How are Top Secret and RACF licensed differently?

Broadcom (CA) Top Secret is a standalone external security manager licensed on MSU capacity, commonly negotiated as a named line item inside a Broadcom portfolio agreement and increasingly offered under Broadcom Mainframe Consumption Licensing (MCL). IBM RACF is delivered as the IBM Security Server component of z/OS, so its cost rides inside the z/OS MLC entitlement and is reported through SCRT sub-capacity rather than negotiated as a separate product. That structural difference, a discrete Broadcom line item versus a cost folded into the z/OS stack, is the core of the decision.

Why are buyers migrating from Top Secret to RACF?

The pattern we commonly observe is cost driven. Broadcom (CA) renewal uplifts of 30 to 80 percent on portfolio agreements push some estates to evaluate moving security into the IBM stack, where RACF is already entitled as part of z/OS. Migrations rose through 2024 and 2025 for exactly this reason. The trigger is rarely a feature gap, since all three z/OS external security managers are functionally close. It is the renewal number and the desire to remove a separate vendor line item.

Is a Top Secret to RACF migration worth it?

It depends on whether you treat it as a security program or a cost line. The external security manager mediates every access decision on z/OS, and the rules, exits, profiles, and operational procedures around Top Secret represent years of accumulated policy, so migration is a major staged project with real risk. It is justified where a wider consolidation into the IBM stack is happening anyway, or where the Broadcom renewal is untenable. For many estates the more reliable value is using the credible RACF alternative as leverage to discipline the Top Secret renewal rather than executing the move.

Top Secret vs RACF: The Migration Question

Top Secret vs RACF: the migration question.

Broadcom (CA) Top Secret and IBM RACF are two of the three external security managers for z/OS. Top Secret is a separate Broadcom line item priced on MSU. RACF rides inside the z/OS stack you already own. As Broadcom renewal uplifts climb, more buyers ask whether to migrate. The security manager is the deepest switch on the platform, so the answer turns on leverage and program risk, not the feature sheet.

If the only driver is the Broadcom (CA) renewal number, prepare the RACF migration as a credible, costed alternative and use it to discipline the Top Secret renewal before you commit to moving. Top Secret and RACF both secure z/OS to the same standard, and the external security manager mediates every access decision through rules and exits built up over years, so a migration is a staged security program with real operational risk, not a cost exercise. Migrate when consolidation into the IBM stack is happening anyway, when Broadcom support direction makes the incumbent untenable, or when a fully scoped RACF program clears its own risk bar. Otherwise the prize is usually a better deal on Top Secret, won because the RACF option is real and ready.

Top Secret vs RACF, the licensing and switching levers compared
Dimension	CA Top Secret	IBM RACF
Vendor	Broadcom (CA)	IBM
Delivery	Standalone external security manager	IBM Security Server component of z/OS
Licensing metric	MSU capacity	z/OS MLC, sub-capacity via SCRT
Contract vehicle	Broadcom portfolio agreement or MCL	Inside the z/OS stack entitlement (IPLA / MLC)
Negotiated as	Named Broadcom line item	Bound into the z/OS position
Renewal pattern	Uplifts of 30 to 80 percent commonly observed on uncapped portfolios	Moves with z/OS capacity and sub-capacity reporting
Migration direction	Source: rules, exits, and profiles to translate out	Target: RACF database, profiles, and exits to build
Switching cost	Very high either way; the security manager is the deepest dependency on z/OS

Top Secret vs RACF, the licensing and switching levers compared

Dimension

CA Top Secret

IBM RACF

Vendor

Broadcom (CA)

IBM

Delivery

Standalone external security manager

IBM Security Server component of z/OS

Licensing metric

MSU capacity

z/OS MLC, sub-capacity via SCRT

Contract vehicle

Broadcom portfolio agreement or MCL

Inside the z/OS stack entitlement (IPLA / MLC)

Negotiated as

Named Broadcom line item

Bound into the z/OS position

Renewal pattern

Uplifts of 30 to 80 percent commonly observed on uncapped portfolios

Moves with z/OS capacity and sub-capacity reporting

Migration direction

Source: rules, exits, and profiles to translate out

Target: RACF database, profiles, and exits to build

Switching cost

Very high either way; the security manager is the deepest dependency on z/OS

For most estates this is a renewal and leverage question first, and a migration question only when the program clears its own bar. Use it this way:

Stay on Top Secret and negotiate if

Years of rules, exits, automation, and audit posture are built on Top Secret, as they almost always are
A scoped and costed RACF migration plan gives you a credible lever you can put on the table
Right sizing the licensed MSU and choosing the Broadcom vehicle deliberately captures most of the available saving without the program risk

Genuinely plan the move to RACF if

You are consolidating security into the IBM stack and want it inside the z/OS entitlement you already pay for
The Broadcom (CA) renewal is untenable and a wider IBM negotiation lets the migration cost ride on a program already funded
A full migration plan, including profile translation, exit rework, parallel running, and cutover, clears your security risk governance on its own merits

Either way, treat the migration as a security program with its own risk governance, never as a line on a cost spreadsheet, and use the RACF option primarily to discipline the Top Secret renewal you actually face.

How do they license differently?Top Secret is a Broadcom line item on MSU capacity, often inside a portfolio or MCL deal. RACF rides inside the z/OS MLC entitlement via SCRT, with no separate product line.

Why are buyers migrating?Cost. Broadcom (CA) uplifts of 30 to 80 percent push some estates to move security into the IBM stack, where RACF is already entitled. Migrations rose through 2024 and 2025.

Is the migration worth it?Only as a strategy or consolidation play, never as a pure cost line. The security manager is the deepest dependency on z/OS, so plan it with full risk governance.

What is the first move?Scope and cost the RACF migration as a credible alternative, then use it to discipline the Top Secret renewal before deciding whether to execute.

The switch you can credibly make is the leverage. Build it, then decide.

Related comparison: ACF2 vs Top Secret vs RACF for the full three way view, and BMC vs Broadcom. Explainers: MSU explained and the MSU baseline. Hubs and commercial: the Broadcom (CA) buyer side guide, the IBM buyer side guide, and Broadcom (CA) license negotiation. If a renewal uplift is already on the table, see responding to a Broadcom renewal uplift.

Top Secret vs RACF: the migration question.

The verdict

Head to head

Who should pick which

Frequently asked

Top Secret renewal climbing? The RACF option is your leverage.