Cybersecurity salary figures get inflated everywhere. Bootcamp marketing quotes median salaries that are actually 90th percentile numbers. Job postings list salary ranges with $50,000 spreads that tell you nothing. LinkedIn posts from people selling courses claim six figures within six months of starting.

The actual market is strong — genuinely strong, consistently strong, and growing. But it does not look like the marketing. This guide gives you the real numbers, the factors that move compensation, and an honest picture of what different roles actually pay at different stages of a career.

These figures are US market data as of 2026, blended across industries. Government and defence typically pay less than financial services. Startups may offer lower base with equity. Consulting and professional services pay differently from corporate in-house roles. Use these as benchmarks, not guarantees.

Salary by role — the honest numbers

ROLE | LEVEL | SALARY RANGE | MEDIAN
SOC Analyst (Tier 1 — alert triage, basic response) | Entry | $55K — $75K | $64K
SOC Analyst (Tier 2/3 — investigation, hunting) | Mid | $75K — $115K | $92K
Security Engineer (building and maintaining security infrastructure) | Mid | $95K — $145K | $118K
Penetration Tester (offensive security assessments) | Mid | $90K — $150K | $115K
Cloud Security Engineer (AWS/Azure/GCP security architecture) | Mid-Sr | $110K — $165K | $135K
Threat Intelligence Analyst (APT tracking, IOC analysis, reporting) | Mid | $85K — $130K | $105K
Incident Responder (breach investigation and containment) | Mid-Sr | $95K — $155K | $122K
Security Architect (program design, zero trust, enterprise security) | Senior | $130K — $185K | $155K
AI Security Specialist (LLM security, prompt injection, AI red teaming) | Specialist | $130K — $200K+ | $160K
CISO (Chief Information Security Officer) | Executive | $175K — $400K+ | $240K

"The numbers bootcamps advertise are real — they are just the top end of the range, not the median. Entry-level security is well paid compared to most fields. It is not $120K on day one."

What actually moves your compensation

THE REAL SALARY DRIVERS
Specialization. Security is a broad field. Specialists consistently out-earn generalists at the same experience level. Cloud security, AI security, OT/ICS security, and red team/offensive security are the highest-premium specializations in 2026. Picking a direction and going deep pays significantly more than staying broad.
Certifications — the right ones. CISSP adds $15K–$25K to senior security salaries on average. OSCP significantly increases pen tester compensation. Cloud security certifications (AWS Security Specialty, CCSP) add meaningful premiums in cloud-heavy environments. Most other certifications have minimal direct salary impact.
Industry. Financial services, healthcare, and defence consistently pay above average for security talent due to regulatory requirements and high consequence of breach. Tech companies offer high base but heavy equity weighting. Government pays below private sector but offers stability and often better work-life balance.
Demonstrated hands-on experience. In security specifically, what you can do matters more than how long you have been doing it. Candidates who can talk through a real incident they handled, a home lab they built, or CTF challenges they solved consistently command higher offers than those with equivalent experience on paper but no evidence of practical capability.
Negotiation. Security professionals chronically under-negotiate. The demand-supply imbalance in cybersecurity gives candidates more leverage than most realize. Initial offers in security are routinely 10–20% below what the employer would pay. Knowing your market value and asking for it is one of the highest-return activities available.

Geography and remote work

SAN FRANCISCO / NYC: +30–50%. Highest base salaries. Cost of living offsets significant portion. Remote candidates increasingly competitive for these roles.
SEATTLE / DC / BOSTON: +15–25%. Strong security markets. DC especially for cleared positions which command significant premiums.
AUSTIN / DENVER / CHICAGO: +5–15%. Growing tech hubs with increasing security demand. Better cost of living ratio than coastal markets.
REMOTE — US BASED: Baseline. Remote has become the norm for many security roles. Some employers apply geographic salary adjustments. Negotiate the remote premium explicitly.
MIDWEST / SOUTHEAST: −10–20%. Lower cost of living markets. Remote roles at coastal-market rates offer strong purchasing power advantage.
UK / EUROPE: −20–40%. Strong security markets but significantly lower base salaries than US. Equity and benefits packages often more competitive. NHS pension equivalent for gov roles.

Security clearance — the hidden premium

For roles requiring US government security clearances, compensation premiums are significant and consistent. An active TS/SCI clearance can add $20K–$60K to base salary depending on the role and employer, because the 18–24 month clearance timeline represents a genuine hiring bottleneck. Cleared candidates are in perpetual short supply.

If you are considering a government or defence contractor career path, starting in a role that provides clearance eligibility early is one of the highest-return career moves available in the first five years. The clearance compound interest is real.

How to negotiate what you are worth

NEGOTIATION FUNDAMENTALS FOR SECURITY PROFESSIONALS
Always negotiate. The first offer is almost never the final offer in security hiring. Employers expect negotiation. Accepting immediately leaves money on the table that the employer was prepared to pay.
Know your number before the conversation. Use Levels.fyi, Glassdoor, LinkedIn Salary, and Dice.com to research what the role pays at comparable organizations. Walk in knowing the range you will accept, your target, and your walk-away point.
Negotiate the whole package. Base salary is one component. Signing bonus, equity, remote flexibility, professional development budget, conference attendance, and certification reimbursement all have real value. Some employers cannot move base but have significant flexibility on total package.
Certifications are negotiating leverage. CISSP, OSCP, and cloud security certifications are quantifiable signals of value. If you hold them, use them explicitly in negotiation. "Based on my CISSP and X years of experience, the market rate for this role is Y" is a credible statement.
Competing offers are your strongest leverage. If you have multiple offers, use them. "I have a competing offer at $X — is there flexibility to match or exceed that?" is the most straightforward path to a higher offer.
The skills gap is your leverage. Cybersecurity has a documented 3.5 million position global shortage. You are in a seller's market. Negotiate accordingly.

The trajectory — where compensation goes over a career

The earnings trajectory in cybersecurity is steeper than most fields if you invest in specialization and demonstrated capability. The pattern I have observed consistently across almost a decade in the field:

Years 0–2: Entry level. SOC analyst, junior security engineer, or security-adjacent IT role. $55K–$80K. Focus is building practical skills and understanding the operational environment. This is where the home lab and certifications pay off by differentiating you from other entry-level candidates.

Years 2–5: Mid level. Compensation jumps substantially as you develop a specialty and demonstrate real capability. $85K–$130K is achievable with the right specialization and employer. This is when CISSP or OSCP starts making sense if you have not already pursued it.

Years 5–10: Senior level. $120K–$175K for senior individual contributor roles. Security architects, senior penetration testers, senior cloud security engineers, threat intelligence leads. The gap between practitioners who invested in specialization and those who stayed generalist becomes significant here.

Years 10+: Principal, staff, or management track. $150K–$250K+ for VP of Security, Director of Security Operations, or CISO at a mid-size organization. CISO at large enterprises or highly regulated industries reaches $300K–$500K+ in total compensation including equity and bonus.

The AI security specialization is compressing this timeline for people who position correctly. Professionals who developed deep AI security expertise in 2024–2025 are already commanding senior-level compensation with mid-level experience, because the supply of people who genuinely understand how to attack and defend AI systems is extremely limited.
