Broadcom has restructured VMware's compliance programme since the 2023 acquisition. Audit volumes are rising, exposure calculations have changed, and the stakes are higher than ever. Here is the complete defense playbook for 2026.
When Broadcom completed its $69 billion acquisition of VMware in November 2023, it inherited a large but underperforming compliance function. Within twelve months, Broadcom restructured the compliance team, centralised audit authority, and began a systematic programme of licence reviews targeting medium and large enterprise accounts.
The key changes from the VMware era include a move to core-based licensing for vSphere (replacing the processor-based model), mandatory subscription transitions that create new compliance gaps, and significantly tighter contractual definitions of what constitutes "use." Customers who have not updated their licence position since the acquisition are at particular risk. Understanding the new audit landscape is the first step in any software audit defense strategy.
Customers transitioning from perpetual VMware licences to VCF/VVF subscriptions have a window during which both old and new entitlements overlap. Broadcom auditors have targeted this transition period as a source of "double use" claims — asserting that customers deployed more workloads than their subscription tier covers. Documenting the transition timeline in detail is critical.
Broadcom does not audit randomly. There are specific commercial and technical signals that significantly elevate audit risk. Understanding these triggers helps you assess your current exposure and prioritise remediation before a formal notice arrives.
| Trigger Category | Specific Signal | Risk Level |
|---|---|---|
| Commercial | Renewal negotiation that reduces contract value significantly | HIGH |
| Commercial | Exploring VMware alternatives (Nutanix, Proxmox, Hyper-V) | HIGH |
| Commercial | Missing or late subscription renewal payments | HIGH |
| Technical | vCenter reporting more active hosts than licensed | HIGH |
| Technical | Rapid vSphere environment growth without corresponding licence purchase | MEDIUM |
| Technical | Use of advanced features (NSX, vSAN, Aria) without documented entitlement | MEDIUM |
| Organisational | M&A activity where VMware licences were not reviewed at close | MEDIUM |
| Organisational | Periodic compliance review cycle (typically 3–5 years for larger accounts) | MEDIUM |
| Contractual | Broadcom-initiated licence true-up clause triggered in contract | MEDIUM |
| Referral | Former employee report or partner referral | HIGH |
VMware audits under Broadcom follow a structured process. Knowing each phase in advance allows you to respond strategically rather than reactively. Many enterprises make costly mistakes in the early phases — particularly by providing data prematurely or making verbal admissions during initial calls.
1. Broadcom issues a formal audit letter citing the relevant audit rights clause in your EULA or subscription agreement. The letter requests consent to proceed and lists the preliminary scope. Do not respond without legal review.
2. Broadcom's compliance team requests deployment reports from vCenter, vROps, or a self-assessment questionnaire. This phase carries the highest risk of over-disclosure. All responses should be reviewed by counsel before submission.
3. Broadcom presents an initial exposure calculation — typically based on current list pricing with no discount applied. This figure is a negotiating anchor, not a final liability. Challenge the methodology, pricing basis, and period covered.
4. Most audits settle before proceeding to formal dispute resolution. Broadcom's primary interest is converting exposure into forward subscription revenue. Settlement packages typically include a discounted true-up, multi-year commitment, and audit release.
The single most important thing you can do upon receiving an audit notification — before submitting any data — is to prepare an accurate internal licence position. This is your own assessment of entitlements versus deployments, conducted under legal privilege. It forms the basis of your defense and your settlement position. A detailed guide to how to prepare a licence position before an audit is essential reading.
For VMware specifically, your licence position needs to address:
A common mistake is proactively disclosing potential compliance gaps to Broadcom before they have been identified by the auditor. Never volunteer information beyond what is contractually required. Your legal counsel should review all communications — including preliminary calls — before you engage.
Broadcom's initial claim is almost always inflated. The exposure calculation it presents in Phase 3 typically uses current list pricing without discount, assumes the maximum possible deployment scope based on your data submission, and applies the longest possible look-back period. There are multiple grounds to challenge this calculation:
The vast majority of VMware audits under Broadcom resolve through a negotiated settlement — not litigation. Broadcom's commercial goal is to accelerate subscription revenue, not to maximise a single settlement payment. Understanding this incentive gives you negotiating leverage.
Broadcom values multi-year committed subscription revenue. A settlement that includes a three-year VCF or VVF subscription commitment will be received more favourably than a cash payment for historical exposure, and will typically result in a lower effective total cost.
Any settlement must include a comprehensive release of all claims for the audit period. Broadcom's initial offer may include a partial release or carve-outs for specific products. Push back for a full, unconditional release covering all VMware products in the audited environment.
If you are evaluating VMware alternatives, make this known during settlement negotiations. The credible threat of migration — demonstrated by a concrete evaluation timeline or a signed PoC with a competitor — puts Broadcom in a position where accepting a discounted settlement is commercially preferable to losing the account entirely.
As part of the settlement, negotiate for locked pricing on the subscription commitment and capped annual escalations (ideally CPI-linked, maximum 3–5%). Broadcom has significant pricing power post-acquisition; locking in rates at settlement is worth material concessions on the historical true-up amount.
If agreeing to a multi-year subscription as part of the settlement, negotiate portability of workloads to a third-party cloud and a termination-for-convenience right with no more than 90 days' notice and no penalty beyond the remaining committed term.
Enterprise clients that engage independent VMware negotiation advisors consistently achieve better outcomes than those that negotiate directly. An advisor brings benchmarking data, established relationships with Broadcom's commercial leadership, and negotiation experience that most internal procurement teams lack for this specific scenario.
Broadcom's initial settlement proposal is a negotiating position. In our analysis of concluded audits, the initial claim is typically reduced by 40–60% through structured negotiation. Do not accept any offer without independent validation of the underlying exposure calculation.
Verbal agreements during audit discussions carry no weight. All terms — including the historical release, the forward commitment scope, pricing, escalation caps, and exit rights — must be documented in a formal settlement agreement before any payment is made or subscription is activated.
The best defense against a VMware audit is a proactive compliance programme that keeps your licence position current and well-documented. Reactive audit defense is expensive and stressful; proactive management is not. Key steps include conducting an annual internal licence review, maintaining vCenter deployment reports as evidence of entitlement coverage, documenting all subscription transition activities with timestamps, and ensuring all M&A events trigger an immediate licence review. Aligning this discipline with your broader software audit defense strategy reduces the risk of a formal audit and strengthens your position if one occurs.
If you are approaching a VMware renewal or subscription conversion in addition to managing an audit, see our guide to negotiating with Broadcom after the VMware acquisition for tactics specific to commercial negotiations outside the audit context.
Not all audits require external advisors. A straightforward audit involving a well-documented environment and a modest exposure figure can often be resolved by an informed internal team. However, you should strongly consider engaging an independent VMware negotiation consultant if any of the following apply:
In cases with significant exposure, an experienced advisor typically achieves savings that are multiples of their fee. The top-ranked firms in our evaluation have specific VMware audit experience and can often leverage existing Broadcom relationships to accelerate settlement on favourable terms.