct an internal consumption audit before entering any renewal discussion.

5. Price Escalation at Renewal

The most reported pain point is the magnitude of renewal increases. Community forums and enterprise procurement channels document increases of 200 to 400 percent for Symantec product renewals under Broadcom. A financial services firm using Symantec DLP reported Broadcom pushing them from a perpetual model with annual maintenance into a three-year DLP subscription covering all modules — at a total cost higher than their previous five-year spend. These are not exceptional cases; they reflect Broadcom's systematic approach to extracting value from its installed base.

Key Symantec Products and Their Licensing Changes

Symantec Endpoint Security (SES)

SES is now sold exclusively as a cloud-managed subscription. On-premises SEP (Symantec Endpoint Protection) can still be run for customers with existing perpetual licences, but the product is in maintenance mode — no new features, diminishing threat intelligence updates, and aggressive Broadcom pressure to migrate to SES Cloud. The migration itself is not free: SES Cloud pricing is typically significantly higher than the per-device costs enterprises were paying for on-premises SEP plus maintenance.

Broadcom offers two tiers — SES Enterprise and SES Complete — with the Complete tier including advanced analytics, extended detection and response (XDR) integration, and additional cloud workload protection capabilities. Enterprise buyers who do not need XDR should negotiate to stay on the Enterprise tier and push back on automatic upsell to Complete.

Symantec Data Loss Prevention (DLP)

DLP pricing under Broadcom has shifted from per-module perpetual licensing to a unified subscription covering all deployment scenarios: endpoint, network, and cloud. Enterprise customers with large user populations — 10,000 seats or more — typically had efficient per-module economics under the old model. Under the new Broadcom subscription model, the bundled DLP suite can represent a 3x to 5x increase in annual spend for mid-tier deployments. The key negotiation lever for DLP is establishing a per-user rate with a defined tier threshold, and securing price protection language for the first renewal cycle.

Symantec CASB and Secure Web Gateway

CASB and SWG (previously known as Blue Coat Proxy SG, which Symantec acquired before Broadcom took over) have been consolidated into the Symantec Secure Access Cloud and Web Security Service (WSS) offerings. These are now subscription-only, priced per user with bandwidth tiers for SWG. Enterprises that relied on the Blue Coat hardware-based proxy architecture face additional complexity: the hardware is EOL, and migration to the cloud-based WSS incurs both subscription cost increases and migration project costs.

How Broadcom Approaches Symantec Renewals

Understanding Broadcom's commercial playbook is essential before entering any renewal discussion. Broadcom's Symantec sales organisation operates differently from the legacy Symantec commercial team. Several patterns are consistent across renewal engagements we have observed:

• Late-stage urgency creation: Renewal quotes are frequently delivered with short response windows — sometimes 30 days or less — to prevent customers from running a proper competitive evaluation or seeking independent advice.
• Bundle upsell as the default: Initial quotes almost always include the higher-tier bundle and additional modules. Customers must actively negotiate down to their actual consumption requirements.
• Legacy discount elimination: Any discount from the original Symantec commercial relationship is treated as not binding. Broadcom resets to list price and works backwards from there — not from your historical rate.
• Cross-portfolio pressure: Customers who also run VMware VCF or CA mainframe products may be offered cross-portfolio ELA bundling. This can appear attractive but carries significant long-term cost implications. Our guidance on Broadcom enterprise agreement strategic sourcing covers the risks of cross-portfolio bundling in detail.
• Fiscal year leverage: Broadcom's fiscal year ends October 31. Renewals timed for September or October will encounter the most willing-to-deal sales representatives. Renewals in Q1 (November to January) offer less leverage.

Negotiation Strategies for Symantec Renewals

Build Your Consumption Baseline Before Broadcom Does

Before any commercial discussion, extract your actual Symantec deployment data from ICDm or your endpoint management platform. Understand exactly how many endpoints are running SES, which DLP modules are active, how many users pass through CASB or SWG, and whether any deployed licences are unused. Broadcom has this data — you need it too. Under-utilisation is a negotiation lever: if you are paying for 10,000 SES seats and only 7,500 are active, that 25 percent gap is the starting point for a right-sizing negotiation.

Run a Competitive Evaluation

The single most effective lever in a Symantec renewal is a credible competitive evaluation. CrowdStrike Falcon, Microsoft Defender for Endpoint (included in M365 E5 for customers already in the Microsoft ecosystem), and SentinelOne have each captured significant market share from Symantec since the Broadcom acquisition. You do not need to migrate — you need Broadcom to believe you might. A documented competitive quote from an alternative vendor will typically shift the Broadcom commercial discussion materially.

Negotiate the Right Contract Terms

Price is important, but contract terms often matter more over a three-year subscription term. Key terms to negotiate include: price protection for years two and three of a multi-year deal (cap annual increases at CPI or a fixed percentage), right to reduce licence counts at each anniversary (not just at renewal), migration credits if you exit to another product, and data export rights with no lock-in on your DLP policy configurations and incident archives. Our broader guidance on Broadcom VMware negotiation playbook principles applies equally to Symantec commercial terms.

Consider the Broadcom Portfolio ELA — Carefully

If you also run VMware VCF or CA mainframe products, Broadcom will likely propose a Portfolio License Agreement (PLA) that bundles Symantec alongside those products. A PLA can offer genuine savings — typically 15 to 25 percent off combined list pricing — but the traps are significant. PLAs eliminate your ability to negotiate individual product renewals independently, bundle products you may not use at full subscription rates, and reset your renewal leverage to a single enterprise-wide event. Only consider a Broadcom PLA if you have thoroughly modelled the TCO across all three product lines over the full PLA term. See our analysis of the Broadcom software portfolio covering CA, Symantec, and mainframe for a full assessment of where PLAs make sense.

Alternatives Worth Evaluating

Broadcom's commercial strategy has accelerated customer evaluation of alternatives across the Symantec product portfolio. The decision to stay or migrate is never purely commercial — migration costs, integration complexity, and staff retraining are real factors — but the competitive market has never been better for Symantec alternatives:

• Endpoint Security: CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne, Trellix (formerly McAfee Enterprise). For organisations in the Microsoft ecosystem, Defender for Endpoint included in E5 often makes economic migration to Symantec alternatives compelling.
• DLP: Microsoft Purview (for Microsoft-centric organisations), Forcepoint DLP, Proofpoint Enterprise DLP. The DLP market has matured significantly, and alternatives now match or exceed Symantec DLP's capabilities in most enterprise deployment scenarios.
• CASB/SWG: Netskope, Zscaler Internet Access (ZIA), Palo Alto Prisma Access. These cloud-native SASE platforms have won significant business from Symantec SWG and CASB customers post-acquisition.

For enterprise customers considering alternatives, our VMware alternatives comparison guide provides a methodological framework for structuring a vendor evaluation that can be applied to Symantec alternatives equally. And for organisations facing audit risk during a product transition, our guidance on audit risks under Broadcom licensing is essential reading before any migration plan is finalised.

What to Do Before Your Next Symantec Renewal

The Broadcom Symantec renewal process rewards preparation and penalises passivity. Enterprises that enter renewal discussions without benchmarking data, a competitive alternative on the table, and experienced negotiators consistently pay more than necessary. The starting checklist before any Symantec renewal engagement:

1. Audit your actual Symantec deployment footprint — endpoints, users, modules active vs licensed.
2. Pull ICDm telemetry data to understand exactly what Broadcom already knows about your deployment.
3. Obtain competitive quotes from at least two alternative vendors in each product category you deploy.
4. Identify your fiscal year alignment with Broadcom's October 31 close — time renewal discussions accordingly.
5. Engage independent Broadcom advisory support before responding to any Broadcom commercial proposal.
6. Review whether a Broadcom PLA is appropriate given your broader Broadcom footprint — do not accept a PLA under time pressure.

About the Author

Morten Andersen is Co-Founder of Redress Compliance, with 20+ years of enterprise software licensing experience across 500+ client engagements. Morten specialises in Broadcom commercial negotiations across the VMware, Symantec, and CA Technologies portfolios. Recognised by Gartner as a leading independent adviser in enterprise software procurement. Connect on LinkedIn.