Fortify · Entitlement Reconciliation

Reconciling Fortify entitlements before an audit

The single most decisive move in a Fortify audit is taken before the vendor measures anything. The buyer who has already reconciled its own entitlements against its own usage walks into the audit with a defensible number in hand, rather than reacting to whatever total the vendor's measurement produces. Reconciling Fortify entitlements before an audit is the Reconstruct phase of the method applied to application security: build the effective license position independently, against entitlements and the Additional License Authorizations, before any vendor measurement script runs.

This article sets out what reconciliation involves, the records it draws on, and why doing it first changes the entire dynamic of the audit. It supports our Fortify and AppSec audit defense practice and links up to the complete OpenText audit defense playbook for 2026.

Why reconcile first

An audit measurement is not neutral; it reads the largest plausible number out of the available data, as we describe in how OpenText measures Fortify usage in an audit. A buyer who waits for that measurement and then disputes it is negotiating downward from an inflated anchor. A buyer who has reconciled first sets its own anchor: the effective license position, built from the entitlements and the actual usage records, expressed under the correct metric. The audit then becomes a comparison between two numbers, one of them defensible, rather than a single vendor figure the buyer must chip away at.

First principle

The position built first becomes the baseline. Reconcile before the vendor measures, and the audit compares two numbers rather than starting from the vendor's.

What the reconciliation establishes

A complete Fortify reconciliation answers three questions for every license line. First, what does the entitlement actually authorize, in product and in metric, including whether each license is named or concurrent, a distinction developed in Fortify named user versus concurrent user definitions. Second, what is the genuine usage under that metric: for Static Code Analyzer, the active code submitter population; for WebInspect, the operator and target count, kept separate as described in Fortify SCA versus WebInspect licensing compared. Third, where the two diverge, and by how much. The output is an effective license position that the buyer can defend line by line.

The records that feed it

Reconciliation is an evidentiary exercise, and it draws on records the buyer already holds:

Turning records into a position

With the records in hand, the buyer assembles the count under the correct metric, classifies and removes everything that is not a licensed consumer, and isolates non-production and decommissioned activity. The result is not a negotiating position but a measured one: a figure that reflects the entitlement and the usage, supported at every line by a record. From that baseline, any line-by-line rebuttal of the vendor's figure proceeds from strength, as described in defending a Fortify developer seat finding line by line.
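The procedure just described, and the engagement recounted under "A representative outcome" below, can be written down as a small reconciliation script. What follows is an added worked example, not code from the original page and not OpenText's or Fortify's own tooling. The account and submission records are constructed; the "human"/"service" and "prod"/"nonprod" tags, the 90-day activity window, the one-submission-per-day concurrency model and the five-seat entitlement are assumptions made for the walkthrough; and the exclusion rules are this example's reading of the article, not OpenText's licensing definitions. It contrasts the access-based figure a vendor measurement would read with the active-submitter figure under a named metric, and reports the concurrent peak alongside it so the same records can be read under either metric.

```python
"""Reconcile a Fortify SCA entitlement against scan-submission records.

Added example. Records, tags, window and entitlement are assumptions
made for illustration; the exclusion rules are not OpenText definitions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Account:
    user: str
    kind: str          # "human" or "service" (assumed classification)


@dataclass(frozen=True)
class Submission:
    user: str
    project: str
    environment: str   # "prod" or "nonprod" (assumed pipeline tag)
    submitted: date


# Constructed sample records; not real audit data.
ACCOUNTS = [
    Account("alice", "human"), Account("bob", "human"), Account("carol", "human"),
    Account("dave", "human"), Account("erin", "human"), Account("frank", "human"),
    Account("grace", "human"),                       # has access, never submitted
    Account("ci-jenkins", "service"), Account("sonar-bot", "service"),
]
RETIRED_PROJECTS = {"legacy-portal"}
SUBMISSIONS = [
    Submission("alice", "payments-api", "prod", date(2026, 1, 10)),
    Submission("alice", "payments-api", "prod", date(2026, 2, 14)),
    Submission("bob", "payments-api", "prod", date(2026, 1, 10)),
    Submission("carol", "mobile-app", "prod", date(2026, 3, 2)),
    Submission("bob", "mobile-app", "prod", date(2026, 3, 2)),
    Submission("dave", "payments-api", "prod", date(2025, 10, 5)),    # outside window
    Submission("erin", "mobile-app", "nonprod", date(2026, 2, 20)),   # non-production only
    Submission("frank", "legacy-portal", "prod", date(2026, 1, 15)),  # retired project
    Submission("ci-jenkins", "payments-api", "prod", date(2026, 3, 1)),
    Submission("ci-jenkins", "payments-api", "prod", date(2026, 3, 2)),
    Submission("sonar-bot", "mobile-app", "prod", date(2026, 3, 2)),
]
ENTITLED_NAMED_SEATS = 5   # assumed SCA named-user entitlement


def access_based_count(accounts):
    """What an access-based measurement reads: every account that can log in."""
    return len({a.user for a in accounts})


def licensable_submissions(submissions, accounts, retired, as_of, window_days):
    """Submissions that count under an active-submitter reading of the metric:
    a human, a live project, production, and inside the activity window."""
    service = {a.user for a in accounts if a.kind == "service"}
    cutoff = as_of - timedelta(days=window_days)
    return [s for s in submissions
            if s.user not in service
            and s.project not in retired
            and s.environment == "prod"
            and s.submitted > cutoff]


def classify_accounts(accounts, submissions, retired, as_of, window_days):
    """Place every account in exactly one bucket so each exclusion is auditable."""
    active = {s.user for s in
              licensable_submissions(submissions, accounts, retired, as_of, window_days)}
    by_user = defaultdict(list)
    for s in submissions:
        by_user[s.user].append(s)
    buckets = {}
    for a in accounts:
        subs = by_user[a.user]
        if a.kind == "service":
            buckets[a.user] = "service"
        elif a.user in active:
            buckets[a.user] = "active"
        elif subs and all(s.project in retired for s in subs):
            buckets[a.user] = "retired-project-only"
        elif subs and all(s.environment != "prod" for s in subs):
            buckets[a.user] = "nonprod-only"
        else:
            buckets[a.user] = "dormant"   # no licensable submission in the window
    return buckets


def concurrent_peak(submissions, accounts, retired, as_of, window_days):
    """Most distinct licensable submitters seen on any single day (assumed
    proxy for a concurrent-user reading of the same records)."""
    per_day = defaultdict(set)
    for s in licensable_submissions(submissions, accounts, retired, as_of, window_days):
        per_day[s.submitted].add(s.user)
    return max((len(users) for users in per_day.values()), default=0)


def reconcile(as_of=date(2026, 3, 31), window_days=90):
    """Effective license position: access-based figure beside the reconciled one."""
    buckets = classify_accounts(ACCOUNTS, SUBMISSIONS, RETIRED_PROJECTS, as_of, window_days)
    named_active = sum(1 for b in buckets.values() if b == "active")
    access = access_based_count(ACCOUNTS)
    return {
        "access_based_count": access,
        "named_active_submitters": named_active,
        "concurrent_peak": concurrent_peak(SUBMISSIONS, ACCOUNTS, RETIRED_PROJECTS,
                                           as_of, window_days),
        "entitled_named": ENTITLED_NAMED_SEATS,
        "shortfall_if_access_based": max(0, access - ENTITLED_NAMED_SEATS),
        "shortfall_reconciled": max(0, named_active - ENTITLED_NAMED_SEATS),
        "excluded": {u: b for u, b in buckets.items() if b != "active"},
    }


if __name__ == "__main__":
    for key, value in reconcile().items():
        print(f"{key}: {value}")
```

On the constructed records the access-based reading finds nine accounts against five seats, a four-seat shortfall; the reconciled reading finds three active submitters and no shortfall, with every excluded account carrying the bucket that justifies its exclusion. The `excluded` map is the part worth keeping: it is the line-by-line record the article says each figure must be supported by.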

A representative outcome

In a recent engagement, the buyer reconciled its Fortify entitlements before the vendor measurement began. By reading the entitlements to fix the metric, mapping scan submission history to the active developer population, and setting aside service accounts, dormant logins, and retired projects, the buyer established an effective license position well below what an access-based measurement would have produced. When the vendor figure arrived, it was met not with objection but with a documented counter-position, and the finding settled close to the buyer's reconciled number. The dynamic mirrored our E-02 case file, in which a Fortify developer seat overclaim of $4.5M settled at $0.9M, an 80 percent reduction.

The advantage of measuring first

The lesson is that reconciliation is leverage. The buyer who counts first, correctly, and with evidence, controls the baseline against which everything else is measured. The work is the same work the audit would force later, done earlier and on the buyer's terms. For the methodology in full, the matching white paper sets out the seat-counting approach end to end.

Reconcile your Fortify position before the vendor measures

We build the effective license position from your own entitlements and records, under the correct metric. Open a case to start the reconstruction.


For the seat-counting methodology in full, read the Fortify seat counting white paper.

If an OpenText or Micro Focus audit notice has reached your desk, the first seven days carry more weight than any week that follows. OpenText Audit Defense is an independent, buyer-side practice founded in 2020 by former vendor compliance leadership. We have defended more than 200 audits, brought the average finding down by 68 percent, and mitigated more than $90M in claims against vendor positions. We do not resell OpenText software and we are not affiliated with OpenText Corporation. To open a case, use the contact form on this site.