White Paper · Gated

ArcSight EPS, and the gap between burst and sustained.

ArcSight is licensed on throughput, and that makes the metric easy to inflate. An audit will reach for the highest observed events per second, treat a momentary burst as if it were the steady state, and add connector counts and lab data on top. The defensible figure is the sustained rate the platform actually carries, measured cleanly and separated from spikes. This paper sets out how to do that measurement and assemble the evidence behind it, the core of our ArcSight and security audit defense.

What is inside
  • How EPS is measured, and why peak burst is not the same as a sustained licensable rate
  • The way connector and SmartConnector counts are tallied, and where decommissioned ones linger
  • How data volume models in GB per day interact with the EPS position on the same estate
  • Which non production and lab event streams fall outside the production measurement
  • How to document sustained throughput from platform telemetry for a rebuttal
  • A method for splitting burst from steady state before any vendor measurement script runs

In a recent engagement (E-03) an ArcSight EPS and connector finding moved from $6.0M to $1.8M, a 70 percent reduction, after we split burst from sustained. For wider context, see burst versus sustained measurement and the complete audit defense playbook.
