What Broadcom Did to NSX

Broadcom eliminated NSX as a standalone product in December 2023, forcing over 5,000 existing NSX customers into bundled VCF subscriptions. NSX-T Data Center (now simply branded NSX) had been deployed by thousands of enterprises for east-west firewall micro-segmentation, network virtualisation, software-defined perimeter capabilities, and cloud networking automation. Many deployments represented multi-year investment programmes with significant operational expertise built around NSX's architecture.

Under the pre-acquisition VMware, NSX was available in multiple standalone tiers: NSX Data Center Standard, NSX Data Center Professional, NSX Data Center Advanced, and NSX Data Center Enterprise Plus, each with progressively more capability and price. Customers could purchase exactly the NSX tier they needed, licensed per vCPU or per VM depending on the product and deployment model.

Broadcom ended this model in December 2023. NSX is no longer sold as a standalone product in any tier. It is now bundled exclusively within VMware Cloud Foundation (VCF). To access NSX — for any capability, in any configuration — an enterprise must subscribe to VCF. This is the most commercially impactful single change Broadcom has made to any individual VMware product.

The impact is immediate and significant for two distinct customer profiles. First, enterprises that deployed NSX Advanced or Enterprise Plus as standalone products, paying for NSX separately from their vSphere licences, now find their NSX entitlement has been absorbed into a VCF bundle that also includes vSAN, Aria management, and other components they may not need. Second, enterprises that did not deploy NSX at all but ran vSphere Enterprise Plus now find that if they want to renew their vSphere environment, any renewal path that could ever require NSX in the future locks them into VCF pricing.

NSX in the VCF Subscription: What Changed Commercially

The commercial change from standalone NSX to VCF-bundled NSX has different financial consequences depending on what an enterprise was previously paying for their VMware environment.

For Former Standalone NSX Customers

Enterprises that deployed NSX Advanced or Enterprise Plus alongside vSphere Enterprise Plus were typically paying for both products separately. The combined cost of vSphere + NSX at equivalent deployment scale was significant — typically $200 to $600 per physical server per year depending on NSX tier and vSphere configuration. The VCF subscription bundles the equivalent capabilities at a per-core cost that, for large and dense environments with active NSX deployments, can be competitive with or cheaper than the previous standalone combination.

The key variable is how extensively NSX was deployed. Enterprises that used NSX across their full vSphere footprint, enabling distributed firewall on all workloads and fully utilising NSX's networking capabilities, are in the strongest position to justify VCF pricing. The bundle provides real value because they were already paying for NSX at scale. Enterprises that deployed NSX on a subset of their infrastructure — perhaps only for PCI-DSS workloads or specific security segments — are paying VCF pricing for NSX coverage of their entire core-licensed footprint, not just the portion where NSX was active.

For Enterprises That Never Deployed NSX

Enterprises that ran vSphere Enterprise Plus without NSX face the starkest commercial impact. They are now presented with a VCF subscription that includes NSX — a product they have never deployed, never trained their teams on, and have no current plan to use — as a mandatory component of their compute virtualisation subscription.

The practical consequence is that these organisations are paying the full-stack VCF price when their actual needs would previously have been served by vSphere Foundation or even a compute-only vSphere tier. For environments with 500 or more licensed cores, the annual cost difference between VCF (NSX included) and a hypothetical compute-only subscription could be $10,000 to $40,000 per year: in effect a direct tax for an NSX entitlement that provides no operational value.

These organisations have three choices: accept VCF pricing and begin evaluating whether NSX deployment could provide enough value to justify the cost (shifting from "paying for NSX we don't use" to "extracting value from NSX we're paying for"), negotiate to a VVF subscription that excludes NSX (which limits future NSX access), or begin evaluating migration to Nutanix or Azure VMware Solution to exit the Broadcom commercial relationship.

NSX Technical Capabilities: What You Get in VCF

For CIOs evaluating whether the NSX capabilities bundled in VCF are worth extracting, this section provides a clear-eyed assessment of what NSX offers and where it delivers material security and operational value.

Distributed Firewall and Micro-Segmentation

NSX's distributed firewall is its most widely cited security capability. It enables firewall policy enforcement at the vNIC level — each virtual machine's network traffic is filtered by policy before it enters the network fabric, regardless of what physical network the host connects to. This enables micro-segmentation: the ability to isolate individual workloads or workload groups from each other at a network level, containing lateral movement by attackers who have already gained access to the environment.

For organisations with PCI-DSS, HIPAA, or equivalent compliance requirements, NSX distributed firewall is a technically superior alternative to traditional network segmentation via VLANs and physical firewalls. It provides policy consistency regardless of VM placement, automated policy application during VM provisioning, and inspection at a granularity that physical perimeter firewalls cannot match for east-west traffic.

If your VCF subscription includes NSX and you are not yet using distributed firewall for compliance-relevant workloads, this is the highest-priority capability to evaluate for immediate deployment — you are already paying for it.

Network Virtualisation

NSX Overlay networking (GENEVE encapsulation) enables logical network topologies that are entirely independent of the underlying physical network. Logical switches, distributed routers, and edge gateways can be created, modified, and deleted through API calls without physical switch reconfiguration. This is the foundation of software-defined networking for VMware environments and enables multi-cloud networking consistency when combined with Azure VMware Solution or VMware Cloud on AWS.

For enterprises with significant cloud integration requirements, NSX network virtualisation provides a common networking model across on-premises and cloud VMware environments. This capability is most valuable for organisations pursuing hybrid cloud architectures that span on-premises vSphere and cloud-hosted VMware.

What NSX Does Not Provide

NSX is a network security tool, not a comprehensive endpoint or application security platform. It does not replace perimeter firewalls for north-south traffic control, it does not provide intrusion detection or prevention at the depth of dedicated IDPS platforms, and it does not address security for workloads outside the NSX-enabled vSphere environment. Organisations that have purchased VCF and are looking to NSX to address their entire security stack will need to supplement it with additional security tooling.

What Broadcom Did to Carbon Black

Carbon Black was one of VMware's most important acquisitions, bought in 2019 for $2.1 billion. Carbon Black Cloud provided a cloud-native endpoint detection and response (EDR) platform with agent-based threat detection, behavioural analysis, and automated response capabilities. VMware positioned Carbon Black as the security anchor for its intrinsic security strategy: the idea that security would be built into the infrastructure layer rather than bolted on from outside.

Broadcom's acquisition of VMware brought Carbon Black under the same organisational roof as Symantec's enterprise security business, which Broadcom had acquired in 2019. Broadcom announced the formation of a new Enterprise Security Group, merging Carbon Black's EDR capabilities with Symantec's endpoint protection, data loss prevention, network security, and identity management portfolio. Carbon Black's standalone commercial identity was dissolved — it is now marketed as part of Broadcom's consolidated security portfolio rather than as a distinct product brand.

What This Means for Carbon Black Customers

Enterprises that purchased Carbon Black as a standalone VMware product are experiencing the consequences of this consolidation in several ways. First, product roadmap visibility has decreased. Carbon Black's development roadmap is now subordinated to Broadcom's Enterprise Security Group strategy, which balances Carbon Black's evolution against the needs of Symantec's larger installed base. Customers who chose Carbon Black for its independent development velocity and cloud-native architecture may find its roadmap evolution slower and less transparent than under VMware's ownership.

Second, commercial terms have changed. Carbon Black is no longer sold as a standalone VMware product in the traditional sense. The sales motion has shifted to Broadcom's enterprise security sales team, which approaches Carbon Black customers in the context of Broadcom's broader security portfolio. Organisations that want to expand their Carbon Black deployment may find they are being steered toward broader Broadcom security bundles that include Symantec capabilities they did not plan to purchase.

Third, integration with vSphere has become more complex, not less. The original VMware rationale for acquiring Carbon Black was to build deep integration between the hypervisor and endpoint security — an "intrinsic security" architecture where ESXi could provide Carbon Black with visibility below the guest OS level. This integration was partially developed under VMware but has been de-prioritised under Broadcom, which has focused Carbon Black's integration on the Symantec platform rather than the vSphere stack.

"Carbon Black customers paid for a cloud-native EDR platform with the expectation of deep vSphere integration. What they got under Broadcom is a product whose roadmap is now driven by Symantec's enterprise security strategy, not VMware's infrastructure vision."

Carbon Black vs the Market: Where It Stands in 2025

The EDR and endpoint protection market has evolved significantly since Carbon Black's peak as an independent company. CrowdStrike Falcon, SentinelOne, and Microsoft Defender for Endpoint have all made material advances in detection capability, response automation, and platform integration. In independent evaluations such as MITRE ATT&CK assessments and SE Labs tests, Carbon Black Cloud has maintained a credible position but has not led the market in detection accuracy in recent years.

For CIOs evaluating whether to continue with Carbon Black under Broadcom's ownership, the relevant comparison is not between Carbon Black 2025 and what it was in 2020, but between Carbon Black 2025 and what CrowdStrike or SentinelOne offer today at comparable price points. Enterprise Carbon Black contracts typically run $25 to $40 per endpoint per year; CrowdStrike Falcon Enterprise pricing is comparable; SentinelOne Enterprise is in a similar range. The platform decision should be driven by detection capability, platform integration, and response automation quality, not by the historical VMware relationship.

Security Alternatives for Enterprises Exiting Broadcom

For enterprises that are migrating their infrastructure away from VMware — to Nutanix, Azure VMware Solution, or other platforms — the Carbon Black and NSX decisions become part of the broader platform exit strategy.

NSX alternatives for micro-segmentation: Enterprises migrating to Nutanix can leverage Nutanix Flow for micro-segmentation within Nutanix environments. Nutanix Flow provides distributed firewall capabilities comparable to NSX micro-segmentation for Nutanix-hosted workloads, without the need for a separate network security product subscription. For more advanced network security requirements, Palo Alto Networks Prisma and Zscaler Private Access provide zero-trust network access capabilities that operate independently of the underlying hypervisor.

NSX alternatives for network virtualisation: Enterprises migrating to public cloud or Azure VMware Solution benefit from the cloud provider's native networking capabilities. Azure Virtual Network provides overlay networking with policy-based routing, distributed firewall capabilities via NSGs (Network Security Groups) and Azure Firewall, and private connectivity options via ExpressRoute. For organisations that had deep NSX overlay network deployments, migrating network topology to Azure Virtual Network requires architectural planning but typically results in a simpler, more cost-effective networking model at cloud scale.

Carbon Black alternatives for EDR: CrowdStrike Falcon is the most common Carbon Black replacement in our advisory client base. It provides consistently high independent evaluation scores, broad platform integration, and strong incident response capabilities. SentinelOne is a credible alternative with competitive pricing and a strong autonomous response capability. Microsoft Defender for Endpoint is increasingly capable and offers significant cost advantages for organisations that are already deeply invested in the Microsoft security stack through Microsoft 365 E5.

The NSX Extraction Problem

One of the most technically challenging aspects of the Broadcom NSX situation is what we call the "NSX extraction problem" — the difficulty of migrating away from NSX in environments where it has been deeply deployed for micro-segmentation and overlay networking.

NSX micro-segmentation policies are written as workload-centric rules that are attached to VM security groups. When these VMs are migrated off vSphere, the NSX policies do not automatically transfer to the target environment. Enterprises that have built sophisticated NSX micro-segmentation postures — potentially covering hundreds of application tiers across thousands of VMs — face a significant policy migration project as part of any vSphere to Nutanix or vSphere to cloud migration.

The practical approach to NSX extraction involves several steps: first, document the current NSX policy posture in a vendor-neutral format (network security policy documentation rather than NSX-specific rule exports); second, map the NSX security groups to the target environment's equivalent constructs (Nutanix Flow categories, Azure NSGs, or cloud security groups); third, implement equivalent policies in the target environment before migrating workloads; fourth, validate policy parity through penetration testing or automated compliance scanning before cutover.

For large NSX environments, this process can take three to six months per application domain. CIOs planning infrastructure migrations from VMware should include NSX policy migration in their project timeline and budget from the outset — it is consistently underestimated as a migration workstream.
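
The documentation, mapping and parity steps described above can be checked mechanically once both rule sets are reduced to workload-level flows. The following Python is an added example, not code from the original article or from any vendor; the rule and group structures are constructed, simplified inputs and not an actual NSX or Nutanix Flow export format. It assumes exact ports, first-match rule ordering and an implicit default deny.

```python
from itertools import product

# Constructed sample data. Field and group names are illustrative and are not
# the export schema of NSX, Nutanix Flow or any other product.
SRC_GROUPS = {"sg-web": {"web01", "web02"}, "sg-quarantine": {"web02"},
              "sg-app": {"app01"}, "sg-db": {"db01"}}
SRC_RULES = [  # ordered, first match wins, implicit default deny
    {"src": "sg-quarantine", "dst": "sg-app", "proto": "tcp", "port": 8443, "action": "DROP"},
    {"src": "sg-web", "dst": "sg-app", "proto": "tcp", "port": 8443, "action": "ALLOW"},
    {"src": "sg-app", "dst": "sg-db", "proto": "tcp", "port": 5432, "action": "ALLOW"},
]
DST_GROUPS = {"Tier:web": {"web01", "web02"}, "Tier:app": {"app01"}, "Tier:db": {"db01"}}
DST_RULES = [  # translation lost the quarantine exception and mistyped the DB port
    {"src": "Tier:web", "dst": "Tier:app", "proto": "tcp", "port": 8443, "action": "ALLOW"},
    {"src": "Tier:app", "dst": "Tier:db", "proto": "tcp", "port": 3306, "action": "ALLOW"},
]


def allowed_flows(rules, groups):
    """Expand ordered group rules into the set of allowed workload-level flows."""
    decided, allowed = set(), set()
    for rule in rules:
        for name in (rule["src"], rule["dst"]):
            if name not in groups:
                raise ValueError(f"rule references unmapped group: {name}")
        for src, dst in product(sorted(groups[rule["src"]]), sorted(groups[rule["dst"]])):
            flow = (src, dst, rule["proto"], rule["port"])
            if flow in decided:      # an earlier rule already matched this flow
                continue
            decided.add(flow)
            if rule["action"] == "ALLOW":
                allowed.add(flow)
    return allowed


def parity_report(src_rules, src_groups, dst_rules, dst_groups):
    """Compare effective allowed flows before and after migration."""
    before = allowed_flows(src_rules, src_groups)
    after = allowed_flows(dst_rules, dst_groups)
    return {"missing": sorted(before - after),  # would break the application
            "extra": sorted(after - before)}    # segmentation weaker than before


if __name__ == "__main__":
    report = parity_report(SRC_RULES, SRC_GROUPS, DST_RULES, DST_GROUPS)
    for kind, flows in report.items():
        for flow in flows:
            print(kind, flow)
```

Flows reported as `extra` are the ones to resolve before cutover, since they are paths the source policy blocked and the target would permit.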

Decision Framework: NSX and Carbon Black Under Broadcom

Every enterprise with NSX or Carbon Black deployments faces decisions that need to be made proactively, not at the moment of the next renewal. This framework provides a structured approach.

For NSX Customers

  • Assess actual NSX deployment scope: What percentage of your vSphere environment is actually using NSX distributed firewall? What networking capabilities are actively in use? This determines your VCF bundle value extraction ratio.
  • Evaluate VCF versus VVF: If your NSX deployment is limited and your networking requirements do not require overlay networking, VVF (which excludes NSX) may be the more appropriate subscription. Accept VCF only if you have a clear plan to actively use NSX capabilities across your licensed footprint.
  • Plan NSX policy documentation: Regardless of whether you intend to remain on NSX or migrate away from it, document your current NSX policies in a vendor-neutral format. This is both a business continuity exercise and a migration enabler.
  • Model migration economics: If your organisation is evaluating Nutanix or Azure VMware Solution, build the NSX migration workstream into your project model with a realistic timeline and budget. NSX migration is not trivially quick in complex environments.

For Carbon Black Customers

  • Evaluate market alternatives at renewal: Do not auto-renew Carbon Black based on historical VMware relationship. At each renewal, compare Carbon Black against CrowdStrike, SentinelOne, and Microsoft Defender for Endpoint on capability, integration with your current stack, and total cost of ownership.
  • Monitor Broadcom's Carbon Black roadmap: Track what Broadcom is investing in for Carbon Black versus Symantec Endpoint Security. If Carbon Black's roadmap is not keeping pace with the market, that is a signal to evaluate migration earlier rather than later.
  • Avoid Broadcom security bundle lock-in: If Broadcom's sales team presents Carbon Black as part of a broader Broadcom security bundle that includes Symantec capabilities you did not request, evaluate each component independently. Bundle expansion by a vendor in a weakened competitive position is a common tactic that can create new dependencies that are difficult to exit.
