How is Broadcom (CA) Top Secret licensed?

Top Secret for z/OS is licensed on mainframe capacity. Historically that was a MIPS based entitlement set at contract signature; Broadcom has been moving the portfolio onto its Mainframe Consumption Licensing (MCL) model, which meters against MSU consumption. Either way the charge tracks the size of the environment it protects, not the number of users or rules, so a capacity figure that no longer matches the real estate is the central cost question.

Can you switch off Top Secret to save money?

Not quickly. Top Secret, CA ACF2, and IBM RACF are the three external security managers for z/OS, and they are interchangeable in function but not in deployment: migrating from one to another is a security project touching every protected resource, not a renewal tactic. A migration can be a credible long term alternative and even a negotiation backdrop, but it has to be real and resourced to carry weight, and the risk has to be managed carefully.

What moves the Top Secret renewal number?

Reconciling contracted capacity against the MSU the estate actually runs is the first move, because shops that shrank their footprint but kept the old MIPS or MSU commitment routinely overpay. Beyond that: challenging the uplift against the real consumption trend, scrutinizing how MCL would meter your environment before agreeing to a model change, and timing the negotiation so the vendor does not control the clock. A credible RACF or ACF2 migration path in the background strengthens every one of those.

Mainframe Licensing ExpertsIndependent Advisory

① Product · Broadcom (CA) Top Secret

Top Secret: security that is hard to remove and easy to uplift.

Q: Why is Top Secret a renewal uplift target?

Top Secret is an external security manager: it sits in the path of every access decision, which makes it operationally hard to remove and therefore a dependable place for a vendor to seek increases. Since the CA acquisition, Broadcom renewals have commonly carried large uplifts and multi year commitments, and a product this embedded gives the buyer less obvious walk away leverage. That is exactly why the leverage has to be built deliberately rather than assumed.

Broadcom (CA) Top Secret protects every access decision on the systems it guards, which makes it operationally sticky and a reliable target for renewal increases. It is licensed on capacity, and the gap between contracted capacity and the MSU you actually run is where the negotiation lives.

Get expert help → Broadcom buyer side guide

№ 01

What it is

Security managerz/OS

Broadcom (CA) Top Secret is an external security manager (ESM) for z/OS, one of the three that guard the platform alongside CA ACF2 and IBM RACF. It controls authentication and authorization for every protected resource: data sets, transactions, programs, and the access decisions that sit under regulated workloads in banking, insurance, and government. Because it stands in the path of all of that, it is among the least removable products on the mainframe, which shapes everything about how it is priced and renewed.

№ 02

How it is licensed

CapacityMIPS / MSUMCL

Top Secret is licensed on the capacity of the environment it protects, not on users or rules. Historically that was a MIPS based entitlement fixed at contract signature. Broadcom has been moving its CA mainframe portfolio onto Mainframe Consumption Licensing (MCL), which meters against MSU consumption rather than a static contracted figure. Both models track the size of the machine, so the controlling question at renewal is whether the capacity you are billed for still matches the estate you actually run, and how a move to MCL would meter your specific environment.

Top Secret licensing at a glance
Attribute	Detail
Product type	External security manager (ESM)
Metric	Mainframe capacity (MIPS, or MSU under MCL)
Legacy model	Contracted MIPS set at signature
Current direction	Mainframe Consumption Licensing (MCL), MSU metered
Removability	Very low; ESM migration is a security project

Confirm which model your contract sits under before renewal; MIPS and MCL meter differently and the transition itself is negotiable.

№ 03

Cost drivers

CapacityUplift

The base driver is contracted capacity. If the entitlement was set when the estate was larger and never adjusted, the bill carries capacity the business no longer uses. The second driver is the renewal uplift itself: since the CA acquisition, Broadcom renewals have commonly carried substantial increases and multi year commitments, and a product as embedded as Top Secret gives the vendor confidence to ask. The third is bundling. Top Secret often renews inside a portfolio agreement covering several CA products, where a single capacity figure and a single uplift can obscure what each component actually costs.

№ 04

Audit traps

Capacity driftNon-prod

Top Secret exposure is mostly about capacity reconciliation rather than feature sprawl. Common traps we see at pattern level:

Where exposure hides

Contracted MIPS or MSU set higher than the estate now runs, so the bill is anchored to a footprint that no longer exists
Capacity counted on LPARs or machines where Top Secret runs but was assumed to be out of scope
Disaster recovery and test environments carrying the ESM without a clear entitlement line
A move to MCL accepted without validating how consumption would be measured against your real peak profile
Portfolio bundling that hides whether Top Secret capacity is being counted once or twice across products

№ 05

Renewal levers

5 levers

Top Secret is sticky, so the leverage is built from data and timing rather than the threat of a quick exit. The five that pay:

Buyer side levers

Reconcile capacity: prove the MSU the estate actually runs against the contracted figure, and reset a commitment that was sized for a larger footprint
Challenge the uplift: test the proposed increase against the real consumption trend rather than accepting a percentage applied to last term
Scrutinize the model change: before agreeing to MCL, model how it would meter your specific peak profile, since the transition is itself negotiable
Unbundle the portfolio: insist on seeing what Top Secret costs inside a multi product agreement so the security line can be defended on its own
Build a credible alternative: a real, resourced RACF or ACF2 migration path in the background changes the tone of the conversation, even if you never execute it

№ 06

Alternatives, where credible

Reality check

The three external security managers, Top Secret, CA ACF2, and IBM RACF, are functionally interchangeable but not casually swapped. Migrating between them touches every protected resource, every rule set, and every integration, and it is a security program with real risk, measured in quarters not weeks. That said, it is the one genuine alternative, and a serious migration plan can be both a long term cost strategy and a negotiation backdrop. The discipline is to make the alternative real enough to matter: a costed, resourced path carries weight at the table, while a bluff does not.

№ 07

Frequently asked

FAQ

How is Top Secret licensed?On mainframe capacity, historically contracted MIPS, now moving onto MSU metered Mainframe Consumption Licensing. The charge tracks the size of the environment it protects, not users or rules.

Why the renewal uplifts?It is an embedded security manager that is hard to remove, so a vendor can seek increases with confidence. Broadcom renewals commonly carry large uplifts and multi year terms.

Can you replace it to save money?Only through a real ESM migration to RACF or ACF2, which is a security project, not a renewal tactic. It can be a credible long term alternative if properly resourced.

What moves the number?Reconciling contracted capacity to actual MSU, challenging the uplift against the consumption trend, scrutinizing an MCL transition, and timing the talks so the vendor does not control the clock.

Sticky does not mean unnegotiable.

Metric explainers: Broadcom Mainframe Consumption Licensing (MCL) and MIPS explained. Sibling products: Easytrieve licensing and CA Dispatch licensing. Hub and commercial: the Broadcom buyer side guide and Broadcom audit defense.

Audit notice or renewal under 18 months out? We mobilize within 48 hours.

They expect you to pay the uplift. We help you contest it.

Get expert help →