How OpenText measures ArcSight in a self assessment
Many ArcSight audits do not begin with a vendor script at all. They begin with a self assessment questionnaire, a request that you measure your own deployment and report the numbers back. The way OpenText measures ArcSight in a self assessment matters because the form is built to elicit the broadest possible reading, and whatever you write down becomes the baseline the vendor works from. The self assessment is not a neutral survey. It is the first move in the measurement.
Under the OpenText approach, compliance is treated as the sole responsibility of the licensee, and the seven day notice gives the vendor the right to request and copy relevant records. A self assessment is how that responsibility is operationalised early: rather than deploying a script immediately, the compliance team asks you to populate EPS figures, connector counts, data volumes, and node inventories yourself. The risk is that the questions are framed around peak readings and raw counts, and a buyer who answers literally hands over an inflated baseline that is far harder to walk back later.
What the self assessment asks, and why the framing matters
An ArcSight self assessment typically asks for events per second, the number of SmartConnectors or collectors, total ingested data volume, the number of ESM and Logger instances, and the user populations attached to identity views. Each of those questions has a defensible answer and an expensive answer. EPS asked without a window invites a peak; we treat that exactly as we do in ArcSight EPS burst versus sustained measurement. Connector counts asked as a raw inventory invite decommissioned and duplicate entries. Volume asked at raw ingestion invites duplicates and test data. The form rarely defines its terms, so the reading most favourable to the vendor becomes the default unless you supply the definition.
A self assessment that asks for "maximum EPS observed" and "total connectors deployed" will, answered literally, return a peak rate and a raw inventory. Those two figures, accepted as the baseline, can drive a finding that no sustained operating profile would ever support.
Why a self assessment baseline is hard to reverse
Once you have reported a number on a self assessment, the burden shifts. The vendor treats your figure as an admission and asks you to justify any reduction from it. That is the opposite of the position you want. It is far easier to scope the measurement correctly before you answer than to argue a recorded number down afterward. This is why we insist that no self assessment goes back to the vendor without reconstruction first, the same discipline we describe in reconciling ArcSight entitlements before an audit.
How the four operations apply to a self assessment
We respond by taking over the questionnaire during the seven day notice window, so the form is answered through a single controlled channel rather than by whoever received the email. We reconstruct the real position from ArcSight's own ingestion statistics, connector inventory, and node configuration, classifying every figure against the contractual definition. We rebut the framing of the questions themselves where they invite a peak or a raw count, supplying the sustained rate, the active connector list, and the normalised volume instead. We resolve by reporting figures that are accurate and defensible, so the baseline the vendor works from is the one the contract supports.
Answering each question on defensible terms
For EPS, we report a sustained rate with the measurement window stated, not a one second high water mark. For connectors, we report the active production inventory, excluding decommissioned and duplicate entries, the same way we handle a challenge to an ArcSight connector headcount. For data volume, we report a normalised figure and note any duplicate or non production sources. For nodes, we distinguish production from high availability standby and non production instances. Each answer carries its definition with it, so the number cannot be reinterpreted upward.
A representative pattern
In a recent engagement, a self assessment had already been partially completed with peak EPS and a raw connector count before we were engaged. Reconstructing the sustained rate and the active connector inventory reset the baseline to a defensible figure, and the eventual finding tracked the corrected numbers rather than the questionnaire's first draft. The pattern is consistent with our anonymised banking matter, case file E-03, where a $6.0M ArcSight finding settled at $1.8M, a 70 percent reduction, after the measurement basis was corrected.
The questions to ask before you answer the questions
- Is a window defined? If an EPS or volume question has no window, it is asking for a peak; supply the sustained figure and state the window.
- Is the term defined? If connector, user, or node is undefined, supply the contractual definition with your answer.
- Is the data clean? Exclude decommissioned connectors, duplicate sources, and non production instances before reporting.
- Who is answering? One controlled channel, not the inbox the request happened to land in.
What the self assessment cannot compel
It is worth being precise about what the seven day notice and the audit clause actually authorise. OpenText may request and copy records relevant to compliance, and the EULA places the responsibility for compliance on the licensee. That is a meaningful obligation, but it is not an obligation to answer a questionnaire in whatever framing the vendor chooses, nor to report a peak when the contract meters a sustained rate, nor to count decommissioned infrastructure as live. The licensee responds with accurate, relevant information; it does not have to adopt the vendor's most expensive interpretation of an undefined term.
Treating the self assessment this way changes the posture from compliance theatre to controlled disclosure. We answer every question that is properly within scope, we answer it accurately, and we attach the contractual definition to each figure so the number cannot be reinterpreted upward later. The questionnaire is met fully and on terms the agreement supports, which is exactly the position a buyer wants to be in when the finding that follows is built on those very answers.
Been asked to complete an ArcSight self assessment?
The self assessment is the baseline, and the baseline is where the finding is decided. We answer it on terms the contract supports, after reconstructing the real position, through our ArcSight and Security audit defense. To put a defense team between you and the questionnaire, open a case or download the ArcSight EPS defense briefing.
Related field notes
These notes from the ArcSight and Security cluster go deeper on the measurement questions a self assessment raises. Each links back to the complete OpenText audit defense playbook for 2026.
- what records OpenText copies in an ArcSight audit
- reconciling ArcSight entitlements before an audit
- ArcSight EPS burst versus sustained measurement
- how to challenge an ArcSight connector headcount
- preparing an ArcSight entitlement reconstruction
If you have received an OpenText or Micro Focus audit notice, the first seven days shape every week that follows. OpenText Audit Defense is an independent, buyer side practice founded in 2020 by former vendor compliance leadership. We have defended more than 200 audits, cut the average finding by 68 percent, and mitigated more than $90M in claims against vendor positions. We do not resell OpenText software and we are not affiliated with OpenText Corporation. To open a case, use the contact form on this site.