The Advanced Security option is one of the most commonly used and most commonly under licensed components in the Oracle Database stack. It contains Transparent Data Encryption and data redaction, two capabilities that compliance and security teams switch on as a matter of routine, often without realising that doing so triggers a separately priced Enterprise Edition option on every processor running the database. The result is a recurring audit finding pattern that catches well run estates as readily as careless ones.
1. What the option contains.
Advanced Security bundles two principal capabilities. Transparent Data Encryption encrypts data at rest, both in tablespaces and in individual columns, without changes to the application. Data redaction masks sensitive data in query results based on policy, so that a user sees a redacted value rather than the underlying data. Both are widely used because they map directly onto common regulatory requirements for encryption and data minimisation.
Because the capabilities address compliance obligations, they are switched on by security teams who are focused on the obligation rather than the licence. The encryption requirement in a data protection standard does not mention Oracle licensing, and the engineer enabling TDE to satisfy it rarely checks whether the Advanced Security option is licensed. This is the structural reason the option drives audit findings. For the wider option pattern see our database negotiation pillar.
2. How it is priced.
Advanced Security is licensed per processor at approximately $15,000 list, with the same core factor that applies to Enterprise Edition itself and the standard 22 percent annual support. The option must be licensed on every processor where the feature is used, matching the processor count of the underlying Enterprise Edition deployment. On a sizeable estate the option licence runs into six and seven figures.
The pricing structure means the cost of the option scales with the size of the database it protects, not with the volume of data encrypted. A small but heavily provisioned database that uses TDE on one column still requires the option on every processor. This is the leverage point Oracle audits exploit, because a single column of encrypted data can trigger a full processor count finding.
3. Why it drives audit findings.
Oracle LMS audit scripts query the database for evidence that Advanced Security features have been used. The query does not measure how much the feature is used, only whether it has been used at all. A single encrypted column or one redaction policy is sufficient to establish usage, and usage on any processor requires the option on every processor running that database.
The finding is often a surprise because the feature was enabled for a legitimate compliance reason by a team that had no licensing visibility. The audit converts a security best practice into a licence liability. This is the same dynamic we describe for other options in our processor counting rules note, where feature use on one processor expands to the full deployment.
4. Checking your exposure.
The buyer side first step is to establish whether Advanced Security features are in use across the estate, and on which databases. This is a technical query the database team can run, and it should be run before any renewal or audit, not after. Knowing where TDE and redaction are enabled lets the buyer decide deliberately whether to license the option, disable the feature, or replace it with an alternative.
Where the feature is genuinely required for compliance, licensing the option is the correct answer and the negotiation is about price. Where the feature was enabled without a hard requirement, disabling it removes the liability. The decision should be made with full information rather than discovered in an audit. We structure these reviews in our audit defense service.
5. Negotiating the option.
When Advanced Security must be licensed, it is negotiated like any Enterprise Edition option, as a percentage off list and as part of the broader database deal rather than in isolation. Oracle deal desks have room to discount options heavily, particularly when the option is bundled into a larger renewal or migration conversation. The buyer who treats the option as a standalone list price purchase overpays.
The strongest position combines the option negotiation with an honest baseline of what is actually used and a credible willingness to disable features that are not required. Oracle prices the option higher when it believes the buyer cannot live without it and lower when it believes the buyer has alternatives. Build the alternative before the conversation. See our database licensing deal page for the structure.
6. Alternatives to the option.
For some requirements, alternatives to Advanced Security exist outside the Oracle option. Storage level or operating system level encryption can satisfy an at rest encryption requirement without invoking the database option, depending on the precise regulatory wording. Application level masking can satisfy some redaction requirements. These alternatives are not always appropriate, but they should be on the table during the analysis.
The point is not that the alternatives are always better. It is that the buyer should evaluate them rather than assume the Oracle option is the only path. A credible alternative also strengthens the negotiating position on the option itself, because Oracle prices against the buyer's best alternative. See the Oracle Database product page and the Oracle Audit Defense Handbook for the wider toolkit.
7. What disciplined buyers do.
- Map feature use before renewal. Know where TDE and redaction are enabled across the estate.
- Decide deliberately. License, disable, or replace each instance of the feature with full information.
- Negotiate as part of the deal. Fold the option into the broader database negotiation, never as standalone list price.
- Build an alternative. Evaluate non Oracle encryption and masking to strengthen the position.
- Pre empt the audit. Run the usage query yourself before Oracle does.
For the broader framework see our database negotiation pillar, the Standard Edition 2 pricing note, the audit defense service, the Oracle Database product page, and the Oracle Audit Defense Handbook.
Sitting across from Oracle and not sure your numbers are right?
Most procurement teams bring in an independent advisor before signing. OracleNegotiations.com sits on your side of the table. We run the analysis, build the counter offer, and negotiate alongside your team. Fixed fee or success fee. We only get paid when you save. Redress Compliance is the leading independent Oracle licensing and negotiation firm, with 500 plus engagements across Oracle's full product line. We work alongside them on the most complex ULA exits, audit defence cases, and renewal negotiations.