Cybersecurity has spent the better part of a decade being described as a gold rush profession, and for substantial portions of the salary data that description holds. A field that barely existed as a named discipline thirty years ago now encompasses hundreds of distinct job titles, pay bands running from $60,000 to over $700,000 in total compensation, and a hiring market where qualified candidates at senior levels still hold meaningful leverage. But raw enthusiasm about cybersecurity pay papers over enormous variation that matters for career planning. A Tier 1 SOC analyst working rotating night shifts earns a fundamentally different salary than a cloud security architect at a major bank, even though both technically work in cybersecurity. Getting the full picture requires disaggregating salary data by role, seniority, industry, certification status, and geography.

The primary sources for this analysis are the ISC2 Cybersecurity Workforce Study 2024, which surveyed over 14,000 professionals globally, and the ISACA State of Cybersecurity 2024, which surveyed over 3,000 security leaders across 20 countries. These are supplemented by the US Bureau of Labor Statistics Occupational Employment Statistics for May 2024, Glassdoor salary data, LinkedIn Salary Insights 2024, Dice's 2024 Tech Salary Report, and Levels.fyi compensation data for senior technical roles. Where relevant, data from specific country surveys (StepStone Germany, CWJobs UK, Seek Australia) is used for international comparisons.

This article covers the full compensation picture: entry-level SOC analyst pay, mid-career engineer and pen tester salaries, CISO total compensation, salary by industry sector, salary by country (US, UK, Germany, Australia, Canada), how certifications measurably affect earnings, total compensation breakdown for equity-eligible roles, and the concrete tradeoffs between government employment, private sector roles, and independent contracting.

"The cybersecurity workforce shortage is not just a technical problem — it is an economic signalling problem. When organisations underpay entry-level talent, they create the very gap they complain about." — Clar Rosso, CEO of ISC2, speaking at RSA Conference 2023


Key Definitions

Total Compensation (TC): The full economic value of an employment package, including base salary, cash bonuses, stock options, RSUs (restricted stock units), employer pension or 401k contributions, and other benefits. In senior cybersecurity roles at technology companies, TC can exceed base salary by 50-150%.

Information Security Analyst: The umbrella job title used by the US Bureau of Labor Statistics for most cybersecurity roles below director level. The BLS median for this category ($120,360 in May 2024) is frequently cited but masks wide internal variation across role types.

SOC (Security Operations Center): The team responsible for continuous monitoring of an organisation's security posture. SOC tiers (1, 2, 3) correspond to junior analyst, experienced analyst, and senior analyst/threat hunter roles with correspondingly different compensation levels.

OTE (On-Target Earnings): For roles with variable pay components (bonuses, performance incentives), OTE represents base salary plus full target bonus assuming all performance goals are achieved.

SCI Clearance (Sensitive Compartmented Information): The highest common US security clearance level, required for access to especially sensitive intelligence. SCI-cleared cybersecurity professionals command significant salary premiums in the defence and intelligence sectors.


Salary by Role: The Full Spectrum

SOC Analyst (Tiers 1, 2, 3) and Threat Hunter

SOC work is the primary entry point for most people entering cybersecurity. Tier 1 analysts monitor dashboards, triage SIEM alerts, and escalate genuine incidents to more senior analysts. The work is structured and often shift-based, and compensation reflects that.

| Role | Experience Level | US Median Salary | US Range | Notes |
| --- | --- | --- | --- | --- |
| SOC Analyst Tier 1 | 0-2 years | $68,000-$78,000 | $58,000-$95,000 | Entry; shift work common |
| SOC Analyst Tier 2 | 2-4 years | $90,000-$108,000 | $78,000-$125,000 | Alert investigation, response |
| SOC Analyst Tier 3 | 4-7 years | $115,000-$140,000 | $100,000-$160,000 | Complex incidents, tuning |
| Threat Hunter | 5-10 years | $130,000-$160,000 | $110,000-$190,000 | Proactive threat discovery |
| Security Analyst (Senior) | 6+ years | $125,000-$155,000 | $105,000-$185,000 | Broad blue team scope |

Sources: BLS OES May 2024; LinkedIn Salary Insights 2024; ISC2 Cybersecurity Workforce Study 2024

The progression from Tier 1 to Tier 3 over 5-7 years typically doubles base compensation. Threat hunters, who proactively search for attacker activity rather than responding to alerts, represent the senior end of the blue team specialization and are among the most difficult roles to hire for in the market.

Penetration Tester and Red Team

Offensive security roles command consistent premiums that increase sharply with demonstrated capability (particularly OSCP) and experience.

| Role | Experience Level | US Median Salary | Range |
| --- | --- | --- | --- |
| Junior Penetration Tester | 0-3 years | $80,000-$100,000 | $65,000-$120,000 |
| Penetration Tester (mid) | 3-6 years | $115,000-$145,000 | $95,000-$170,000 |
| Senior Penetration Tester | 6-10 years | $145,000-$185,000 | $125,000-$220,000 |
| Red Team Lead | 8+ years | $160,000-$210,000 | $140,000-$260,000 |
| Exploit Developer / Vulnerability Researcher | 5+ years | $160,000-$220,000 | $130,000-$300,000+ |

Sources: Dice 2024 Tech Salary Report; LinkedIn Salary Insights 2024; Glassdoor Cybersecurity Roles 2024

OSCP certification adds a median $15,000-$25,000 premium over non-OSCP peers at equivalent experience levels (LinkedIn Salary data, 2024). Senior exploit developers at specialist firms, defence contractors, and government agencies represent the upper ceiling of this specialization.

Security Engineer and Architect

Security engineers implement and maintain security infrastructure — SIEM platforms, endpoint detection, identity systems, firewall architectures. Security architects design the overall security posture. Both are distinct from analysts in that they build systems rather than primarily monitoring and responding.

| Role | Experience Level | US Median Salary | Range |
| --- | --- | --- | --- |
| Security Engineer (mid) | 3-6 years | $125,000-$148,000 | $105,000-$175,000 |
| Senior Security Engineer | 6-10 years | $148,000-$185,000 | $130,000-$215,000 |
| Security Architect | 8-15 years | $165,000-$210,000 | $145,000-$260,000 |
| Cloud Security Architect | 5-12 years | $170,000-$215,000 | $150,000-$280,000 |
| Application Security Engineer | 4-10 years | $140,000-$185,000 | $120,000-$230,000 |

Sources: Glassdoor Cybersecurity 2024; LinkedIn Salary Insights 2024; Levels.fyi Security Engineering 2024

Cloud security architects are currently the highest-compensated non-executive security specialists in the market, reflecting the scarcity of professionals who combine deep cloud platform expertise (AWS, Azure, or GCP) with security architecture knowledge at production scale.

Incident Response and Digital Forensics

| Role | US Median Salary | Range | Notes |
| --- | --- | --- | --- |
| Incident Responder | $110,000-$140,000 | $90,000-$170,000 | In-house or consulting firm |
| Digital Forensics Analyst | $100,000-$130,000 | $85,000-$155,000 | Law enforcement, corporate, consulting |
| IR Consultant (consulting firm) | $130,000-$165,000 | $110,000-$200,000 | Billing rates $250-$500/hr during incidents |

IR consultants at major firms (Mandiant/Google, CrowdStrike, Palo Alto Unit 42) often earn above their base through significant performance bonuses tied to billable hours during high-activity incident periods.

CISO and Security Leadership

CISO compensation is highly sensitive to company size, industry, and geography.

| Organization Size | US CISO Total Compensation Range | Median |
| --- | --- | --- |
| Under 1,000 employees | $180,000-$280,000 | $220,000 |
| 1,000-5,000 employees | $240,000-$380,000 | $295,000 |
| 5,000-20,000 employees | $320,000-$520,000 | $390,000 |
| 20,000+ employees | $450,000-$900,000+ | $560,000 |
| Fortune 100 (financial sector) | $600,000-$1,500,000+ | N/A |

Sources: ISACA State of Cybersecurity 2024; Spencer Stuart and IANS Research CISO Compensation Survey 2024; Korn Ferry Executive Compensation Survey 2024

The Spencer Stuart and IANS Research 2024 CISO survey placed the median US CISO total compensation at $329,000. Vice Presidents of Security at large enterprises typically earn $200,000-$350,000, representing the primary pipeline to CISO positions.


Salary by Experience Level

Experience is the dominant driver of compensation across all cybersecurity roles, more significant than certification status alone.

| Experience Band | Typical Role Level | US Median Base Salary | Notes |
| --- | --- | --- | --- |
| 0-2 years | SOC Tier 1, junior analyst | $65,000-$80,000 | Entry; certifications (Sec+) raise floor |
| 3-5 years | SOC Tier 2, security analyst | $88,000-$115,000 | Specialization starts to differentiate |
| 6-10 years | Senior analyst, security engineer | $120,000-$165,000 | Specialization premium strong |
| 10+ years | Architect, director, CISO | $160,000-$350,000+ | Management track vs deep specialist diverge |

Source: BLS OES May 2024; ISC2 Cybersecurity Workforce Study 2024


Salary by Industry Sector

The industry a cybersecurity professional works in has a significant impact on compensation, sometimes as large as geographic effects.

| Industry | US Median (Information Security Analyst) | Notes |
| --- | --- | --- |
| Finance and Insurance | $138,000-$155,000 | PCI-DSS, SOX, GLBA regulatory pressure; highest absolute pay |
| Technology (software, cloud) | $130,000-$150,000 | Lower than finance but strong equity upside |
| Defence Contractors | $120,000-$165,000 | Add $15,000-$45,000 for clearance requirements |
| Healthcare | $105,000-$120,000 | HIPAA pressure, ransomware threat; budget constraints cap pay |
| Federal Government (civilian) | $100,000-$115,000 | Below private sector; exceptional job security + pension |
| Energy and Utilities | $115,000-$135,000 | Growing ICS/OT security demand |
| State and Local Government | $82,000-$100,000 | Significant budget constraints; persistent talent drain |
| Education | $80,000-$100,000 | Nonprofit budget constraints |

Sources: BLS Occupational Employment Statistics by Industry, May 2024; ISACA State of Cybersecurity 2024

The finance and technology premium over government is approximately 25-35% in base salary terms. However, federal civilian positions offer defined-benefit pensions, exceptional job security, and the classified-environment experience that commands substantial consulting and contracting premiums later in a career. The long-term financial calculus depends heavily on individual circumstances and risk tolerance.


Salary by Country

The United States pays the highest absolute cybersecurity salaries globally. International comparisons are useful for professionals considering relocation and for remote-first companies calibrating international compensation.

| Country | Mid-Level Security Engineer | Senior Security Engineer | CISO Range | Notes |
| --- | --- | --- | --- | --- |
| United States | $130,000-$155,000 | $155,000-$200,000 | $250,000-$700,000+ | Global benchmark |
| Canada | CAD $95,000-$120,000 (~$70,000-$90,000 USD) | CAD $120,000-$160,000 | CAD $200,000-$450,000 | Toronto/Vancouver command premiums |
| United Kingdom | GBP 60,000-85,000 (~$75,000-$107,000 USD) | GBP 85,000-115,000 | GBP 175,000-350,000 | London +15-20% over national |
| Germany | EUR 70,000-95,000 (~$76,000-$103,000 USD) | EUR 95,000-130,000 | EUR 160,000-300,000 | Benefits package substantial |
| Australia | AUD 110,000-145,000 (~$73,000-$97,000 USD) | AUD 145,000-190,000 | AUD 250,000-500,000 | Sydney/Melbourne premium |
| France | EUR 60,000-85,000 (~$65,000-$92,000 USD) | EUR 85,000-115,000 | EUR 150,000-280,000 | Paris premium significant |
| Netherlands | EUR 65,000-90,000 (~$70,000-$98,000 USD) | EUR 90,000-125,000 | EUR 160,000-300,000 | Amsterdam tech cluster |

Sources: StepStone Gehaltsreport IT 2024 (Germany); CWJobs Cybersecurity Salary Survey 2024 (UK); Seek.com.au Salary Insights 2024 (Australia); LinkedIn Salary Insights country-level data 2024

Remote work impact: European and Canadian professionals working for US-headquartered companies on USD-denominated contracts can earn $80,000-$130,000 USD, substantially above their local market rates. This has partially converged cybersecurity pay across countries for English-speaking practitioners in cloud security and AppSec roles, where remote-first work is most normalized.


Salary by Certification Held

Certification status is a measurable but secondary driver of compensation — secondary to experience and role type. The causal relationship is complex: professionals who invest in CISSP are also typically those with more experience and career intentionality. That said, specific certifications do open access to roles with minimum credential requirements, which creates a direct salary floor effect.

| Certification | Median US Salary (Holders) | Premium over Uncertified Median | Source |
| --- | --- | --- | --- |
| No security certification | $88,000 | Baseline | ISC2 2024 |
| CompTIA Security+ | $90,000-$96,000 | +$5,000-$8,000 | CompTIA 2024 |
| CompTIA CySA+ | $100,000-$115,000 | +$12,000-$27,000 | CompTIA 2024 |
| OSCP | $132,000-$162,000 | +$44,000-$74,000 | LinkedIn Salary 2024 |
| AWS Security Specialty | $135,000-$160,000 | +$47,000-$72,000 | Glassdoor 2024 |
| CISM | $148,000 | +$60,000 | ISACA 2024 |
| CISSP | $156,000 | +$68,000 | ISC2 2023 |

The highest certification premiums are OSCP (offensive security specialization), AWS Security Specialty (cloud security roles), CISM (management track), and CISSP (architecture and senior management). These also happen to be the certifications that directly gate specific high-value role categories, which partly explains the correlation.


Total Compensation Breakdown: Base, Bonus, and Equity

For roles at technology companies and growth-stage startups, base salary is only part of the picture.

| Role Level | Company Type | Base Salary | Annual Bonus | Annual Equity (RSU vest) | Approx Total Comp |
| --- | --- | --- | --- | --- | --- |
| Entry security analyst | Mid-size tech | $80,000 | $5,000-$8,000 | $0-$10,000 | $85,000-$98,000 |
| Mid security engineer | Growth tech | $140,000 | $15,000-$25,000 | $30,000-$60,000 | $185,000-$225,000 |
| Senior security engineer | Big Tech (FAANG-adjacent) | $180,000 | $25,000-$50,000 | $80,000-$180,000 | $285,000-$410,000 |
| Security architect | Large enterprise (non-tech) | $185,000 | $20,000-$40,000 | $10,000-$30,000 | $215,000-$255,000 |
| VP / Director of Security | Large tech | $220,000 | $40,000-$80,000 | $120,000-$300,000 | $380,000-$600,000 |

Sources: Levels.fyi Security Engineering Compensation 2024; LinkedIn Salary Insights 2024; Glassdoor Cybersecurity 2024

The equity differential between technology companies and traditional enterprises is substantial. A senior security engineer at a pre-IPO tech company with $80,000 in annual RSU vesting and a strong equity outcome could see $400,000+ in total realized compensation; the same role at a bank or healthcare system with no equity might pay $180,000-$200,000 in total comp. Both are well-compensated — the choice involves risk preference, not just salary.


Government vs Private Sector: The Real Tradeoffs

The government vs private sector decision involves more than current salary comparison.

Government advantages:

  • Job security: Federal civilian cybersecurity roles are among the most secure employment in the economy; layoffs are extremely rare
  • Defined benefit pension: The Federal Employees Retirement System (FERS) provides pension, social security, and TSP (Thrift Savings Plan) with employer match
  • Mission: Many practitioners value working on national security and public infrastructure protection
  • Clearance acquisition: Obtaining a Secret or TS/SCI clearance in government creates a credential that commands a $15,000-$45,000 premium in the private sector for cleared roles
  • Training and access: Government roles in intelligence and defence provide access to threat intelligence and technical training not available commercially

Private sector advantages:

  • Base salary: Private sector pays 25-35% more in base salary at equivalent experience levels
  • Equity upside: Technology company equity can create significant wealth in ways government cannot
  • Career velocity: Specialization, advancement, and compensation increases typically happen faster in private sector
  • Flexibility: Remote work, flexible hours, and role variety are generally more available

The common pattern: Many practitioners spend early career years in government (building clearance, classified experience, and institutional credibility) and move to private sector consulting or contractor roles at mid-career, where cleared positions command strong premiums. Defence contractors (Booz Allen Hamilton, Leidos, Raytheon) occupy a middle ground — private sector pay with government-adjacent work and clearance requirements.


Contractor vs Employee: Compensation Comparison

Independent contracting is a meaningful compensation alternative for experienced cybersecurity practitioners.

Independent IR contractors: Incident response specialists with strong credentials (OSCP, GCFE, GCIH) contracting directly or through firms bill at $200-$500 per hour for active engagements. A practitioner with 100-150 billable days per year at $250/hour earns $200,000-$300,000 in gross revenue, before taxes and self-funded benefits.

Security consulting rates: Senior security consultants (pen testers, cloud security architects, security program directors) bill at $150-$350/hour for project work through boutique firms or independently.

Clearance contractor premium: Cleared contractors (Secret level) add $15-$25/hour above market for cleared contractor roles; TS/SCI adds $25-$50/hour above equivalent non-cleared contractor rates.

The self-employment overhead: Independent contractors must fund their own benefits (health insurance, retirement contributions), deal with self-employment taxes (approximately 15.3% on top of income tax), and absorb unbillable time for business development, administration, and between-project gaps. The gross revenue figure needs to be discounted by 25-40% to compare fairly with an employee total compensation package.


Practical Salary Benchmarking

Use role-specific benchmarks. "Information security analyst" covers roles paying $65,000 to $210,000. Search LinkedIn Salary, Glassdoor, Levels.fyi, and Dice using your specific job title (e.g., "Cloud Security Engineer" or "Penetration Tester") to get relevant comparisons.

Factor total compensation, not just base. At technology companies, equity can represent 30-60% of total economic value. A $130,000 base with $70,000 annual RSU vesting is worth considerably more than a $155,000 base with no equity.

Clearance premium is real. If you hold or can obtain a US security clearance, your market value increases materially. Secret level adds approximately $15,000-$25,000; TS/SCI adds $25,000-$50,000 over equivalent non-cleared roles at the same experience level.

Benchmark certification ROI before investing. Pull 50 recent job postings for your specific target role and record how many list each certification as required, preferred, or not mentioned. Required certifications have the highest direct salary floor impact; preferred certifications affect competitiveness without hard-gating salary.

Adjust for cost of living. A $120,000 salary in Austin, Texas has materially more purchasing power than the same figure in San Francisco or New York. MIT's Living Wage Calculator and Numbeo's cost of living comparisons are useful tools for real purchasing power assessment.


References

  1. US Bureau of Labor Statistics. Occupational Outlook Handbook: Information Security Analysts, May 2024. bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm
  2. ISC2 Cybersecurity Workforce Study 2024. isc2.org/research/workforce-study
  3. ISACA State of Cybersecurity 2024. isaca.org/resources/reports/state-of-cybersecurity-2024
  4. Spencer Stuart and IANS Research. CISO Compensation and Tenure Survey 2024. iansresearch.com
  5. Dice Inc. 2024 Tech Salary Report. dice.com/technologist/salary-survey
  6. CompTIA State of the Tech Workforce 2024. comptia.org/content/research/state-of-the-tech-workforce
  7. Glassdoor Cybersecurity Salary Data 2024. glassdoor.com/Salaries
  8. LinkedIn Talent Insights: Cybersecurity Compensation Data 2024. linkedin.com/salary
  9. Levels.fyi Security Engineering Compensation Data 2024. levels.fyi
  10. StepStone Gehaltsreport Informationstechnologie 2024. stepstone.de
  11. CWJobs UK Cybersecurity and IT Salary Survey 2024. cwjobs.co.uk
  12. Seek Australia Salary Insights: Cybersecurity 2024. seek.com.au

Frequently Asked Questions

What does a SOC analyst earn at each tier?

US median salaries: SOC Tier 1 earns $68,000-$78,000, Tier 2 earns $90,000-$108,000, and Tier 3 earns $115,000-$140,000. Threat hunters at the senior end earn $130,000-$160,000, per ISC2 and LinkedIn Salary data 2024.

Which cybersecurity industry pays the most?

Finance and insurance pays the highest median salary at $138,000-$155,000 for US information security analysts. Technology companies follow at $130,000-$150,000, with strong equity upside. Government pays 25-35% less in base salary but offers defined pensions and clearance credentials.

How much do CISSP holders earn compared to uncertified professionals?

ISC2's 2024 Workforce Study shows CISSP holders earn a $156,000 US median salary, versus $88,000 for uncertified professionals — roughly a $68,000 premium, though experience differences account for a significant portion of that gap.

Is cybersecurity pay significantly higher in the US than other countries?

Yes. A mid-level US security engineer earns $130,000-$155,000 versus 60,000-85,000 GBP in the UK, 70,000-95,000 EUR in Germany, and AUD 110,000-145,000 in Australia. Remote roles at US companies can partially close this gap for international practitioners.

Should I work as a contractor or employee in cybersecurity?

Experienced contractors in IR and cloud security bill at $200-$500 per hour, generating $200,000-$300,000+ gross revenue annually. However, self-employment taxes, benefits costs, and unbillable time reduce take-home by 25-40%. Full-time employment at large tech companies with equity can match or exceed contracting net income for most practitioners.