Cybersecurity has spent the better part of a decade being described as a gold rush profession — and for many of the numbers, that description holds. A field that barely existed as a named discipline thirty years ago now encompasses hundreds of distinct job titles, salary bands that run from $60,000 to well over $700,000 in total compensation, and a hiring market where qualified candidates still hold considerable leverage. But raw enthusiasm about cybersecurity pay often papers over enormous variation. A Tier 1 SOC analyst working rotating night shifts earns a fundamentally different salary than a cloud security architect at a major bank, even though both technically work in cybersecurity.

Understanding what the field actually pays requires disaggregating salary data by role, seniority, certification status, industry sector, and geography. The US Bureau of Labor Statistics (BLS), ISC2, and ISACA each publish annual workforce and salary studies, and while they use different methodologies, their combined picture is detailed enough to navigate by. This article synthesises 2023-2024 data from all three sources alongside specialist salary surveys from Dice, Glassdoor, and LinkedIn Talent Insights to give you a grounded, role-specific picture of cybersecurity compensation.

What follows covers entry-level SOC analyst pay, mid-career security engineer and pen tester salaries, CISO-level total compensation, the measurable impact of certifications, how industry sector distorts pay (financial services vs healthcare vs public sector), and significant geography-driven differences between the US, UK, and the European Union. Whether you are evaluating a career change, negotiating your first security role, or benchmarking your current salary, these figures will give you real anchors.

"The cybersecurity workforce shortage is not just a technical problem — it is an economic signalling problem. When organisations underpay entry-level talent, they create the very gap they complain about." — Clar Rosso, CEO, ISC2, speaking at RSA Conference 2023


Key Definitions

Total Compensation: The full economic value of an employment package, including base salary, bonuses, equity (stock options or RSUs), pension contributions, and other benefits. In senior cybersecurity roles, total compensation can exceed base salary by 40-100%.

Information Security Analyst: The umbrella job title used by the US Bureau of Labor Statistics for most cybersecurity roles below director level. The BLS median for this category ($120,360 in 2024) is often cited but masks wide internal variation.

SIEM: Security Information and Event Management. Software platforms (Splunk, Microsoft Sentinel, IBM QRadar) that aggregate and analyse security log data. Proficiency in a major SIEM platform significantly affects employability and salary, particularly for SOC roles.

SOC (Security Operations Center): The team or facility responsible for continuous monitoring of an organisation's security posture. SOC tiers (1, 2, 3) correspond roughly to junior analyst, experienced analyst, and senior/threat hunter roles with correspondingly increasing pay.

OTE (On-Target Earnings): For cybersecurity roles with variable pay components (bonuses, commissions in vendor/sales-adjacent roles), OTE represents base salary plus full target bonus, assuming performance goals are met.


Entry-Level Cybersecurity Salaries: What SOC Analysts Actually Earn

The entry point for most people entering cybersecurity is a Tier 1 SOC analyst role. These positions involve monitoring security dashboards, triaging alerts generated by SIEM platforms, and escalating genuine incidents to more experienced analysts. The work is structured, sometimes repetitive, and often shift-based — which is reflected in the pay.

According to the BLS Occupational Outlook Handbook (2024), the 10th percentile for information security analysts in the US sits at approximately $65,000. LinkedIn Salary data for 'SOC Analyst' and 'Junior Security Analyst' titles in 2024 places the median starting salary at $68,000-$75,000 nationally, with geographic variation pulling this figure to $85,000-$95,000 in high-cost markets like San Francisco, New York, and Washington DC.

CompTIA's 2024 State of the Tech Workforce report provides additional granularity. Professionals with Security+ but no prior security work experience average $72,000 on first hire. Those coming from IT support or networking backgrounds with 1-2 years of adjacent experience and Security+ typically start at $78,000-$88,000.

The helpdesk-to-SOC pipeline is the most common entry route for career changers, and salary progression follows a predictable arc: Tier 1 analyst ($68,000-$82,000), Tier 2 analyst after 18-24 months ($85,000-$105,000), Tier 3 or senior analyst after 3-5 years ($110,000-$140,000). These figures represent US national medians; actual offers vary substantially.

Mid-Career Security Roles: Engineers, Pen Testers, and Architects

Mid-career cybersecurity roles diverge sharply depending on specialisation. The BLS places the overall median for information security analysts at $120,360 (May 2024 data), but this median compresses a wide spread. Breaking it down by role title provides a clearer picture.

Security Engineers design and implement security controls, configure security tools, and support detection and response capabilities. Glassdoor data for 2024 places the US median for Security Engineer at $125,000-$145,000, with senior security engineers reaching $155,000-$175,000.

Penetration Testers are technical specialists who simulate attacks on systems, applications, and networks. Dice's 2024 Tech Salary Report places the median US penetration tester salary at $130,000, with senior and specialist testers earning $150,000-$190,000. OSCP-certified testers command a consistent $10,000-$20,000 premium.

Cloud Security Architects are currently among the highest-compensated non-executive security roles. LinkedIn Insights data for 2024 shows median total compensation of $165,000-$195,000 in the US, reflecting the scarcity of professionals who combine deep cloud platform knowledge (AWS, Azure, GCP) with security architecture expertise.

Application Security Engineers (AppSec) focus on securing software development pipelines and reviewing code for vulnerabilities. AppSec roles at technology companies pay $140,000-$180,000 at mid-senior level, with some FAANG-adjacent companies offering $200,000+ in total compensation.

Incident Response Specialists and Digital Forensics Analysts fall in the $110,000-$155,000 range at mid-career, with consulting firms billing out IR specialists at $250-$500 per hour during active incident response engagements.

CISO and Director-Level Compensation

Chief Information Security Officer compensation represents the upper ceiling of the cybersecurity pay scale and is highly sensitive to organisation size, industry, and geographic location.

ISACA's 2024 State of Cybersecurity report surveys over 3,000 security professionals globally. For US-based CISOs:

  • Companies with fewer than 1,000 employees: $180,000-$260,000 total compensation
  • Companies with 1,000-10,000 employees: $250,000-$400,000 total compensation
  • Companies with 10,000+ employees: $350,000-$700,000+ total compensation (including equity)

Fortune 500 CISOs at financial institutions, defence contractors, and major technology firms frequently report total compensation exceeding $500,000 when annual bonuses and equity grants are included. A 2024 survey by Spencer Stuart and IANS Research placed the median US CISO total compensation at $329,000, with the top quartile exceeding $540,000.

Vice Presidents of Security and Security Directors at large enterprises typically earn $200,000-$350,000, serving as the primary pipeline for CISO positions.

The Certification Premium: How Much Do Certs Actually Add?

ISC2's 2023 Cybersecurity Workforce Study surveyed over 14,000 professionals and found that certification status correlates strongly with compensation:

  • CISSP holders: Median US salary of $156,000, representing a 41% premium over the BLS median
  • CISM holders (ISACA's Certified Information Security Manager): Median US salary of $148,000
  • Security+ holders (entry-level): Median salary of $82,000-$96,000 depending on experience level
  • OSCP holders: LinkedIn data suggests a median of $130,000-$150,000, concentrated in pen testing and red team roles
  • Cloud security certifications (AWS Security Specialty, Google Professional Cloud Security Engineer): $10,000-$25,000 salary premium reported by Glassdoor's 2024 certification salary survey

It is important to note that correlation is not causation here. Professionals who invest in CISSP certification are also typically those with significant experience, seniority, and career intentionality — all of which independently drive higher salaries. The certification is partly a proxy for those underlying factors. That said, specific credentials do open doors to roles where they are listed as explicit requirements, which creates a real salary floor effect.

Industry Sector Pay Differences

Cybersecurity salaries vary considerably by industry. The BLS Occupational Employment Statistics (2024) provides industry-level data for the information security analyst category:

Finance and Insurance: Median $138,000. Wall Street, banking, and insurance firms pay a consistent premium reflecting both regulatory pressure (PCI-DSS, SOX, GLBA) and the sensitivity of assets protected.

Information Technology Services: Median $128,000. Slightly below finance but with better equity upside at growth-stage companies.

Federal Government: Median $101,000. Federal civilian cybersecurity roles pay below private sector equivalents but offer exceptional job security, defined benefit pensions, and classified environment experience that commands high consulting premiums later.

State and Local Government: Median $88,000. Significant budget constraints affect public sector security salaries, creating a persistent talent drain to the private sector.

Healthcare: Median $106,000. Healthcare cybersecurity is growing rapidly, driven by HIPAA requirements and an explosion of ransomware targeting hospitals, but budget constraints in non-profit health systems cap pay below finance and tech.

Defence Contractors: $115,000-$160,000. Require US security clearances (Secret, Top Secret/SCI), which can add $15,000-$30,000 to market rate. Clearance-eligible professionals are in extremely short supply.

US vs UK vs EU Salary Comparison

The United States pays the highest absolute cybersecurity salaries in the world, though purchasing power parity and benefits packages complicate direct comparison.

United States: Mid-level security engineer median $130,000-$150,000; CISO median total compensation $329,000 (ISACA 2024).

United Kingdom: According to CyberSecurity Ventures and Glassdoor UK data (2024), mid-level security engineers earn 60,000-80,000 GBP ($75,000-$100,000 at 2024 exchange rates). Senior engineers reach 90,000-110,000 GBP. London adds 10-20% over national UK figures. CISOs at large UK enterprises earn 180,000-300,000 GBP including bonus.

Germany: Germany's cybersecurity market is mature and growing. IT-Gehalt.de and StepStone salary data for 2024 show security engineers earning 70,000-95,000 EUR, with senior and specialist roles reaching 100,000-130,000 EUR. German salaries include substantial social security contributions (approximately 20% employer-paid) that represent real economic value.

Netherlands and France: Both markets sit in the 65,000-90,000 EUR range for mid-level roles, with Amsterdam and Paris commanding premiums over national averages. Remote-first companies increasingly offer US-equivalent base salaries to attract European talent, particularly in cloud security and AppSec.

Remote Work Impact: The proliferation of remote work has partially globalised cybersecurity salaries. European professionals at US-based companies can earn 80,000-110,000 EUR in USD-denominated salaries, significantly above local market rates. This creates both opportunity for European professionals and wage pressure that is gradually lifting EU cybersecurity pay floors.

Practical Salary Benchmarking Steps

1. Use role-specific, not category-wide benchmarks. 'Information security analyst' encompasses everything from Tier 1 SOC work to cloud architecture. Search Glassdoor, Levels.fyi, LinkedIn Salary, and Dice using your specific job title to get relevant data.

2. Factor in total compensation. Stock options and RSUs at technology companies can represent 30-50% of economic value. A $120,000 base with $60,000 annual equity vest is worth more than a $150,000 base with no equity.

3. Adjust for clearance requirements. If you hold or can obtain a US security clearance, your market value increases materially. The government clearance premium runs $15,000-$30,000 for Secret and $25,000-$45,000 for TS/SCI levels.

4. Research your COLA. A $120,000 salary in Austin, Texas has significantly more purchasing power than the same salary in San Francisco or New York. Use MIT's Living Wage Calculator alongside salary benchmarks to assess real compensation value.

5. Track certification ROI. Before investing $500-$1,500 in a certification, pull 50 recent job listings for your target role and count how many list that certification as required vs preferred vs not mentioned. Required certifications have the highest salary floor impact.


References

  1. US Bureau of Labor Statistics, Occupational Outlook Handbook: Information Security Analysts, May 2024. bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm
  2. ISC2 Cybersecurity Workforce Study 2023. isc2.org/research/workforce-study
  3. ISACA State of Cybersecurity 2024. isaca.org/resources/reports/state-of-cybersecurity-2024
  4. Dice 2024 Tech Salary Report. dice.com/technologist/salary-survey
  5. CompTIA State of the Tech Workforce 2024. comptia.org/content/research/state-of-the-tech-workforce
  6. Glassdoor Cybersecurity Salary Data 2024. glassdoor.com/Salaries
  7. LinkedIn Talent Insights: Cybersecurity Roles 2024. linkedin.com/talent/insights
  8. Spencer Stuart and IANS Research, CISO Compensation Survey 2024. iansresearch.com
  9. StepStone Gehaltsreport IT 2024 (Germany). stepstone.de
  10. CyberSecurity Ventures Cybersecurity Jobs Report 2024. cybersecurityventures.com
  11. MIT Living Wage Calculator. livingwage.mit.edu
  12. Levels.fyi Security Engineering Compensation Data 2024. levels.fyi

Frequently Asked Questions

What is the average cybersecurity analyst salary in the US?

According to the US Bureau of Labor Statistics (2024), the median annual wage for information security analysts is $120,360. Entry-level roles start closer to $65,000-$80,000, while senior analysts and architects exceed $160,000.

Do cybersecurity certifications significantly increase salary?

Yes. CISSP holders earn a median of $156,000 according to ISC2's 2023 Workforce Study, compared to $110,000 for uncertified professionals. OSCP and CISM carry similar premiums, typically adding $15,000-$30,000 over base.

How much does a CISO earn?

CISO salaries range widely from $200,000 at mid-size companies to over $700,000 (including equity) at large enterprises. The average total compensation for a US CISO sits around $290,000-$340,000, per ISACA's 2024 State of Cybersecurity report.

Is cybersecurity pay higher in the US than Europe?

Yes, substantially. A mid-level security engineer earns roughly $130,000-$160,000 in the US versus 60,000-90,000 EUR in Germany or France and 55,000-75,000 GBP in the UK. Cost of living differences narrow the gap somewhat.

Which cybersecurity specialization pays the most?

Cloud security architects, CISOs, and security directors consistently top pay rankings. Penetration testers and exploit developers at specialist firms also command high rates, especially contractors who can earn $150-$300 per hour.