ArcSight & Security · Track 03

Defending ArcSight against an inflated EPS baseline

Every ArcSight finding starts from a baseline, a measured rate the vendor treats as your usage, and if that baseline is wrong everything downstream is wrong with it. Defending ArcSight against an inflated EPS baseline means challenging the measured starting figure itself, because a baseline built on peaks, lab traffic, or a poorly bounded window will price the whole finding far above the sustained rate the license is sized to carry.

ArcSight entered the OpenText estate through the Micro Focus acquisition that closed on January 31, 2023, and is governed by the Additional License Authorizations rather than the OpenText EULA. EPS, events per second, is the headline metric, and the baseline is the number the audit pins to your environment as the rate it claims you consume. Because the EULA makes compliance the sole responsibility of the licensee, the buyer carries the burden of demonstrating the correct figure, which is exactly why the baseline must be contested rather than accepted.

What a baseline is and how it goes wrong

A baseline is a measured rate produced from logs, a measurement utility, or a self assessment, and presented as representative of normal operation. It goes wrong when the method behind it does not match the metric the authorization defines. A baseline taken from the single busiest minute of an incident, from a window that happened to include a one time data migration, or from an environment that includes non production traffic will sit well above the rate the platform sustains in ordinary use. The vendor then prices the finding from that elevated number, and the gap between it and the real sustained rate is pure inflation.

The distinction between a peak and a sustained rate is the foundation, and it is worth reading our note on ArcSight EPS burst versus sustained measurement alongside this one. The baseline is where that distinction either holds or collapses.

The mechanic

An inflated baseline is the wrong starting number. Reset it to the sustained, production, properly windowed rate and every figure priced from it falls in proportion, before any line item of the finding is even argued.

What inflates a baseline

A handful of method choices push the baseline above the defensible rate. Each is a point to interrogate in the measurement itself.

Peak as baseline. Using the highest instantaneous rate rather than the sustained rate as the representative figure.
A short or badly placed window. Measuring over a period that captures a spike, an incident, or a migration rather than normal operation.
Non production traffic counted in. Including lab, test, or development feeds in a baseline that should reflect licensed production use, a point we develop in how ArcSight non production and lab data is counted.
Duplicate or transient sources. Counting feeds that were briefly active, or counted twice during a migration, as part of the steady state.

Reset the baseline with throughput evidence

The four Rs are built for this. Respond inside the seven day notice window and route the measurement through a single controlled channel, so the baseline is produced once, on terms you can see, rather than handed to the vendor to construct unobserved. Reconstruct the correct figure by reading the authorization for the measurement basis and then producing your own throughput record over a representative window. Rebut the vendor baseline line by line where it rests on peaks, bad windows, or non production traffic. Resolve on terms that fix the measurement method so the baseline cannot be reinflated at the next audit. The evidence step is decisive, and our note on reducing an ArcSight finding with throughput evidence covers how to assemble it.

A recent engagement

The anonymised banking matter recorded as E-03 saw an ArcSight EPS and connector finding open at $6.0M and settle at $1.8M, a 70 percent reduction. Resetting the baseline was central: the opening figure rested on a measurement that did not separate burst from sustained, and producing a throughput record over a representative window established the rate the platform actually carried. Once the baseline was corrected, the priced finding came down with it, because every charge had been calculated from the inflated starting number.

Contest the baseline before anything else

With an EPS matter more than most, defending ArcSight against an inflated baseline is the move that determines the size of everything that follows. A buyer that argues individual line items while conceding the baseline is negotiating down from the wrong number. The defensive discipline is to treat the baseline as the first thing to test, to read the authorization for the measurement basis, and to produce throughput evidence that establishes the sustained production rate. Most of the reduction available on an EPS finding is realised the moment the baseline is reset, because the finding is only ever as large as the rate it is built on.

Is your ArcSight finding built on the wrong starting rate?

We test the baseline first, read the authorization for the measurement basis, and produce throughput evidence that resets the finding to the sustained rate. To get a defense team on the file, open a case or download the ArcSight EPS defense briefing.

Get The Number Down →

Related field notes

These notes from the ArcSight and Security audit defense cluster cover EPS measurement, baselines, and throughput evidence. Each links back to the complete OpenText audit defense playbook for 2026.

If an OpenText or Micro Focus audit notice has arrived, the opening seven days matter more than any week that comes after. OpenText Audit Defense is an independent, buyer side practice founded in 2020 by former vendor compliance leadership. We have defended more than 200 audits, reduced the average finding by 68 percent, and mitigated more than $90M in claims against vendor positions. We do not resell OpenText software and we are not affiliated with OpenText Corporation. To open a case, use the contact form on this site.