ArcSight & Security · Track 03

Defending an ArcSight EPS overclaim line by line

An ArcSight EPS overclaim does not collapse because someone negotiates a discount. It collapses because every line of the finding is taken apart and tested against what the contract actually meters and what the platform actually ran. Defending an ArcSight EPS overclaim line by line is methodical work, and the discipline of doing it line by line is exactly what turns a headline number into a defensible one.

ArcSight Enterprise Security Manager and ArcSight Logger are licensed against events per second. An audit compares your entitlement to an observed EPS figure and prices the gap at list, then adds back maintenance and the cost of the audit. The opening figure is a single number presented as fact. Our job is to replace that single number with a distribution and to show, line by line, which portion of the claimed gap survives contact with the evidence and which does not.

Line one: the contractual unit

The first line of any defense is the metric definition itself. Does the entitlement meter a sustained rate, an average, or a peak, and is a burst allowance defined or implied? If the contract describes a sustained rate and the report presents a peak, the basis of the claim is wrong before any number is examined. This is the foundational argument, and it is the same one we develop in detail in ArcSight EPS burst versus sustained measurement and test in whether OpenText can measure peak EPS against your license.

The mechanic

A finding that prices a 50,000 EPS gap at list assumes the platform sustained the peak. If the entitlement meters a sustained rate and the peak lasted seconds during a scan, the priced gap is built on a measurement the contract does not authorise, and the line falls.

Line two: the measurement window

The second line is the window over which the figure was taken. A rate sampled at one-second granularity and reported as the maximum is not the same quantity as a rate averaged over a representative operating period. The report rarely states the window, so we ask for it, and we rebuild the EPS distribution from ArcSight's own ingestion statistics to show what the sustained rate actually was. Documenting that sustained figure is its own discipline, covered in documenting sustained EPS for an ArcSight rebuttal.

Line three: the cause of every spike

The third line isolates the transients. Each spike above the sustained rate has a cause: a scheduled vulnerability scan, a backup window, a patch deployment, a denial of service event, or a misconfigured source feeding duplicate events. A spike traceable to a duplicate feed is not business load at all. A spike from a nightly scan is a transient the platform absorbs by design. We attribute each one and remove it from the operating profile, the same way we treat raw volume when we show how ArcSight data volume metrics inflate a finding.
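The window and spike-attribution steps in lines two and three, as an added example that is not part of the original article or any ArcSight tooling: it profiles a series of one-second EPS counts as a distribution, then re-profiles it with attributed transients removed. The sample counts, the attribution list, the 60-second window and the 95th percentile are constructed assumptions; the contract's own metric definition governs the real analysis.

```python
# Added illustration; all data and thresholds below are constructed assumptions.

def build_samples():
    """Constructed one-second EPS counts for a 10-minute period."""
    samples = [4000] * 600                 # steady operating load
    for t in range(300, 305):              # 5-second vulnerability-scan burst
        samples[t] = 50000
    for t in range(400, 460):              # 60 s of a misconfigured duplicate feed
        samples[t] = 8000
    return samples

# Constructed attribution log: (first_second, last_second, cause)
ATTRIBUTED = [(300, 304, "scheduled vulnerability scan"),
              (400, 459, "duplicate feed")]

def percentile(values, pct):
    """Nearest-rank percentile; pct is an integer from 1 to 100."""
    ordered = sorted(values)
    rank = max(1, (pct * len(ordered) + 99) // 100)   # integer ceiling
    return ordered[rank - 1]

def profile(samples, window=60):
    """Summarise a series as peak, p95, worst window average and overall mean."""
    windows = [sum(samples[i:i + window]) / window
               for i in range(0, len(samples) - window + 1, window)]
    return {"peak_1s": max(samples), "p95_1s": percentile(samples, 95),
            "max_window_avg": max(windows), "mean": sum(samples) / len(samples)}

def remove_attributed(samples, intervals):
    """Drop every second that falls inside an attributed transient.
    Remaining seconds are concatenated, so a window may span a removed gap."""
    excluded = {t for start, end, _ in intervals for t in range(start, end + 1)}
    return [v for t, v in enumerate(samples) if t not in excluded]

def compare():
    """Return (raw profile, profile with attributed transients removed)."""
    raw = build_samples()
    return profile(raw), profile(remove_attributed(raw, ATTRIBUTED))

if __name__ == "__main__":
    before, after = compare()
    for name in before:
        print(f"{name:15} raw={before[name]:>9.1f}  "
              f"attributed-removed={after[name]:>9.1f}")
```

On this constructed series the one-second peak is 50,000 EPS while the worst 60-second average is under 8,000, which is the gap between a peak reading and a sustained one that the first three lines of the defense turn on.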

Line four: the connector and node context

The fourth line checks whether the EPS figure was attributed correctly across the deployment. An overclaim sometimes counts throughput from decommissioned connectors or duplicates the same events across overlapping collectors. Reconciling the connector inventory, as in ArcSight SmartConnector and collector counting, can remove events that were counted twice or attributed to sources no longer in service.

Line five: repricing to the defensible figure

Once the unit is fixed, the window is established, the transients are removed, and the attribution is corrected, the gap to entitlement shrinks or disappears. The finding is repriced against a number the contract supports. The remaining figure, if any, is the only one that was ever genuinely owed, and it is settled on the buyer's terms rather than the vendor's opening position.

A representative outcome

Our anonymised banking engagement, case file E-03, opened as a $6.0M ArcSight finding built on EPS and connector counts. A significant share of the EPS overclaim came from peak readings that did not reflect sustained operation, and from connector attribution that double counted events. Defended line by line, the matter settled at $1.8M, a 70 percent reduction. The number fell because each line was corrected, not because anyone discounted a figure that was never owed.

The order of operations in a line by line defense

Why the line by line method beats a blanket challenge

It can be tempting to respond to an EPS overclaim with a single sweeping objection that the number is too high. That rarely works, because it gives the vendor nothing specific to concede and leaves the burden on the buyer to prove a negative. The line by line method does the opposite. Each line is a discrete, evidenced argument: the metric is sustained not peak, the window was one second not an operating period, this spike was a scan, that throughput came from a decommissioned connector. Every line that lands removes a defined quantity from the claim, and the cumulative effect is a finding rebuilt from the ground up rather than haggled down from the top.

The method also matters because the remedy stacks. A deemed shortfall is priced at list, grossed up with back maintenance and a first year of maintenance, and burdened with the vendor's audit costs. Reducing the underlying EPS gap line by line reduces all of those charges together. That is why we treat the order of operations as strict: fix the unit, establish the window, attribute the spikes, reconcile the deployment, and only then reprice. A figure repriced on a corrected basis is defensible in a way that a negotiated discount on a flawed basis never is.

Have an ArcSight EPS overclaim to defend?

An EPS overclaim defended line by line almost always lands far below its opening figure. We reconstruct the effective position before any vendor script runs, then challenge each line through our ArcSight and Security audit defense. To put a defense team between you and the vendor, open a case or download the ArcSight EPS defense briefing.



If you have received an OpenText or Micro Focus audit notice, the first seven days shape every week that follows. OpenText Audit Defense is an independent, buyer side practice founded in 2020 by former vendor compliance leadership. We have defended more than 200 audits, cut the average finding by 68 percent, and mitigated more than $90M in claims against vendor positions. We do not resell OpenText software and we are not affiliated with OpenText Corporation. To open a case, use the contact form on this site.