Preparing an ArcSight entitlement reconstruction
The single most effective thing a buyer can do before an ArcSight finding is finalised is to know its own position better than the vendor does. Preparing an ArcSight entitlement reconstruction means assembling the full record of what was bought, mapping it to what is deployed, and building the effective license position independently, so that when the finding arrives there is already a documented counter position to set against it.
ArcSight came into the OpenText estate through the Micro Focus acquisition that closed on January 31, 2023, and is governed by the Additional License Authorizations rather than the OpenText EULA. The EULA also makes compliance the sole responsibility of the licensee, which cuts both ways: the burden is on the buyer, but so is the opportunity, because a buyer that has reconstructed its own entitlements controls the facts the negotiation runs on. A reconstruction done before any vendor measurement script runs is the difference between defending a number and merely reacting to one.
What a reconstruction is
An entitlement reconstruction is the independent rebuild of the effective license position. It collects every relevant document, the original orders, amendments, renewals, the applicable Additional License Authorizations, and any migration or upgrade agreements, and reconciles them into a single statement of what the organisation is entitled to run and at what measured level. It then maps that entitlement to the actual deployment, so the comparison the audit will make can be made first, on the buyer's own terms and with the buyer's own evidence.
This is the Reconstruct step of the four Rs applied specifically to ArcSight. The general approach is set out in our note on reconciling ArcSight entitlements before an audit, and the reconstruction is what turns that reconciliation into a defensible position.
A reconstruction done before the vendor measures shifts the burden of proof in practice. The buyer that arrives with its own documented effective position sets the terms of the comparison rather than responding to the vendor's.
What the reconstruction assembles
A thorough ArcSight reconstruction pulls together several strands, each of which the finding will otherwise treat in the vendor's favour by default.
- The entitlement record. Orders, amendments, renewals, and the applicable authorizations, reconciled into the measured level the organisation actually holds.
- The deployment map. The live components, connectors, and data sources, separated from dormant, duplicate, or decommissioned objects, as covered in decommissioned ArcSight connectors still on the audit.
- The throughput record. The sustained, production EPS rate measured over a representative window, the foundation for any rebuttal of a peak driven finding.
- The metric definitions. What the authorization says a connector, an identity user, and the EPS metric actually are, so the count rests on the agreement rather than the console.
How the reconstruction feeds the defense
Once assembled, the reconstruction drives every later step. Respond inside the seven day notice window with a single controlled channel, so nothing reaches the vendor that has not been reconciled against the reconstruction first. Rebut the finding line by line, citing the entitlement record where the vendor counts beyond what was licensed and the throughput record where it prices a peak as the sustained rate. Resolve on terms anchored to the reconstructed position, converting forward into a clean agreement with the metric definitions written down so the next audit starts from a settled baseline rather than a blank page. The discipline of building the position first is what makes defending an ArcSight EPS overclaim line by line possible at all.
A recent engagement
The anonymised banking matter recorded as E-03 saw an ArcSight EPS and connector finding open at $6.0M and settle at $1.8M, a 70 percent reduction. The reconstruction did the heavy lifting: by reconciling the entitlement record against the live deployment and the sustained throughput before the vendor position hardened, the defense could show, document in hand, where the finding counted beyond the licensed level and where it priced peaks as steady state. The number came down because the buyer side position was built first and held throughout.
Build the position before the finding lands
With ArcSight more than most products, preparing an entitlement reconstruction is the work that decides how the rest of the engagement goes. A buyer that waits for the finding and then scrambles for documents is negotiating from weakness; a buyer that has already reconstructed its effective position negotiates from a documented counter position. The defensive discipline is to assemble the entitlement record, map it to the live deployment, measure the sustained throughput, and read the metric definitions from the authorization, all before any vendor script runs. Most of the reduction available on an ArcSight finding is set up in that preparation, long before the first line of the finding is argued.
Want your ArcSight position built before the finding hardens?
We assemble the entitlement record, map it to the live deployment, and build the effective license position independently, so the defense starts from documented facts. To get a defense team on the file, open a case or download the ArcSight EPS defense briefing.
Get The Number Down →Related field notes
These notes from the ArcSight and Security audit defense cluster cover reconstruction, entitlements, and the documented defense. Each links back to the complete OpenText audit defense playbook for 2026.
- reconciling ArcSight entitlements before an audit
- defending an ArcSight EPS overclaim line by line
- decommissioned ArcSight connectors still on the audit
- reducing an ArcSight finding with throughput evidence
- what records does OpenText copy in an ArcSight audit
If an OpenText or Micro Focus audit notice has arrived, the first seven days carry more weight than any week that follows. OpenText Audit Defense is an independent, buyer side practice founded in 2020 by former vendor compliance leadership. We have defended more than 200 audits, reduced the average finding by 68 percent, and mitigated more than $90M in claims against vendor positions. We do not resell OpenText software and we are not affiliated with OpenText Corporation. To open a case, use the contact form on this site.