Symantec licensing in 2026: what each SKU includes (and what it does not)

Broadcom Symantec licensing is a topic vendors prefer not to publish in detail. SKU names change, bundles shift, regional pricing varies. What follows is a buyer-side guide based on what we see in scoping engagements: what each major SKU typically includes in 2026, what gotchas to watch for, and how to validate entitlements before signature. This is general guidance - your reseller's quote is the authoritative source for pricing and your contract is the authoritative source for entitlements.

For context on what each product does, see the per-product pages: Endpoint Security, DLP, Cloud SWG, CloudSOC CASB, ZTNA, Email Security.

Symantec Endpoint Security (SES) - three SKUs in market

Symantec Endpoint Protection (SEP) Standard / Enterprise / Premium are the historical product names; some legacy customers still hold these on enterprise agreements. New customers don't buy these - they buy SES.

SES Standard includes: anti-malware, anti-exploit, basic firewall, basic device control, on-prem or cloud-managed. Does NOT include EDR.

SES Complete includes everything in Standard plus: EDR with retention and threat hunting, attack surface reduction, application isolation, mobile threat defense, network threat protection (IPS), advanced device control. Cloud-managed; cannot be deployed on-prem only.

SES Enterprise typically equals Complete plus extended support tier and specific enterprise features. Confirm with reseller.

Symantec DLP - modular by detection scope

DLP licensing is typically per-user with breakpoints by scope:

• Network DLP - network monitor (passive) and/or network prevent (active blocking) for outbound web, email, FTP. Per-user.
• Endpoint DLP - agent on every protected endpoint. Per-endpoint, often per-user with endpoint count factored.
• Storage DLP - discovery scanning for file shares, SharePoint, repositories. Per-TB or per-scope license.
• Cloud DLP - via CloudSOC integration, scanning SaaS data. Often bundled with CASB.
• Email DLP - outbound mail scanning, typically via Email Security.cloud or third-party MTA integration. Per-user.

EDM and IDM fingerprinting are included in standard DLP entitlement - no extra cost. The cost is engineering time to implement them properly. See our EDM/IDM deep-dive for what that involves.

Cloud SWG (WSS) - bandwidth or user based

Two common pricing models:

• Per-user - flat-rate per protected user, typically the simpler model for office workers. Includes unlimited bandwidth per user within reasonable limits.
• Bandwidth-based - pricing tiered by aggregate throughput. Less common in 2026; some enterprise data center forwarding arrangements still use this.

What's included in Cloud SWG entitlement varies by SKU:

• URL filtering and category controls: standard.
• SSL inspection: standard.
• Real-time malware analysis (CAS): standard.
• Sandboxing (deep file analysis): may be add-on or premium tier.
• Content Disarm and Reconstruction (CDR): often add-on.
• Roaming user coverage (WSS Agent): often included; verify.
• CASB inline integration: requires CloudSOC SKU.

CloudSOC CASB - discovery vs. enforcement tiers

CASB pricing is per-user and tiered:

• Discovery only - analyze firewall / SWG logs for shadow IT visibility. Cheaper; useful for assessment but not enforcement.
• Standard - discovery + inline enforcement via Cloud SWG + API connectors for top SaaS apps (M365, Google Workspace).
• Advanced / Enterprise - full UEBA, broader SaaS coverage, advanced cloud DLP integration, custom app connectors.

The most common gotcha: API connector count limits. Some SKUs limit how many SaaS apps you can connect via API (often 5 or 10). If your environment uses 30+ SaaS apps you want CASB-protected, validate the count limit during procurement.

ZTNA - per-user, with connector volume

ZTNA is per-user subscription. Common entitlements:

• Unlimited internal apps protected.
• Connector VMs for inbound proxying - typically unlimited for managed customers.
• Agent and clientless access modes both included.
• RDP / SSH / database support: standard, but sometimes per-protocol enabled.
• Session recording and audit logs: usually included; confirm retention period.

For organizations with many third-party / contractor users, ask about contractor / partner tier - some SKUs allow lower-cost per-user pricing for occasional external users.

Email Security.cloud - per-user, per-mailbox

Email Security pricing is per-mailbox or per-user (depending on contract structure). Standard tiers:

• Standard - anti-spam, AV, basic anti-phishing, URL filtering. Sufficient for most baseline needs.
• Advanced - adds attachment sandboxing, BEC / impersonation detection, URL click-time inspection, DMARC analytics. Recommended for any organization where email is a primary attack surface.
• Premium / Enterprise - adds outbound DLP integration with Symantec DLP, email continuity (mail queuing during MX outage), advanced encryption integration.

Most enterprises end up at Advanced or above. The Standard tier is too thin for organizations targeted by sophisticated phishing.

Bundle math - when bundling saves money

Broadcom offers several enterprise bundles that combine multiple products at a per-user price below the sum of standalone licenses. Common bundles:

• Endpoint Bundle - SES Complete + Endpoint DLP. Common when you want endpoint coverage across prevention and data protection.
• SSE Bundle - Cloud SWG + CloudSOC + ZTNA. Standard SSE positioning.
• Symantec Enterprise Cloud - Full stack across endpoint, network, email, cloud, ZTNA. For organizations standardizing on Symantec.

Bundle pricing is negotiated case-by-case based on user count, term length, and competitive context. As a rough heuristic, bundles save 15-35% versus sum of standalone for the same coverage.

Entitlement validation - what to ask before signing

Before contract signature, get explicit answers in writing:

1. Which SKUs are covered? Use full SKU names, not marketing names.
2. What modules / capabilities are included in each SKU?
3. What add-ons are separate? (Sandboxing, CDR, certain detection engines, premium support.)
4. How many users / mailboxes / endpoints / TBs are entitled?
5. What are the API connector limits (CASB)?
6. What is the support tier? Named contacts? SLA?
7. How is data residency handled? (Tenant region matters for compliance.)
8. What's the renewal model? Auto-renew? Co-term with other Broadcom products?

This is the "entitlement letter" - request it from your reseller. Compare it against your actual scope of work. Mismatches are easier to fix before signature than after.

Common procurement pitfalls

Buying coverage you don't deploy. Many enterprises buy SES Complete for all endpoints but only enable EDR on a subset because they lack operational capacity. The license is paid; the value is partial. Match procurement to deployment readiness.

Underbuying CASB. 5-connector CASB SKUs are tempting for cost but limit you to a small SaaS app surface. Verify your SaaS portfolio size before SKU selection.

Missing the EDR upgrade. Customers with SEP / SES Standard who want EDR need to upgrade to SES Complete. Often discovered during deployment, after procurement. Front-load this conversation.

Forgetting maintenance and support. Standard Maintenance is the baseline; Enterprise Support is faster and named. For mission-critical deployments, validate support tier matches your RTO requirements.

Wrong tenant region. For data-residency compliance, the tenant region matters. Confirm at provisioning, not after.

What this looks like with CyberKIS

CyberKIS focuses on technical implementation, not licensing - but we sit on the customer side of every procurement conversation we're part of, helping validate entitlements against deployment scope. If you're heading into Broadcom Symantec procurement and want a technical second opinion on what you're actually buying, talk to a CyberKIS engineer. For product specifics, see our Symantec services hub or the individual product pages linked above.