How to scope ArcSight burst allowances
Event-driven systems spike, and a licensing model that did not allow for spikes would be unusable. Knowing how to scope ArcSight burst allowances means reading the authorization for the tolerance it grants around short-term peaks, so an EPS finding built on a momentary spike can be held to the sustained rate the license actually measures.
ArcSight reached the OpenText estate through the Micro Focus acquisition that closed on January 31, 2023, and is governed by the Additional License Authorizations rather than the OpenText EULA. EPS, events per second, is the headline metric, and security telemetry is bursty by nature: an incident, a scan, or a misconfigured source can drive a transient spike far above the normal load. The defensive question is what the authorization says about burst, because the rate that matters for the license is the sustained one, and a burst allowance is the contractual room that confirms it.
Why a burst allowance exists at all
A metric that measured the single highest instantaneous rate a platform ever reached would penalise normal operation, because every event-driven system produces peaks. Licensing models generally accommodate this by distinguishing a sustained rate from short-lived bursts, whether through an explicit burst tolerance, an averaging window, or a measurement basis that does not treat a momentary spike as the licensed figure. Scoping the burst allowance means establishing, from the authorization, exactly how that distinction is drawn for your agreement, because that is the boundary a finding has to respect.
A burst allowance is the contractual recognition that spikes are not the licensed rate. Scoping it from the authorization sets the boundary the finding must respect, so a momentary peak cannot be treated as the figure the license measures.
What scoping the allowance involves
Scoping a burst allowance is a reading exercise followed by an evidence exercise. The reading establishes what the authorization permits. The evidence establishes how the actual load sits against it.
- The measurement basis. Whether the metric is a sustained rate, an average over a window, or a peak, as the authorization defines it.
- The burst tolerance. Any explicit allowance for short-term peaks above the sustained rate, and the conditions attached to it.
- The averaging window. The period over which the rate is measured, which determines whether a spike is absorbed or counted.
- The actual load profile. The throughput record showing where peaks sit relative to the sustained rate and the allowance.
Reconstruct the rate against the allowance
The four Rs put the authorization at the centre. Respond inside the seven-day notice window and control the channel so the load profile is described once. Reconstruct the effective position by reading the authorization for the measurement basis and burst tolerance, then setting the throughput record against it to show the sustained rate. Rebut the finding line by line where it treats a spike as the licensed figure, citing the allowance the authorization grants. Resolve on terms that fix the measurement basis and the burst treatment so the next audit starts from a settled boundary rather than relitigating peak against sustained.
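The sketch below is an added example, not part of the original page and not vendor tooling. It illustrates the averaging-window item in the list above and the "Reconstruct" step by setting a throughput record against several candidate measurement bases. The per-second counts, the 1,000 EPS licensed rate and the 1, 300 and 900 second windows are constructed assumptions; the real basis is whatever the authorization defines.

```python
# Constructed throughput record: one hour at 800 EPS with a single 30-second
# spike to 5,000 EPS. Values are illustrative, not from any real deployment.
LOAD = [800] * 1800 + [5000] * 30 + [800] * 1770
LICENSED_EPS = 1000  # hypothetical licensed rate; take the real one from the authorization


def max_window_avg(per_second, window_s):
    """Highest average EPS over any window_s-second sliding window."""
    if window_s <= 0 or window_s > len(per_second):
        raise ValueError("window must be between 1 and the record length")
    running = sum(per_second[:window_s])
    best = running
    for i in range(window_s, len(per_second)):
        # Slide the window one second: add the new sample, drop the oldest.
        running += per_second[i] - per_second[i - window_s]
        best = max(best, running)
    return best / window_s


def longest_run_above(per_second, limit):
    """Longest consecutive stretch, in seconds, above limit (burst duration)."""
    longest = current = 0
    for count in per_second:
        current = current + 1 if count > limit else 0
        longest = max(longest, current)
    return longest


def spike_absorbed(per_second, window_s, licensed_eps):
    """True if no window of this length averages above the licensed rate."""
    return max_window_avg(per_second, window_s) <= licensed_eps


def profile(per_second, licensed_eps, windows=(1, 300, 900)):
    """Summarise the record: a window of 1 second is the instantaneous peak."""
    return {
        "overall_avg": sum(per_second) / len(per_second),
        "burst_seconds": longest_run_above(per_second, licensed_eps),
        "max_avg_by_window": {w: max_window_avg(per_second, w) for w in windows},
        "absorbed_by_window": {w: spike_absorbed(per_second, w, licensed_eps)
                               for w in windows},
    }


if __name__ == "__main__":
    print(profile(LOAD, LICENSED_EPS))
```

On this constructed record the same 30-second spike reads as 5,000 EPS on a peak basis, exceeds the assumed rate over a 300-second window, and is absorbed over a 900-second window, which is why the window length has to come from the authorization before the evidence is interpreted.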
A recent engagement
The anonymised banking matter recorded as E-03 saw an ArcSight EPS and connector finding of $6.0M settle at $1.8M, a 70 percent reduction. Splitting burst from sustained was central, and scoping the allowance, establishing what the authorization tolerated around peaks, gave the throughput evidence a contractual frame to sit in. The reduction came from reading the agreement and the load together, so the measured rate reflected the sustained load the license was sized against rather than its highest moment.
Read the allowance before conceding the peak
With burst allowances, more than with most aspects of an EPS matter, the finding depends on whether anyone reads what the authorization actually permits. A buyer that concedes a peak figure without checking the burst tolerance is giving up a contractual protection it already holds. The defensive discipline is to scope the allowance from the authorization first, to document the sustained load against it, and to hold the finding to the licensed rate. Most of the reduction available on a burst-driven EPS finding comes from establishing that the authorization recognised spikes for what they are, and that the sustained rate, not the peak, is the figure the license measures.
Related field notes
These notes from the ArcSight and Security audit defense cluster cover EPS, burst, and sustained measurement. Each links back to the complete OpenText audit defense playbook for 2026.
- ArcSight EPS burst versus sustained measurement
- documenting sustained EPS for an ArcSight rebuttal
- can OpenText measure peak EPS against your license
- what is ArcSight EPS and how is it measured
- defending ArcSight against an inflated EPS baseline
If an OpenText or Micro Focus audit notice has arrived, the first seven days matter more than any week that comes after. OpenText Audit Defense is an independent, buyer side practice founded in 2020 by former vendor compliance leadership. We have defended more than 200 audits, cut the average finding by 68 percent, and mitigated more than $90M in claims against vendor positions. We do not resell OpenText software and we are not affiliated with OpenText Corporation. To open a case, use the contact form on this site.