ArcSight EPS: burst versus sustained measurement
When an OpenText audit lands on ArcSight, the single number that decides the size of the finding is events per second. The dispute is almost never whether you generate events. It is whether the vendor is allowed to price you on the highest second you ever recorded. Burst versus sustained measurement is where an ArcSight EPS finding either holds or collapses.
ArcSight Enterprise Security Manager and ArcSight Logger are licensed against ingestion rate. The license entitles a defined number of events per second, and the audit compares that entitlement to observed throughput. The trap is that observed throughput is not a single value. A security platform that ingests forty thousand events per second on an average business day will spike far higher during a vulnerability scan, a backup window, a denial of service event, or a misconfigured log source that loops. If the vendor measures the peak and prices the gap to entitlement at list, the finding inflates against a number you never sustained and never designed for.
What burst EPS and sustained EPS actually mean
Sustained EPS is the rate your platform processes over a meaningful window, the rate your architecture was sized for and the rate that reflects real operational load. Burst EPS is a momentary spike, often lasting seconds, that the system absorbs through buffering and then clears. Every mature SIEM is engineered to tolerate bursts well above its steady state. That tolerance is a design feature, not a license consumption event.
The licensing question is which of the two the agreement actually meters. In many ArcSight engagements the entitlement language references a sustained or average rate, or is silent on the distinction, while the audit report quietly presents a peak. A peak figure pulled from a one-second high-water mark is not the same measurement the contract describes, and the difference between the two can be the difference between full compliance and a multi-million-dollar gap.
A platform sized for 40,000 sustained EPS may record a 90,000 EPS one second spike during a nightly scan. Pricing the 50,000 EPS gap at list, then adding back maintenance and audit cost, produces a finding built entirely on a transient the system was designed to absorb.
Why the vendor measurement defaults to the peak
OpenText runs a global software compliance team with executive sponsorship, and the measurement scripts that compliance managers deploy are built to capture the most conservative reading for the vendor. Peak capture is conservative for them and expensive for you. The script samples at a fine interval, records the maximum, and reports it as the consumption figure. Unless someone challenges the methodology, the highest second of the measurement period becomes the basis of the claim. This is precisely why we insist on reconstructing the effective license position before any vendor measurement script runs, so the comparison is made on terms the contract supports rather than terms the script prefers.
How we separate burst from sustained in a rebuttal
Defending an ArcSight EPS finding on the burst versus sustained line follows the four operations of our method. We respond first, taking over the channel so no raw telemetry reaches the vendor unmanaged during the seven-day notice window. We then reconstruct the throughput profile independently using the platform's own ingestion statistics, the connector throughput counters, and the event broker metrics. From there we rebut.
- Establish the contractual unit. We read the entitlement to determine whether the metric is sustained, average, or peak, and whether a burst allowance is defined or implied.
- Profile the real load. We build a distribution of EPS over the measurement window, not a single maximum, and isolate the bursts by cause: scans, backups, log loops, and one time incidents.
- Disqualify the transients. A spike caused by a misconfigured source feeding duplicate events is not sustained business load, and a one second high water mark is not a capacity the platform was licensed to run continuously.
- Reprice to the defensible figure. Once the sustained rate is established, the gap to entitlement shrinks or disappears, and the finding is repriced against a number the contract actually supports.
A representative outcome
Our anonymised banking engagement, case file E-03, began as a $6.0M ArcSight finding built on EPS and connector counts. A significant share of the EPS overclaim came from peak readings that did not reflect sustained operation. After we split burst from sustained and documented the real throughput profile, the matter settled at $1.8M, a 70 percent reduction. The number fell because the measurement basis was corrected, not because anyone negotiated a discount on a number that was never owed.
What to do when the EPS number looks too high
If an audit report shows an EPS figure that does not match how your platform was sized, treat it as a peak until proven otherwise and do not concede the measurement. Preserve your ingestion statistics, do not run the vendor script unsupervised, and route every request through a single controlled channel. The throughput evidence that wins this argument lives in your own systems, and it is strongest when it is gathered deliberately rather than handed over reactively.
Why burst tolerance is built into ArcSight by design
Every serious event ingestion platform is engineered with headroom. Connectors buffer, queues absorb, and the manager drains the backlog once a spike passes. ArcSight is no exception. The reason the architecture tolerates a burst far above its steady state is that real security telemetry is bursty by nature: a scheduled vulnerability scan, a patch deployment, a sudden attack, or a single chatty source can all push the rate up for a short period. A platform that could only ever run at its average rate would drop events the moment anything interesting happened, which would defeat the purpose of a security monitoring system. So burst capacity is not spare licensing you quietly consumed. It is the safety margin the product was sold with.
This matters to the licensing argument because it reframes what a peak represents. A peak is evidence that the platform did its job under load, not evidence that you operated at a higher licensed tier. When the vendor prices a peak as sustained consumption, it is charging for resilience the buyer already paid for in the original sizing. We make that point explicitly in a rebuttal, because it moves the discussion from a raw number to what the number actually describes.
The questions that decide a burst versus sustained dispute
When we open an ArcSight EPS engagement, four questions usually settle the matter, and they are worth asking the moment a finding arrives.
- What is the contractual unit? Does the entitlement reference a sustained rate, an average, or a peak, and is a burst allowance defined or implied anywhere in the agreement or the Additional License Authorizations?
- Over what window was the figure taken? A rate measured over one second is not the same as a rate measured over a representative operating period, and the window the script used is rarely stated in the report.
- What caused the spikes? Bursts traceable to scans, backups, or a misconfigured source feeding duplicate events are transients, not sustained business load, and each cause can be documented and removed from the operating profile.
- What was the real sustained rate? Once the transients are isolated, the rate the platform actually runs at emerges, and it is almost always comfortably closer to entitlement than the peak the report relied on.
Answering those four questions with the platform's own ingestion data is the substance of the rebuttal. The vendor opened with one number. We replace it with a defensible distribution and let the contract decide which point on that distribution may be priced.
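The profiling step from the four-operation method above and the four questions in the list above come down to the same computation: replace the single maximum with a distribution, strip the attributed transients, and reprice the gap. The following is an added example (not the page's own tooling, nor anything shipped with ArcSight or OpenText); the entitlement figure, the per-second export shape and the transient attribution are constructed assumptions.

```python
"""Burst-versus-sustained EPS profiling for an ArcSight licence rebuttal.
Added example. Input is a constructed list of per-second event counts, as you
would export from the manager's ingestion statistics (format is an assumption)."""
from math import ceil

ENTITLEMENT_EPS = 40_000  # licensed sustained rate (assumed contract figure)

# Constructed 120-second sample: ~38,000 EPS steady state with a small
# periodic ripple, plus a 5-second burst to 90,000 EPS during a scan.
PER_SECOND = [38_000 + (1_000 if s % 10 == 0 else 0) for s in range(120)]
for s in range(60, 65):
    PER_SECOND[s] = 90_000
# Seconds whose load has a documented transient cause (assumed attribution).
TRANSIENTS = {s: "scheduled vulnerability scan" for s in range(60, 65)}

def peak_eps(counts):
    """Vendor-style reading: the single highest second in the window."""
    return max(counts)

def percentile(counts, p):
    """Nearest-rank percentile: p99 still shows a 5-second burst, p95 does not."""
    ordered = sorted(counts)
    return ordered[max(0, ceil(p * len(ordered) / 100) - 1)]

def rolling_max_eps(counts, window):
    """Highest average over any contiguous `window` seconds: a sustained reading."""
    if len(counts) < window:
        return sum(counts) / len(counts)
    best = total = sum(counts[:window])
    for i in range(window, len(counts)):
        total += counts[i] - counts[i - window]
        best = max(best, total)
    return best / window

def disqualify_transients(counts, transients):
    """Drop seconds attributed to scans, backups or log loops from the profile."""
    return [c for s, c in enumerate(counts) if s not in transients]

def license_position(counts, transients, entitlement, window=60):
    """Gap to entitlement priced on the peak versus on the sustained rate."""
    sustained = rolling_max_eps(disqualify_transients(counts, transients), window)
    return {
        "peak_eps": peak_eps(counts),
        "p50_eps": percentile(counts, 50),
        "p95_eps": percentile(counts, 95),
        "p99_eps": percentile(counts, 99),
        "sustained_eps": sustained,
        "gap_at_peak": max(0, peak_eps(counts) - entitlement),
        "gap_at_sustained": max(0, sustained - entitlement),
    }

if __name__ == "__main__":
    for k, v in license_position(PER_SECOND, TRANSIENTS, ENTITLEMENT_EPS).items():
        print(f"{k:>17}: {v:,.0f}")
```

On this sample the peak prices a 50,000 EPS gap, while the 60-second sustained rate with the scan seconds removed sits below entitlement and the gap is zero; even with the burst left in, the rolling 60-second average is dragged above entitlement by five seconds of scan traffic, which is why the cause attribution matters.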
Have an ArcSight finding on the table?
An EPS finding priced on a peak is the most common and most reducible ArcSight overclaim we see. We reconstruct the effective license position before any vendor script runs, then challenge the finding line by line. To put a defense team between you and the vendor, open a case or download the ArcSight EPS defense briefing.
Related field notes
These notes from the ArcSight and Security audit defense cluster go deeper on the mechanics referenced above, and each links back to the complete OpenText audit defense playbook for 2026.
- What ArcSight EPS is and how it is measured
- Whether OpenText can measure peak EPS against your license
- Documenting sustained EPS for an ArcSight rebuttal
- How to scope ArcSight burst allowances
- How much an ArcSight EPS finding usually costs
If you have received an OpenText or Micro Focus audit notice, the first seven days shape every week that follows. OpenText Audit Defense is an independent, buyer side practice founded in 2020 by former vendor compliance leadership. We have defended more than 200 audits, cut the average finding by 68 percent, and mitigated more than $90M in claims against vendor positions. We do not resell OpenText software and we are not affiliated with OpenText Corporation. To open a case, use the contact form on this site.