Salary data

Cybersecurity Salary Guide 2026

Realistic salary data by role, location, experience, and certification — sourced from BLS, Glassdoor, and live job postings. No inflated headlines.

14 min read

Last updated May 2026

9 roles · 9 locations

Quick answer

Realistic 2026 US cybersecurity salaries: $55k–$75k for true entry-level Tier 1 SOC roles, $90k–$130k for mid-career Cybersecurity Analysts, $170k–$250k+ for senior Security Engineers and Architects. Location adds +20–35% in major metros. Certifications add 8–25% depending on level. Active clearance adds another $15k–$30k for cleared roles.

Skip ahead: By role By location Cert impact FAQ

Cybersecurity salary data online ranges from realistic to fantasy. Some sources cite $100k+ entry-level figures that bear no resemblance to actual offers most candidates receive. Others quote BLS data that's lagged by 1–2 years and underestimates current market rates. The truth requires triangulating multiple sources and adjusting for role definitions, experience levels, and location.

This guide presents salary ranges that align with actual 2026 offers — drawn from BLS data, Glassdoor and PayScale aggregations, ZipRecruiter posting analysis, and real candidate offer reports from Reddit and LinkedIn. Where sources diverge significantly, the ranges presented prioritize realistic median expectations over optimistic averages.

Numbers below reflect US base salaries. Total compensation (bonuses, equity, sign-on) typically adds 5–25% to base. International salaries vary substantially — UK, EU, and Canadian markets typically pay 60–80% of US equivalents at junior levels, narrowing the gap at senior levels.

A note on salary data

All ranges presented are realistic 2026 estimates synthesized from multiple sources including the US Bureau of Labor Statistics, Glassdoor, PayScale, ZipRecruiter, and live job posting analysis. Individual offers vary significantly based on employer, candidate background, and negotiation. Use these as benchmarks, not guarantees.

By role

Salaries by cybersecurity role

9 common roles with realistic ranges across experience levels.

SOC Analyst (Tier 1)

Entry

$55k–$75k

Mid

$75k–$95k

Senior

$95k–$130k

Most accessible entry point. MSSPs often pay slightly less than in-house corporate.

Cybersecurity Analyst (general)

Entry

$70k–$90k

Mid

$90k–$120k

Senior

$120k–$160k

Broader than pure SOC. Includes vulnerability management and compliance work.

GRC Analyst

Entry

$65k–$90k

Mid

$90k–$130k

Senior

$130k–$180k

Compliance and risk-focused. Strong demand in 2026, especially with AI regulation expansion.

Penetration Tester

Entry

$70k–$95k

Mid

$95k–$140k

Senior

$140k–$200k

True entry-level rare. Most start with prior IT or developer experience.

Security Engineer

Entry

$90k–$120k

Mid

$120k–$170k

Senior

$170k–$240k

Technical builder role. Often skipped Tier 1 by candidates with development backgrounds.

Cloud Security Engineer

Entry

$95k–$130k

Mid

$130k–$180k

Senior

$180k–$260k

Highest growth specialization in 2026. Strong premium for AWS/Azure/GCP expertise.

Application Security Engineer

Entry

$95k–$130k

Mid

$130k–$180k

Senior

$180k–$250k

Best target for ex-developers. Often skips Tier 1 entirely.

Security Architect

Entry

—

Mid

$140k–$190k

Senior

$190k–$280k

Not entry-level. Requires 5+ years of progressive security experience.

CISO

Entry

—

Mid

—

Senior

$220k–$420k+

Executive role. Large enterprises and Fortune 500 reach $400k+ with bonuses.

Definition note: Entry = 0–2 years experience. Mid = 3–5 years. Senior = 5+ years. Some roles (Architect, CISO) require significant prior experience and have no realistic entry-level path.

By location

Location adjustments

Add or subtract from baseline national figures based on metro area.

Location	vs National	Why
San Francisco / Bay Area	+25–35%	Highest concentration of tech employers and security teams
New York City / NJ Metro	+20–30%	Strong financial sector demand drives premium
Washington DC / Northern VA	+15–25%	Government and defense contractor cluster
Seattle	+15–25%	Cloud security premium (AWS, Azure)
Boston	+10–20%	Healthcare and biotech security demand
Austin / Denver / Atlanta	+5–15%	Growing tech hubs with moderate premium
National average	Baseline	Most US locations cluster within ±10% of national figures
Lower cost-of-living areas	−10–20%	Rural and small metro markets
Remote (no location adjustment)	Variable	Increasingly common — pay anchored to employer location, not yours

Cost of living typically tracks salary differences imperfectly. SF Bay Area pays 30%+ more than national average but costs 50%+ more to live. Lower COL areas often produce better effective compensation despite lower headline figures.

Certifications

Certification salary impact

How much each major certification adds to typical compensation.

Security+

+8–12%

Baseline credential. Required at HR-filter level. Doesn't differentiate, but absence is disqualifying.

CySA+

+10–15%

SOC analyst specialization. Useful when targeting defensive roles specifically.

SAL1

+5–10%

Recognition still building. Best paired with Security+ for combined effect.

OSCP

+15–25%

Major impact for offensive roles. Often a hard requirement for senior pentest positions.

CISSP

+18–25%

Mid-career boost. Requires 5 years experience. Strongest for management track.

CISM

+15–22%

Management track. Useful for transitioning into leadership.

AWS / Azure Security

+15–25%

Cloud security premium is the highest-growth area in 2026.

Top Secret Clearance

+15–30%

Not technically a cert, but holding active clearance is one of the largest single salary drivers.

Important caveat: Certification salary impact is highest at entry and mid-level. Senior practitioners earn through experience and specialization; certifications matter less above $150k. Stacking 5+ certifications doesn't multiply the effect — diminishing returns kick in fast.

Get paid more

5 negotiation tips that actually work

Most candidates accept first offers. The ones who negotiate earn 10–20% more on average.

Always ask for 10–15% above the offer

Initial offers leave room for negotiation in 70%+ of cybersecurity roles. Asking once, politely, with justification (market rates, your unique value) typically produces a counter. Not asking guarantees you leave money on the table.

Get competing offers when possible

A second offer is the strongest negotiation lever. Even if you prefer the first employer, a competing offer at 15%+ higher gives you grounds to request a match. Don't bluff — competing offers can be verified.

Negotiate non-salary compensation

Sign-on bonuses, education stipends, equipment allowances, and remote work flexibility are often easier to negotiate than base salary. A $5,000 sign-on bonus has the same effective value as a salary bump but doesn't impact the company's salary band.

Don't disclose current salary if possible

Many states (CA, NY, WA, MA, and others) prohibit asking for salary history. Use this protection. "My target compensation for this role is $X" anchors the discussion to market value, not what you currently make.

Time matters

Negotiating after the offer letter arrives is standard. Negotiating after you've started or accepted in writing is significantly weaker. The window between verbal offer and signed acceptance is your strongest leverage point.

Reality check

$100k entry-level isn't the norm

Many cybersecurity salary articles lead with $100,000+ entry-level figures. These reflect either (a) Cybersecurity Analyst roles with broader scope hiring candidates with prior IT/dev experience, (b) major metro premiums, or (c) sources sampling skewed populations. For pure entry-level Tier 1 SOC roles, $55k–$75k is the realistic range for most candidates outside major metros.

The good news: cybersecurity salaries grow faster than most fields. Mid-career compensation ($90k–$140k) is achievable within 3–5 years for candidates who specialize. Senior positions ($150k–$250k+) are realistic by years 5–7. The trajectory matters more than the entry point.

Plan around realistic entry numbers, not aspirational headlines. Setting expectations against $100k+ entry figures often leads to declining good offers — and ending up unemployed longer than necessary.

Common questions

Frequently asked questions

Tap any question to expand.

What's the realistic entry-level cybersecurity salary in 2026?

For Tier 1 SOC Analyst roles in the US, $55,000–$75,000 is the realistic range for most candidates and locations. Major metros (San Francisco, NYC, DC, Seattle) push the upper end higher. Lower cost-of-living areas land at the lower end. The frequently-cited "$100k+ entry-level" figures often reflect Cybersecurity Analyst roles with broader scope or candidates with prior IT/developer experience — not pure entry-level positions. Don't budget around aspirational headlines; budget around realistic range and grow from there.

Why do salary surveys show such different numbers?

Different sources sample different populations and use different role definitions. Glassdoor and PayScale rely on user submissions which skew toward more experienced or higher-paid respondents. ZipRecruiter aggregates job postings, including roles that overlap with mid-level work. Bureau of Labor Statistics provides government data lagged by 1–2 years. Each source has a different methodological lens. The realistic approach: look at multiple sources, identify the overlap range, and trust that overlap more than any single source.

Do cybersecurity salaries actually require certifications to reach?

Mostly yes for entry-level — no for senior roles. At the entry-level (under 3 years experience), certifications matter significantly because employers have limited other signals to evaluate candidates. Security+ is effectively required by HR filters. For mid-career and senior positions, demonstrated experience and specialization matter more than certifications. Many senior security engineers earn $200k+ without holding active certifications — but they all started with certifications earlier in their careers.

How much does location actually affect cybersecurity pay?

Significantly. San Francisco Bay Area roles often pay 25–35% above the national average. NYC and Seattle add 20–30%. Washington DC adds 15–25% for cleared positions. Lower cost-of-living areas can pay 10–20% below national average. Remote work has complicated this somewhat — some employers pay based on candidate location, while others pay based on employer headquarters location. Always clarify which model applies before accepting an offer.

Should I take a pay cut to enter cybersecurity from a developer role?

Often yes, at least temporarily. Mid-level developers (3+ years experience) typically face short-term pay cuts moving to Tier 1 SOC Analyst — entry-level cybersecurity salaries ($55k–$75k) frequently sit below mid-level developer compensation. The pay cut typically lasts 12–18 months. Senior security engineers often outpace senior developer salaries within 3–5 years. Developers who go directly into Application Security or Cloud Security (skipping Tier 1) often avoid the pay cut entirely since these roles compensate closer to senior developer rates.

What's the salary trajectory after first cybersecurity job?

Aggressive promotion cycles are common in cybersecurity. The typical pattern: Tier 1 SOC at $55k–$75k for 12–18 months, promotion to Tier 2 SOC at $75k–$100k within 18–24 months, transition to Security Engineer or specialist roles at $100k–$140k by year 3–5, and Senior or Lead positions at $140k–$200k+ by year 5–7. Specialization choices (cloud security, AppSec, threat intelligence) significantly affect the trajectory. Generic SOC analysts plateau around $130k; specialized engineers continue climbing.

Are remote cybersecurity jobs paid less than on-site?

It depends on the employer's compensation model. Some companies pay based on candidate location — meaning remote workers in lower-cost areas earn less than equivalent on-site roles in major metros. Other companies pay based on employer location regardless of where the worker lives — these positions effectively transfer high-cost-area salaries to lower-cost areas. The latter model produces the highest effective compensation when you live in lower-cost regions. Always ask about location-based pay adjustments during interviews.

How does security clearance affect cybersecurity salaries?

Active Top Secret clearance can add $15,000–$30,000 to typical offers, particularly in Washington DC, Northern Virginia, and other government contractor hubs. Secret clearance adds less but still meaningful premium ($5,000–$15,000). The premium reflects the time and cost employers save by not waiting 6–18 months for a candidate to obtain clearance. Maintaining active clearance after switching jobs is one of the most straightforward ways to secure higher offers without necessarily gaining new technical skills.

Final word

The bottom line

Cybersecurity offers strong long-term compensation — but realistic expectations matter more than aspirational ones. Plan around $55k–$75k entry-level for Tier 1 SOC, with significant uplift through specialization, location adjustments, and certifications.

The biggest single factor in long-term compensation is specialization choice. Cloud Security Engineers and Application Security Engineers consistently outpace generic SOC analysts by years 3–5. Picking the right specialty early matters more than the first job's exact salary.

Negotiate every offer — politely, with justification, but consistently. Candidates who negotiate earn 10–20% more across their careers than those who don't, compounded over decades. The half-hour conversation when accepting an offer is the highest-leverage half-hour in your career.

Next step

Ready to land your first role?

The complete guide to entry-level cybersecurity jobs — where to look, what skills win interviews, and application strategies that work.

Read the jobs guide

Keep reading

Related guides

Career

Entry-Level Cybersecurity Jobs in 2026

Where to look, what skills employers want, and the application strategies that actually work.

Certifications

10 Best Cybersecurity Certifications for Beginners 2026

Compare every entry-level certification by cost, difficulty, and career fit.