How much does a Fortify seat overclaim finding cost?
The first question most buyers ask when a Fortify finding lands is the hardest to answer cleanly: how much is this going to cost. The honest response is that the headline number in the finding is not the cost. It is the opening position, and it is built from assumptions that rarely survive scrutiny. To understand how much a Fortify seat overclaim finding costs, you have to take the headline apart into the components that actually drive it, because each component is a separate place where the number comes down.
This article breaks down the cost structure of a Fortify finding, shows which components are negotiable, and explains how a buyer arrives at the real exposure. It supports our Fortify and AppSec audit defense practice and links up to the complete OpenText audit defense playbook for 2026.
The components of the headline number
A Fortify finding on a perpetual estate is rarely a single figure. It stacks three charges. First, the alleged shortfall in seats is priced at the then current list price, as if the buyer had purchased those seats. Second, back maintenance and support is added for the period of alleged overuse. Third, first year maintenance on the newly deemed licenses is added on top. The headline is the sum of all three, and because each is a multiple of the seat count, an inflated seat count inflates all three at once.
Every seat removed from the count removes a list price license, its back maintenance, and its first year maintenance simultaneously. This is why seat count work delivers the largest reductions: it attacks all three cost components in one move.
Why the seat count drives everything
The seat count is the variable that the other components depend on, which makes it the highest leverage target in the entire finding. As covered in Fortify SCA seat overclaim, repository access versus scan submitters, the count is usually sourced from repository access rather than from actual scan submission. Replacing the access roster with a list of genuine submitters typically removes a large fraction of the seats, and with them a proportionate fraction of all three cost components. This is the mechanism behind the reductions we report.
The components that are independently negotiable
Beyond the seat count, several components can be challenged on their own terms:
- List price. The finding prices at list, but settlements rarely close at list. The negotiated price per seat is a separate lever.
- Back maintenance period. The window over which back maintenance is calculated can be disputed, particularly where usage was not continuous.
- Non production usage. Activity that the license treats differently should not be priced as production seats, as covered in Fortify non production use and license exposure.
- Audit cost recovery. The terms allow the vendor to seek reimbursement of audit costs on a finding, and the magnitude of that recovery is itself a negotiation.
From headline to real exposure
The real exposure is what remains after the seat count is reconstructed, the non production activity is scoped out, the license model is correctly applied, and the price and maintenance components are negotiated. In practice this is a much smaller number than the headline, and the distance between the two is the value of a proper defense. Our four operations, respond, reconstruct, rebut, and resolve, exist precisely to move the finding from headline to defensible exposure in a structured way.
A representative outcome
In a recent technology sector engagement, the opening finding combined an inflated seat count priced at list with back maintenance and first year maintenance stacked on top. By reconstructing the seat count around real scan submitters, scoping out non production activity, and negotiating the remaining price and maintenance components, the settlement came in at roughly one fifth of the opening claim. That outcome, our E-02 case file, illustrates how far a headline can fall once each component is addressed on its own terms.
What the headline is and is not
The headline finding is a negotiating anchor, not a bill. Treating it as a bill is the single most expensive mistake a buyer can make, because it concedes the seat count, the maintenance period, the price, and the audit cost all at once. The disciplined response is to decompose it and contest each component. For the line by line method, see defending a Fortify developer seat finding line by line.
Sequencing the reductions
Because a Fortify finding stacks several components, the order in which a buyer addresses them changes the outcome. The most efficient sequence begins with the seat count, because every seat removed strips a list price license, its back maintenance, and its first year maintenance at once. Reconstructing the count around real scan submitters therefore delivers the largest single reduction before any other argument is made. With the count reset, the buyer turns to scope, removing non production activity that the license treats differently so that the remaining seats reflect genuine production use. Only then does the conversation move to price and maintenance, where the per seat figure and the back maintenance period are negotiated against the now smaller count.
Sequencing matters because arguing price before count concedes the count, and arguing maintenance before scope leaves non production activity inside the base. A buyer who negotiates a discount on an inflated seat figure has still accepted the inflated figure. A buyer who resets the count first negotiates a discount on a defensible number, which compounds the reduction. Audit cost recovery is addressed last, once the size of the finding is settled, because its reasonableness is judged against the final figure rather than the headline. This is the logic of our four operations applied to the cost question: reconstruct the count, rebut the scope, then resolve the price and the recovery. Working the components in that order is the difference between trimming a headline and dismantling it, and it is why a structured defense reliably outperforms a line item negotiation that starts at the bottom of the stack.
The cost question, in the end, is really a structure question. A buyer who sees only the headline sees a single intimidating number. A buyer who sees the structure sees a seat count, a maintenance period, a price, and an audit cost, each contestable on its own terms and each dependent on the count beneath it. The work of a defense is to expose that structure and then take it apart in the right order. Done well, the gap between the headline and the settlement is large, and it is created not by pleading for a discount but by insisting that each component reflect what the license actually meters and what the records actually show.
Find out what the finding actually costs
We decompose the headline into seats, maintenance, price, and audit cost, then contest each one. Open a case and we will tell you what your real exposure looks like.
For the seat counting methodology, read the Fortify seat counting white paper.
If an OpenText or Micro Focus audit notice has reached your desk, the first seven days carry more weight than any week that follows. OpenText Audit Defense is an independent, buyer side practice founded in 2020 by former vendor compliance leadership. We have defended more than 200 audits, brought the average finding down by 68 percent, and mitigated more than $90M in claims against vendor positions. We do not resell OpenText software and we are not affiliated with OpenText Corporation. To open a case, use the contact form on this site.