Asking "what is the average salary in cybersecurity?" is like asking how long a piece of string is. The number you get is almost useless without context. I've been in this field for over a decade, and I've seen analysts making $65,000 and architects pulling in $300,000+. The real story isn't one number—it's a map of how experience, specialization, location, and pure negotiation savvy combine to determine your paycheck.

Let's cut through the generic averages and look at what you can actually expect, and more importantly, how you can position yourself at the higher end of the spectrum.

The Big Picture: Average Cybersecurity Salaries

Okay, let's get the headline number out of the way, since that's what you searched for. According to the U.S. Bureau of Labor Statistics (BLS), the median annual wage for Information Security Analysts was $120,360 as of May 2023. That means half earn more, half earn less.

Key Takeaway: The BLS figure is a solid benchmark, but it's just for one job title (“Information Security Analyst”) and includes everyone from junior to senior levels. It also doesn't account for bonuses, stock options (common in tech), or geographic differences, which are massive.

Other sources paint a similar but varied picture. Payscale reports an average base salary around $99,000, while Glassdoor shows about $117,000. Indeed's data suggests an average of $127,000. The variation comes from their different data sources—Payscale often relies on user submissions, Glassdoor on self-reported offers, and Indeed on job postings.

Here's the thing nobody tells you: these "average" figures can be dangerously misleading if you're planning your career around them. A new graduate in Kansas City accepting a SOC analyst role is living in a completely different financial universe than a principal cloud security engineer in San Francisco with RSUs (Restricted Stock Units). The average blends them into meaningless mush.

What Truly Drives Your Cybersecurity Salary? (Beyond the Average)

Forget the single number. Your salary is a function of four main levers. Understanding how to pull them is the key.

1. Your Specific Role & Specialization

"Cybersecurity" isn't one job. It's a dozen distinct careers with different pay scales. Generalists (like many internal SOC analysts) often hit a ceiling faster than specialists in high-demand, high-complexity niches.

Right now, the market is screaming for people who understand cloud security (AWS, Azure, GCP), application security (AppSec), and security automation/DevSecOps. These roles require you to speak the language of developers and engineers, not just security tools. That cross-functional skill is worth a major premium.

Non-Consensus View: Many guides tell you to get certified. That's good advice for getting past HR filters. But for salary, deep, hands-on experience with a specific platform (like securing Kubernetes clusters or implementing SAST/DAST pipelines) will beat a generic certification every time when it comes to negotiation power.

2. Experience (It's Not Just Years)

Experience matters, but it's not linear. The jump from $70k to $110k in the first 5 years is common. The jump from $150k to $200k+ requires a different kind of experience: strategic thinking, risk management, and the ability to communicate security in business terms (preventing loss, enabling revenue).

I've met "10-year veterans" who've done the same basic monitoring for a decade, and 5-year pros who've led cloud migrations and handled major breaches. Guess who gets the recruiter calls and the bigger offers? It's about scope and impact, not just tenure.

3. Location & Company Type

Geography is a brute-force multiplier. A security engineer in San Francisco or New York City can easily earn 30-50% more than an identical counterpart in Atlanta or Chicago, even adjusting for cost of living (though that adjustment is its own debate).

But here's a twist: remote work is scrambling this. Many companies now have location-based pay bands. If you live in a low-cost area but work for a Bay Area company, your pay might get a downward "remote adjustment". However, some tech-forward firms are moving to national pay bands for roles. You need to ask during interviews.

Company type is huge:

  • Big Tech (FAANG+): Highest total compensation (base + bonus + significant stock), with the emphasis on significant stock. This can double your nominal salary over 4 years.
  • FinTech & Finance: Very high base salaries, strong bonuses, but often less stock. The culture is high-pressure, but the pay reflects the criticality of security.
  • Cybersecurity Vendors (CrowdStrike, Palo Alto, etc.): Good mix of base salary and stock options (especially if you join pre-IPO). You also gain invaluable industry knowledge.
  • Government/Defense: Lower base pay than private sector, but benefits and job security are top-tier. Clearances add value.
  • Midsize SaaS or Non-Tech Companies: Often the "sweet spot" for many. Competitive salaries, better work-life balance than finance, and a chance to build and own a security program from the ground up.

4. Your Negotiation Skills

This is the lever most people under-pull. The first offer is almost never the best offer. In cybersecurity, where demand outstrips supply, you have leverage. I once left $25,000 on the table because I was nervous to negotiate. I still kick myself. Companies have salary bands, and their first offer is typically at the low-to-mid point of that band. Your goal is to anchor at the top.

Cybersecurity Salary Breakdown by Key Job Roles

Let's get concrete. Here are salary ranges for common roles in the U.S. market, compiled from BLS, levels.fyi, and my own network data. These are total compensation estimates (base + bonus + typical stock) for mid-career professionals (3-8 years of experience) in a major tech hub.

| Job Title | Core Responsibility | Typical Salary Range (TC*) | High-Demand Niche Within Role |
|---|---|---|---|
| SOC Analyst (Tier 2/3) | Monitoring alerts, incident triage, basic investigation. | $85,000 - $130,000 | Threat hunting, automation script development. |
| Vulnerability Management Analyst | Running scans, prioritizing patches, reporting risk. | $90,000 - $140,000 | Integrating VM into CI/CD pipelines (DevSecOps). |
| Security Engineer | Implementing & configuring security tools (firewalls, SIEM, EDR). | $110,000 - $170,000 | Cloud security engineering (AWS IAM, CSPM, container security). |
| Application Security (AppSec) Engineer | Code review, SAST/DAST, advising dev teams on secure coding. | $130,000 - $190,000+ | Product security, securing microservices and APIs. |
| Penetration Tester / Ethical Hacker | Simulating attacks on systems, apps, or people. | $100,000 - $180,000 | Red teaming, cloud pentesting, mobile app security. |
| Security Architect | Designing the overall security structure and strategy. | $140,000 - $220,000+ | Zero Trust architecture, hybrid cloud design. |
| Security Manager / Director | Leading teams, managing budgets, aligning with business. | $150,000 - $250,000+ | Building security programs from scratch, M&A security integration. |

*TC = Total Compensation. Ranges are broad because of location, company size, and exact skills. A Security Engineer at a pre-IPO startup might get a lower base but high-potential options. The same title at Google will have a robust base and RSUs.

How to Use This Data: From Research to Raise

Knowing the numbers is step one. Using them is step two. Here's a practical playbook.

If You're Job Hunting:

1. Research the specific company and role. Use Levels.fyi and Blind for tech companies. For non-tech, salary data on Glassdoor and Payscale is more relevant.
2. Know your "walk-away" number. Based on your expenses, market rate, and current salary, what's the minimum you'll accept?
3. Practice your pitch. When asked for salary expectations, try: "Based on my research on the market for [Role] with [X years] of experience in [Skill], and the impact I believe I can make here, I'm looking for a total compensation package in the range of [Quote a number at the TOP of the range you found]."
4. Get the offer in writing. Then negotiate. Ask for 5-15% above the offer. The worst they can say is no, and they almost never rescind an offer for professional negotiation.

If You're Seeking a Raise Internally:

1. Document your impact. Don't just list duties. Quantify: "Reduced mean time to respond (MTTR) by 40%," "Automated a process saving 15 hours per week," "Identified a critical flaw that prevented a potential breach."
2. Research internal equity. Carefully use sites like Levels.fyi to see what similar roles at your company pay (this is easier in big tech).
3. Schedule the talk with your manager. Frame it as a career conversation. Present your documented impact and market data. Say, "I want to continue growing here and taking on more responsibility. To align my compensation with the market value for this level of contribution, I was hoping we could discuss adjusting my salary to [Target Number]."

Personal Anecdote: The biggest raise I ever got (22%) didn't come from a promotion. It came from calmly showing my manager a job description for my *exact* role at a competitor with a salary $30k higher, alongside a one-pager of my major wins from the past year. I wasn't threatening to leave; I was demonstrating a market gap. They closed it within a month.

FAQs: Your Burning Cybersecurity Salary Questions Answered

Clearing Up the Confusion

How can I negotiate a higher cybersecurity salary?

Focus on your unique value, not just the average. Quantify your impact from past roles—like "reduced system vulnerabilities by 30%" or "led an incident response that saved X in potential losses." Research the specific salary band for your exact title at similar-sized companies in your city using sources like Levels.fyi and Blind. Frame the negotiation as solving the company's problem: "To secure your cloud infrastructure effectively, I'll need to leverage these specific tools and skills, which aligns with the market rate for this expertise."

Is an entry-level cybersecurity salary realistic for a career changer?

It's possible, but the direct path is crowded. The "average" entry-level salary often assumes a Computer Science degree and internships. As a career changer, your leverage is different. I've seen more success with an "internal transfer" strategy. Get a tech-adjacent role (like IT support or systems admin) at a large company, then volunteer for security audits or compliance projects. Your salary jump happens when you pivot internally into a dedicated security role, often with a 15-25% increase from your previous non-security salary, bypassing the lower external "entry-level" bracket.

Which cybersecurity specialization has the highest salary potential long-term?

While cloud security and application security (AppSec) command high premiums now, don't chase the "hot" thing blindly. The highest long-term ceiling often belongs to roles that sit at the intersection of technical depth and business risk management, like Security Architecture or Product Security Leadership. These roles evolve with technology rather than being tied to a specific tool. A specialization in a complex, regulated domain (like industrial control systems security or healthcare data privacy) also creates high, durable demand because the barrier to entry is steep and the consequences of failure are catastrophic.

Does remote work lower cybersecurity salaries?

It's creating a two-tier market. Companies with strict location-based pay scales may offer a "remote discount" if you move to a lower-cost area. However, a growing number of tech-first companies (especially in SaaS and cybersecurity vendors themselves) are adopting national or skill-based pay bands. For them, top talent is top talent, regardless of zip code. The key is to target these latter companies. Your leverage as a remote worker isn't just your location; it's your ability to access a wider pool of high-paying employers who compete for your skills on a national stage.

Final Thought: The question "what is the average salary in cybersecurity?" is your starting point, not your destination. Your destination is understanding which levers you control and how to pull them. Specialize deeply, quantify your work, understand your market value, and never be afraid to have the compensation conversation. This field rewards those who don't just understand technology, but also understand their own worth.