How much does an ArcSight EPS finding usually cost?
Buyers under an ArcSight audit ask the same question first: how big is this going to be. An ArcSight EPS finding is rarely a single price. It is a stacked figure built from list price licenses, back maintenance, and audit cost, and the stack is exactly why the opening number looks so large.
There is no fixed dollar amount for an ArcSight EPS finding, because the size depends on the gap between measured throughput and entitlement, the list price of the relevant ArcSight products, and the length of the back maintenance period. What is predictable is the structure of the number. Once you understand how it is assembled, you can see where it inflates and where it comes down.
The three layers of the cost
Deemed license acquisition at list price
When measured EPS exceeds entitlement, the agreement treats the licensee as having acquired the additional licenses needed to cover the gap, priced at the then current list price. List price is the highest price in the market, with no negotiated discount applied, so this layer is larger than what the same licenses would have cost in a normal purchase.
Back maintenance and support
On top of the deemed licenses, the licensee must pay back maintenance and support, and first year maintenance on the new licenses. Back maintenance can reach across the period the overage is deemed to have existed, which is why a finding can carry several years of support charges on licenses you never actually bought.
The cost of the audit itself
The agreement also requires the licensee to reimburse the costs OpenText incurs performing the audit. This layer is smaller than the other two but real, and it compounds the sense that the opening figure is designed to be intimidating.
An EPS gap priced at list, multiplied across the affected products, then loaded with several years of back maintenance and the audit cost, is how a throughput overage that may not even be real becomes a finding in the millions.
Why the opening number overstates the real exposure
The opening finding assumes the EPS measurement is correct and the gap is owed in full. Both assumptions are usually wrong. If the EPS figure is a peak rather than a sustained rate, the gap shrinks or disappears, and every layer of the stack shrinks with it. If non production traffic or double counted events are in the figure, the same correction applies. Because the layers are multiplicative, a modest correction to the underlying EPS produces a large reduction in the total.
Our anonymised banking engagement, case file E-03, illustrates the scale. The opening ArcSight finding, built on EPS and connector counts, was $6.0M. After we separated burst from sustained throughput and corrected the connector inventory, the matter settled at $1.8M, a 70 percent reduction. The settlement was lower because the measurement was corrected, not because a discount was negotiated on a number that was never truly owed.
What actually determines the final figure
- The measurement basis. Sustained versus peak is the single largest lever, and it is contestable.
- The entitlement reconstruction. Entitlements are often larger than the audit assumes once every authorization is accounted for.
- The back maintenance period. The length of the period the overage is deemed to have existed is open to challenge.
- The products in scope. Confirming which ArcSight components are actually in use narrows the deemed acquisition.
Getting to the defensible number
The way to find out what an ArcSight EPS finding will really cost is to reconstruct the effective license position independently before accepting the vendor figure, then rebut the finding line by line. During the seven day notice window, take over the channel and preserve your throughput evidence. To put a defense team on the number, open a case or download the ArcSight EPS defense briefing, which walks through the EPS cost structure in detail.
Why the stack makes small corrections matter so much
The reason an ArcSight finding rewards a careful defense is arithmetic. Because the three layers compound, a correction to the base EPS figure does not subtract a fixed amount, it removes a proportional slice from every layer at once. Reduce the deemed license quantity by a third and you reduce the list price layer by a third, the back maintenance computed on those licenses by a third, and the related audit cost with it. A measurement correction that looks modest in EPS terms can therefore translate into a reduction in the total that is several times larger. This is the mathematical reason the average reduction across the audits we have defended sits at 68 percent: the corrections attack the base of a stacked number, and the stack amplifies them.
It also explains why conceding early is so costly. A buyer who accepts the opening EPS figure to move things along is not just accepting one number, they are accepting the full stack built on it. Every layer that could have been reduced is locked in the moment the base is conceded. The discipline of holding the measurement open until it is properly reconstructed is what preserves the leverage that produces the large reductions.
What a realistic settlement range looks like
We do not quote a fixed figure, because the honest answer depends on the facts, but the shape of a typical outcome is consistent. Where the opening finding was built on a peak EPS reading, an inflated connector count, or non production traffic on the meter, the defensible settlement commonly lands at a fraction of the opening number. Our anonymised banking engagement settling at $1.8M against a $6.0M opening is representative of what happens when the measurement basis is corrected rather than merely negotiated. The lesson for any buyer staring at a large opening figure is that the number on the page is the vendor position, not the exposure, and the two are usually very far apart.
Have an ArcSight finding on the table?
The opening figure is a starting position, not a settlement. The defensible number is almost always far lower. We reconstruct the effective license position before any vendor script runs, then challenge the finding line by line. To put a defense team between you and the vendor, open a case or download the ArcSight EPS defense briefing.
Get The Number Down →Related field notes
These notes from the ArcSight and Security audit defense cluster go deeper on the mechanics referenced above, and each links back to the complete OpenText audit defense playbook for 2026.
- ArcSight EPS burst versus sustained measurement
- what ArcSight EPS is and how it is measured
- defending an ArcSight EPS overclaim line by line
- whether OpenText can measure peak EPS against your license
- reducing an ArcSight finding with throughput evidence
If you have received an OpenText or Micro Focus audit notice, the first seven days shape every week that follows. OpenText Audit Defense is an independent, buyer side practice founded in 2020 by former vendor compliance leadership. We have defended more than 200 audits, cut the average finding by 68 percent, and mitigated more than $90M in claims against vendor positions. We do not resell OpenText software and we are not affiliated with OpenText Corporation. To open a case, use the contact form on this site.