Security Engineer Salary Guide 2026

Security engineers in the United States earn between $105,000 and $215,000 in 2026, with the national median landing around $152,000 to $170,000 depending on which aggregator you trust. Specialization matters more than title. A cloud security engineer running AWS GuardDuty and writing Terraform Sentinel policies across three accounts will out-earn a network security engineer managing Palo Alto firewalls by $15,000 to $30,000 at the same experience level, same metro, same company size. The gap isn’t about difficulty. It’s about scarcity.

This guide breaks the number down by experience, specialization, geography, and certification so you can benchmark against real market data instead of a single Glassdoor average that blends junior analysts with principal architects into one meaningless number.

Robert Ardell, KORE1. I run security and AI engineering searches out of our IT staffing practice. Over the past 18 months, cybersecurity reqs have been about a third of my active desk, and the security engineer title specifically has been the most consistently misbudgeted role I see. Clients read one salary report, anchor to the median, post the role $20K below market, and then spend 60 days wondering why their candidate pipeline is empty. I’ve had that exact conversation eleven times since last September. This post exists so the twelfth conversation goes differently.

What a Security Engineer Actually Does

A security engineer is the person who designs and builds the actual systems, the detection pipelines, the access controls, the hardened configurations, that keep an organization’s infrastructure and data from getting owned. The job sits in the gap between the CISO who writes the security policy document and the SOC analyst who monitors the alerts at 2 AM, and it’s the security engineer’s job to make sure the stuff between those two endpoints actually works when someone tries to break it. Security engineers are the ones writing the code and building the architecture that makes the policy enforceable and the alerts meaningful.

That definition covers a lot of ground. Too much, honestly. The title “security engineer” on LinkedIn returns job descriptions that range from firewall administration to building zero-trust architectures from scratch to reviewing pull requests for OWASP Top 10 vulnerabilities. Same title. Wildly different jobs. And wildly different pay.

The Bureau of Labor Statistics doesn’t have a separate occupation code for security engineers. They get rolled into “Information Security Analysts” (SOC 15-1212), which includes analysts, engineers, architects, and consultants all in one bucket. The BLS median for that combined group is $124,910. Useful as a floor. Not useful as a benchmark for someone building container security pipelines in Kubernetes.

The sub-specializations are where the salary story actually lives.

| Specialization | What They Build | Core Tools | Typical Salary Range |
| --- | --- | --- | --- |
| Cloud Security Engineer | IAM policies, cloud-native SIEM, infrastructure-as-code guardrails, CSPM tooling | AWS Security Hub, Azure Sentinel, Terraform, Prisma Cloud | $140,000 to $210,000 |
| Application Security Engineer | SAST/DAST pipelines, threat modeling, secure code review, DevSecOps integration | Snyk, Checkmarx, Burp Suite, SonarQube, GitHub Advanced Security | $135,000 to $200,000 |
| Network Security Engineer | Firewall rule sets, VPN architecture, IDS/IPS tuning, network segmentation | Palo Alto, Fortinet, Cisco ASA, Wireshark, Splunk | $115,000 to $175,000 |
| Infrastructure Security Engineer | Endpoint hardening, OS-level security, patch management, zero-trust frameworks | CrowdStrike, Tanium, Intune, Rapid7, HashiCorp Vault | $120,000 to $180,000 |
| Security Architect | Org-wide security strategy, framework design, vendor evaluation, compliance mapping | NIST CSF, ISO 27001, TOGAF, risk modeling tools | $160,000 to $240,000+ |

Ranges above reflect base salary plus typical annual bonus, excluding equity. Add 20-40% for total comp at public tech companies where RSUs are standard.

Security Engineer Salary by Experience Level

Experience is the single biggest lever on security engineer comp. Not certifications. Not degrees. Years doing the actual work, and what kind of work it was.

I placed a security engineer last year who had three years of experience but all three were in a SOC doing L1 triage. Good analyst. Not yet an engineer. The client wanted someone who could build detection-as-code pipelines in Splunk and write custom Sigma rules. We had to recalibrate expectations on both sides. The candidate ended up in a hybrid role at $118,000, which was right for the skill set but $25,000 less than the “3 years of experience” benchmarks suggested on paper. Title inflation in cybersecurity is real, it distorts salary data more than people want to admit, and it is the single most common reason I see clients anchor to a number that’s $15,000 to $20,000 below what the market actually demands for the skill set they need.

| Experience Level | Years | Base Salary Range | Total Comp (with bonus) | What Gets You to the Top of the Range |
| --- | --- | --- | --- | --- |
| Entry-Level / Junior | 0-2 | $75,000 to $100,000 | $80,000 to $110,000 | Prior internship at a vendor (CrowdStrike, Palo Alto), Security+ or CySA+ already in hand, Python scripting ability |
| Mid-Level | 3-5 | $110,000 to $150,000 | $120,000 to $165,000 | Cloud security hands-on (not just cert), incident response war stories, at least one automation project shipped |
| Senior | 5-8 | $150,000 to $195,000 | $165,000 to $225,000 | Led a security program or major initiative, architected detection pipelines, mentored juniors, cross-functional leadership |
| Staff / Principal | 8-12+ | $190,000 to $250,000 | $220,000 to $350,000+ | Org-wide security strategy ownership, board-level reporting, vendor selection authority, published research or conference talks |

The jump from mid-level to senior is where the biggest salary acceleration happens. Not coincidentally, it’s also where the candidate pool thins out the most. Everyone and their cousin has a Security+ now. Far fewer people have actually built and operationalized a SIEM from scratch, responded to a real breach under pressure, or designed an IAM framework that survived an acquisition integration. That experience gap is where the money is.

One thing the table can’t show: the variance at the staff/principal level is enormous. A principal security engineer at a mid-market SaaS company might earn $210,000 total comp. The same title at a FAANG company in the Bay Area? $400,000 to $500,000 with equity refreshers. Same person, same skills, same Tuesday morning standup, but the employer’s revenue model and equity compensation philosophy are what split a $210K offer from a $450K one, not the candidate’s resume. We placed someone last fall who turned down $195,000 at a healthcare company to take $185,000 base at a Series C startup because the equity package, if the company hit its next milestone, was worth roughly $800,000 over four years. Comp is never just the salary line, and at the principal-and-above level, the difference between a good equity package and a mediocre one can be worth more over four years than the cumulative difference in base salary between any two offers on the table.

Where Geography Moves the Number

Remote work compressed security engineer salary bands for about two years. That compression is reversing, and the reversal is happening faster in cybersecurity than in most other engineering disciplines because so much of the demand comes from government contractors and regulated industries that can’t or won’t go fully remote. Employers with classified work, government contracts, or compliance requirements that mandate on-site presence are pulling salaries apart by metro again. The DC-Maryland-Virginia corridor alone accounts for over 80,000 cybersecurity job postings, and cleared security engineers in that region command premiums that make the rest of the country look underpaid.

| Metro Area | Avg Base (Mid-Senior) | Premium vs National Avg | Notes |
| --- | --- | --- | --- |
| San Francisco / Bay Area | $170,000 to $220,000 | +20% to +30% | FAANG and late-stage startup equity pushes total comp much higher |
| Washington DC / NoVA / Maryland | $155,000 to $200,000 | +15% to +25% | Clearance holders add $20K-$40K; federal contract demand is insatiable |
| New York City | $155,000 to $195,000 | +15% to +22% | Financial services drives the premium; JPMorgan alone had 2,000+ security roles open in 2025 |
| Seattle | $160,000 to $200,000 | +18% to +25% | Amazon and Microsoft security teams are always hiring; no state income tax sweetens the net |
| Los Angeles / Orange County | $140,000 to $180,000 | +8% to +15% | Entertainment, aerospace, and healthcare drive demand; less saturated than SF |
| San Diego | $135,000 to $175,000 | +5% to +12% | Defense contractors (SAIC, Leidos, General Atomics) plus a growing startup scene |
| Austin / Dallas / Houston | $130,000 to $170,000 | +3% to +10% | No state income tax; lower COL makes net comp competitive with higher-paying metros |
| Denver / Boulder | $135,000 to $175,000 | +5% to +12% | USAF Space Command, defense tech, growing fintech and healthtech presence |
| Fully Remote (US-based) | $125,000 to $170,000 | Varies | Some employers geo-adjust, some pay flat national rates; ask before you assume |

A security engineer in Austin making $145,000 with no state income tax is keeping more of their paycheck than someone in San Francisco at $180,000. Candidates know this. Employers in high-tax metros who refuse to acknowledge it lose offers to Texas, Florida, and Washington at a rate I would have found surprising three years ago.

We placed two cloud security engineers in Orange County last quarter. Both had competing offers from Bay Area companies paying $25,000 more in base. Both chose the SoCal roles anyway. One cited commute and cost of living. The other said, verbatim, “I did the math and the Bay Area offer actually pays me less after housing.” He ran the numbers in a spreadsheet and showed me, and once you factored in California state income tax, a $3,200/month mortgage difference, and the commute hours he was buying back, the SoCal offer was worth about $18,000 more per year in real terms. If you’re hiring in Southern California for security engineering talent, our cybersecurity staffing team handles these searches regularly.

Certifications and What They’re Actually Worth

The certification conversation in cybersecurity is louder than it needs to be. HR departments write requirements. Hiring managers have opinions. Candidates collect acronyms. The salary data tells a more complicated story than “get your CISSP and make more money.”

CISSP holders earn a median of roughly $164,000 according to Glassdoor and ISC2’s own workforce study, which represents a $25,000 to $35,000 premium over non-certified peers. Sounds clear-cut. It isn’t. CISSP requires five years of experience to earn. You’re effectively comparing people who already have five-plus years of real security work, because that’s what the cert requires, against a population that includes analysts in their first or second year who couldn’t hold the cert even if they wanted to. The premium is real, but the cert didn’t create all of it. The experience floor did most of the heavy lifting, and the studies don’t control for that very well.

That said, CISSP still opens doors. Literally. Federal contracts and large enterprises often list it as a hard requirement in the job posting, and even when hiring managers don’t care about the cert itself, HR filters will screen you out before a human ever reads your resume. It’s a checkbox that matters for access, not necessarily for competence.

| Certification | Median Salary (Holders) | Estimated Premium | When It Actually Matters |
| --- | --- | --- | --- |
| CISSP | ~$164,000 | $25K to $35K | Federal/DoD contracts, enterprise compliance roles, CISO-track positions. Non-negotiable for many government-adjacent jobs. |
| CISM | ~$149,000 | $20K to $28K | Security management and governance roles. More useful for people moving into leadership than for hands-on engineers. |
| AWS Security Specialty | ~$155,000 | $15K to $25K | Cloud security roles at AWS-heavy shops. The hands-on experience matters more but the cert signals you’ve done the reading. |
| CEH (Certified Ethical Hacker) | ~$107,000 | $8K to $15K | Penetration testing roles, DoD 8570 compliance. Widely held, less differentiation than it once had. |
| CompTIA Security+ | ~$90,000 | $5K to $10K | Entry-level baseline. Gets your foot in the door but adds almost nothing after your first two years. |

Here’s the thing nobody puts in salary guides. The fastest-growing premium I see in actual offer negotiations isn’t attached to any certification. It’s attached to hands-on cloud security experience. I watched a candidate last quarter walk into an interview and explain, step by step, how she wrote a custom AWS Config rule that caught S3 bucket misconfigurations across 40 accounts and how she built a detection pipeline in Azure Sentinel that cut mean time to detect from 14 hours to 22 minutes. She didn’t have CISSP. She got the offer over two candidates who did. Every time I see that play out, the pattern is the same: the person who can show the work beats the person who can show the acronym.

I’m not saying skip the certs. I’m saying the market has shifted. Three years ago, CISSP on a resume got you into nearly any security engineering interview. Today, hiring managers want to see the cert AND the GitHub commits. The cert alone isn’t enough anymore. Maybe it never was, but the talent shortage was bad enough that nobody tested the question. Now they are.

What’s Pushing Security Engineer Salaries Up Right Now

The BLS projects information security analyst employment to grow 33% from 2024 to 2034, with approximately 16,000 openings per year. For context, the average growth rate across all occupations is about 4%, so security is growing at roughly eight times the national baseline, which puts it in a category with nurse practitioners and wind turbine technicians as the occupations the labor market is most desperate to fill. Not just in tech. Any occupation. The current workforce sits at about 182,800.

The ISC2 2024 Cybersecurity Workforce Study estimated the global cybersecurity workforce at 5.5 million, with a gap of 4.8 million additional professionals needed. That gap grew 19% year over year. The 2025 update shifted focus entirely to skills gaps rather than headcount, because even organizations that have enough bodies on seats report that 90% of their security teams have at least one critical skills gap. Having a security engineer on payroll who doesn’t know how to secure a container orchestration environment is the same as not having one, for the purposes of that specific risk.

CompTIA’s State of Cybersecurity 2025 report documented more than 514,000 cybersecurity-related job postings in a single 12-month window. Let that number sit for a second. Half a million postings. Against a total workforce of 5.5 million globally. The ratio is absurd, and it explains why security engineers with even moderate experience can field multiple recruiter messages per week without trying.

Three forces are accelerating this right now.

AI security is a new line item. Every company deploying LLMs or building AI-powered features needs someone who understands prompt injection, model extraction, training data poisoning, and the dozen other attack surfaces that didn’t exist three years ago. CompTIA found that 97% of AI-related security incidents happen at organizations with no defined AI controls. The security engineers who can bridge traditional infosec and AI/ML security are commanding premiums that the salary aggregators haven’t even caught up with yet, because the role barely existed in 2023.

Regulatory pressure keeps expanding. NIST CSF 2.0 dropped in February 2024 and organizations are still scrambling to align. The SEC’s cybersecurity disclosure rules mean public companies need security engineers who can translate technical risk into language that goes into an 8-K filing. EU’s NIS2 directive. State-level privacy laws multiplying every legislative session. Every new regulation creates work, and that work requires engineers, not just compliance analysts reading checklists.

Ransomware economics haven’t changed. The average cost of a ransomware recovery, across industries, still sits above $2 million. Boards of directors are no longer arguing about whether to fund security. They’re arguing about whether the current funding is enough, and that shift from “do we need this?” to “is this enough?” is the single biggest structural change in cybersecurity budgeting I’ve seen in the last five years. That shift in posture at the executive level translates directly into budget for security engineering headcount, which translates into competition for candidates, which translates into higher offers.

Contract vs Full-Time Security Engineer Comp

Not every security engineer search is a full-time hire. About 30% of the security engineering reqs that hit my desk are contract or contract-to-hire, and the comp math looks different enough that it’s worth breaking out separately.

| Model | Typical Rate / Salary (Mid-Senior) | Effective Annual (Before Tax) | When It Makes Sense |
| --- | --- | --- | --- |
| W-2 Contract (via agency) | $75 to $105/hr | $156,000 to $218,000 | Compliance audits, cloud migration security, tool implementation projects with defined scope |
| 1099 Independent | $90 to $130/hr | $187,000 to $270,000 | Pen testing, security assessments, fractional CISO work, short-term architecture reviews |
| Full-Time (Direct Hire) | $140,000 to $195,000 base | $155,000 to $230,000 total comp | Ongoing security program ownership, team building, architecture decisions with long-term consequences |

The contract rates look higher on paper. They are higher on paper. But no benefits, no PTO, no equity, and you’re paying both sides of FICA on 1099. A $100/hr contract rate and a $170,000 salary with standard benefits are roughly equivalent in real take-home value. Roughly. The math depends on your tax situation, how much you value health insurance, and whether you think you can stay fully utilized 48 weeks a year.

A suggestion for employers stuck in a dead search. Say you’re trying to hire a senior security engineer full-time at $140,000 and nobody’s biting. You likely have budget for a contractor at $95/hr for six months. That’s $99,000 in contract spend. The work gets done. You evaluate the person in context instead of through a whiteboard interview. If you end up wanting to convert, the risk on both sides has already been wrung out. Our contract staffing practice handles the structure. Something to consider before you burn another quarter with an open req.

Industry Premiums Worth Knowing About

Where you work changes what you earn. Sometimes by a lot.

Pharmaceutical and biotech companies pay the highest median total comp for security engineers at approximately $205,000, according to Glassdoor’s 2026 data. Financial services follows at around $154,000. Tech lands at roughly $162,000 in median total comp, though the range is the widest of any industry because it includes both early-stage startups paying $130,000 in base and public companies where stock-based comp pushes the real number past $300,000.

Government and defense is its own animal. Base salaries run $110,000 to $160,000 for GS-13/14/15 equivalents, which looks modest compared to private sector until you factor in pension contributions, TSP matching, job stability, and the clearance premium. A TS/SCI clearance adds $20,000 to $40,000 to a security engineer’s market value, and that premium transfers to the private sector when cleared professionals eventually leave government. The big defense primes know this math. Raytheon and Northrop Grumman and Booz Allen recruit from the same government talent pool. They know what GS-14 Step 10 pays down to the dollar. Their offers usually land $15K to $25K above that number. That’s the premium it takes to get someone to walk away from a federal pension.

Healthcare is quietly becoming one of the better-paying verticals for security engineers. HIPAA enforcement actions got expensive in a way that finally got the attention of CFOs who had been treating cybersecurity budget requests as optional line items for years. The average healthcare data breach costs $9.77 million according to IBM’s Cost of a Data Breach Report. Hospitals that already got breached once tend to over-hire after. You know the ones. The CEO had to stand at a press conference and explain why patient records ended up on a dark web marketplace. Reputational damage hurt more than the fine did. Those systems spend differently on security engineering the second time around. We’ve seen healthcare clients in Southern California move from offering $135,000 to $165,000 for the same role within a single budget cycle after a security incident.

How to Negotiate a Security Engineer Offer

Salary guides are useful for benchmarking. They don’t tell you how to use the benchmark. A few things I’ve watched work in actual negotiations across my desk.

Know which number you’re negotiating. Base salary is the floor. Annual bonus target, signing bonus, equity grant, and equity vesting schedule are all separate levers. I’ve seen candidates fixate on base salary and leave $30,000 in signing bonus on the table because they never asked. The employer would have paid it. They just weren’t going to volunteer the information. Ask about every component, and if the recruiter or HR contact deflects on any of them, that deflection itself is information about how the company thinks about comp and whether they’re used to negotiating with senior technical candidates who know what they’re worth.

Bring your own data, not just a feeling. Pull numbers from at least two sources. Glassdoor, ZipRecruiter, Levels.fyi for tech companies, or our own salary benchmark tool. When you say “the market range for a senior security engineer in this metro with my experience is $165,000 to $195,000,” and you can show where those numbers come from, the conversation changes. You’re correcting a gap.

Certifications are a negotiation tool, not an entitlement. CISSP or AWS Security Specialty on your resume gives you a data point to reference, not a guaranteed premium. Frame it as: “Candidates with this certification earn $25,000 to $35,000 more on average. My expectation reflects that.” Don’t frame it as: “I have CISSP so I deserve more.” One of those gets a conversation. The other gets a polite no.

Remote flexibility is currency. If the company wants you in a San Francisco office five days a week and you’re willing to show up, that willingness is worth real money to them because half their other candidates won’t do it. If you’d prefer three days remote and they can accommodate it, you might accept $10,000 less in base because the effective value of your time is higher. Know what you’d trade for what before the conversation starts.

Don’t negotiate against yourself. State your number. Stop talking. Let them respond. I have watched candidates talk themselves down from their own ask in the silence after they stated it. Uncomfortable? Sure. Effective? Always.

Things Hiring Managers Get Wrong When Budgeting

Changing perspective for a paragraph. If you’re the one setting the budget for a security engineer hire, here are the mistakes I correct most often.

Using BLS data as your benchmark. The BLS median of $124,910 for information security analysts includes a massive range of roles and experience levels. If you’re hiring a senior security engineer to build your cloud security program, budgeting at $125,000 means you’re shopping at the 25th percentile. You’ll get resumes. They won’t be the right ones.

Ignoring the clearance premium. If your role requires or even prefers a security clearance, add $20,000 to $40,000 to your budget. Cleared security engineers are rare, they know exactly how rare they are, and they have recruiters from defense contractors calling them every week with offers that make your posted salary look like an insult. Posting a cleared security engineer role at $140,000 is posting a role that will sit open for six months.

Assuming remote means cheaper. Some employers geo-adjust remote salaries and some don’t. If your competitor pays a flat national rate of $170,000 for remote senior security engineers and you’re offering $145,000 because the candidate lives in Phoenix, you’ll lose that offer fight. Check what remote-first security companies are paying before you anchor your range.

Bundling “security engineer” with “IT administrator.” I see this at companies under 500 employees. They want someone to manage the firewall, run the SIEM, handle compliance questionnaires, do incident response, AND build detection engineering pipelines. That’s two jobs. Budget for two jobs or accept that you’re hiring for the most urgent one and deprioritizing the rest.

What Hiring Managers Ask Us

So what’s the actual median, if every source gives a different number?

$150,000 to $165,000 for a mid-to-senior security engineer in 2026, all-in. Glassdoor says $169,700. ZipRecruiter says $152,773. Built In says $130,139. PayScale says $103,573. The variance comes from methodology. Glassdoor skews toward larger companies that pay more and includes bonuses in “total pay.” PayScale reports base-only and has a wider survey that pulls in lower-paying regions and smaller companies. Neither is wrong. They’re measuring different things. For budgeting a competitive offer in a major metro, the $150K to $165K range is where we consistently see offers close.

Do we really have to pay more for CISSP?

Not always. If the role requires it for a compliance reason or a government contract mandate, you don’t have a choice and neither does the candidate. The cert is table stakes, not a premium. If the role doesn’t require it and a candidate uses it as their primary negotiation lever, push back. Ask what they built with the knowledge. The certification is evidence of study. The premium should attach to demonstrated capability, and it does when the hiring manager knows how to evaluate it.

Why can’t we find cloud security engineers under $150K?

48 to 72 hours. That’s how long a qualified cloud security engineer with 4+ years of AWS or Azure experience stays on the market before they have multiple offers. The ISC2 study says 90% of security teams have skills gaps, and cloud security is the gap mentioned most often. You can’t find them under $150K because nobody else can either, and the ones willing to work at that rate usually lack the hands-on multi-account, production-environment experience that the role actually requires. Raise the budget or extend the timeline. Pick one.

Should we hire a security engineer or outsource to an MSSP?

Wrong question, slightly. An MSSP handles monitoring and alerting. A security engineer builds the systems the MSSP monitors. They’re not substitutes. If your security program is mature enough that you have detection rules, response playbooks, and architecture documentation, an MSSP can operate it. If none of that exists yet and someone has to build it from scratch, that’s an engineer, not a managed service. Most companies under 1,000 employees need one internal security engineer AND an MSSP, not one or the other.

Realistically, how fast can we fill a senior security engineer role?

30 to 60 days if the comp is market-rate and the process moves fast. 90 to 120 days if the budget is below market, the interview process has four rounds, or the role requires a clearance the employer doesn’t sponsor. We filled a senior cloud security role in San Diego in 19 days last quarter, but that was a client who approved a $175,000 base on day one, ran two interview rounds, and made the offer 48 hours after the final interview. Speed is a competitive advantage in this market. Treat it like one.

Is the security engineer salary bubble going to pop?

Short answer: not in 2026, not in 2027, probably not this decade. The BLS projects 33% job growth through 2034, and that projection was made before AI security became its own sub-discipline. The ISC2 workforce gap is growing, not shrinking. Regulatory requirements are expanding, not contracting. For salaries to come down, you’d need a simultaneous explosion of qualified candidates and a reduction in threat activity. The candidate supply isn’t growing fast enough to close the gap, and threat actors are not planning to take 2027 off. If anything, AI will create more security engineering work, not less, because every AI system deployed is another attack surface to protect.

If you’re a security engineer reading this and wondering whether to push for a raise, push. The data supports it. If you’re a hiring manager reading this and wondering whether to increase your budget, increase it. I’ve run the back-of-napkin math with clients before. Six months of an unfilled security engineering seat costs more than the $20K raise that would have closed the candidate. Add up the incident response gaps. Add the SOC 2 audit findings nobody addressed. Add the burnout spiral on whoever got voluntold to cover the workload. The open-req cost compounds fast. A single breach averages $4.88 million according to IBM’s 2024 Cost of a Data Breach Report. The difference between your current budget and a competitive offer is a rounding error compared to that.

Need help benchmarking a specific security engineering role or building a candidate pipeline? Our cybersecurity staffing team handles these searches daily. If you want to understand how security engineer salaries compare to the broader cybersecurity salary landscape, we’ve covered that too. Or if you’re earlier in the hiring process and still scoping the role, check our SOC analyst career guide to see whether the role you’re defining is actually a security engineer or an analyst. The distinction matters for comp, candidate quality, and retention.

Talk to a recruiter and we’ll get specific about your market, your metro, and your budget.
