Can OpenText measure peak EPS against your license?
It is the question that decides most ArcSight findings: can OpenText measure your peak events per second and price the gap to entitlement as if you had sustained it. The honest answer is that the vendor will try, and whether it is allowed depends on what your agreement actually says about the metric.
OpenText has the contractual right to seven days notice before an audit and to copy relevant records, and the compliance team will use that access to measure throughput. What that right does not automatically grant is the freedom to define the metric however produces the largest number. Peak measurement is a methodology choice, and methodology choices are open to challenge when they do not match the contract.
What the agreement says about the metric
The starting point is always the entitlement language. ArcSight EPS entitlements are written in different ways across agreements. Some reference a sustained or average rate. Some specify a peak or maximum. Many are silent on the distinction and simply state an EPS figure. Where the language references sustained or average operation, a peak measurement is not the contractual unit, and pricing against it is a methodology the agreement does not support. Where the language is silent, the vendor will assert that peak is fair, and the buyer can assert with equal force that the operating rate is what the number was meant to describe.
If the entitlement says sustained EPS and the audit reports a one second peak, the report is measuring something the contract does not price. The gap between the two readings is the gap between the opening finding and the defensible one.
Why peak measurement is technically unsound
Even where the contract is silent, peak measurement misrepresents how a SIEM works. Every mature ArcSight deployment is engineered to absorb bursts far above its steady state through buffering, and that headroom is a design feature rather than a consumption event. A platform that processes a momentary spike and clears it has not consumed a higher licensed capacity, it has done exactly what it was built to do. Pricing the spike as sustained capacity charges the buyer for resilience the architecture provides for free.
How we contest a peak measurement
The defense proceeds through our four operations. We respond by taking over the channel during the seven day notice window so no telemetry reaches the vendor unmanaged. We reconstruct the throughput profile independently, building a distribution of EPS over the measurement window rather than accepting a single maximum. We then rebut on two fronts at once.
- The contractual front. We read the entitlement to establish whether the metric is sustained, average, or peak, and we hold the measurement to that unit.
- The technical front. We isolate the bursts by cause, separate transients from operating load, and document the sustained rate the platform actually runs at.
When both fronts land, the peak figure loses its standing as the basis of the finding, and the number is repriced against the sustained rate. This is exactly the move that reduced the EPS side of our banking engagement, case file E-03, where a combined EPS and connector finding of $6.0M settled at $1.8M after burst was separated from sustained.
What to do when a peak number appears
Do not concede a peak EPS figure as your consumption. Ask OpenText to identify the measurement basis and to point to the entitlement language that supports pricing it. Preserve your own ingestion statistics, decline to run the vendor script unsupervised, and route every exchange through a single controlled channel. The evidence that defeats a peak measurement is your own throughput data, and it is strongest when gathered deliberately. To bring in a defense team, open a case.
When the contract is silent on the metric
The hardest version of this dispute is the agreement that simply states an EPS figure without saying whether it is sustained or peak. Silence does not hand the vendor the peak by default. It opens an interpretation question, and interpretation questions are decided by what the number was reasonably understood to mean when the deal was struck. An EPS entitlement is, in commercial reality, a sizing figure: it reflects the scale of the deployment the buyer purchased capacity for, and deployments are sized to sustained load with headroom for bursts. Reading a silent entitlement to mean peak would imply the buyer agreed to be charged whenever the platform did what it was designed to do, which is not how either party understood the purchase. We make that argument directly, and we support it with the way the deployment was actually sized and operated.
Silence also cuts the other way on burden. If the vendor wants to price a peak, the vendor should be able to point to language that authorizes a peak measurement. Where it cannot, the measurement rests on an assertion rather than a contractual basis, and an assertion is exactly what a structured rebuttal is built to dismantle.
The two fronts working together
The reason we run the contractual and technical arguments in parallel is that each strengthens the other. The contractual front establishes that only a sustained rate may be priced. The technical front establishes what the sustained rate actually was. Neither alone fully resolves the finding: a contract argument without a documented sustained rate leaves the number undefined, and a technical profile without a contractual hook leaves the vendor free to price the peak anyway. Together they produce a complete answer: the contract limits the metric to sustained operation, and the evidence fixes the sustained figure. That is the position from which an inflated peak finding comes down to a defensible settlement.
Documenting the sustained rate before the vendor locks the peak
The practical lesson is that the sustained rate has to be captured, not asserted. The platform's own ingestion statistics, throughput counters, and event broker metrics record the real operating profile, and they are most persuasive when preserved early and read in context. If the only number in the room is the vendor peak, the buyer is arguing from a deficit. If the buyer can show a documented distribution of throughput across the measurement window, with the transient spikes traced to their causes, the conversation shifts to which point on that distribution the contract permits the vendor to price. That is a far stronger place to negotiate from, and it is available to any buyer who preserves the evidence during the first week rather than after the finding has hardened.
Have an ArcSight finding on the table?
Peak measurement is a position, not a settled rule. Whether it holds depends on your contract and your throughput evidence. We reconstruct the effective license position before any vendor script runs, then challenge the finding line by line. To put a defense team between you and the vendor, open a case or download the ArcSight EPS defense briefing.
Get The Number Down →Related field notes
These notes from the ArcSight and Security audit defense cluster go deeper on the mechanics referenced above, and each links back to the complete OpenText audit defense playbook for 2026.
- ArcSight EPS burst versus sustained measurement
- documenting sustained EPS for an ArcSight rebuttal
- how to scope ArcSight burst allowances
- defending ArcSight against an inflated EPS baseline
- what ArcSight EPS is and how it is measured
If you have received an OpenText or Micro Focus audit notice, the first seven days shape every week that follows. OpenText Audit Defense is an independent, buyer side practice founded in 2020 by former vendor compliance leadership. We have defended more than 200 audits, cut the average finding by 68 percent, and mitigated more than $90M in claims against vendor positions. We do not resell OpenText software and we are not affiliated with OpenText Corporation. To open a case, use the contact form on this site.