The median cybersecurity salary in the US crossed $120,000 in 2025 — putting it well above the national median for all occupations and ahead of most software engineering roles at the mid-level. That number gets cited constantly. What gets cited less: it's a median across wildly different roles, and the spread between the bottom quartile and top quartile is nearly $60,000. Where you land in that spread is almost entirely determined by three variables: specialization, certifications, and geography. This guide breaks down each one.
Cybersecurity Salary by Role (2026)
The "cybersecurity analyst" bucket covers at least a dozen distinct job functions. Lumping them together produces a number that's accurate for nobody. Here's how the major tracks actually pay:
- SOC Analyst (Tier 1–2): $65,000–$95,000. Entry point for most people. Heavy alert triage, SIEM monitoring, incident escalation. The ceiling is real — Tier 1 roles are increasingly handled offshore or by automation, which is why you want to move through this level quickly.
- Cybersecurity Analyst (generalist): $85,000–$115,000. Mid-career. Vulnerability management, security assessments, policy work. This is the modal role for someone with 3–6 years of experience and one or two vendor-neutral certs.
- Incident Responder / DFIR: $100,000–$145,000. Forensics, malware analysis, breach containment. Premium over generalist roles because the skill set is narrower and the on-call expectations are higher.
- Penetration Tester: $105,000–$155,000. Offensive security commands a premium, especially with OSCP or equivalent. Freelance/consulting rates often run higher than W-2 equivalents.
- Cloud Security Engineer: $125,000–$165,000. The fastest-growing segment. Combines security fundamentals with deep AWS/Azure/GCP architecture knowledge. Demand currently exceeds supply.
- Security Engineer (AppSec/Infrastructure): $130,000–$175,000. Building security in rather than bolting it on. Requires actual software development fluency — which is why comp overlaps with senior SWE ranges.
- CISO (enterprise): $200,000–$350,000+, including equity. A different career track entirely. Most paths go through VP-level security leadership, not a direct promotion from analyst.
How Certifications Affect Cybersecurity Salary
Certifications have a real but often misunderstood salary effect. They don't raise your salary by themselves — they determine which job postings you're eligible for and give you leverage in negotiation. Here's what the data shows:
CompTIA certifications
Security+ is the floor for most mid-level roles. It's DoD 8570 compliant, which means it's essentially mandatory for federal contractor roles — a segment of the market that pays reliably and often includes clearance premiums. Holders earn $85,000–$100,000 on average. CySA+ (the analyst-focused follow-on) tends to push that to $95,000–$115,000 and opens doors to SOC lead and threat intelligence roles. CASP+ is genuinely senior-level and commands $120,000+, but it's less commonly required than the lower tiers.
CISSP
The most widely recognized cert in the industry, and one of the most impactful on salary. Average CISSP holder compensation sits around $130,000–$140,000. The catch: it requires 5 years of work experience to fully certify, so it's a mid-to-late career move. You can pass the exam and become an Associate while building experience, but the full certification gate is real.
Offensive certs (OSCP, CEH, PNPT)
OSCP (Offensive Security Certified Professional) is the practical gold standard for penetration testing. Holders typically command $120,000–$155,000. CEH is theoretically similar but exam-based, and some employers treat it with skepticism — it signals you studied, not necessarily that you can execute. PNPT (TCM Security) is newer but gaining traction in smaller shops that care about practical skills over brand recognition.
Cloud-specific security certs
AWS Security Specialty, Google Professional Cloud Security Engineer, and SC-100 (Microsoft) each add $10,000–$20,000 to base comp when combined with a security background. These are multipliers on an existing security salary, not entry-level paths.
ISC² CC (Certified in Cybersecurity)
A newer, free-to-sit entry cert that lowers the barrier to a first security job. It won't move salary on its own, but it's a legitimate credential for career changers trying to get through initial screening filters.
Cybersecurity Salary by City and Region
Geography still matters, though remote work has compressed the range somewhat. The premium for being physically located in a high-cost market has shrunk, but hasn't disappeared — many of the highest-paying employers are clustered in specific metros and prefer or require on-site presence for cleared roles.
- San Francisco / Bay Area: $140,000–$185,000 (mid-to-senior). Tech companies and fintech pay at the top of the range, but cost of living offsets a significant portion.
- Washington, D.C. / Northern Virginia: $120,000–$170,000, often with clearance premiums of $20,000–$40,000. The highest density of cleared cybersecurity roles in the country. Government contractors, defense primes, and the IC all compete for the same talent pool.
- New York: $115,000–$160,000. Financial services dominate. Banks and trading firms pay well and have mature security programs. They also have demanding environments and high turnover.
- Seattle / Austin / Denver: $105,000–$145,000. Tech-adjacent markets with lower cost of living than SF or NYC. Often a better total-compensation picture when you factor in housing.
- Remote (US-based): $95,000–$140,000. The range has stabilized. Fully remote roles still exist but many employers have pulled back from the 2021–2022 high-water mark of geographic pay parity.
- Midwest / Southeast (non-remote): $75,000–$110,000. Lower absolute numbers, but often with meaningfully lower cost of living. Manufacturing, healthcare, and regional financial services are the main employers.
What Actually Moves Your Salary
The path from $85K to $130K isn't usually a single big jump — it's the compounding of small, well-chosen decisions over 3–5 years. A few observations from people who've navigated it:
Specialization beats seniority. A generalist analyst with 8 years of experience often earns less than a cloud security engineer with 4 years. The market prices scarcity. Pick a technical specialty — cloud security, AppSec, DFIR, OT/ICS security — and go deep rather than staying broad.
Clearances are significant. A TS/SCI clearance adds $20,000–$50,000 to base salary in cleared markets (DC metro, Colorado Springs, Huntsville). The catch is it takes 12–18 months to obtain and requires a sponsoring employer. But if you're already a US citizen and don't have disqualifying issues, it's worth pursuing.
Job changes beat raises. Median salary increase for staying at the same employer: 3–5% annually. Median increase from changing jobs within the field: 10–20%. If you've been at the same company for more than two years without a promotion, the market is likely offering you more.
Certifications matter most at the career entry points. Security+ gets you to mid-level. CISSP gets you to senior/leadership. Between those, practical skills and scope of responsibility matter more than additional certs. Over-certifying without deepening actual skills is a known antipattern.
Top Courses to Build Skills That Justify Higher Cybersecurity Salaries
The courses below are selected because they either build skills that directly map to higher-paying roles, or they provide the credential preparation that opens specific job categories. None of them are introductory "what is a firewall" content.
Put It to Work: Prepare for Cybersecurity Jobs
Google's capstone course in their cybersecurity certificate program. Rated 9.7 on Coursera, it focuses on applying security skills to realistic job scenarios rather than theory — which is exactly what employers test in interviews. Good for anyone making a mid-career transition who needs to demonstrate readiness, not just knowledge.
A Practical Guide to Cybersecurity Operations Foundations
Rated 9.6. This Udemy course sits squarely in SOC operations — log analysis, detection workflows, incident handling. If you're targeting Tier 2 SOC roles or threat analyst positions (the ones that actually pay above $90K), this teaches the operational muscle memory rather than exam content.
CompTIA SecAI+ Fundamentals: AI Cybersecurity Basics
Rated 9.6. AI-augmented attacks are no longer theoretical — they're in active incident reports. This course covers how AI changes the threat landscape and the defensive tooling, positioning you for the next wave of security roles before the market fully prices it in. Early mover advantage in a cert that will matter more in 24 months than it does today.
Building and Configuring Your Cybersecurity Attack Lab
Rated 9.6. Hands-on lab setup for offensive security practice. If you're pursuing OSCP or penetration testing roles, you need a reproducible lab environment. This course handles the infrastructure setup that most training programs assume you already know — removing a major friction point for self-study.
Unspoken Rules of Cybersecurity: A CISO's 20-Year Playbook
Rated 9.5. Not a technical course — a career navigation course. Covers how security programs actually function inside organizations, how to communicate risk to leadership, and how to position yourself for senior roles. The salary ceiling in security often has less to do with technical depth than with your ability to operate in organizational context. This addresses that gap directly.
The Official (ISC)² CC Certified in Cybersecurity Exam Prep (2026)
Rated 9.5. Official preparation for the ISC² CC certification — currently free to sit and aimed at career changers. If you're coming from IT support, networking, or a non-technical background, this is the most efficient path to a recognized credential that passes employer screening filters.
FAQ
What is the average cybersecurity salary in the US?
The BLS reports a median annual wage of $120,360 for information security analysts as of 2024, with the top 10% exceeding $168,900. These figures include a wide range of roles. Generalist analyst roles cluster around $90,000–$110,000 at mid-level; specialized roles in cloud security, AppSec, and DFIR push significantly higher.
How much does experience affect cybersecurity salary?
Significantly, but the relationship isn't linear. Years 1–3 (entry level): $65,000–$85,000. Years 3–7 (mid-level): $90,000–$120,000. Years 7+ with specialization: $125,000–$165,000. The biggest jumps tend to come from specialization or role changes rather than tenure alone. A Tier 1 SOC analyst with 10 years of experience may earn less than a cloud security engineer with 5 years.
Does a cybersecurity degree pay more than certifications?
At entry level, a CS or cybersecurity degree provides some advantage in getting past initial filters. Past that, certifications (particularly CISSP, OSCP, cloud security specialty certs) tend to have a more direct salary correlation. Most mid-to-senior job descriptions list certifications as preferred and a degree as optional. The highest-paid practitioners typically have both, but the certifications are doing more of the salary lifting after year 3.
Which cybersecurity specialization pays the most?
Cloud security and security engineering (AppSec/infrastructure) consistently top the compensation ranges, with senior roles reaching $160,000–$180,000. DFIR and penetration testing follow closely at $120,000–$155,000. The common thread: roles that require combining security knowledge with adjacent technical depth (cloud architecture, software development) command the highest premiums because the talent pool is smaller.
Is cybersecurity salary affected by remote work?
Yes, but the effect has moderated since 2022. Fully remote roles pay roughly 10–15% less than equivalent in-office roles in major metros. However, for someone based in a lower-cost market, fully remote still represents a significant income gain. Cleared positions are largely non-remote by definition, which is why DC-area cleared roles carry both location and clearance premiums.
How long does it take to reach a $100K cybersecurity salary?
For a career changer starting with no background: typically 2–4 years if you're systematic about it — obtain Security+ within the first year, land a Tier 1 or junior analyst role, focus on either cloud security or a technical specialty in year 2, and change employers at year 2–3 to capture the job-change premium. People who stay at their first employer and wait for raises often hit year 5 before crossing $100K. People who move strategically often cross it at year 2–3.
Bottom Line
The cybersecurity salary range is genuinely wide — $65K to $175K for individual contributors is not an exaggeration. The deciding variables are not mysterious: specialization over generalism, certifications at the right career stages, and willingness to change employers when the market is offering more than your current employer is paying.
If you're entering the field, prioritize getting a recognized entry credential (ISC² CC or CompTIA Security+) and landing any security-adjacent role. From there, pick a technical specialty within the first two years. Cloud security and AppSec have the highest demand-to-supply imbalance right now and show no signs of correcting — those are the safest bets for salary growth over the next 5 years.
If you're already in the field and stuck in the $85K–$95K range, the single highest-leverage action is usually a job change rather than additional certifications. The second-highest leverage action is adding a cloud security specialty if you're currently in a generalist role.
