ArcSight & Security · Track 03

Reducing an ArcSight finding with throughput evidence

The single most persuasive document in an ArcSight defense is your own throughput data. Reducing an ArcSight finding with throughput evidence means using sustained event flow records to replace the peak assumptions and registry counts that an audit relies on, and it is the evidence the buyer holds and the vendor does not.

An ArcSight finding is built on assumptions about how much the platform processes and how many components consume it. Those assumptions are drawn from configuration data and short measurement windows, and they tend toward the high end because the high end is what configuration and peaks produce. Throughput evidence is the corrective, because it shows what the platform actually sustains over time rather than what it touched at its busiest second or what it has registered over its life.

Why throughput evidence outweighs a vendor measurement

The compliance team measures with the access and the window it has. The buyer measures with the full operational history. Events per second, data volume over time, and connector activity all leave a continuous record in the buyer's own monitoring, and that record covers far more than any audit snapshot. When a finding asserts a peak EPS figure or a registry headcount, sustained throughput data from the buyer is the higher quality evidence, and a finding contradicted by the operator's own continuous record is hard to defend on the vendor side.

The mechanic

A finding sized on peak EPS or a configuration count assumes the worst moment is the normal one. Sustained throughput data shows the real operating level, and the gap between peak and sustained is frequently the gap between the finding and the settlement.

The throughput records that move a finding

How the evidence is assembled into a rebuttal

Throughput data on its own is not a defense. It becomes one when it is reconstructed into an effective license position and reconciled against the entitlement. The reconstruction takes the continuous records, separates sustained from burst, live from dead, and production from non-production, and produces a corrected measurement that maps to the metric the agreement defines. That corrected measurement is then priced against the entitlement, and the finding is rebutted line by line with the buyer's own data behind every adjustment.

Capture the evidence inside the notice window

OpenText gives seven days' notice before an audit. That window is when the throughput evidence should be secured, because it is the buyer's own data and the buyer controls when and how it enters the process. Taking over the channel, routing everything through a single point, and preparing the sustained records before any vendor script runs means the measurement on the table is the buyer's continuous record, not a vendor snapshot taken at a moment of the vendor's choosing.

A recent engagement

The banking matter recorded as case file E-03 is the clearest illustration. A combined EPS and connector finding of $6.0M settled at $1.8M, a 70 percent reduction, and throughput evidence was the engine of that result. Sustained EPS records separated burst from the real operating level on the volume side, and connector activity data separated live components from registered ones on the count side. Neither argument relied on assertion. Both rested on the operator's own continuous throughput record, which the finding had no comparable answer to.

The throughput record is the buyer advantage

Every ArcSight finding is, at bottom, a claim about how much the platform is used. The party that operates the platform holds the definitive record of that use, and the party that audits it does not. Reducing a finding is largely a matter of bringing that record to the table in a form the vendor cannot dismiss: continuous, attributed to environment, and reconciled against the entitlement. Done well, the throughput evidence does not argue the finding down, it replaces the finding's assumptions with measured fact.

Preserve the data before it ages out

Throughput evidence has a shelf life, and that is a practical risk buyers underestimate. Monitoring systems roll off detailed records on a retention schedule, and the granular event flow data that would defeat a peak assumption can be summarised or discarded before the audit reaches the measurement stage. The implication is that the seven-day notice window is not only when the channel is taken over, it is when the evidence is preserved. Capturing and exporting the sustained records at full granularity early protects the buyer from arriving at the rebuttal stage with only coarse summaries that no longer separate burst from sustained. Treating throughput data as a perishable asset to be secured immediately is part of responding well in the first week.

Match the evidence to the metric

Throughput data is only persuasive when it is expressed in the unit the agreement uses. A finding built on events per second is answered with sustained EPS, a finding built on data volume is answered with ingestion over time, and a finding built on connector counts is answered with per-connector activity. Producing the right metric matters because evidence in the wrong unit invites the vendor to dismiss it as irrelevant. The reconstruction therefore does two things at once: it measures actual consumption, and it expresses that consumption in the same dimension the finding uses, so the comparison is direct and the gap between the vendor assumption and the measured reality is impossible to talk around. That alignment is what makes throughput evidence decisive rather than merely suggestive. It is also why the reconstruction is built to mirror the finding line for line, so that for every figure the vendor asserts there is a measured counterpart in the same unit, and the discussion narrows to a direct comparison the buyer is positioned to win.
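The reconstruction described above (sustained versus burst, live versus registered, production versus non-production, then a line-by-line reconciliation in the agreement's units) as an added illustration; this is example code written for this page, not a tool from the practice or from OpenText. The connector registry, the hourly event counts, the entitlement figures, and the definitions of "sustained" (95th percentile of hourly EPS) and "live" (any events in the window) are all constructed assumptions; a real agreement supplies its own definitions.

```python
from datetime import datetime, timedelta

# Constructed registry: connector id -> environment. "c4" is registered but never sends.
REGISTRY = {"c1": "production", "c2": "production", "c3": "lab", "c4": "production"}

def build_sample(hours=24 * 7):
    """Constructed hourly event counts (ts, connector, events) for one week."""
    start, rows = datetime(2026, 1, 1), []
    for h in range(hours):
        ts = start + timedelta(hours=h)
        rows.append((ts, "c1", 400 * 3600))                 # steady 400 EPS
        burst = 2500 * 3600 if h == 100 else 0              # a single one-hour burst
        rows.append((ts, "c2", 300 * 3600 + burst))         # 300 EPS plus the burst
        rows.append((ts, "c3", 150 * 3600))                 # lab traffic, out of scope
    return rows

def reconstruct(rows, registry, env="production", pct=0.95):
    """Rebuild the license position from the continuous record.
    Assumed definitions: sustained EPS = pct-th percentile of hourly EPS,
    live connector = any events inside the window."""
    hourly, seen = {}, set()
    for ts, cid, events in rows:
        if registry.get(cid) != env:
            continue                        # non-production traffic is not in scope
        seen.add(cid)
        hourly[ts] = hourly.get(ts, 0) + events / 3600
    eps = sorted(hourly.values())
    registered = {c for c, e in registry.items() if e == env}
    return {
        "peak_eps": max(eps),                               # what a snapshot would show
        "sustained_eps": eps[int(pct * (len(eps) - 1))],    # what the platform sustains
        "registered": registered,
        "live": seen,
        "dead": registered - seen,                          # registered, never active
    }

def reconcile(position, entitlement, finding):
    """Line-by-line comparison, each metric in the unit the agreement uses."""
    measured = {"eps": position["sustained_eps"], "connectors": len(position["live"])}
    return {m: {"finding": finding[m], "measured": measured[m],
                "entitled": entitlement[m],
                "exposure": max(0, measured[m] - entitlement[m])}
            for m in entitlement}

if __name__ == "__main__":
    pos = reconstruct(build_sample(), REGISTRY)
    ent = {"eps": 1000, "connectors": 2}                                   # constructed entitlement
    fnd = {"eps": pos["peak_eps"], "connectors": len(pos["registered"])}   # peak and registry count
    for metric, line in reconcile(pos, ent, fnd).items():
        print(metric, line)
```

With the constructed data the audit-style figures (peak 3200 EPS, three registered connectors) overstate the position, while the sustained figure (700 EPS) and the two live connectors both sit inside the entitlement.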

Have throughput data and an ArcSight finding that ignores it?

We turn your sustained event flow records into a reconstructed license position and rebut the finding line by line. To get a defense team on the file, open a case or download the ArcSight EPS defense briefing.



If you have received an OpenText or Micro Focus audit notice, the first seven days shape every week that follows. OpenText Audit Defense is an independent, buyer side practice founded in 2020 by former vendor compliance leadership. We have defended more than 200 audits, cut the average finding by 68 percent, and mitigated more than $90M in claims against vendor positions. We do not resell OpenText software and we are not affiliated with OpenText Corporation. To open a case, use the contact form on this site.