Here's What They Don't Want You to Know
The formal audit letter isn't the start of the audit—it's the end. By the time that letter arrives, the vendor has likely already collected all the evidence they need. And your team probably gave it to them willingly.
The "Friendly" Inquiry Is a Myth
It starts with a phone call. Maybe an email. A pleasant-sounding account manager "just checking in" to see how things are going. Perhaps they want to "help optimize" your environment before your renewal. Maybe they're "concerned" about a security patch and want to make sure you're protected.
This is not customer service. This is reconnaissance.
Every "helpful" question, every "routine" script they ask you to run, every "quick check" on your environment is designed to accomplish one thing: build a case file against you before you even know you're a target.
The Uncomfortable Truth
Most IT teams are helpful by nature. When a vendor asks for information, the instinct is to provide it. After all, you're partners, right? Wrong. In the context of license compliance, every piece of information you share without legal oversight is potential ammunition. The vendor's "customer success" team and their audit team share the same database.
By the time you receive the formal audit notice, the investigation is largely complete. The notice isn't an opening move—it's checkmate. They already know what you have. They just need you to confirm it.
Your Internal Emails Are Their Best Evidence
This is the section that should terrify every IT manager, every SysAdmin, and every infrastructure engineer reading this article. If you remember nothing else, remember this:
When a vendor pursues a copyright infringement case—which, as we explained in our Broadcom vs. Siemens analysis, is now the preferred legal strategy—the case goes to US Federal Court. And in US Federal Court, there is a legal process called Discovery.
What is Discovery?
Discovery is the pre-trial phase where both parties can compel the other to produce documents, communications, and evidence relevant to the case. In a software copyright case, this means every internal email, every Slack message, every Teams chat, every ticketing system note that discusses your software compliance position is potentially subject to disclosure.
Unless—and this is critical—those communications are protected by Attorney-Client Privilege.
The Nightmare Scenario
To: sarah.chen@acmecorp.com (IT Director)
Subject: RE: Broadcom Script Request
Hey Sarah,
So Broadcom asked me to run that RVTools script they sent over. I ran it and... we have a problem. It looks like we're about 500 cores over our licensed limit. I think this happened when we spun up those extra hosts for the DR project last quarter.
What do I do? Should I send them the output?
- Mike
THE CONSEQUENCE: This email is now Exhibit A in Broadcom's federal lawsuit. Mike has admitted to knowing about the over-deployment. He's documented that it happened when they "spun up extra hosts." And by saying "What do I do?"—he's demonstrated that leadership was informed and failed to remediate. This transforms a compliance gap into evidence of Willful Infringement—which dramatically increases damages and eliminates most defenses.
Why This Happens
IT professionals are problem-solvers. When they discover an issue, their instinct is to document it, escalate it, and fix it. That's good engineering practice. But it's catastrophic legal practice.
Without Attorney Involvement
- ✗ All emails are discoverable
- ✗ Slack/Teams messages are discoverable
- ✗ Internal tickets are discoverable
- ✗ Meeting notes are discoverable
- ✗ Admissions become evidence of willful infringement
With Attorney-Client Privilege
- ✓ Legal communications are protected
- ✓ Assessment findings are privileged
- ✓ Remediation discussions are shielded
- ✓ Strategy conversations stay private
- ✓ Vendor cannot access your internal analysis
The Moment You Suspect a Problem:
1. STOP all internal written communication about the issue
2. CALL legal counsel immediately—preferably specialized IP counsel
3. CONDUCT any compliance assessment under attorney direction
4. THEN—and only then—discuss next steps
The Red Flag Audit Triggers
The following scenarios are not hypothetical. These are actual tactics we have observed vendors using to collect compliance information from unsuspecting IT teams. If you encounter any of these, stop immediately and engage legal counsel before responding.
The "Optimization" Call
What they say: "We'd love to help you optimize your license usage before your renewal. Let's schedule a call to review your environment."
Reality: This is a fishing expedition to find over-deployment. They're not trying to save you money—they're trying to find out how much you owe them.
The Script Request
What they say: "Could you run this script (RVTools, PowerCLI, etc.) and share the output? It's just to check compatibility with your current setup."
Reality: You are handing them a signed confession of your exact install base. Every host, every core, every socket—documented and timestamped by your own hand.
The New Host Count
What they say: A sudden, specific question about your "Total Virtualization Host Count" or "Core counts per processor" during a routine support ticket.
Reality: Support tickets are being used as intelligence gathering. That "routine" question is feeding directly into their audit database.
The "Cluster" Question
What they say: "Are you running vSAN or VMware Cloud Foundation (VCF) features, even in test environments?"
Reality: These features often require separate licensing. "Test environments" are not exempt. If you enabled these features—even briefly, even accidentally—you may owe substantial back-fees.
The Security Patch Check
What they say: After a major CVE is announced, they "helpfully" check to see if you've patched your systems.
Reality: If you applied security patches while your support contract was lapsed, you just admitted to accessing restricted software updates illegally. Patches are part of the support entitlement—no support, no patches, no legal access.
The Phantom Feature
What they say: "We noticed some telemetry suggesting you might be using NSX or Tanzu capabilities. Just wanted to check if you need any assistance."
Reality: They're probing for features you haven't officially purchased but might have enabled "by accident." A simple API call, a configuration toggle, a default setting you didn't turn off—any of these could trigger licensing obligations you didn't know existed.
The Pattern to Recognize
Every one of these tactics has the same structure: present a helpful face while extracting incriminating information. The vendor isn't your partner in these moments. They are a potential adversary building a case. Treat every request for technical information with the same caution you would treat a subpoena—because that's exactly what it might become.
Protect Yourself Now
Do not fight this alone. Your internal IT team—no matter how talented—is not equipped to navigate the legal complexities of software copyright defense. Your general counsel—no matter how experienced in corporate law—likely does not specialize in US Copyright software litigation.
This is a specialized field. The vendors know it. They have dedicated legal teams that do nothing but pursue license compliance cases. They know every trick, every precedent, every pressure point. You need someone on your side who knows them too.
What Costif.ai Offers
Reach out to Costif.ai immediately. We work with enterprises facing exactly this situation every day. We understand the technical landscape, the compliance complexities, and—critically—we know the legal landscape.
We know the specific, high-powered Copyright and Software Audit defense lawyers you need to protect yourself. These are the specialists who have won these cases, who understand the vendor playbooks, and who know how to protect your organization.
Our Commitment: We do not take referral fees. We do not receive commissions. We simply want to ensure you have the "Big Guns" on your side before you answer that email.
The worst time to find a lawyer is when you're already in the crosshairs. The best time is right now—before the next "friendly" email arrives, before the next "helpful" script request, before the next "routine" check-in.
Don't Become Their Next Target
The silent audit is happening right now—to companies just like yours. The question is whether you'll recognize it before it's too late. Contact Costif.ai today for a confidential consultation.
Disclaimer
Costif.AI is an IT cost optimization and asset management consultancy, not a law firm. The information provided in this article is for educational and strategic planning purposes only and does not constitute legal advice. Every audit situation is unique. We strongly recommend engaging qualified intellectual property counsel to review your specific circumstances before responding to any vendor audit claims.