We defend Fortify SCA, WebInspect, Fortify on Demand and developer seat estates against OpenText compliance findings. The opening number counts everyone with repository access as a licensed seat. The defensible count is far smaller, and we prove it with commit and scan evidence.
Fortify came to OpenText through the Micro Focus acquisition, and most Fortify products are governed by the Micro Focus Additional License Authorizations rather than the OpenText ECM EULA. Those authorizations define the developer seat, the scan model, and the rights that attach to each, and that definition is where a Fortify finding is won or lost. The vendor opens by counting heads against the licensed seat metric and pricing the difference at list, plus back maintenance and the cost of the audit.
The central overclaim is the gap between repository access and actual scan submission. A Fortify developer seat is meant to capture the engineers who submit static or dynamic scans, not every account that can read a source repository or open a result in Software Security Center. In a modern pipeline the population that touches code dwarfs the population that actually runs Fortify. The finding inflates where it sweeps in:
WebInspect and Fortify on Demand add their own metric questions around scan counts, assessment units, and connectivity, each of which can be overstated in an opening position. The defense begins by refusing to accept access as a proxy for use, and by holding the vendor to the seat definition written in the authorization.
We take over within the seven day notice window, agree an NDA, and channel every request for Fortify usage data through one controlled point of contact.
We rebuild the effective Fortify position against the Additional License Authorizations, mapping seats, scan models, and perpetual versus term rights before any vendor measurement runs.
We map actual scan submitters from commit and scan evidence, strip out repository readers, CI service accounts, and non production scanning, and challenge the seat baseline line by line.
We settle on the buyer's terms and, where useful, convert forward into a clean OpenPass agreement with a defined Fortify seat metric and audit protections.
The decisive evidence is the scan record. Commit history, scan submission logs, and Software Security Center activity show who actually used Fortify, and that population is the only one a seat finding can defensibly rest on. The full method is set out in the four Rs, and the wider context in the complete OpenText audit defense playbook.
A technology company received a Fortify finding priced at $4.5M, built on a developer seat count that equated repository access with licensed use. After we mapped the actual scan submitters from commit and scan evidence and removed readers, pipeline service accounts, and non production scanning, the defensible figure settled at $0.9M, a reduction of 80 percent. The outcome sits above the firm average of 68 percent across more than 200 defended audits.
The matching gated briefing is the Fortify seat counting defense paper. For the cross cutting mechanics, start with how to respond to an OpenText seven day audit notice.
Fortify usually sits in the same DevOps estate, where named versus concurrent counting raises the same questions.
Track 05: Fortify is governed by the Additional License Authorizations, which set the seat definition the finding must respect.
Track 08: A converted agreement turns a defended Fortify finding into clean forward terms.
We take over within the seven day notice window. Buyer side only. Founded in 2020 by former vendor compliance leadership. Not affiliated with OpenText Corporation.