Documenting sustained EPS for an ArcSight rebuttal
A rebuttal is only as strong as the evidence behind it, and on an ArcSight EPS finding the evidence is throughput data. Documenting sustained EPS for an ArcSight rebuttal means assembling the throughput record that shows what the platform actually carried over time, so a finding built on a momentary peak can be brought back to the rate the license was sized against.
ArcSight reached the OpenText estate through the Micro Focus acquisition that closed on January 31, 2023, and is governed by the Additional License Authorizations rather than the OpenText EULA. EPS, events per second, is the headline metric, and the single most common inflation is the use of a short lived burst as though it were the standing load. Knowing that burst is not sustained is the argument. Documenting it, in a form that survives scrutiny, is what wins the rebuttal.
Why the rebuttal lives or dies on evidence
An EPS finding that cites a peak figure is making an empirical claim: that the platform sustained this rate in a way the license should be measured against. An empirical claim is answered with empirical evidence. A buyer that asserts the peak was momentary, without the throughput record to prove it, is trading assertions with the audit. A buyer that produces a clear, time stamped record of the rate the platform carried across the measurement window has moved the argument from opinion to data. The defensive work is to build that record before the rebuttal is written, not after.
A peak is a claim. Sustained throughput is a record. The rebuttal that wins is the one that answers a peak figure with documented throughput over time, so the measured rate reflects what the platform actually carried rather than its highest moment.
What sustained EPS evidence looks like
The exact form depends on the deployment, but a defensible throughput record generally needs a few characteristics. It should cover the full measurement window, not a convenient slice. It should be time stamped so peaks can be located and characterised. And it should distinguish the rate the platform carried in steady state from the transient spikes that any event driven system produces.
- A full window record. Throughput across the entire measurement period, so the audit cannot select a single high interval.
- Time stamped peaks. Spikes located in time and explained, so a burst is visibly a burst and not the baseline.
- Steady state rate. The sustained throughput the platform actually carried, distinguished from transient maxima.
- Source attribution. Where spikes originated, so one off events can be tied to identifiable causes rather than treated as normal load.
Reconstruct, then rebut with the record
The four Rs put documentation at the centre of the rebuttal. Respond inside the seven day notice window and control the channel so throughput data is described once. Reconstruct the effective position by assembling the throughput record and reading the authorization to confirm whether the metric is sustained rate or peak. Rebut the finding by setting the documented sustained rate against the peak the audit relied on, line by line. Resolve on terms that fix the measurement basis so the next audit starts from a settled definition of how EPS is measured rather than relitigating burst against sustained.
A recent engagement
The anonymised banking matter recorded as E-03 saw an ArcSight EPS and connector finding of $6.0M settle at $1.8M, a 70 percent reduction. The throughput record was central: separating burst from sustained, with documented evidence of the rate the platform actually carried, took the EPS component of the finding back toward the load the license was sized against. The reduction did not come from negotiating a number down. It came from showing, with data, that the measured rate was a peak and the sustained rate was lower.
Build the record before you argue
With an EPS rebuttal more than most, sequence matters. A rebuttal written first and evidenced later is weaker than a rebuttal built on a throughput record assembled at the outset. The defensive discipline is to gather the throughput data early, while the systems still hold it, to read the authorization for whether the metric is sustained or peak, and to write the rebuttal around the record rather than the other way round. Most of the reduction available on an EPS finding is realised by the buyer that can document its sustained rate, and lost by the buyer that can only assert it.
Need to evidence sustained EPS against a peak finding?
We assemble the throughput record, read the authorization for the measurement basis, and build the rebuttal around documented sustained load. To get a defense team on the file, open a case or download the ArcSight EPS defense briefing.
Get The Number Down →Related field notes
These notes from the ArcSight and Security audit defense cluster cover EPS measurement and evidence. Each links back to the complete OpenText audit defense playbook for 2026.
- ArcSight EPS burst versus sustained measurement
- reducing an ArcSight finding with throughput evidence
- defending an ArcSight EPS overclaim line by line
- can OpenText measure peak EPS against your license
- what is ArcSight EPS and how is it measured
If an OpenText or Micro Focus audit notice has arrived, the opening seven days carry more weight than any week that comes after. OpenText Audit Defense is an independent, buyer side practice founded in 2020 by former vendor compliance leadership. We have defended more than 200 audits, cut the average finding by 68 percent, and mitigated more than $90M in claims against vendor positions. We do not resell OpenText software and we are not affiliated with OpenText Corporation. To open a case, use the contact form on this site.