In an Oracle Java audit, whoever holds the better data controls the conversation, and the most valuable move you can make is to know exactly where Oracle Java runs before an LMS letter arrives. This is a buyer side guide to running that discovery on your own terms in 2026.
Discovery is the foundation of every Java defense, not a chore you run after the audit opens. Sweep your whole estate, separate true Oracle Java from the free distributions, and reconcile against your entitlements, so you arrive at any audit negotiating from data rather than reacting to Oracle's framing.
In an Oracle Java audit, whoever holds the better data controls the conversation. The single most valuable thing you can do before an LMS letter arrives is to know, in detail, where Oracle Java actually runs in your estate, because that knowledge is what lets you separate the workloads that genuinely need a license from the far larger set that can move to a free distribution or were never Oracle Java to begin with. Discovery is not a clerical chore you do after the audit opens. It is the foundation of every defense, and it is far cheaper to run on your own terms than under a deadline Oracle sets.
The stakes are higher in 2026 than they have ever been. Since January 2023 Oracle has priced Java SE on the per employee Universal Subscription, counting every full time and part time employee, every contractor, and every temporary worker, regardless of who actually uses Java. List pricing runs from 5.25 to 15.00 dollars per employee per month. The LMS audits intensified in 2026 and reach back three years. In that environment, a single unmanaged Oracle Java install discovered by Oracle can be framed as justification for licensing your entire workforce. Finding it first is how you stop that leap before it starts.
A discovery effort that holds up has to be broad, because Oracle Java hides in more places than most inventories track. The sweep has to reach physical and virtual servers, desktops and laptops, build and test environments, containers and images, cloud instances, and the Java that ships bundled inside third party applications. It is the last category that catches organizations out most often, because a vendor product can quietly install and rely on an Oracle Java runtime that no one chose deliberately. A sweep that looks only at servers, or only at what the asset register already knows about, will miss exactly the installs that create exposure.
Run your own discovery before Oracle runs its. Produce a defensible inventory you understand and can stand behind, rather than reacting to numbers Oracle assembled. The party that brings the data sets the terms of the conversation.
Finding Java is only half the task. The other half is determining which installs are Oracle Java, which require a license, and which are a free OpenJDK distribution that does not. A raw count of Java runtimes tells you almost nothing useful, because much of what runs in a typical estate is not Oracle Java at all. The valuable inventory records, for each install, the vendor and distribution, the version and update level, whether updates were taken after the points where Oracle began charging, and the workload it serves. That detail is what lets you price the real exposure rather than a worst case headline number.
Consider an anonymized logistics company that ran its own discovery before any audit contact. Its asset register listed a few hundred Java installs. The full sweep found several times that number once containers, bundled third party software, and developer machines were included. Critically, the sweep also showed that the large majority were free OpenJDK distributions, with genuine Oracle Java confined to a modest set of older workloads. Armed with that, the company migrated the migratable installs, isolated the Oracle Java that remained, and when an audit eventually opened, answered from a defensible inventory it had built itself. The figures are indicative, but the posture is what mattered: it negotiated from data rather than reacting to it.
| Layer | What a sweep finds | Bearing on exposure |
|---|---|---|
| Asset register only | Known managed installs | Understates reality |
| Full sweep | All Java, all layers | True footprint |
| After vendor split | Oracle Java isolated from free | Real licensable set |
| After reconciliation | Set mapped to entitlements | Defensible gap |
Discovery is valuable only when it feeds a decision. Once you can see the true Oracle Java footprint, the buyer side play becomes clear: isolate Oracle Java to the workloads that genuinely need it, migrate the rest to a free OpenJDK distribution, and size any residual subscription against a much smaller employee envelope. A credible, funded migration plan built on real discovery data is the single biggest lever you have in a negotiation, because it shrinks the population Oracle can price and gives you a genuine walk away. Without discovery, none of that is possible, because you cannot migrate or defend what you have not found.
When Oracle runs the discovery, the framing is theirs. Their scripts, their interpretation of what counts, and their assumptions about contractors and versions all point toward the largest defensible number. When you run discovery first, you control the framing, you find and fix the easy problems before they are visible, and you arrive at any audit with answers already prepared. The three year lookback in the 2026 audits rewards exactly this preparation, because the questions reach back further than most organizations expect, and the answers are far easier to give from a record you built deliberately than from one you assemble in a panic.
Discovery that holds up under audit is a cross functional effort, not a task left to a single team. IT and infrastructure own the technical sweep, because they hold the tooling and the access to find runtimes across servers, endpoints, containers, and cloud. Software asset management, where it exists, owns the reconciliation against entitlements. Procurement owns the commercial picture, because the exposure is ultimately a number that has to be negotiated. Legal owns the interpretation of what your agreements actually permit. When these functions work from one shared inventory, the organization speaks with a single voice in an audit. When they work in isolation, the auditor finds the seams, asking one team a question whose answer contradicts another. Naming an owner for the overall effort, with the authority to pull the functions together, is what keeps the inventory coherent and the eventual audit response consistent.
A single discovery pass captures a moment, but estates change constantly. New servers are provisioned, containers spin up and down, developers install runtimes, and vendor software updates bring new embedded Java. An inventory that was accurate six months ago may misstate your position today, and the 2026 lookback reaches back three years, so a stale record is a liability rather than an asset. The buyer side answer is to make discovery continuous: schedule recurring sweeps through the tooling you already own, flag new Oracle Java installs as they appear, and route any unexpected runtime to an owner for a decision before it becomes an unmanaged risk. Continuous discovery also turns the inventory into a governance control, because it catches the install that would otherwise have grown quietly into the surprise an auditor uses for leverage. Treating discovery as an ongoing posture rather than a one time project is what keeps a defensible position defensible.
Organizations often begin this work alarmed by a large raw count of Java installs and a notional exposure that looks ruinous. The value of disciplined discovery is that it almost always shrinks that number dramatically. Much of the raw count turns out to be free OpenJDK distributions that carry no Oracle obligation. A further portion is Oracle Java whose update history places it in a defensible position. What remains, the genuinely licensable set that exceeds your documented entitlements, is typically a small fraction of where you started. That smaller number is one you can act on: migrate most of it to a free distribution, isolate the workloads that truly need Oracle Java, and size any residual subscription against a far smaller employee envelope. The journey from the frightening number to the real one is the entire point of doing discovery first, and it is only possible when you, not Oracle, hold the data.
Even well intentioned discovery can backfire when it is done carelessly. The most common mistake is treating a raw install count as the exposure, when the genuine number is far smaller once free distributions and defensible versions are removed. Another is letting engineers answer auditor questions directly during a live audit, volunteering detail that expands the scope, rather than routing everything through a single coordinated channel. A third is running discovery once and trusting the result months later, when the estate has since changed. A fourth is recording too little detail, so the inventory cannot distinguish Oracle Java from a free distribution and the whole exercise has to be repeated. A fifth is sharing an unfinished or unreconciled inventory with Oracle, which hands the vendor a picture you have not yet interpreted. Each mistake converts a defensive asset into a liability. The corrective is the same discipline that makes discovery valuable in the first place: be complete, record enough detail to classify every install, reconcile down to the genuine gap, and keep the data and the communication under your own control until you choose to share a finished, accurate position.
Finding Oracle Java in your estate before Oracle does is the foundation of every Java defense. Sweep broadly, identify vendor and version, map each install to an owner and a workload, separate true Oracle Java from the free distributions, and reconcile against your entitlements. Do it on your own terms and you negotiate from data rather than fear. For the step by step list to run the sweep against, see the Java deployment discovery checklist, and for the tooling that does the detection, read tools for detecting Oracle Java installations. To download the full method, read our Oracle Java licensing guide for 2026.
Download our Oracle Java licensing guide for 2026 to see how to sweep your estate, separate licensable Oracle Java from the free distributions, and turn discovery into negotiating leverage.
Download the guideFixed Fee from $18,000 or Gainshare, a share of verified savings or avoided exposure with zero retainer and no risk to you. We sit between you and Oracle and we never take vendor money.
Get a QuoteWeekly intelligence on Oracle Java licensing moves and the buyer side defenses that work.