The median cybersecurity salary in the US crossed $120,000 in 2025, according to BLS data—but that number hides a wide spread. A fresh SOC analyst at a managed security provider might clear $62K. A cloud security architect at a financial institution in New York hits $190K before bonuses. The same job title at a defense contractor in rural Virginia pays $95K. If you're trying to figure out whether cybersecurity is worth pursuing, or where you currently sit relative to market, the median alone is useless. What matters is role, specialization, location, and—more than most people want to admit—certifications.
This guide breaks down cybersecurity salary by the factors that actually move the number, what employers are willing to pay for in 2026, and which courses and certs deliver the fastest measurable return on your time.
Cybersecurity Salary by Role (2026 Benchmarks)
The "cybersecurity" category covers jobs that have almost nothing in common with each other. A governance, risk, and compliance analyst and a reverse malware engineer both fall under the umbrella. Their salaries reflect that gap.
Entry-Level Roles ($55K–$85K)
- SOC Analyst (Tier 1): $58K–$78K. Alert triage, SIEM monitoring, escalation. High turnover, clear promotion path.
- IT Security Analyst (junior): $62K–$82K. Vulnerability scanning, patching, policy enforcement.
- Cybersecurity Specialist (federal/contractor): $65K–$88K. Entry government roles often require clearance; pay is slightly higher with faster ceiling.
Mid-Level Roles ($90K–$140K)
- Penetration Tester: $95K–$135K. OSCP or CEH typically required. Bug bounty income on top.
- Incident Response Analyst: $95K–$130K. Forensics + containment. Premium for anyone who can write a post-incident report that a board can read.
- Cloud Security Engineer: $110K–$145K. AWS/GCP/Azure security tooling. One of the fastest-growing specializations right now.
- Security Engineer (AppSec): $115K–$150K. SAST/DAST integration, threat modeling. Often requires software development background.
Senior and Leadership Roles ($140K–$300K+)
- Senior Security Engineer / Architect: $140K–$190K. Zero-trust architecture, network segmentation, enterprise tooling decisions.
- Red Team Lead / Principal Pentester: $145K–$200K. Physical + digital engagements, C-suite reporting.
- CISO (Chief Information Security Officer): $180K–$320K + equity. At public companies and large banks this clears $400K total comp. At mid-size companies without board-level risk programs, it's often closer to $160K.
What Moves a Cybersecurity Salary the Most
Three variables explain most of the variance: specialization, certifications, and clearance status. Location matters but is declining in relevance as remote security roles have normalized post-pandemic.
Specialization Premium
Cloud security, AI/ML security, and OT/ICS security (operational technology—power grids, manufacturing) are commanding the highest premiums right now. Generic "security analyst" roles are increasingly commoditized. If you're entering the field, picking a technical lane early pays off faster than trying to be a generalist.
Certifications That Pay
The data from hiring surveys is reasonably consistent:
- CISSP: Adds $15K–$25K to mid-senior salaries. Required or preferred at most enterprise and government security roles above L3.
- CISM: Strong for governance-focused roles. Less technical but commands similar salary bumps in finance and healthcare.
- Security+: Near-mandatory for government contractor positions and a solid baseline credential. Won't differentiate you at senior levels.
- OSCP: Respected in penetration testing specifically. Not universally valued outside red team roles.
- AWS/Azure Security Specialty: Fast ROI for anyone already in cloud infrastructure.
- CC (Certified in Cybersecurity, ISC²): Entry-level cert gaining traction as a pre-Security+ credential and interview signal for career changers.
Security Clearance
An active Top Secret / SCI clearance adds $20K–$40K to any role in the defense, intelligence, or federal contractor space. The clearance process takes 6–18 months, so this is a medium-term play, not an immediate lever—but it's one of the most durable salary moats in the field.
Cybersecurity Salary by Location
Remote work has compressed but not eliminated geographic pay differences. The rough picture in 2026:
- Washington DC / Northern Virginia: Highest average cybersecurity salaries in the US, driven by federal and defense contracts. $115K–$180K for mid-level roles.
- San Francisco / Bay Area: Tech company premiums. Typical mid-level security engineer: $130K–$165K. HCOL adjustment reduces real-world advantage.
- New York City: Finance sector drives demand. $120K–$175K for experienced roles, especially financial crime and fraud.
- Austin / Denver / Seattle: Growing tech hubs, lower cost of living. $95K–$140K. Good value proposition for remote workers.
- Remote (no location premium): Most companies have converged toward a single US pay band or a small adjustment. You're unlikely to take a 20% cut for going remote anymore at established tech firms, though some do anchor to your local market.
Top Courses to Increase Your Cybersecurity Salary
The honest answer about courses and salary: a course alone doesn't raise your pay. A course that gets you a cert, helps you pass a technical interview, or gives you a specific skill you can demonstrate does. Below are the ones worth your time, ranked by practical payoff.
Put It to Work: Prepare for Cybersecurity Jobs (Coursera, 9.7/10)
Part of Google's Cybersecurity Certificate, this final course focuses specifically on job readiness—interview prep, resume, and understanding what employers actually test for. If you're within 6 months of your first security job, this is the one to prioritize.
The Official ISC² CC Certified in Cybersecurity Exams (2026) (Udemy, 9.5/10)
The CC is ISC²'s entry-level credential and a legitimate signal for hiring managers who are tired of seeing uncredentialed candidates. This course maps directly to the exam domains, which is what you need—not a broad survey of security concepts.
The Complete Certified in Cybersecurity CC Course ISC² 2026 (Udemy, 9.4/10)
A more comprehensive alternative to the official ISC² prep if you want more depth before sitting the exam. Worth taking alongside the official exam prep if you're starting from scratch in security.
A Practical Guide to Cybersecurity Operations Foundations (Udemy, 9.6/10)
Targeted at SOC and security operations roles—the largest hiring category in the field. Covers the day-to-day workflow that entry-level job postings actually reference: log analysis, alert triage, SIEM basics.
CompTIA SecAI+ Fundamentals: AI Cybersecurity Basics (Udemy, 9.6/10)
CompTIA's new AI-focused security cert is one of the fastest ways to position yourself in the AI/ML security specialization that's pulling salary premiums right now. Early movers on new credentials typically see outsized returns.
Unspoken Rules of Cybersecurity: A CISO's 20-Year Playbook (Udemy, 9.5/10)
Not a technical cert prep—this is practitioner knowledge about how security organizations actually function, how decisions get made, and what gets you promoted vs. stuck. Worth reading alongside technical training if you're aiming at senior or leadership roles.
How Long Does It Take to Reach Each Salary Band?
Realistic timelines, not marketing copy:
- $65K–$80K: 0–12 months from zero, assuming you complete a foundational cert (Security+, CC, or Google Cybersecurity Certificate), build a home lab, and can demonstrate basic incident response or network security knowledge in an interview. Career changers with adjacent IT experience move faster.
- $90K–$110K: 2–4 years of hands-on experience. Usually requires a mid-level cert (CySA+, SSCP, or cloud security cert) and demonstrated incident response or engineering work you can speak to in interviews.
- $130K–$160K: 5–8 years plus either CISSP, cloud security specialty cert, or a specialized track (pen testing, architecture). At this level, your professional network and prior employer reputation matter as much as certs.
- $180K+: Director/CISO level. Driven more by business acumen, executive communication, and track record of managing programs than by technical certs. Most people reaching this level have 10+ years in security.
FAQ
What is the average cybersecurity salary in the United States?
The Bureau of Labor Statistics reports a median annual wage of approximately $120,000 for information security analysts, but actual cybersecurity salaries range from around $60K for entry-level SOC roles to $300K+ for CISOs at large enterprises. The average across all roles and experience levels is commonly cited around $112K–$120K.
Does a cybersecurity degree pay more than certifications?
Not consistently. At mid-to-senior levels, relevant certifications (CISSP, OSCP, cloud security certs) often carry more weight than a degree in an adjacent field. A CS or cybersecurity degree helps get past initial resume screens and into federal/contractor roles that have degree requirements, but practitioners with strong portfolios and relevant certs regularly out-earn degree holders.
Which cybersecurity specialization pays the most?
In 2026, cloud security engineering and AI/ML security are commanding the highest premiums. Red team / penetration testing and security architecture also pay well at senior levels. GRC (governance, risk, compliance) pays less than technical roles but has lower technical barriers to entry.
Can you break into cybersecurity without a computer science degree?
Yes, and it's common. The field has a talent shortage and many employers have explicitly dropped degree requirements. The typical path without a CS degree is: build foundational knowledge (Security+, CC, or an equivalent cert), build a home lab to demonstrate practical skills, and target SOC analyst or junior security analyst roles as your entry point. IT help desk experience is useful but not required.
How much does Security+ increase salary?
For candidates without prior security experience, Security+ typically moves hiring managers from "no" to "maybe" rather than directly increasing compensation. For those already employed in IT, it can support a $5K–$15K raise when moving into a dedicated security role, and it meets the DoD 8570 baseline requirement for many government contractor positions, which opens access to a higher-paying job market entirely.
What's the cybersecurity salary ceiling for someone who stays technical?
You can stay entirely technical (no people management) and reach $180K–$220K as a principal security engineer, distinguished architect, or senior red team consultant at large tech companies or top consulting firms. The CISO track pays more but requires moving into business and risk management. Neither path is obviously better—pick based on what you're good at.
Bottom Line
Cybersecurity salary is real, the growth is real, and the shortage of qualified practitioners is real. What's often overstated is how fast you get there without making deliberate choices about specialization. The people stuck at $75K after three years are usually generalists who never built a portfolio, never pursued a certification, and never had a clear answer to "what kind of security work do you want to do?"
If you're starting out: get the CC or Security+, pick a lane (SOC operations, cloud security, or AppSec are the most accessible), and use a course like Put It to Work: Prepare for Cybersecurity Jobs to understand what technical interviews actually look like before you sit in one. If you're mid-career and plateaued: CISSP or a cloud security specialty certification is the most direct path to the next bracket, and understanding the organizational dynamics from a resource like the CISO's 20-Year Playbook will tell you as much about advancement as any technical course will.
The salary is there. The path is not mysterious—it's just specific.