Defining VMware's Cross-Portfolio Security Strategy
Carbon Black gave practitioners the best view of what was happening on the endpoint. It couldn't tell them anything else.
Background
Carbon Black Cloud was VMware's endpoint security platform. Its core differentiator was telemetry: while competitors only triggered recording when something looked suspicious, Carbon Black streamed continuous behavioral data from every endpoint, all the time. That meant security practitioners could reconstruct exactly what happened on a device long before any alert fired.
It was the best view of the endpoint in the market. The problem was that it was only a view of the endpoint.
The problem
If a process tree surfaced an outbound connection to a suspicious IP, the immediate question was: did any other machine in the environment talk to that IP? Answering it meant leaving Carbon Black, opening a network telemetry tool, and starting from scratch. Then doing it again for identity. Then cloud. A complete threat picture required pivoting across multiple tools, each with its own data model, none of them connected.
SIEM platforms like Splunk existed to bridge these sources, but they were reactive, couldn't normalize data properly, and buried teams in alerts. The single pane of glass had been promised for years and never delivered.
The market was starting to name the problem: XDR, extended detection and response. No one inside VMware had decided what their answer was.
How I approached it
VMware had something most security vendors didn't: a real cross-domain portfolio. NSX covered network telemetry. Workspace ONE held identity and device posture. AppDefense monitored workload behavior. Secure State tracked cloud misconfigurations. After joining under the VMware umbrella, I started building relationships across those product teams because the cross-portfolio story was the competitive advantage Carbon Black couldn't create alone.
When I got plugged into how other teams were thinking about XDR and saw that no one had a perspective yet, I knew it was time to create one. I took the initiative to frame the strategic question and drive it to resolution.
The bet
The central question: should VMware pursue Open XDR, where Carbon Black's data feeds into external platforms so practitioners can unify their preferred tools, or Native XDR, where VMware owns the telemetry, detection, and response across its own portfolio?
My manager and I evaluated this across multiple product dimensions. Customer reception: were customers willing to consolidate on VMware, or did they want best-in-class from multiple vendors? Portfolio readiness: just because products sit under one company doesn't mean they can talk to each other. Competing investments, misaligned data structures, and different technical languages all stood in the way. Market positioning: is it stronger to market interoperability or integrated impact? Pricing and packaging: could products be bundled in tiers, or did they need to remain standalone? Competitive landscape: CrowdStrike and Palo Alto were already staking XDR ground, though CrowdStrike was talking native while largely delivering marketing at the time.
We landed on Native XDR. The play: Carbon Black would lead the charge with a shared data model first, network as the first integration priority via NSX, detection logic built on top once the products could speak to each other, and response defined last. We roadshowed the perspective to executive leadership and the other product areas. The strategy got a thumbs up to move forward.
What changed
The work produced a unified vision and working relationships that cut across a heavy, post-acquisition org structure. Carbon Black had a platform narrative instead of a point product story. The roadmap had a shape that connected endpoint security to something much larger, and product teams that had previously operated in silos had a shared frame for where they were headed together.
Strategy alignment is not the same as shipping. The products were in a tumultuous period with competing priorities and post-acquisition identity questions. After my departure in late 2021, VMware was acquired by Broadcom, who flagged Carbon Black as non-core within weeks of closing. The strategy was sound. The conditions around it were not. Those were the opportunities on the table when I left.
What I'd do differently
I would have pushed to get two products actually communicating before the strategy went wide, even a rough proof of concept of Carbon Black and NSX sharing one data model. The roadshow built alignment, but a working demo would have made the vision tangible in a way that slides never can. Executive buy-in that's grounded in a demo is harder to walk back than buy-in grounded in a deck.