$124,910. That’s the BLS median for information security analysts, and it’s technically accurate and functionally useless for anyone trying to actually budget a cybersecurity hire. The range underneath that median runs from $70K for a Tier 1 SOC analyst who watches dashboards all day to $700K+ for a CISO at a public company who answers to the board and hasn’t had a relaxing weekend since the last breach hit the news cycle.

We place cybersecurity professionals through KORE1 all the time, and the salary conversation has gotten strange in the past couple of years. Not harder. Strange. Budgets that were competitive in 2023 now get zero responses. Hiring managers approve $120K for a “cybersecurity engineer” and then discover that anyone with a CISSP laughs at $120K, because they fielded three offers last week and the lowest one was $145K. The gap between what companies budget and what candidates accept has never been wider in my recruiting career, and I’ve been doing this a while.
This guide pulls from the BLS, Glassdoor, ZipRecruiter, PayScale, Built In, ISC2, and CyberSeek. I cross-referenced everything because no single source gets cybersecurity comp right on its own. The job titles are inconsistent across the industry, the experience levels overlap weirdly, and half the salary surveys don’t distinguish between someone doing GRC work in a spreadsheet and someone reverse-engineering malware at 2am. Both are “cybersecurity.” One pays $90K. The other pays $180K.
What Cybersecurity Engineers Earn in 2026, by Experience Level
Same caveat I put on every salary guide. PayScale skews low because of who fills out their surveys. Built In skews high because their sample over-represents well-funded tech companies. Glassdoor wraps in bonuses and equity that inflate what looks like a “base salary” number. ZipRecruiter reflects posted ranges, which are what companies wish they could pay, not necessarily what candidates accept. So I composited all of them.
| Source | Average / Median | Range | Notes |
|---|---|---|---|
| BLS (SOC 15-1212) | $124,910 median | $70K – $186K | May 2024, 182,800 employed |
| Glassdoor | $158,961 total pay | $127K – $201K | 3,188 submissions, includes bonuses |
| ZipRecruiter | $122,890 | $102K – $163K | US, March 2026 |
| Built In | $166,851 base | $110K – $207K+ | Tech-company heavy sample |
| PayScale | $107,116 | $81K – $133K | Skews early-career |
| ISC2 (US median) | $150,000 | Varies by role | 16,029 respondents, 2025 study |
The gap between PayScale’s $107K and Built In’s $167K is almost $60,000 and they’re supposedly measuring the same job title. That should tell you everything about why comp conversations in cybersecurity are so frustrating for both sides. Here’s the experience breakdown that actually helps you budget.
| Experience Level | Salary Range | What We See in Placements |
|---|---|---|
| Entry-Level (0-2 years) | $70,000 – $95,000 | SOC Tier 1, alert triage, Security+ holders. High supply, fast to fill. |
| Mid-Level (3-5 years) | $110,000 – $140,000 | Incident response, vulnerability management, SIEM administration. Competitive market. |
| Senior (5-8 years) | $140,000 – $185,000 | Security architecture, pen testing leads, cloud security. Multiple offers within days. |
| Principal / Director | $185,000 – $250,000+ | Security program leadership, board reporting, vendor management. Extremely thin pool. |
Those are base. Total comp at well-funded companies adds 20-40% once you factor in bonuses, equity, and the on-call premium that cybersecurity roles almost always carry even if nobody calls it that. The ISC2 2025 Workforce Study puts the US median at $150,000, and their sample tends to over-represent experienced professionals, which honestly makes it more useful than the aggregator averages for benchmarking mid-to-senior roles. Use our salary benchmarking tool for location-specific numbers.

Cybersecurity Salary by City
Geography swings cybersecurity pay more than almost any other tech discipline because federal government and defense contracts cluster in specific metros. The DC-Maryland-Virginia triangle alone accounts for over 80,000 cybersecurity job postings. That concentration pushes salaries up in ways that don’t apply to a cybersecurity engineer working at a retail company in Minneapolis.
| Metro Area | Salary Range | What Drives It |
|---|---|---|
| San Jose / Silicon Valley | $155K – $195K | Tech companies with massive attack surfaces. Product security roles pay the most. |
| Washington DC metro | $140K – $180K | Federal agencies, defense contractors, intelligence community. Clearance = instant premium. |
| New York City | $140K – $177K | Financial services compliance. SOX, PCI-DSS, NYDFS cyber regs. Banks pay well and hire constantly. |
| Seattle | $145K – $170K | Amazon, Microsoft cloud security. No state income tax makes net pay even better. |
| Los Angeles | $130K – $160K | Entertainment, media, healthcare. Growing demand but not as concentrated as Bay Area. |
| Austin / Dallas | $120K – $155K | Defense contractors (Raytheon, Lockheed), Oracle, growing startup scene. Lower COL than coasts. |
| Denver / Colorado Springs | $120K – $150K | Space Force, NORAD, defense. Colorado Springs is quietly one of the hottest cybersecurity markets. |
| Remote (US) | $125K – $165K | Growing but some roles require on-site for classified work. Ask about location adjustment policies. |
Virginia alone had 53,855 cybersecurity job postings in the past year according to CyberSeek. California had 44,344. Texas had 42,559. Those three states account for over a quarter of all US cybersecurity hiring. If you’re job hunting and willing to relocate, that’s where the volume is. If you’re a hiring manager in one of those states, you’re competing with every defense contractor and three-letter agency within driving distance.
Certifications That Actually Move the Needle on Pay
Certs in cybersecurity matter more than in almost any other tech discipline, and I say that as someone who generally tells developers that GitHub profiles beat certificates. Cybersecurity is different. Regulated industries require specific certifications. Government contracts literally mandate them. DoD 8570 compliance (now being replaced by the 8140 framework) means you can’t touch certain systems without a cert, period, regardless of how many years of experience you have. The salary premiums are real and measurable.
| Certification | Avg Salary (Holders) | Premium vs Non-Certified |
|---|---|---|
| CISSP | $164,000 median | +$25K – $35K. Gold standard. Opens management track. |
| OSCP | $130,000 avg | +$20K – $30K. Pen testing standard. Top consultants clear $200K. |
| CISM | $150,000 (North America) | +$20K – $28K. Management and audit focused. |
| CEH | $96,490 base | Moderate. Stepping stone cert. Useful early career. |
| CompTIA Security+ | $71,697 (entry-level) | +$15K – $20K vs uncertified. DoD baseline. Gets you in the door. |
| Cloud Security (CCSP, AWS Security) | Varies widely | Up to +25%. Fastest growing premium category. |
The CISSP number is the one that makes people recalculate their hiring budget mid-meeting. $25K to $35K over non-certified. That’s not noise in the data. The cert requires five years of paid experience across at least two of its eight domains (you can sit the exam earlier, but you’re an Associate of ISC2 until you have the experience), which means CISSP is basically a background check for “has this person actually done the work across enough areas to be dangerous.” Some hiring managers filter exclusively for it. I used to think that was excessive. Then I watched a client hire an uncertified candidate at $125K who missed a misconfigured S3 bucket that a CISSP holder would have caught in the first week of an infrastructure review. That $35K premium starts looking like insurance after something like that. One caveat: CISSP tests breadth and security management, not hands-on cloud configuration, so treat it as a signal of judgment and experience rather than proof that someone can audit your AWS account.
OSCP is different. It’s a hands-on hacking exam: roughly 24 hours against live machines, followed by a written report. You break into machines or you fail. No multiple choice. The developers and engineers who pass it tend to be the ones who genuinely enjoy the offensive side of security, and they command $130K average with top red team consultants clearing $200K. If you’re hiring a penetration tester and they don’t have OSCP, ask what they have instead, because the pen testing market is one area where certifications genuinely predict job performance.
Security+ is the entry-level baseline. Under DoD 8570 it is one of the baseline certs accepted for IAT Level II roles, and without it you literally cannot work on certain government contracts regardless of experience. The salary bump is $15K-$20K over uncertified candidates, which means the cert pays for itself in the first month. If you’re entering cybersecurity from IT and don’t have Security+, stop reading this and go study.

The Cybersecurity Career Ladder (and What Each Rung Pays)
“Cybersecurity” is not one job. It’s an entire career ecosystem with roles that share a word in the title and almost nothing else in the day-to-day work. A SOC analyst monitoring Splunk alerts and a security architect designing zero-trust network segmentation are both “in cybersecurity” the same way a line cook and a restaurant owner are both “in food service.”
| Role | Salary Range | The Work |
|---|---|---|
| SOC Analyst (Tier 1) | $60,000 – $85,000 | Alert monitoring, triage, ticket escalation. Entry point. High burnout. |
| SOC Analyst (Tier 2-3) | $85,000 – $130,000 | Deep investigation, threat hunting, detection engineering. The jump from Tier 1 to 2 is significant. |
| Cybersecurity Engineer | $110,000 – $165,000 | Tool implementation, infrastructure hardening, automation. Builder not watcher. |
| Penetration Tester | $95,000 – $168,000 | Offensive security. Breaking things professionally. OSCP expected. |
| Security Architect | $140,000 – $228,000 | System design, zero-trust implementation, vendor evaluation. Strategy role. |
| Security Director | $160,000 – $220,000 | Team management, budget ownership, vendor relationships. Management track. |
| CISO | $250,000 – $700,000+ | Board reporting, risk strategy, regulatory response. Top 1% clear $3.2M total comp. |
The jump from SOC Analyst Tier 1 to Cybersecurity Engineer is the biggest career transition in the field and the one where the most people get stuck. Tier 1 SOC work is monitoring. Looking at dashboards. Triaging alerts. It pays $60K-$85K and the burnout rate is brutal because you’re staring at Splunk for 12-hour shifts and 95% of the alerts are false positives. The engineers who break out of that cycle are the ones who automate their own workflows, build detection rules instead of just following runbooks, and actively pursue certs beyond Security+ while working full-time. Nobody said it was quick. But $75K to $130K in three years if you grind? That works out to roughly a 20% raise a year, compounding (closer to 30% if you pull it off in two). Hard to find that trajectory in any other part of tech without switching companies four times.
CISO compensation deserves its own paragraph because the range is absurd. $250K at a mid-market company. $700K+ at a Fortune 500. The top 1% clear $3.2 million in total comp according to recent surveys, and CISO pay jumped 31% on average when professionals transition into the role from Director-level positions. But CISO is also the role with the highest turnover in the C-suite. Average tenure is 18-24 months. You’re the person who gets fired after a breach, regardless of whether you were given the budget to prevent it. The pay reflects the risk.
The Talent Shortage in Numbers
Everyone talks about the cybersecurity talent shortage. Fewer people look at the numbers behind it. So here they are.
- 514,359 cybersecurity job listings in the US over the past 12 months per CyberSeek. Up 12% from the year before. 57,000 more postings. And that’s not counting the roles that companies gave up trying to fill and pulled the req.
- 4.8 million unfilled positions globally. ISC2 2024. That number went up 19% in a single year. I remember when it was 3 million and people thought that was alarming.
- 29% employment growth projected through 2034 by the BLS. Average for all occupations is 4%. Seven times the national rate. Read that again if you’re a hiring manager wondering why your salary band from 2023 isn’t getting responses.
- Half of all organizations take six months or longer to fill a cybersecurity vacancy. Six months with a critical security seat empty. What does your attack surface look like during that window? Most CISOs already know the answer and it keeps them up at night.
- 90% of security teams say they have skills gaps beyond headcount. They can find bodies. They can’t find people who know cloud security or AI security, which happen to be the two areas where the threats are growing fastest. Bad timing.
The practical implication for hiring managers is simple. If your budget is based on 2023 salary data, you will not fill this role. If your interview process takes longer than four weeks, your candidates will accept other offers. If you require five years of experience plus CISSP plus cloud security plus incident response plus a security clearance for $130K in a major metro, you are describing a person who doesn’t exist at that price point and your req will sit open until someone adjusts the comp or the requirements. We see this pattern every single week.
Skills That Push Cybersecurity Pay Higher
Cloud security. That’s where the money moved. Every mid-market company and their cousin migrated to AWS or Azure over the past five years. Then the breaches started happening and people realized, usually the hard way, that on-prem firewall expertise doesn’t transfer to writing IAM policies that won’t accidentally hand a Lambda function read and write access to every S3 bucket in the account. The engineers who understand cloud-native security tools, container scanning, infrastructure-as-code auditing? $15K-$30K premium over their on-prem-only peers. Consistent across every market we recruit in.
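The Lambda-to-S3 mistake described above is the kind of thing infrastructure-as-code auditing catches mechanically. What follows is an added example, not code from KORE1 or from any client: a small Python linter over IAM policy JSON that flags wildcard actions on wildcard resources, service-wide wildcards, and mutating actions granted on every resource. Both policies, the bucket name, the account ID and the log-group ARN are constructed for illustration.

```python
import json

# Constructed sample policies (illustrative only; not from any real account).
# The first is the over-broad execution role the paragraph warns about:
# "s3:*" on "*" lets the function read, write and delete in every bucket.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:PutLogEvents"],
         "Resource": "*"},
    ],
})

# The scoped-down version: one read action on one prefix, logging on one group.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-ingest-bucket/incoming/*"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:"
                     "log-group:/aws/lambda/ingest:*"},
    ],
})

# Full-admin policy, included so the critical rule is exercised.
ADMIN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"},
})

# Verbs treated as read-only when judging whether a grant on "*" mutates state.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Head")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement; normalise."""
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    verb = action.split(":", 1)[1] if ":" in action else action
    return verb.startswith(READ_ONLY_PREFIXES)


def audit_policy(policy_json):
    """Return (statement_index, severity, message) for risky Allow statements."""
    findings = []
    policy = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        # NotAction/NotResource invert the grant: everything except the list.
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((idx, "high",
                             "NotAction/NotResource allows everything except "
                             "a list; review by hand"))
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        any_resource = "*" in resources
        for action in actions:
            if action == "*" and any_resource:
                findings.append((idx, "critical",
                                 "Action '*' on Resource '*' is full account admin"))
            elif action.endswith(":*") and any_resource:
                findings.append((idx, "high",
                                 f"{action} on every resource in the account"))
            elif action.endswith(":*"):
                findings.append((idx, "medium",
                                 f"{action} grants every {action[:-2]} API "
                                 "on the listed resources"))
            elif any_resource and not _is_read_only(action):
                findings.append((idx, "medium",
                                 f"mutating action {action} on Resource '*'"))
    return findings


if __name__ == "__main__":
    for name, doc in (("overly broad", OVERLY_BROAD_POLICY),
                      ("scoped", SCOPED_POLICY),
                      ("admin", ADMIN_POLICY)):
        print(f"== {name} ==")
        for idx, severity, message in audit_policy(doc) or []:
            print(f"  statement {idx}: [{severity}] {message}")
```

The scoped policy produces no findings; the broad one flags `s3:*` on `*` as high and the two CloudWatch Logs grants on `*` as medium (a common default that is worth at least scoping to the function’s own log group). Run this against the policy documents in your Terraform or CloudFormation before they reach an account, not after.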
AI security is newer and paying even more aggressively on a per-capita basis, but I want to be honest about the sample size. We’ve placed maybe a dozen people into AI security roles total. Prompt injection, model poisoning, data exfiltration through AI outputs, compliance around training on customer data. The field barely existed 18 months ago. If you’ve done this work in production and can prove it, you already know what you’re worth because recruiters won’t stop calling you.
Incident response is the sleeper premium. Not as flashy as “AI security engineer” on a resume, but the pay bump is permanent and real because there is no simulation that prepares someone for the chaos of an actual breach. Coordinating with legal at 11pm. Preserving forensic evidence while the CEO is asking every five minutes if the customer data leaked. Managing the notification clock (72 hours under GDPR, a patchwork of deadlines under US state breach laws) while simultaneously trying to figure out how the attacker got in. You can’t learn that from a course. The people who’ve done it carry a salary premium for the rest of their career. And incident response postings more than doubled last year, which tells you how many companies got caught without someone who’d been through it before.

How Hiring Managers Should Use This Data
Stop averaging the averages. The range between PayScale ($107K) and Built In ($167K) exists because they’re measuring different populations. If you’re hiring at a mid-market company in Dallas for a cybersecurity engineer with 4 years of experience and Security+ and some cloud exposure, your number is probably $115K-$130K. Not $167K (that’s a Bay Area product security role at a company with 10,000 engineers) and not $107K (that’s a junior analyst at a company that can’t compete).
Budget for the certification premium upfront. If you need CISSP, add $25K-$35K over whatever your base range is. If you need OSCP for a pen testing role, add $20K-$30K. Trying to hire certified professionals at uncertified salary ranges is a waste of everyone’s time, and we watch it happen constantly because the HR team set the salary band before the security team specified the certification requirement.
Factor in clearance premiums separately. A security clearance (Secret, Top Secret, TS/SCI) adds another $15K-$30K depending on the level. That’s not a cybersecurity premium. That’s a clearance premium that stacks on top of whatever the role already pays. Companies in the DC metro area know this. Companies in other markets discover it painfully when they try to hire cleared cybersecurity professionals at uncleared rates.
If you’re struggling to fill cybersecurity roles at any level, talk to our team. We maintain a pipeline of vetted cybersecurity professionals from SOC analysts to security architects, including candidates with active clearances in the DC metro, Texas, and Colorado markets.
Related KORE1 Resources
- IT Staffing Services (full-service tech hiring)
- Salary Benchmark Assistant
- DevOps Engineer Salary Guide 2026
- Data Engineer Salary Guide 2026
- AI/ML Engineer Staffing
- Direct Hire Staffing
- Contract Staffing
- Contact KORE1
Frequently Asked Questions
How much does a cybersecurity engineer make a year?
$110K to $165K for a mid-to-senior role. That range is wide on purpose because the title “cybersecurity engineer” covers everything from someone administering a SIEM to someone designing zero-trust architecture for a bank. BLS median is $124,910. Glassdoor says $158,961 total pay. Entry-level SOC analysts start around $65K-$85K. Seniors with CISSP and cloud security? $150K-$185K. And CISOs are a completely different conversation. $250K to $700K+.
Is cybersecurity a high-paying career?
Extremely. And unlike some tech careers where the market gets saturated every few years, cybersecurity just keeps paying more because attackers aren’t slowing down and there aren’t enough defenders. A BLS median of $124,910 already puts it in the same bracket as software development and well above general IT roles. But the real story is the ceiling. CISO comp at large companies can rival or exceed what CTOs make. 29% projected growth through 2034 means demand keeps pushing salaries up and there’s no sign of that curve flattening anytime soon. The talent shortage is structural, not cyclical.
What cybersecurity certifications pay the most?
CISSP is the clear winner at $164K median salary for holders, representing a $25K-$35K premium. OSCP commands $130K average with top consultants over $200K. CISM sits around $150K for North American professionals. Cloud security certifications (CCSP, AWS Security Specialty) add up to 25% salary premium and are the fastest-growing cert category. Security+ is the entry-level baseline that adds $15K-$20K over uncertified candidates and is required for many government contracts.
How many cybersecurity jobs are unfilled?
Depends who you ask and how they’re counting, but every source agrees on “a lot.” ISC2 pegged it at 4.8 million globally last year, and that was a 19% jump from the year before. CyberSeek tracked 514,359 US job listings in the past 12 months, and that was a 12% jump from the year before that. BLS projects 16,000 new openings every year through 2034. Half of all organizations can’t fill a cybersecurity role in under six months. The gap is widening, not closing.
What is the highest paying cybersecurity job?
CISO. Not close. Average total pay sits around $320,800 and the top 1% are clearing $3.2 million, which is a number that makes even the senior engineers do a double take. After that? Security Architect at $140K-$228K. Red team directors and pen testing leads can clear $200K at the right company. Highest IC salary we’ve personally placed was a principal cloud security architect in the Bay Area. $235K base before equity. The hottest niche right now is AI security and honestly nobody knows what the ceiling is yet because there aren’t enough data points.
Do you need a degree for cybersecurity?
The BLS says “bachelor’s degree typical entry-level education” and that’s technically accurate for corporate HR screening purposes. In practice, we’ve placed cybersecurity professionals without degrees into roles paying $120K+ when they had strong certifications (CISSP, OSCP), demonstrable experience, and a portfolio of work. The government and defense sector is stricter about degree requirements. Private sector increasingly cares about what you can do, not where you studied. But having a degree plus certs gives you the widest set of options, especially if you want to move into management where hiring committees still weight degrees heavily even when they shouldn’t.
