Broadcom's acquisition changed Carbon Black's commercial positioning from an independent endpoint security product to a component of a broader Broadcom security portfolio. Understanding the new licensing structure, pricing model, and competitive alternatives is essential for organisations facing Carbon Black renewals in 2026 and beyond.
VMware Carbon Black was acquired by VMware in 2019 and subsequently passed to Broadcom as part of the larger VMware acquisition in 2023. Under VMware's ownership, Carbon Black was positioned as a cloud-native endpoint and workload security platform and was actively cross-sold to VMware's virtualisation customer base. Under Broadcom, the product has been repositioned within the Broadcom Security portfolio, which now includes Carbon Black Cloud, Symantec Endpoint Security (another Broadcom acquisition), and the Broadcom Enterprise Security Platform.
The commercial implications of this repositioning are significant for organisations renewing Carbon Black subscriptions. Broadcom has rationalised Carbon Black's go-to-market approach, reducing the direct sales and customer success resource available to Carbon Black customers compared to the VMware era. Support quality concerns have been documented by customers across the post-acquisition period. Broadcom has also introduced bundling pressure — incentivising Carbon Black renewals as part of a combined Broadcom security portfolio purchase that may include Symantec products the organisation was not previously using.
For organisations renewing Carbon Black subscriptions, understanding this context is essential: you are not renewing with the same commercial organisation you purchased from, and the leverage dynamics have changed. For broader VMware commercial context, see the Broadcom VMware Licensing Guide.
Carbon Black Cloud renewals often arrive with bundled Broadcom security portfolio proposals that include Symantec Endpoint Security components. Evaluate these bundles critically — the all-in pricing can look attractive but may include products you do not need, and the individual Carbon Black pricing within the bundle is typically opaque. Disaggregate the components before accepting any bundled proposal.
Carbon Black Cloud is structured around several distinct product offerings that address different security use cases. Understanding which tier you actually need — versus which tier Broadcom proposes — is the foundation of cost control:
| Product | Use Case | Key Features | Indicative Price per Endpoint/Year |
|---|---|---|---|
| CB Endpoint Standard | Next-gen AV replacement | NGAV, behavioural prevention, device control | £28–45 |
| CB Endpoint Advanced | AV + EDR | NGAV + endpoint detection & response, investigation | £48–72 |
| CB Endpoint Enterprise | Full EDR + threat hunting | Advanced + threat hunting, MITRE ATT&CK, container security | £70–110 |
| CB Workload Standard | Server/VM workload protection | NGAV for servers, agentless scanning | £35–55 per workload |
| CB Workload Advanced | Server workload EDR | Workload EDR, vulnerability assessment, agentless | £60–90 per workload |
| CB Container Security | Container/Kubernetes protection | Runtime protection, image scanning, policy enforcement | Variable (node-based) |
Indicative list pricing. Negotiated enterprise pricing typically 20–40% below list for volume commitments. Broadcom's initial renewal proposals are generally at or above list pricing.
One of the most frequent over-licensing scenarios in Carbon Black environments is applying Endpoint licences to server workloads or vice versa. The commercial and technical distinction matters:
Carbon Black Endpoint products are designed for user-facing endpoints — Windows workstations, laptops, macOS devices. The agent is designed for interactive user environments with low performance overhead requirements for the end-user experience. Endpoint licences are priced per device and typically include device control features relevant to desktop management.
Carbon Black Workload products are designed for server environments, including physical servers and virtual machines. The Workload offering includes agentless scanning capabilities that are particularly relevant for VMware vSphere environments — Carbon Black Workload can perform security scanning of VMs without an agent installed in the guest, using the VMware integration layer. This agentless capability is unique to the Workload product and represents one of the strongest technical differentiators for organisations with large VMware estates.
Organisations that have deployed Endpoint licences on server workloads (a common default) may be overpaying for features they do not use, or using a product that is not optimally configured for the server environment. Audit your Carbon Black deployment to ensure Endpoint and Workload products are correctly matched to device types — in some environments, this audit reveals opportunities for tier downgrades or product substitution that reduce annual spend by 15–25%.
Broadcom's post-acquisition commercial strategy involves cross-selling Carbon Black and Symantec Endpoint Security as a combined Broadcom Enterprise Security Platform. Customers renewing Carbon Black may receive proposals that include Symantec products — with an all-in bundle price that appears to offer significant value compared to purchasing Carbon Black alone at renewal pricing.
Before accepting a Broadcom security bundle, evaluate three questions carefully:
Do you actually need Symantec? If your organisation has already invested in Microsoft Defender for Endpoint (included in Microsoft 365 E5 or as an add-on), Microsoft Sentinel, or another SIEM/XDR platform, Symantec may be duplicative. Accept a bundle that includes security tools you have no pathway to deploy and you are paying for shelfware. See our analysis of Microsoft Security licensing for context on what M365 E5 already provides.
What is the implicit per-product price? Broadcom's bundle proposals frequently obscure the per-product economics. Request a line-item breakdown showing the individual list price for each component and the bundle discount applied to each. Calculate whether you would achieve better pricing by negotiating Carbon Black standalone and purchasing Symantec separately if actually needed.
What are the exit rights? Bundle agreements may have different renewal and cancellation terms than standalone product agreements. Ensure you understand what happens to your Carbon Black subscription if you need to exit the Symantec component, or vice versa. Avoid contractual structures that lock all security products into a single renewal event without individual product exit rights.
Several organisations have reported accepting Broadcom security bundles under the assumption that the bundle pricing represented a genuine discount relative to Carbon Black standalone renewal pricing — only to discover at subsequent renewal that Broadcom used the bundle as an opportunity to reset the per-endpoint price upward for Carbon Black, with the bundle discount applied to the higher base price. Always compare bundle pricing against your historical Carbon Black unit cost, not just the current standalone renewal proposal.
The competitive endpoint security market in 2026 is highly developed, and Carbon Black faces credible competition from multiple vendors on both price and capability. This competitive landscape is the primary source of negotiation leverage in Carbon Black renewals.
| Platform | EDR Capability | Indicative Price (endpoint/year) | Key Differentiator vs CB |
|---|---|---|---|
| Carbon Black Cloud Advanced | Strong | £48–72 | vSphere agentless workload protection |
| CrowdStrike Falcon | Best-in-class | £55–85 | Threat intelligence, largest dataset |
| Microsoft Defender for Endpoint | Strong | Included in M365 E5 | M365 integration, zero marginal cost for E5 customers |
| SentinelOne Singularity | Strong | £40–65 | AI-native, autonomous response, competitive pricing |
| Palo Alto Cortex XDR | Strong | £55–80 | SIEM/XDR integration, network context |
| Trend Vision One | Good | £30–50 | Lower cost, broad platform coverage |
Indicative list pricing. All vendors provide volume discounts for enterprise commitments. Microsoft Defender pricing assumes existing M365 E5 licensing.
The most significant competitive consideration for many organisations is the Microsoft Defender for Endpoint overlap. Organisations licenced for Microsoft 365 E5 already have enterprise-grade EDR included at no marginal cost. In many environments, a well-configured Microsoft Defender deployment provides equivalent or superior protection to Carbon Black Advanced for user endpoints — meaning Carbon Black is paying for capabilities already available in the existing Microsoft investment. Our Microsoft Security E5 analysis covers this in detail.
Facing a Carbon Black renewal under Broadcom?
For some organisations, the combination of Broadcom support quality concerns, pricing increases, and the availability of capable alternatives makes a Carbon Black replacement evaluation worthwhile. The decision framework centres on three questions:
Do you use Carbon Black's VMware integration? Carbon Black Workload's agentless scanning of VMware VMs is a genuine technical differentiator with no direct equivalent in non-VMware-integrated alternatives. If your workload protection strategy relies on this capability, replacing Carbon Black requires either accepting an agent-based alternative for server protection or migrating the underlying infrastructure to a platform that supports alternative agentless scanning. This dependency increases migration complexity and cost significantly.
Is Microsoft Defender for Endpoint a genuine alternative? For organisations with M365 E5, Defender for Endpoint represents a zero-marginal-cost alternative to Carbon Black for user endpoint protection. If a Defender pilot demonstrates equivalent detection and response capability for your threat model, the economic case for paying for Carbon Black on user endpoints is difficult to sustain. Server workloads may still require Carbon Black Workload or an alternative if the agentless vSphere integration is needed.
What is the migration cost and risk? Endpoint security replacements require coordinated agent deployment across the estate, tuning of detection policies to reduce false positives, SOC workflow updates, and typically a parallel-run period. Budget a minimum of 6 months and proportionate project resource for any endpoint security platform replacement at enterprise scale. The economics must show payback within a 2–3 year horizon to justify the migration investment over continuing to optimise the Carbon Black subscription cost.
Our advisors have navigated Broadcom security portfolio renewals across many enterprise environments. Get independent benchmarks and renewal strategy before engaging Broadcom.