Series D Cloud-Native Tech: Surprise Oracle Java Exposure Defended

Cloud-First Startup: $1.84M Java Quote Reduced to a $144K Bridge

A Series D AWS-native technology company received an Oracle Java SE Universal Subscription quote for $1.84M. Engineering leadership had no record of approving Oracle Java. Forensic deployment audit and Corretto/Temurin migration closed the exposure.

$1.7M Java SE exposure removed via forensic deployment audit and OpenJDK migration
Industry: Cloud-Native Tech (Series D)
Java Footprint: 11 containers, 3 toolchains, AWS
Verified Outcome: $1.7M
Engagement: 9 weeks

The Situation: A Cloud-Native Company With an Oracle Bill It Did Not Plan For

A Series D cloud-first technology company — fewer than 600 employees, an entirely AWS-resident architecture, no on-premises infrastructure of any kind — received an Oracle Java SE Universal Subscription quote for $1.84M. The company's CFO assumed the rep had the wrong customer. They did not. A forensic audit found Oracle Java distributions running in 11 production AWS container images, two CI pipelines, three internal developer toolchains, and one customer-facing analytics product. None of the engineering leadership had approved deploying Oracle Java; most of them had assumed the company was running OpenJDK across the board. This was the kind of surprise Oracle Java exposure that Oracle's Java SE audit team has spent the last three years systematically surfacing inside cloud-native, AWS-resident companies.

The exposure profile mattered as much as the size of the bill. Oracle's argument, when it eventually surfaced, was that the company had downloaded Oracle JDK binaries from oracle.com after April 2019, the date when Oracle's licensing terms changed from the BCL to the OTN agreement, requiring a paid commercial subscription for production use. The forensic record showed exactly that: 47 download events reaching oracle.com IP addresses, attributed to engineering and DevOps machines. Oracle's account team had been quietly building this evidence pack for nine months before the quote landed. The compliance gap was real. The Employee Metric count Oracle was using was not.

Why Cloud-First Companies Are the Highest-Risk Java SE Audit Target

Oracle's Java SE Universal Subscription, priced on the Employee Metric, is structured to make Java exposure look unavoidable: every employee counts, regardless of whether they ever touch Java. The Oracle audit playbook for cloud-first companies is therefore optimised: identify any Oracle JDK download evidence, multiply by total Employee count, present the resulting number as a back-licence claim. We have run defence engagements against this exact playbook in every quarter since the Employee Metric was introduced. The defendable position is the one that breaks the Employee Metric down to the people who actually run Java, documents the alternative JDK substitution path, and challenges Oracle's evidence on the download record itself. That is what we built here, in nine weeks, before the company's board review window closed.

Our Approach: Five Workstreams, Nine Weeks, Zero Litigation

  1. Forensic Java Distribution Inventory

    Across all 11 container images, two CI pipelines, three toolchains and the analytics product, we documented which Java distribution was actually running: Oracle JDK, OpenJDK build, Amazon Corretto, or Eclipse Temurin. Of the 24 production Java workloads, only 6 were running Oracle JDK. The rest were already on OpenJDK or Corretto. Oracle's bill assumed all 24 were Oracle. That single finding cut the defendable exposure by 75% before any other lever was pulled.

  2. Oracle Download Evidence Challenge

    The 47 oracle.com download events were forensically verified. Twenty-two were for the Oracle JDK installer used on developer machines for IDE configuration — never deployed to production. Fourteen were Oracle SQL Developer downloads, which carry a separate licensing position. Eleven were Oracle Java SE downloads attributable to production. We challenged Oracle's evidence pack on the 36 non-production events, with documented forensic timestamps and machine-image attestations.

  3. Java SE Migration Plan — Corretto and Temurin

    The six remaining Oracle JDK production workloads were migrated to Amazon Corretto and Eclipse Temurin under a 21-day technical migration, with regression testing run inside the company's existing CI. Two workloads went to Corretto for AWS-native security update alignment; four went to Temurin for the broader ecosystem fit. By the time we returned to Oracle's negotiation table, the company had zero Oracle Java production deployments.

  4. Employee Metric Right-Sizing for a Bridge Subscription

    For the historical exposure window, we negotiated a 12-month bridge Java SE Universal Subscription on a defensible Employee Metric. Oracle's opening number was 600. The defendable count, once contractors, board members and non-Java users were excluded, was 84. The bridge subscription covered the historical Oracle JDK use during migration and lapsed at the end of year one — by which point all Oracle Java was out of production.

  5. Contractual Audit Moratorium

    The bridge subscription terms included a 24-month audit moratorium covering the historical period and the migration window. This protected the company from Oracle re-opening the same compliance gap once the migration was complete, and it allowed engineering to move at its own pace on residual cleanup without Oracle's account team hovering.


The Results

  • $1.84M → $144K: Oracle Java SE Universal Subscription quote reduced to bridge subscription
  • 86%: Reduction in Oracle's claimed Employee Metric count
  • 21 days: Java SE to Corretto / Temurin technical migration
  • 24 months: Audit moratorium written into the bridge subscription

By month three the company had moved every production workload off Oracle Java and onto Amazon Corretto or Eclipse Temurin. The bridge subscription closed at the end of its 12-month term and was not renewed. Oracle's account team made the predictable attempt to convert the bridge into a multi-year Employee Metric subscription; the audit-moratorium clause and the forensic deployment record protected the company through that conversation. Total run-rate Oracle Java spend the following fiscal year: zero.

"We are a cloud-native company. We never imagined we had an Oracle problem. The forensic walkthrough was eye-opening — and the negotiation strategy turned a near-$2M Oracle bill into a defendable, short bridge that closed itself. We are now genuinely Oracle-free and we have the paper trail to prove it."
— CTO, Series D Cloud-Native Technology Company

Key Takeaways for Cloud-First and AWS-Resident Companies

What Every Cloud-Native Company Should Do With Java

  • Run a Java distribution inventory before Oracle does. Container images, CI pipelines, developer machines, and customer-facing products all need to be checked individually — not assumed.
  • Treat the Oracle JDK download record as the starting point of any Java SE audit defence. Forensic timestamps and machine-image attestations almost always cut the defendable exposure by half.
  • Amazon Corretto and Eclipse Temurin are production-grade, drop-in OpenJDK distributions. Migration is typically a 14–28 day exercise with regression testing — far cheaper than a multi-year Employee Metric subscription.
  • The Employee Metric is not the count Oracle puts on the quote. Push back, with evidence, before accepting any Java SE Universal Subscription proposal.
  • Negotiate a bridge subscription, not a full subscription. A 12-month bridge with an audit moratorium covers the historical exposure and lets the company exit Oracle Java cleanly — Oracle will sign it if pressed.
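
The distribution inventory described in workstream 1 and in the first takeaway above can be started from the `release` file that ships in each JDK home directory. The following is an added example, not code from the engagement: the image names and file contents are constructed, and the IMPLEMENTOR strings in the mapping are assumed values that should be verified against your own images.

```python
import re

# Assumed mapping from the IMPLEMENTOR field of $JAVA_HOME/release to a
# distribution label. Verify these strings against your own images.
VENDOR_LABELS = {
    "Amazon.com Inc.": "Amazon Corretto",
    "Eclipse Adoptium": "Eclipse Temurin",
    # Oracle JDK and Oracle's own OpenJDK builds can both report this vendor,
    # so the result is a prompt for manual review, not a licensing verdict.
    "Oracle Corporation": "REVIEW: Oracle-built (Oracle JDK or Oracle OpenJDK build)",
}

def parse_release(text):
    """Parse KEY="value" lines of a JDK release file into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Z_]+)\s*=\s*"?(.*?)"?\s*$', line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def classify(release_text):
    """Return (label, java_version) for one release file's contents."""
    fields = parse_release(release_text or "")
    vendor = fields.get("IMPLEMENTOR")
    version = fields.get("JAVA_VERSION", "unknown")
    if vendor is None:
        # Some builds (older JDK 8, for example) may have no IMPLEMENTOR line.
        return ("UNKNOWN: no IMPLEMENTOR field, inspect manually", version)
    return (VENDOR_LABELS.get(vendor, f"OTHER: {vendor}"), version)

def inventory(images):
    """Map image name -> classification; list images needing follow-up."""
    report = {name: classify(text) for name, text in images.items()}
    follow_up = sorted(n for n, (label, _) in report.items()
                       if label.startswith(("REVIEW", "UNKNOWN", "OTHER")))
    return report, follow_up

# Constructed sample data: image names and release contents are invented.
SAMPLE_IMAGES = {
    "api-gateway": 'IMPLEMENTOR="Amazon.com Inc."\nJAVA_VERSION="17.0.9"\n',
    "billing": 'IMPLEMENTOR="Eclipse Adoptium"\nJAVA_VERSION="21.0.1"\n',
    "analytics": 'IMPLEMENTOR="Oracle Corporation"\nJAVA_VERSION="11.0.20"\n',
    "legacy-batch": 'JAVA_VERSION="1.8.0_202"\nOS_NAME="Linux"\n',
}

if __name__ == "__main__":
    report, follow_up = inventory(SAMPLE_IMAGES)
    for name, (label, version) in sorted(report.items()):
        print(f"{name:14} {version:12} {label}")
    print("needs follow-up:", ", ".join(follow_up))
```

An "Oracle Corporation" result should be confirmed from the `java -version` banner of the same image, which distinguishes "Java(TM) SE Runtime Environment" from "OpenJDK Runtime Environment".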