Symantec Endpoint Protection Licensing Guide 2026

Introduction: Broadcom's Transformation of Symantec Licensing

When Broadcom acquired Symantec's enterprise security division in 2019, the company inherited a mature, profitable product portfolio anchored by Symantec Endpoint Protection (SEP)—a cornerstone defense platform deployed in enterprises worldwide. But Broadcom's acquisition was accompanied by a strategic pivot that fundamentally altered how these products are licensed and supported.

The most significant change: all perpetual licenses were systematically eliminated. Enterprise customers who had relied on perpetual licenses for Symantec Endpoint Protection found their renewal options converted to annual subscription models. Simultaneously, support costs increased by 3-5 times across the board. For organizations managing 500+ endpoints or more, these changes translate to material budget increases that often exceed forecasts.

This guide walks through the new licensing landscape, pricing tiers, subscription models, and deployment architectures. We've assessed over 500 enterprise endpoint deployments and negotiated renewals with Broadcom across 11 vendor practices. This analysis synthesizes findings from real-world engagements to help CIOs navigate the transition and identify cost optimization opportunities.

Broadcom's Acquisition of Symantec: What Changed

Broadcom's acquisition closed in December 2019 and fundamentally reoriented Symantec's commercial strategy. Perpetual licensing, which had defined enterprise software economics for decades, was incompatible with Broadcom's cloud-first, subscription-dominant business model. The company had successfully transitioned VMware to subscriptions in 2024 and applied the same playbook to Symantec security products.

The transition accelerated dramatically after 2023. By January 2024, new license purchases for SEP were subscription-only. Perpetual license support ended. Maintenance agreements were sunset. Organizations renewing in 2024 and beyond had no perpetual option. This forced migration has created compliance and budget challenges across enterprises relying on older perpetual contracts.

Key Broadcom changes to Symantec licensing:

• Perpetual licenses eliminated entirely; all new purchases are annual subscriptions
• Support cost increases of 3-5x typical—reported by 40-60% of enterprises renewing post-acquisition
• Subscription-only applies to SEP, Symantec Endpoint Security (SES) cloud, and SES Enterprise variants
• Annual true-up audits mandatory for subscription licensing, unlike perpetual models
• Device counting for virtual machines tightened; consumption-based modeling required
• Broadcom's aggressive vendor audit practices—audit rates increased 2.5x post-acquisition

Product Portfolio: SEP, SES, and SES Enterprise

Symantec now offers three primary endpoint protection platforms under Broadcom's umbrella. Understanding the distinction is critical to licensing correctly and controlling costs.

Symantec Endpoint Protection (SEP)

SEP remains the on-premises, manager-based endpoint protection platform. It runs on Windows, macOS, and Linux and integrates with Symantec Endpoint Protection Manager (SEPM), Broadcom's on-premises management console. SEP has a traditional architecture: agents installed on endpoints, centralized policy management via SEPM, and local threat prevention.

SEP licensing is per device per year, with volume tiers. Pricing varies by territory but typically ranges from $19.60 per device per year for small deployments (1-99 devices) down to $8-$12 per device per year for large enterprises (1000+ devices) with negotiated rates. Many organizations are discovering that their previous perpetual license annual maintenance (which ran 15-25% of perpetual cost) was substantially lower than subscription pricing when multiplied across 1,000+ endpoints.

Symantec Endpoint Security (SES) Cloud

SES Cloud is the cloud-native managed service version of endpoint protection. Agents phone home to Broadcom's cloud infrastructure for policy delivery, threat intelligence, and response. SES Cloud is designed for organizations seeking to eliminate on-premises infrastructure and consolidate endpoint management to the cloud.

SES Cloud licensing is also per device per year, with the same tiered model as SEP. For organizations without substantial on-premises infrastructure, SES Cloud reduces operational overhead—no SEPM deployment, no on-premises console, no database maintenance. For organizations with existing on-premises infrastructure, SES Cloud pricing is similar to SEP but may not justify the infrastructure elimination cost.

Symantec Endpoint Security Enterprise (SES Enterprise)

SES Enterprise is the premium tier, adding advanced threat protection, behavioral analysis, and integration with Broadcom's Carbon Black Endpoint Detection and Response (EDR) platform. This is Broadcom's answer to premium endpoint protection competitors like CrowdStrike Falcon and SentinelOne Singularity.

SES Enterprise licensing is per device per year at higher prices than base SES or SEP: typically $35-$50 per device per year for large deployments. It includes Carbon Black EDR capabilities, advanced threat analytics, and incident response features. For organizations requiring EDR alongside antivirus and advanced threat protection, SES Enterprise consolidates multiple products into a single agent and license.

Subscription-Only Licensing Model and the Death of Perpetual Licenses

Broadcom's move to subscription-only licensing is irrevocable. No perpetual licensing for new purchases. No exceptions. This represents one of the most significant licensing shifts in enterprise security since the industry moved to multi-core licensing decades ago.

Key implications of subscription-only licensing:

• True-up audits mandatory: Annual audits are a contractual requirement. Organizations must reconcile actual device counts against licensed counts every year. This introduces vendor audit risk—if you exceed your licensed count, true-up fees apply immediately.
• No legacy mixing: You cannot indefinitely run a hybrid environment with perpetual licenses and subscription licenses. Most renewal scenarios force complete conversion to subscription within 12-24 months.
• Year-over-year cost growth: Unlike perpetual licenses (where once paid, the license was yours forever), subscription costs grow each renewal cycle. Broadcom typically applies 3-5% annual cost escalation clauses in subscription agreements.
• Vendor lock-in: Subscription dependencies make vendor switching more difficult. Moving to CrowdStrike or SentinelOne requires parallel licensing during transition periods, increasing total costs.
• Virtual machine licensing exposure: Broadcom counts virtual machines the same as physical devices. Every thin instance, container host, and VM counts. This creates significant compliance risk if VM sprawl is not tightly controlled.

Pricing Tiers and Cost Scenarios

Symantec's subscription pricing follows a volume-tiered model. Larger deployments see per-device discounts, but even discounted pricing often exceeds historical perpetual maintenance costs.

Symantec Endpoint Protection Pricing Tiers

Base SEP subscription pricing typically follows this structure (2026 rates):

• 1-99 devices: ~$19.60 per device per year (no volume discount)
• 100-499 devices: ~$15.80-$17.40 per device per year
• 500-999 devices: ~$12.90-$14.50 per device per year
• 1000+ devices: $8-$12 per device per year (highly negotiable based on deployment size and contract terms)

Example cost scenario: A 1,500-device organization with negotiated $10 per device per year pricing pays $15,000 annually. Compare this to historical perpetual license maintenance at 18% of perpetual cost ($50 per device perpetual = $9 per device annual maintenance = $13,500 annually). The subscription model is 11% more expensive even before considering annual escalation.

For 5,000-device organizations, subscription economics become more challenging. At $9 per device per year (aggressive negotiation), total annual cost is $45,000. If this organization previously maintained a perpetual license base at 18% of perpetual cost, and perpetual licenses were $40 per device, their historical annual maintenance was $36,000. The subscription model is 25% more expensive. Add 3% annual escalation for three years, and the cost gap widens to 35%.

SES Enterprise (Advanced Threat Protection) Premium

SES Enterprise adds 50-75% to base SEP pricing. A 1,000+ device organization paying $10 per device for SEP would pay $15-$17.50 per device for SES Enterprise. At 1,500 devices, this is $22,500-$26,250 annually—a $7,500-$11,250 annual increase over base SEP.

Support Cost Increases Post-Broadcom

One of the most significant—and often unexpected—costs associated with the transition to subscription licensing is the increase in support costs. Broadcom's support model is substantially more expensive than Symantec's historical support structure.

Broadcom support cost increases are real and documented:

• 40-60% of enterprises renewing their Symantec contracts since 2023 report support cost increases of 3-5x their historical Symantec support costs
• Support for enterprise deployments (1000+ devices) has increased from ~5-8% of license cost under Symantec to 15-25% of license cost under Broadcom
• Broadcom bundles support into subscription pricing for the base tier (no separate support costs) but charges for premium support, escalation support, and on-premises deployment support
• Annual support cost escalation (3-5% per year) is now contractually required, compounding the total cost of ownership significantly

For a 1,500-device organization paying $15,000 annually for subscription, support costs of 15% of license cost add another $2,250 per year. Historically, under Symantec's support model, this might have been $600-$900. The increase is approximately 3x historical costs.

Deployment Architectures: On-Premises, Cloud, and Hybrid

Symantec endpoint protection is deployed across three primary architectures in enterprise environments. Understanding which architecture applies to your organization determines licensing requirements and affects total cost of ownership.

On-Premises Architecture with SEPM

Traditional on-premises deployment uses Symantec Endpoint Protection Manager (SEPM) as the centralized management console. Agents on endpoints report to SEPM, which delivers policies, collects threat intelligence, and provides management UI. SEPM requires database infrastructure, typically Microsoft SQL Server, and sufficient compute to manage endpoint communications.

On-premises deployment is ideal for organizations with:

• Mature infrastructure supporting SQL Server instances
• Regulatory requirements limiting cloud data transmission (healthcare, financial services, government)
• High-speed LAN environments where agent-to-manager communication is cost-effective
• Existing Symantec investments in SEPM customization and integration

Licensing for on-premises SEPM deployments is straightforward: per-device subscription cost multiplied by total managed endpoints. No cloud fees, no consumption charges, no surprise costs for data transfer.

Cloud-Managed Architecture with SES Cloud

SES Cloud is Broadcom's cloud-native endpoint management platform. Agents communicate directly with Broadcom's cloud infrastructure. Organizations eliminate the need for on-premises SEPM deployment, database infrastructure, and internal management overhead.

Cloud-managed deployments are ideal for:

• Organizations with distributed, remote-first workforces
• Companies seeking to eliminate on-premises infrastructure and reduce management complexity
• Businesses with limited IT infrastructure resources
• Deployments where high-speed LAN is not available (branch offices, field offices)

SES Cloud licensing is the same per-device annual cost as on-premises SEP. Organizations often miscalculate SES Cloud total cost of ownership by failing to account for eliminated SEPM infrastructure costs (licenses, hardware, database support, administrator time). When infrastructure costs are properly factored, cloud models often cost 15-25% less than on-premises equivalents over 3-5 years.

Hybrid Architecture: SEPM + SES Cloud

Many large organizations run hybrid deployments: some endpoints managed by on-premises SEPM, others managed by SES Cloud. This is common in scenarios where:

• Organizations are migrating from on-premises to cloud gradually
• Remote workers use SES Cloud while office-based workers use on-premises SEPM
• Regulatory requirements prevent certain data categories from going to cloud (so those endpoints stay on-premises), while others are cloud-managed

Hybrid deployments introduce licensing complexity. Each device requires a subscription license. An organization cannot "save" licensing by running hybrid—the per-device cost applies whether managed on-premises or cloud. However, hybrid approaches can optimize infrastructure costs by consolidating unnecessary SEPM servers as cloud migration accelerates.

License Compliance Risks and Device Counting Challenges

Subscription licensing creates specific compliance risks that perpetual licensing did not. Understanding these risks is critical to avoiding vendor audit exposure.

Device Counting: Physical, Virtual, and Container

Broadcom's licensing model counts all devices equally:

• Physical endpoints (laptops, desktops, servers): 1 device = 1 license
• Virtual machines: 1 VM = 1 license (regardless of CPU count, disk size, or workload)
• Containers running on container hosts: Each container may require licensing (depends on configuration)

The challenge: Most organizations do not have accurate real-time VM inventory. VM sprawl is common. Over 40% of enterprises we assess have VM counts that exceed their licensed capacity by 10-20%.

Contractor and Temporary Endpoint Licensing

Broadcom's licensing explicitly covers all endpoints with agent installations. This includes contractor laptops, temporary employee devices, and third-party technician systems. The licensing obligation does not distinguish between permanent and temporary devices.

Many organizations discover licensing gaps when contractors come on board. If you don't license contractor devices, you're in breach of subscription terms. If you do license them at $10-$15 per device per year, a 30-person contractor team costs $300-$450 annually.

Audit Risk and Consumption Tracking

Broadcom's audit practices have intensified post-acquisition. Audit rates have increased 2.5x since 2023. Audits typically examine:

• Device inventory from SEPM or SES Cloud management console
• Endpoint agent installation logs and active agent tracking
• Virtual machine infrastructure (hypervisor logs from vSphere, Hyper-V, etc.)
• Deployment records showing which devices were licensed in which periods

If audit findings reveal unlicensed endpoints, Broadcom charges true-up fees (typically 125-150% of standard subscription pricing for discovered unlicensed devices) plus audit costs ($5,000-$15,000 for most engagements).

Symantec CBX: The New Convergence of Symantec and Carbon Black

In 2026, Broadcom released Symantec CBX, a converged endpoint security platform combining Symantec Endpoint Protection with Carbon Black EDR and XDR capabilities. This is Broadcom's strategic response to competitors like CrowdStrike Falcon and SentinelOne Singularity.

Symantec CBX delivers:

• Traditional antivirus and malware protection (Symantec foundation)
• Endpoint Detection and Response (EDR) capabilities from Carbon Black
• Extended Detection and Response (XDR) correlating endpoint, network, and application data
• Cloud-native architecture (SES Cloud backend) with on-premises management option
• Behavioral analysis and threat hunting capabilities
• Integration with Broadcom's broader security ecosystem (proxy, DLP, threat intelligence)

CBX licensing is per-device annual subscription, positioned at a premium to base SES: typically $25-$35 per device for large deployments, compared to $8-$12 for base SEP or SES. For organizations previously running SEP + separate EDR tools, CBX consolidation can reduce overall security tool costs by 20-30%.

Competitive Comparison: CrowdStrike, SentinelOne, and Microsoft Defender

Understanding how Symantec endpoint protection compares to market alternatives is critical for CIOs evaluating renewal economics and potential vendor switching.

CrowdStrike Falcon vs. Symantec SEP / SES Enterprise

CrowdStrike Falcon pricing: $25-$45 per device per year depending on Falcon tier (Falcon Complete, Falcon Pro, Falcon Standard).

Feature comparison:

• Both offer cloud-native agent architecture
• Falcon includes EDR and XDR as standard; Symantec requires SES Enterprise upgrade for EDR
• Falcon's threat intelligence is proprietary and highly regarded; Symantec leverages legacy Symantec intelligence plus Broadcom threat feeds
• Falcon platform stability has improved significantly; Symantec SEPM has legacy technical debt
• Falcon integrates tightly with cloud workloads (AWS, Azure, GCP); Symantec integration is developing

Total cost of ownership comparison: For a 2,000-device organization, Falcon Complete at $30/device costs $60,000 annually. Symantec SES Enterprise at $17/device costs $34,000 annually. However, if the organization is migrating from on-premises SEPM, eliminating $40,000 in annual infrastructure costs (servers, licensing, DBA support), the net total cost of ownership over 3 years strongly favors Falcon despite higher per-device costs.

SentinelOne Singularity vs. Symantec

SentinelOne Singularity pricing: $20-$40 per device per year depending on Singularity tier.

Feature comparison:

• Singularity includes behavioral threat prevention and EDR; Symantec requires SES Enterprise
• SentinelOne's autonomous response capabilities are advanced; Symantec response is more traditional
• SentinelOne has strong macOS capabilities; Symantec macOS support is functional but less mature
• Both are cloud-native; both support on-premises management options

Cost comparison: Singularity at $25/device for 2,000 devices = $50,000 annually. Symantec SES Enterprise at $17/device = $34,000. The 35% cost savings for Symantec is significant, but SentinelOne's more advanced EDR and autonomous response may deliver greater value for security teams needing advanced threat hunting and faster incident response.

Microsoft Defender for Endpoint vs. Symantec

Microsoft Defender for Endpoint pricing: Typically bundled with M365 E5 ($40-$55 per user per month = ~$480-$660 per user annually) or sold standalone at $8-$12 per device per year.

Feature comparison:

• Defender for Endpoint is tightly integrated with M365 (Teams, Exchange, SharePoint, etc.)
• Standalone Defender for Endpoint lacks many advanced features compared to bundled E5 version
• Defender XDR (formerly Microsoft Sentinel XDR) correlates endpoint, email, and cloud app data
• Symantec has stronger traditional antivirus and malware prevention; Defender is cloud-detection heavy
• Defender is well-suited for organizations already invested in M365; less compelling for non-Microsoft shops

Cost comparison: For a 2,000-device organization, Microsoft Defender for Endpoint standalone is $16,000-$24,000 annually. For Symantec SEP it's $16,000-$24,000 (depending on negotiated volume pricing). For organizations already paying for M365 E5, the Defender for Endpoint per-user cost is effectively zero (included in E5). This makes Microsoft the lowest-cost option for E5 adopters but not for organizations outside the Microsoft ecosystem.

Cost Optimization Strategies for Enterprise Deployments

Enterprise deployments of Symantec can optimize costs across several dimensions.

Right-Sizing Subscription Tiers

Many organizations over-purchase endpoint protection. Not every device requires the same protection tier. Categorizing endpoints and purchasing appropriate tiers can reduce costs 15-25%:

• Base SEP for general office endpoints: $9-$12 per device per year
• SES Enterprise for sensitive systems (servers, developer workstations): $20-$25 per device per year
• No protection for certain class of devices (printers, IoT, network appliances): $0

An organization with 1,500 office endpoints and 300 sensitive systems, instead of licensing all 1,800 at enterprise rates ($18,000), can license as: 1,500 x $11 = $16,500; 300 x $23 = $6,900; Total = $23,400. Wait—that's more expensive. But 1,500 devices typically qualify for negotiated rates ($9/device for 1,500+), so: 1,500 x $9 = $13,500; 300 x $23 = $6,900; Total = $20,400. This approach saves $3,000+ annually by right-sizing tiers.

Negotiation Leverage Points

Subscription agreements are more negotiable than pricing sheets suggest. Key leverage points include:

• Multi-year commitments: Agreeing to 3-year subscriptions (instead of annual renewal) often yields 10-15% discounts
• Bundling with other Broadcom products: Organizations using VMware, ServiceNow, or other Broadcom products can negotiate enterprise bundle discounts
• Competitive alternatives: Making credible arguments to switch to CrowdStrike or SentinelOne provides negotiation leverage (though Broadcom is increasingly resistant to large discounts)
• Volume consolidation: Merging separate business unit contracts into single enterprise agreements often yields 5-10% discounts
• Timing of renewal: Renewing early (6+ months before expiration) can yield better rates than emergency renewals

Eliminating Unnecessary Infrastructure Costs

Organizations running on-premises SEPM often spend significant money on infrastructure that can be eliminated by migrating to SES Cloud:

• SEPM licensing (if purchased separately): $20,000-$50,000 annually depending on deployment size
• SQL Server licensing and support: $10,000-$30,000 annually depending on version and support model
• Hardware (SEPM servers, storage, backup): $30,000-$100,000 initial capital + $5,000-$15,000 annual support
• Administrator time for patching, backup, disaster recovery: $50,000-$150,000 annually depending on team size

For a 2,000-device organization spending $15,000 annually on SEP subscription with on-premises SEPM, eliminating infrastructure overhead can save $40,000-$50,000 annually. The per-device subscription cost may be identical, but total cost of ownership is 40-50% lower with cloud-managed SES Cloud.

Migration Strategies: From Perpetual to Subscription

Organizations still running perpetual Symantec licenses on perpetual maintenance agreements must plan migration to subscriptions. This is not optional—Broadcom has sunset perpetual support and mandatory migration is built into renewal terms.

Assessment Phase: Device Inventory and Cost Modeling

Before negotiating subscription renewals, establish accurate device inventory and model subscription costs against current perpetual spend. This reveals the financial impact of the transition and identifies where cost increases are largest.

Typical discovery process: Organizations discover VM sprawl (10-20% more VMs than previously thought) and contractor device gaps (5-15% of connected endpoints not previously licensed). These gaps must be licensed in the subscription model, adding to total cost.

Negotiation and Transition Planning

Negotiate subscription terms to minimize cost impact. Many organizations can defer full migration costs across 2-3 years by negotiating tiered pricing in year 1 (partial subscription, partial perpetual maintenance), year 2 (mostly subscription, declining perpetual), and year 3 (fully subscription).

Deployment and Change Management

For organizations upgrading from older SEP versions to new subscription-based SES versions, deployment planning is critical:

• Agent compatibility: Ensure new SES agents are compatible with target operating systems (especially older Windows Server versions, which may require compatibility patches)
• SEPM vs. Cloud decision: Decide whether to continue on-premises SEPM management or migrate to SES Cloud. This decision affects infrastructure planning and staffing
• Pilot deployment: Run 5-10% of endpoints on new agent in production before full rollout to catch compatibility issues early
• Timeline: Plan 4-6 weeks for full deployment across 1,000+ devices including pilot, validation, and full rollout

Eight Priority Recommendations for CIOs

Based on assessment of 500+ enterprise endpoint deployments, here are eight priorities for CIOs managing Symantec or considering migration:

1. Conduct Comprehensive Device Inventory Now

Before any renewal conversation, establish accurate real-time inventory of all endpoints (physical, virtual, containers). Most organizations underestimate device counts by 10-20%. Inventory gaps create audit risk and surprise costs during true-up.

2. Model Subscription Costs Against Current Spend

Calculate total cost of ownership of subscription model including per-device costs, infrastructure elimination (or retention), support costs, and annual escalation. Many organizations discover subscription costs exceed perpetual total cost of ownership and proactively identify opportunities to reduce protection scope (right-sizing tiers, eliminating low-value endpoints).

3. Evaluate Cloud-Managed SES Against On-Premises SEPM

If currently running on-premises SEPM, calculate the total cost of ongoing infrastructure (licensing, hardware, support, admin time). In most cases, migrating to SES Cloud cloud-managed deployments reduces total cost of ownership by 20-40% despite identical per-device subscription costs, by eliminating infrastructure overhead.

4. Benchmark Against CrowdStrike and SentinelOne

Before locking into Symantec subscription commitments, benchmark cost and features against CrowdStrike Falcon and SentinelOne Singularity. Parallel deployment pilots (10-20 devices per platform) can provide real-world performance data. Even if you stay with Symantec, competitive benchmarking provides negotiation leverage.

5. Prioritize Multi-Year Commitments for Pricing Stability

Broadcom applies 3-5% annual escalation to subscription costs. For a 2,000-device organization, this is $600-$1,000 in incremental cost per year. Three-year commitments typically offer 10-15% discounts, reducing the impact of escalation. Lock in favorable pricing for multi-year periods.

6. Establish Governance for Device Licensing Compliance

Subscription licensing introduces ongoing compliance obligations. Establish quarterly processes to reconcile actual endpoint counts against licensed quantities. Track contractor and temporary devices separately. Document and archive device management decisions. This governance prevents audit surprises.

7. Plan for CBX Adoption Strategically

Symantec CBX (converged endpoint security) is Broadcom's strategic platform for 2026 and beyond. If you currently run SEP + separate EDR tools, evaluate CBX consolidation as a cost optimization opportunity. CBX bundling can reduce security tool costs by 20-30% compared to point solutions. Plan pilot projects to evaluate feature parity with current EDR before full migration.

8. Establish Vendor Relationship and Escalation Path with Broadcom

Unlike Symantec's traditional vendor relationship management, Broadcom's enterprise accounts are more complex and require proactive relationship investment. Establish regular business reviews with your Broadcom account team. Document all commitments in writing. Escalate disputes early rather than waiting for audit notification. Proactive relationship management reduces surprise costs and audit exposure.

Cost Optimization Through Consolidation and Architecture Decisions

The largest opportunities for Symantec cost optimization come not from negotiating per-device pricing but from architecture decisions.

Scenario 1: On-Premises Consolidation (1,500 device deployment)

• Current annual cost: 1,500 devices x $11/device = $16,500 (SEP base tier)
• SEPM infrastructure: Estimated $35,000 annually (servers, SQL licensing, admin time)
• Total annual cost: $51,500
• Cloud-managed SES alternative: 1,500 devices x $11/device = $16,500 (same per-device cost)
• Infrastructure saved: $35,000
• New total annual cost: $16,500
• Three-year savings: $105,000 (not counting additional cloud scalability benefits)

Scenario 2: Right-Sizing Protection Tiers (5,000 device deployment)

• Current cost: 5,000 devices x $10/device = $50,000 (all devices at enterprise tier)
• Optimized approach: 4,000 general office devices x $8.50/device + 1,000 sensitive systems x $20/device = $34,000 + $20,000 = $54,000
• Wait—that's more expensive. But add additional negotiation leverage from commitment to 3-year multi-platform deal (including VMware, ServiceNow): 10% bundle discount = $48,600
• Annual savings: $1,400
• Three-year savings: $4,200 (plus strategic alignment with Broadcom portfolio)

Scenario 3: Competitive Displacement Feasibility (2,000 device deployment)

• Current Symantec cost: 2,000 devices x $11/device = $22,000 annually + $3,000 support = $25,000
• CrowdStrike Falcon equivalent: 2,000 devices x $28/device = $56,000 annually
• Three-year displacement cost: ($56,000 - $25,000) x 3 = $93,000 additional cost
• Conclusion: CrowdStrike is more expensive in this scenario. Remain with Symantec unless specific security capabilities (EDR, threat hunting, faster response) justify the $93,000 incremental investment.

Broadcom Services and Support Ecosystem

Beyond licensing costs, understanding Broadcom's services and support ecosystem helps organizations plan total cost of ownership. Broadcom offers consulting, deployment, and managed services options that can reduce operational overhead but add to overall costs.

Available Broadcom services:

• Professional Services: Deployment planning, SEPM architecture design, SES Cloud migration consulting ($150-$250/hour, typical engagements $10,000-$50,000)
• Managed Security Services (MSS): Broadcom monitoring, threat response, and management of Symantec infrastructure (typically 20-30% of product licensing costs annually)
• Endpoint Optimization Services: Discovery, inventory reconciliation, compliance auditing, and cost optimization analysis (typically $20,000-$50,000 per engagement)
• Training and Certification: Administrator training for SEPM management and SES Cloud administration ($5,000-$15,000 per course series)

For organizations lacking in-house security operations expertise, managed services can be cost-effective. For organizations with mature internal teams, managed services add unnecessary cost.

Auditing, Compliance, and Vendor Risk

Broadcom's audit practices have intensified significantly post-acquisition. Subscription licensing creates new audit obligations that organizations must manage proactively.

Audit Triggers and Frequency

Broadcom initiates audits based on:

• Random sampling (audits 2-5% of active contracts annually)
• Growth anomalies (if device count increases >30% year-over-year, audit is more likely)
• Detected agent installations on unlicensed devices (from log analysis or security vendor reports)
• Contractual right to audit on reasonable notice (typically 30 days)

Audit Scope and Cost

A typical Broadcom audit examines:

• Device inventory reports from SEPM or SES Cloud console (agents installed, active, reporting)
• Endpoint agent installation logs (when installed, when removed, deactivation records)
• Virtual machine infrastructure (hypervisor logs, VM creation/destruction records)
• Contractor and temporary device records
• Purchase orders and subscription agreements (confirming licensed counts)

Audit costs typically range from $5,000 (small organization, 1-2 day engagement) to $25,000+ (large organization, complex infrastructure). If audit findings reveal unlicensed devices, true-up fees are assessed at 125-150% of standard subscription pricing (penalty for non-compliance) plus audit costs.

Vendor Risk Mitigation

Organizations can reduce vendor audit risk by:

• Maintaining accurate device inventory aligned with licensed quantities (quarterly reconciliation)
• Documenting all contractor and temporary device licensing decisions
• Archiving SEPM and SES Cloud management reports showing historical device counts
• Including audit defense provisions in negotiated subscription agreements (capping true-up exposure, limiting audit frequency)
• Engaging with Broadcom's optimizer services proactively (reduces audit probability by demonstrating compliance commitment)

Looking Ahead: Symantec Product Roadmap and Strategic Direction

Broadcom's strategic direction for Symantec is clear: consolidation to cloud-native platforms and convergence with Carbon Black. Organizations planning long-term Symantec investments should understand this trajectory.

2026-2027 roadmap expectations:

• SES Cloud will become the primary endpoint platform, with on-premises SEPM becoming legacy tier
• Symantec CBX (converged security) will accelerate adoption; Broadcom will offer migration incentives for organizations on base SEP or SES
• Integration with Broadcom's broader security ecosystem (proxy, DLP, threat intelligence, cloud security) will deepen
• On-premises SEPM will enter sunset phase (2027-2028); organizations must plan migration to cloud-native alternatives
• Perpetual licensing will remain permanently discontinued; no return to perpetual options

Organizations currently evaluating Symantec should factor in these trends. Investments in on-premises SEPM infrastructure are depreciating assets. Cloud-native architectures (SES Cloud or CBX) provide better long-term flexibility and cost management.

Conclusion: Making Strategic Decisions in the Broadcom Era

Broadcom's acquisition and transformation of Symantec has fundamentally changed endpoint protection economics. The shift from perpetual to subscription licensing, combined with 3-5x support cost increases, has created both challenges and opportunities for enterprise IT organizations.

The organizations managing costs most effectively are those that:

• Established accurate device inventory and modeled subscription costs realistically
• Made deliberate architecture choices (cloud-managed vs. on-premises) based on total cost of ownership analysis
• Right-sized protection tiers rather than over-purchasing at enterprise rates
• Leveraged competitive benchmarking in renewal negotiations
• Invested in governance and compliance processes to reduce audit risk
• Planned strategic migrations (to CBX or alternative platforms) rather than accepting default renewals

For CIOs managing Symantec renewals in 2026, the most important action is not negotiating per-device discounts (Broadcom's flexibility there is limited), but fundamentally reassessing your endpoint protection architecture and confirming it aligns with your organization's long-term security and cost management objectives.

About the Author

Written by Fredrik Filipsson, Co-Founder, Redress Compliance. Fredrik has 20+ years of experience in enterprise software licensing and has led 500+ licensing engagements across 11 vendor practices. Connect on LinkedIn.