Track 03 · ArcSight & Security

ArcSight SIEM and security audit defense.

We defend ArcSight, Voltage, NetIQ and Sentinel estates against OpenText compliance findings. The opening number prices peak throughput as if it were sustained, counts every connector, and treats lab traffic as production. Each assumption falls apart on the data.

The Trap

What OpenText measures, and where the ArcSight finding inflates.

ArcSight, Voltage, NetIQ and Sentinel arrived at OpenText through the Micro Focus acquisition and are governed by the Micro Focus Additional License Authorizations. ArcSight in particular is licensed on throughput, and a SIEM finding lives or dies on how that throughput is measured. The vendor opens by reading the highest number it can find and pricing the gap to your entitlement at list, with back maintenance and audit costs stacked on top.

The central overclaim is burst versus sustained events per second. A security platform is built to absorb spikes, and a brief burst of EPS during an incident or a noisy source is not the same as the sustained rate the license is meant to cover. A finding that prices the peak as if it were continuous inflates the number dramatically. Alongside EPS, ArcSight findings overreach on:

  • Data volume, where gigabytes per day are measured at a high water mark rather than a representative sustained level.
  • Connector and collector counts, including decommissioned SmartConnectors still listed in the configuration.
  • Identity user definitions across NetIQ and identity views, where access lists are read as licensed consumers.
  • Non production and lab data, test sources and proof of concept environments counted against production entitlement.

Voltage adds token and key management metrics, and Sentinel adds its own event and volume questions, each of which can be overstated in an opening position. The defense rests on the telemetry: throughput, retention, and connector evidence that show what the platform actually sustained, not what it momentarily touched.

How We Defend It

The four Rs, applied to ArcSight and security.

Respond

We take over within the seven day notice window, agree an NDA, and route every request for ArcSight throughput and connector data through a single controlled channel.

0 to 7 days

Reconstruct

We rebuild the effective position against the Additional License Authorizations, mapping EPS, data volume, and connector entitlements before any vendor measurement runs.

3 to 8 weeks

Rebut

We split burst from sustained EPS with throughput evidence, strip decommissioned connectors and lab data, and challenge identity user definitions line by line.

4 to 12 weeks

Resolve

We settle on the buyer's terms and, where it serves you, convert forward into a clean OpenPass agreement with defined throughput metrics and audit protections.

4 to 10 weeks

The decisive material is the throughput record. Sustained EPS over a representative window, retention figures, and the live connector inventory show what the platform actually carried, and that is the only basis a defensible finding can stand on. The full sequence is set out in the four Rs and in the complete OpenText audit defense playbook.

A Reduction · Anonymised

An ArcSight EPS and connector finding, taken down 70 percent.

E-03 · Banking · ArcSight SIEM EPS and connector audit
−70%
Finding: $6.0M
Settled: $1.8M

A bank received an ArcSight finding priced at $6.0M, built on a peak EPS reading and a connector count that included decommissioned SmartConnectors. After we split burst from sustained throughput with the telemetry and reconciled the live connector inventory, the defensible figure settled at $1.8M, a reduction of 70 percent. The outcome sits within the firm average of 68 percent across more than 200 defended OpenText and Micro Focus audits.

Related Field Notes

Reading on ArcSight audit defense.

The matching gated briefing is the ArcSight EPS audit defense paper. For the cross cutting mechanics, start with how to respond to an OpenText seven day audit notice.

Under an ArcSight EPS finding? Open a case.

We take over within the seven day notice window. Buyer side only. Founded in 2020 by former vendor compliance leadership. Not affiliated with OpenText Corporation.