The median cybersecurity salary in the U.S. sits around $120,000 — but that number is nearly useless on its own. A SOC analyst two years in earns $75,000. A cloud security architect at a Fortune 500 earns $195,000. A CISO at a mid-size fintech earns $280,000 plus equity. Understanding which role you're aiming for, which certifications move the needle, and which specializations command a premium is what turns "cybersecurity salary" from a vague benchmark into a usable career plan.
This breakdown uses 2026 compensation data from BLS, Levels.fyi, LinkedIn Salary, and Glassdoor. Where ranges differ significantly, we show both and explain why.
Cybersecurity Salary by Role and Experience Level
The field spans entry-level analysts to executive CISOs. Here's where each tier actually lands:
Entry Level ($65,000–$90,000)
Junior SOC analysts, IT security associates, and help desk staff pivoting into security typically start here. These roles are heavily certification-driven — CompTIA Security+ is often a baseline requirement. Most job postings in this range don't require a cybersecurity degree, just demonstrated competency and a relevant cert or two.
- SOC Analyst (Tier 1): $65,000–$80,000
- IT Security Analyst (entry): $70,000–$88,000
- Cybersecurity Technician: $68,000–$85,000
Mid-Level ($90,000–$140,000)
This is the largest salary band, covering most working security professionals. Roles here require 3–6 years of experience, often a CISSP, CEH, or CISM, and specialization in at least one domain. The gap between the bottom and top of this range often comes down to whether you're at a company that treats security as a cost center versus a strategic function.
- Security Engineer: $105,000–$135,000
- Penetration Tester / Ethical Hacker: $100,000–$140,000
- SOC Analyst (Tier 2/3): $88,000–$115,000
- Incident Response Analyst: $95,000–$125,000
- Cloud Security Engineer: $110,000–$145,000
- Security Consultant: $100,000–$140,000
Senior and Specialized ($140,000–$220,000)
Senior roles command a significant premium over mid-level, but the jump isn't just about years — it's about owning outcomes. Hiring managers at this level expect candidates who have built something, broken something intentionally, or led a team through an actual incident.
- Senior Security Engineer: $145,000–$185,000
- Red Team Lead: $140,000–$180,000
- Cloud Security Architect: $160,000–$210,000
- AppSec Lead: $150,000–$195,000
- Security Architect: $155,000–$200,000
Leadership ($180,000–$350,000+)
CISO, VP of Security, and Director of Information Security roles vary enormously based on company size, industry, and whether total comp includes equity. A CISO at a 200-person SaaS company might earn $190,000 base. A CISO at a publicly traded bank might clear $400,000 in total comp.
What Actually Moves Your Cybersecurity Salary
Certifications That Pay
Certifications have an outsized effect early in a cybersecurity career — more so than in most other tech fields, because they're used as a filter in automated applicant tracking systems. These are the ones that directly correlate with salary bumps based on job posting analysis:
- CISSP — adds $15,000–$25,000 median bump at mid-level. Still the gold standard for security management roles.
- CISM — similar premium to CISSP, more management-focused. Valued heavily in GRC roles.
- OSCP — the offensive security cert that actually tests skill under pressure. Red team and pentest roles increasingly require it.
- AWS Security Specialty / Azure Security Engineer — cloud security is the fastest-growing specialization. Adding a cloud security cert to a general security background can shift you from the $105K range to $135K quickly.
- CompTIA Security+ — table stakes at entry level, especially for government and DoD contractor roles (required for DoD 8570).
- ISC2 CC (Certified in Cybersecurity) — the entry cert that replaced the old SSCP path. Worth getting before Security+ as a foundation.
Specialization Premium
Not all cybersecurity roles pay equally even at the same seniority level. In 2026, these specializations command measurable premiums over "general cybersecurity":
- AI/ML Security — new enough that supply is thin. Roles focused on securing AI pipelines, detecting prompt injection, or adversarial ML are paying 15–25% above comparable general security roles.
- OT/ICS Security (operational technology / industrial control systems) — critical infrastructure demand is high, practitioners are rare. $140,000+ is common for experienced OT security engineers.
- Cloud Security — still a premium over on-prem expertise. AWS + security knowledge consistently clears $145,000 at mid-level.
- Threat Intelligence — niche but well-paid, especially at agencies and financial services firms.
Industry Matters More Than People Think
A security engineer at a bank earns significantly more than the same role at a nonprofit or mid-market retailer, even controlling for experience. Finance, defense contracting, and healthcare (due to HIPAA liability) consistently pay above-average cybersecurity salaries. Startups often pay less base but compensate with equity — which may or may not materialize.
- Financial Services: 15–25% above median
- Defense / Government Contracting: 10–20% above median (plus clearance premium)
- Healthcare: 5–15% above median
- Retail / Hospitality: at or below median
- Education: typically 10–20% below median
Cybersecurity Salary by Location
Remote work has compressed geographic salary differences, but location still matters — particularly for on-site roles and government positions. Here's the rough picture for 2026:
- San Francisco / Bay Area: $140,000–$220,000 (mid-level), highest total comp nationally
- Washington D.C. / Northern Virginia: $110,000–$175,000 (heavy government/contractor market, clearance adds $20–40K)
- New York City: $115,000–$185,000 (finance-driven demand)
- Austin / Dallas: $95,000–$155,000 (growing tech hub, lower cost of living)
- Chicago: $95,000–$150,000
- Remote (U.S.-based): $100,000–$165,000 — companies increasingly anchor remote pay to their HQ location, so where the company is headquartered still matters
Security clearances deserve specific mention for the D.C. market: an active TS/SCI clearance adds $20,000–$50,000 to cybersecurity compensation because cleared professionals are scarce and the clearance process takes 12–24 months to complete.
Top Courses to Reach the Next Salary Band
These courses are worth the time specifically because they target skills that employers are actively filtering for in 2026 — not just general "learn cybersecurity" content.
Put It to Work: Prepare for Cybersecurity Jobs
The capstone course in Google's Cybersecurity Certificate, rated 9.7/10. Focuses explicitly on job-readiness — translating skills into resume language, understanding SOC workflows, and simulating real incident response. Useful if you're at the entry-to-mid transition and struggling to articulate what you actually know.
The Official ISC2 CC Certified in Cybersecurity Exam Prep (2026)
The ISC2 CC credential is increasingly used as the baseline cert before Security+ — and this Udemy course (rated 9.5/10) is aligned with the current 2026 exam objectives. Better structured than most free prep materials and significantly cheaper than the official ISC2 training.
CompTIA SecAI+ Fundamentals: AI Cybersecurity Basics CY0-001
AI security is the highest-premium specialization right now, and this course (rated 9.6/10) covers the CompTIA SecAI+ domain — a new cert that maps directly to the AI/ML security roles paying 15–25% above general security equivalents. Worth doing before the market gets crowded.
A Practical Guide to Cybersecurity Operations Foundations
Rated 9.6/10 on Udemy. Covers the day-to-day operational reality of a security team — monitoring, alert triage, escalation procedures — which is what Tier 1/2 SOC roles actually test in interviews. More hands-on than most certification prep courses.
Building and Configuring Your Cybersecurity Attack Lab
Rated 9.6/10. Setting up and using a personal attack lab is the single best way to move from paper knowledge to demonstrable skills. Employers at the mid-to-senior level increasingly ask candidates to walk through something they've built — this course teaches you how to build the lab that makes that conversation possible.
Unspoken Rules of Cybersecurity: A CISO's 20-Year Playbook
Rated 9.5/10. Aimed at mid-level professionals who want to understand how senior practitioners and CISOs actually think about risk, budgets, and organizational politics. The soft-skills gap is real — technical knowledge gets you to $120K; understanding how to communicate risk to a board gets you to $180K+.
FAQ: Cybersecurity Salary Questions
What is the starting cybersecurity salary with no experience?
Entry-level cybersecurity roles without prior IT experience typically start at $65,000–$75,000 for SOC analyst and security technician positions. Getting CompTIA Security+ or ISC2 CC before applying is almost always necessary — employers use certs as a baseline competency filter at this level. Some candidates get in lower at $55,000–$60,000 through IT helpdesk roles and transition into security internally, which is often faster than trying to enter security directly.
Does a cybersecurity degree pay more than certifications?
At the entry level, the data says no — certifications get you hired; degrees are often just an alternative way to demonstrate baseline knowledge. At senior and leadership levels, a master's degree (especially an MSCS with a security focus or an MBA paired with CISSP) can make a difference for executive track roles. Government and certain regulated industries also have degree requirements for specific positions. For most practitioners, hands-on experience and certs outperform a degree in salary negotiations.
What cybersecurity role pays the most?
CISO and VP of Security are the highest-paid cybersecurity titles, but total comp varies wildly by company size and industry. Among individual contributor roles, Cloud Security Architects and Red Team leads consistently top $180,000+ at senior levels. AI/ML Security Engineers are emerging as one of the fastest-rising roles in 2026, with some senior positions already clearing $200,000 at tech companies.
How much does a CISSP increase your salary?
The CISSP typically adds $15,000–$25,000 to mid-level compensation when moving from a general security background. More importantly, it's a hard filter in enterprise job descriptions — many Senior Security Engineer and Security Manager roles list it as required. It's most valuable in the $100K–$130K range, where it helps candidates break into the $130K–$160K band. The impact diminishes at very senior levels where reputation and demonstrated outcomes matter more.
Is cybersecurity salary growing or stagnating?
Growing, but unevenly. General SOC analyst roles have seen modest salary growth because the supply of people with Security+ is increasing. Specialized roles — cloud security, AI security, OT security, threat intelligence — are still seeing strong compensation growth because supply isn't keeping pace with demand. The overall headline numbers look flat in some surveys because the mix is shifting toward more entry-level hiring, pulling down medians even as senior roles pay more.
Do government cybersecurity jobs pay less than private sector?
Federal government civilian roles typically pay less than comparable private sector positions — GS-13 and GS-14 roles (where most senior security analysts land) top out around $115,000–$145,000 depending on locality pay. However, government contractor roles — working for companies like Booz Allen, SAIC, or Leidos on federal contracts — can pay as well as or better than private sector, especially with a security clearance. The federal government also offers pension benefits and job stability that partially offset the salary gap.
Bottom Line
If you're trying to figure out your next move based on cybersecurity salary data, here's the honest version: entry-level roles are competitive and crowded; mid-level is where most of the opportunity is; and specialization is the most reliable lever to move from median to above-average pay.
The three moves with the highest salary ROI right now:
- Get a cloud security certification (AWS Security Specialty or Azure Security Engineer Associate) if you're already in security but on-prem-focused. Cloud security adds $20–30K to comparable roles.
- Add OSCP if you want offensive roles. Pentest and red team roles pay well and OSCP is the cert that actually filters for skill rather than test-taking ability.
- Learn the business language of risk. The gap between a $130K security engineer and a $180K security leader is less about technical skill and more about being able to translate threats into financial and operational risk for non-technical stakeholders.
The courses listed above are worth the investment not because they'll hand you a salary, but because they build the specific skills that show up on job descriptions and in interviews for the roles where the pay is.
