How ArcSight non production and lab data is counted

Lab, test, and staging data has a way of landing inside a production finding. How ArcSight non production and lab data is counted depends entirely on whether the agreement scopes the metric to production use, and a finding inflates when development and test traffic is summed into the same figure as live operations.

Security teams run more than one ArcSight environment. There is production, and then there is the supporting estate: staging for content development, lab for parser testing, proof of concept instances, and disaster recovery standbys. Each of those generates events and registers connectors, and each can be swept into a measurement that was supposed to capture only licensed production consumption. Whether that sweep is legitimate is not a matter of opinion; it is a matter of what the agreement says.

The scope question comes first

Before any non production number is conceded, establish what the entitlement and the Additional License Authorizations actually scope the metric to. If the metric is defined against production use, then events generated in lab and staging do not count toward it, and a finding that includes them is measuring outside the license. If the agreement is silent or broad, the argument is different and turns on interpretation. Either way, the scope question is the threshold issue, and it should be settled before discussing any figure.

The mechanic

A finding that sums production and non production EPS, or counts lab connectors alongside live ones, can overstate consumption substantially. Where the metric is scoped to production, removing non production traffic is a correction, not a concession.

Where non production traffic hides

Non production data enters a finding through several doors. Test connectors stood up to validate new parsing rules forward real sample events. Staging environments mirror production sources for content development. Proof of concept instances run live data while a new use case is evaluated. Disaster recovery standbys may process or buffer events on a schedule. Each of these can look like production consumption to a measurement that does not distinguish environments, and distinguishing them is something only the buyer can do reliably.

Separate the environments with evidence

The correction is an environment map. Every connector and every event stream is tagged to the environment it belongs to, using the buyer's own infrastructure records and event flow data. Production stands on its own. Staging, lab, proof of concept, and recovery are identified and, where the metric is scoped to production, removed from the count. This is the same discipline that separates live connectors from retired ones, applied along a different axis: not whether a component is alive, but where it lives.

Reconstruct before the measurement

The strongest position is to map the environments before any vendor script runs. During the seven day notice window, take over the channel and avoid handing over an undifferentiated export that blends environments. A reconstruction that already separates production from the supporting estate means the production figure is the one on the table, and the non production traffic never becomes part of the baseline that has to be argued down later.

A recent engagement

In the banking matter recorded as case file E-03, where a combined EPS and connector finding of $6.0M settled at $1.8M, environment scope was one of the levers. Connectors and event volume from non production environments had been counted alongside production, and separating them contributed to the 70 percent reduction. The principle is straightforward: where the agreement scopes the metric to production, only production counts, and the buyer is the party with the records to prove which is which.

Settle the scope, then the number

Read the metric definition in the entitlement and the ALAs, confirm whether it is scoped to production, map every environment, and remove non production traffic where the scope allows. Done in that order, a finding that blended environments is corrected on its own terms rather than negotiated down from an inflated total.

When the agreement is silent on environment scope

Not every agreement spells out a production scope, and where the language is silent the argument shifts from fact to interpretation. Even then the buyer is not without ground. A metric described as measuring use, consumption, or operation can reasonably be read to mean live operation rather than the incidental traffic of a parser test, and the buyer can argue that lab and proof of concept activity was never the use the parties contemplated when they sized the entitlement. That reading is strengthened when the non production estate is small, clearly separated, and documented as temporary or evaluative. The point is that silence is not the same as inclusion. An audit will treat a silent agreement as requiring a license for everything, and the buyer is entitled to contest whether the broadest possible reading is the correct one.

Disaster recovery deserves its own treatment

Disaster recovery instances sit in a category of their own and are worth isolating in any environment map. A standby that buffers or replicates events purely for resilience is not adding capacity; it is protecting it. Many agreements contemplate recovery instances without charging them as independent production units. A finding that prices a disaster recovery node as a second full deployment may be charging for the same protected workload twice. Establishing which instances exist for recovery, how they relate to the primary deployment, and what the agreement says about standby and failover lets those charges be removed or collapsed. As with connectors configured for high availability, the principle is that resilience is not consumption, and a measurement that treats it as such overstates the licensed estate.

If you have received an OpenText or Micro Focus audit notice, the first seven days shape every week that follows. OpenText Audit Defense is an independent, buyer side practice founded in 2020 by former vendor compliance leadership. We have defended more than 200 audits, cut the average finding by 68 percent, and mitigated more than $90M in claims against vendor positions. We do not resell OpenText software and we are not affiliated with OpenText Corporation. To open a case, use the contact form on this site.