Cyber Security Salary Guide 2026: What You'll Earn by Role
Complete cyber security salary guide for 2026. Salary by role, experience, location, and certifications — with real job listing data.
Cybersecurity is one of the fastest-growing and highest-paying fields in tech. Whether you're evaluating a career switch, preparing for your next job negotiation, or trying to figure out what specialization pays the most, this guide gives you the real numbers.
We've pulled data from the Bureau of Labor Statistics, live job listing analyses, Glassdoor, and salary reports from programs.com and Coursera to build the most complete picture of cyber security salaries in 2026. Here's what you'll actually earn.
Cyber Security Salaries in 2026: The Numbers That Matter
The average cyber security salary in 2026 is $135,969, based on analysis of over 100 active job listings across major hiring platforms. That number sits well above the median for all US occupations, which sits at $49,500 per year.
But the average only tells part of the story.
"The median annual wage for information security analysts was $124,910 in May 2024, with employment projected to grow 29 percent from 2024 to 2034 — far faster than the average for all occupations." — Bureau of Labor Statistics, Occupational Outlook Handbook, 2025
The BLS figure reflects the median — half of professionals earn more, half earn less. The top 10% of information security analysts earn over $186,420 per year. The bottom 10% earn under $69,660.
What drives the gap? Specialization, experience, location, and certifications. Each variable can shift your pay by $20,000 to $60,000. The sections below break each factor down.
A few things to know before we dive in:
- There are 182,800 information security analyst jobs in the US as of 2024
- About 457,398 total cybersecurity job openings were recorded nationwide in 2025
- The global cybersecurity workforce gap stands at approximately 4 million open roles
- 29% projected growth from 2024 to 2034 means roughly 52,100 new jobs over the decade
- 63% of organizations report lacking sufficient IT staff dedicated to cybersecurity (ISC2)
- 59% of companies believe they face a moderate-to-extreme risk of cyberattacks due to understaffing
This is a field where supply still falls short of demand — and salaries reflect that.
It's also a field that rewards specialization and mobility in ways most careers don't. A cybersecurity professional who deliberately chooses their specialization track, moves employers strategically, and pairs technical skill with high-value certifications can realistically double their starting salary within 7–8 years. We'll show you exactly how that trajectory works.
One more thing before we get into numbers: the data sources here matter. We combined government-sourced BLS data (the most reliable benchmark for median wages) with private job listing analysis from programs.com (which analyzed 100+ advertised salaries in 2026) and Glassdoor and Coursera survey data. Where sources diverge, we've noted it. Advertised salaries in job listings tend to run slightly above reported medians because listings skew toward actively hiring, often higher-paying employers.
Cyber Security Salary by Job Role
Not all cyber security jobs pay the same. Roles focused on building and designing systems pay more than roles focused on monitoring and responding. Here's how compensation breaks down across the major job titles.
| Role | Average Salary Low | Average Salary High |
|---|---|---|
| Security Architect | $117,427 | $168,567 |
| Cybersecurity Engineer | $113,400 | $168,620 |
| Penetration Tester (Ethical Hacker) | $112,325 | $168,492 |
| Security Consultant | $109,441 | $161,954 |
| Cybersecurity Analyst | $91,175 | $144,383 |
Source: Programs.com analysis of 100+ job listings, 2026
Where Each Role Sits in the Pay Curve
Security Architect earns the most consistently because the role requires designing the entire security posture of an enterprise. One weak decision can expose millions of records. Architects at the senior level earn between $150,000 and $225,000 nationally.
Cybersecurity Engineer sits just below architect in pay but offers a faster path from analyst-level work. Engineers build and maintain the infrastructure rather than auditing or advising on it.
Penetration Tester pay correlates closely with engineer compensation, but the path to high earnings is more credential-dependent. Holding an OSCP certification (Offensive Security Certified Professional) signals real hands-on skill and lifts advertised salaries to the $117,600–$151,000 range.
Cybersecurity Analyst at the entry level represents the most common starting point — but it's also where salary growth stalls most if you don't specialize. Tier 1 SOC analyst roles are increasingly automated, compressing the lower end of analyst pay.
CISO (Chief Information Security Officer) is the executive ceiling. At the 8+ year, senior-executive track, CISO compensation ranges from $200,000 to $585,000 annually, reflecting both technical mastery and organizational leadership.
Role Salary Quick Reference (Entry to Senior)
| Role | Entry (0–2 yrs) | Mid (3–7 yrs) | Senior (8+ yrs) |
|---|---|---|---|
| SOC Analyst | $55K–$80K | $75K–$95K | $95K–$120K |
| Security Analyst | $65K–$85K | $85K–$110K | $110K–$135K+ |
| Penetration Tester | $75K–$96K | $100K–$130K | $130K–$165K+ |
| Security Engineer | $85K–$115K | $115K–$145K | $145K–$175K+ |
| Cloud Security Engineer | $95K–$130K | $130K–$165K | $165K–$195K+ |
| Security Architect | $110K–$145K | $145K–$180K | $180K–$225K+ |
| CISO | — | $200K+ | $350K–$585K |
How Experience Transforms Your Cyber Security Salary
Years of experience is the most reliable predictor of salary in cybersecurity. But experience doesn't compound at a flat rate — there are breakpoints where pay jumps significantly.
| Min. Experience | Average Low | Average High |
|---|---|---|
| Under 3 years | ~$70K | ~$124K |
| 5 years | $111,150 | $163,419 |
| 10+ years | $143,058 | $211,171 |
Source: Programs.com job listing analysis, 2026
The biggest jump happens between years 3 and 5. This is when professionals typically move from tier-1 monitoring into engineering, consulting, or specialized penetration testing. That transition alone can add $30,000–$40,000 to your base salary.
"Cybersecurity professionals with 10+ years of experience can earn anywhere between $143,000 and $211,500 per year." — Programs.com Cybersecurity Salary Report, 2026
A second inflection point appears around years 7–8. This is where professionals who've moved into architecture, cleared federal contracting, or leadership roles see their pay detach from the general market. The $200K+ ceiling only opens when you combine deep technical skill with organizational scope.
The loyalty penalty is real. Data from Reddit communities and job-market research consistently shows that professionals who change employers every 2–3 years earn significantly more than those who stay. Internal raises average 3–5% annually. External job offers for the same experience level often come in 20–40% higher. If you've been at one employer for 4+ years without negotiating against a competing offer, you're very likely below market rate.
Cyber Security Salary by Location
Geography adds or removes $30,000–$50,000 from your expected compensation.
Top-Paying States (BLS Data via PlexTrac)
| Rank | State | Average Cybersecurity Salary |
|---|---|---|
| 1 | New York | $133,100 |
| 2 | Colorado | $132,000 |
| =3 | Maryland | $131,260 |
| =3 | Washington | $131,260 |
| =3 | California | $131,260 |
| 6 | Indiana | $124,151 |
| 7 | Virginia | $121,940 |
At the lower end: Pennsylvania ($82,441), Oklahoma ($81,640), and Alabama ($77,517).
Top-Paying Metro Areas (BLS Data)
| Rank | Metro Area | Average Annual Wage |
|---|---|---|
| 1 | San Jose-Sunnyvale-Santa Clara, CA | $175,520 |
| 2 | San Francisco-Oakland-Hayward, CA | $168,160 |
| 3 | Seattle-Tacoma-Bellevue, WA | $152,660 |
| 4 | Washington DC metro | $138,410 |
| 5 | New York-Newark-Jersey City | $138,360 |
Note that San Jose's $175,520 average reflects the concentration of enterprise tech and security vendors in Silicon Valley. Washington DC's $138,410 is supported by federal government contracting — and those roles often come with security clearance premiums that push total compensation higher.
Fast-Growing Markets to Watch
If you can't or don't want to relocate to a coastal hub, several inland metros are growing cybersecurity employment and wages simultaneously:
- Indianapolis: +31.8% job growth, +17.2% wage growth YoY. Average salary $106,870
- Raleigh, NC: +59% job growth, +8.4% wage growth. Average salary $129,000
- Cleveland: +60% job growth, +6.2% wage growth. Average salary $110,050
These markets tend to have lower cost of living than coastal tech hubs, which means your purchasing power can exceed what a coastal salary looks like on paper.
Which Industries Pay the Most for Cyber Security?
Where you work matters as much as what you do. Industry sector affects both base salary and total compensation structure.
| Industry | Average Annual Salary |
|---|---|
| Technology (major companies) | $140,000+ |
| Financial Services | $130,000 |
| Insurance | $125,000 |
| Government/Defense (with clearance) | $90,000–$180,000 |
| Healthcare | $115,000 |
| Pharma/Biotech | $121,664 |
Source: Coursera + Programs.com sector analysis, 2025-2026
Technology pays the most in absolute terms, especially at major firms. Glassdoor data shows Google paying information security professionals $214,000–$382,000 per year. Amazon pays $188,000–$301,000. Meta, NVIDIA, and AWS cluster between $165,000 and $298,000.
Financial services pays a strong $130,000 average with additional earning potential from compliance specializations. Banking institutions like JPMorgan and Bank of America pay $125,000–$200,000 base, and government-adjacent financial roles add a clearance premium.
Government and Defense has the widest salary range but offers uniquely stable employment and clearance-boosted compensation. Defense contractors typically pay $120,000–$180,000 for cleared security professionals — significantly above federal agency roles ($90,000–$150,000).
Healthcare trails the top sectors at $115,000 average but offers strong job stability due to HIPAA compliance requirements and the sensitive nature of patient data. Medical device security is an emerging sub-specialization with growing salary premium.
Not sure which industry aligns with your skills and interests? Our free career quiz helps you identify which path fits your strengths.
Certifications and Security Clearances That Boost Your Pay
Certifications can add salary, but not all certifications add equal value. Here's what the data from analyzed job listings shows:
| Certification Mentioned | Average Low | Average High |
|---|---|---|
| OSCP (Offensive Security) | $117,143 | $151,143 |
| CISSP | $100,943 | $160,736 |
| No certification specified | $110,668 | $175,186 |
Source: Programs.com job listing analysis, 2026
The counterintuitive finding: listings that don't specify a certification often pay slightly more than those that do. This suggests senior roles care less about credential boxes and more about demonstrated experience.
Among certifications, OSCP correlates with the highest low-end offers because it requires hands-on exploitation skill — not just theoretical knowledge. Employers paying for OSCP holders tend to be in the penetration testing or red team market where technical proof matters.
CISSP is widespread as a hiring filter but doesn't spike salaries on its own. It's more of a compliance checkbox than a differentiator.
Certs worth pursuing for salary impact:
- OSCP (penetration testing, ethical hacking track)
- GXPN (GIAC Exploit Researcher) — niche but high-signal
- Cloud security certs (AWS Security Specialty, Google Cloud Security)
- CISSP — necessary for many senior/management roles, not a salary driver alone
Security Clearance Impact
If you're eligible for defense or government contracting work, obtaining or maintaining a security clearance is one of the highest-ROI moves in cybersecurity:
| Clearance Level | Average Low | Average High |
|---|---|---|
| Public Trust/None | $112,973 | $157,288 |
| Secret | $81,240 | $168,100 |
| Top Secret/SCI | $104,070 | $185,090 |
A Top Secret clearance adds approximately $25,000 to upper-range compensation. Employers pay this premium because the clearance process takes 12–18 months and the pool of cleared candidates is small.
It's also worth noting that cybersecurity is one of the few high-paying fields where a 4-year degree is not always required. Many employers will accept relevant certifications and demonstrated skills, particularly at the entry and mid-level.
Remote Cyber Security Salaries
Remote work is widely available in cybersecurity, and fully remote roles pay competitively:
- Remote mid-level cybersecurity engineers: $132,275–$152,272/year
- Remote senior-level cybersecurity engineers: $140,200–$172,500/year
- Remote cybersecurity architects: $136,000–$170,500/year
Source: motionrecruitment.com, 2026
Remote roles typically pay at or above national median, though below top metro market rates. The trade-off: you capture the salary advantage of a high-demand market without paying San Francisco or New York rent.
One nuance: some remote roles specify they're "remote" but base salaries on company headquarters' cost of living. Always confirm the salary band policy. A role advertised as remote from a Dallas-headquartered company may pay differently than the same role from a San Francisco company.
How to Grow Your Cyber Security Salary Faster
Based on our research and real job market data, here are the highest-leverage moves for increasing your salary in cybersecurity.
1. Specialize rather than generalize. The data is clear: generalist analyst roles compress over time. Specializing in cloud security, penetration testing, security architecture, or incident response engineering opens the higher-paying role tiers. The analyst-to-engineer pivot alone typically adds $25,000–$40,000.
2. Treat job offers as salary resets. Internal raises rarely keep pace with external market rates. If you haven't done an external job search in 2–3 years, you're likely 15–30% below market. One external offer — even if you don't take it — gives you a negotiating lever with your current employer.
3. Pursue high-signal certifications. OSCP for penetration testers. Cloud security specialty certs for engineers. These demonstrate hands-on skill rather than theory. Avoid spending time on broad certification collections if a specific, respected cert in your niche exists.
4. Build toward clearance if you're near defense or government work. The process takes time, but the $20,000–$25,000 clearance premium is one of the most reliable salary boosts in the entire field.
5. Target growth markets, not just prestige markets. Indianapolis and Raleigh are both seeing over 30–59% job growth with strong wage growth. Competition for talent is lower, and compensation is rising to attract candidates who would otherwise head to coastal metros.
At NueCareer, we've helped thousands of professionals map their next move in tech and cybersecurity. If you're unsure which specialization fits your current skills and long-term goals, take our free career assessment quiz and get a personalized path forward.
The Cyber Security Career Path and Salary Progression
Understanding how salaries compound over a career helps you make better decisions early. Here's how a typical cyber security career trajectory looks in terms of compensation milestones.
Years 0–2: The Entry Foundation ($55,000–$114,000)
Most professionals start in SOC (Security Operations Center) analyst, IT security specialist, or junior penetration tester roles. Pay clusters in the $55,000–$90,000 range at year one. Those who enter directly into more specialized roles — particularly at tech companies or defense contractors — can start closer to $100,000.
Key moves at this stage: earn Security+, build hands-on lab experience, contribute to incident response documentation, and identify which specialization you want to pursue long-term.
Years 3–5: The Specialization Jump ($85,000–$163,000)
This is where the career diverges sharply. Professionals who have chosen a specialization — cloud security, penetration testing, security engineering — see their salaries jump into the $110,000–$145,000 range. Those who remain in generalist analyst roles may still be earning $85,000–$100,000.
The data from programs.com confirms: professionals with 5 years of experience earn $111,150–$163,419 nationally. This is the window where a lateral move to a higher-paying role or employer makes the most financial impact.
Years 6–10: The Senior Consolidation ($125,000–$211,000)
Senior engineers, architects, and cleared federal contractors at the 6–10 year mark are earning $125,000–$175,000+ depending on role and market. This is also when professionals with CISSP credentials become eligible for management-track roles (security manager, director of security operations) that pay $150,000–$200,000.
The highest earners in this band have typically done three things: specialized deeply, moved employers at least once for market-rate correction, and built their reputation through certifications or recognized contributions (bug bounties, open-source security tools, conference presentations).
Years 10+: The Executive Ceiling ($143,000–$585,000)
Senior architects and CISOs with 10+ years command $143,000–$211,000 at individual contributor level, with management and executive roles clearing $200,000 regularly. CISOs at mid-market and enterprise companies earn $250,000–$585,000.
Getting here requires more than technical skill. Organizations pay CISO-level salaries for professionals who can communicate risk in business terms, manage teams, and align security strategy with organizational goals.
Cyber Security Salary Negotiation: What the Data Tells You
Our research surfaced something that purely statistical salary guides miss: knowing what to do with the data matters as much as the data itself.
Here are the negotiation insights backed by market evidence.
Market rate is not what your employer says it is. Internal HR systems set bands based on historical data and internal equity, often lagging the live market by 12–24 months. The real-time job listing data consistently shows that advertised salaries are significantly higher than what many current employees earn for equivalent roles.
Always negotiate with data. If you're in a salary negotiation, bringing a specific number — "Based on current listings for this role in this market, the range is $128,000–$152,000" — is far more effective than a general request for more money. Use BLS, programs.com, and Glassdoor data as anchors.
Competing offers move the needle fastest. Across Reddit career communities, the most consistent pattern is that professionals who received and presented competing job offers saw immediate 15–30% increases, often from employers who had been offering 3% annual raises.
Total compensation matters, not just base salary. At the senior level especially, bonus, equity, security clearance retention pay, and remote work flexibility can add $20,000–$50,000 to effective annual compensation. When comparing offers, calculate total comp, not just base.
Location flexibility is a salary lever. Targeting a San Jose-based company with remote work means your salary is benchmarked against San Jose compensation ($175,520 average), even if you live in a lower-cost city. Remote roles from major tech companies or high-paying metros can give you a coastal salary with regional cost of living.
Global Cyber Security Salary Landscape
Cyber security is a global profession, and salaries vary significantly across regions.
| Country | Average Annual Salary |
|---|---|
| United States | $122,000 |
| Canada | |
| Australia | AUD 120,000 (~$84,533 USD) |
| United Kingdom | ~$72,961 USD |
| Netherlands | ~$102,413 USD |
| Switzerland | CHF 100,000–190,000 (~$110,000–$210,000) |
| Germany | |
| Singapore | SGD 70,000 (~$52,000 USD) |
Source: electroiq.com, 2026
The United States remains the highest-paying market in absolute dollar terms. Switzerland pays comparably in purchasing-power terms, and the Netherlands offers strong compensation relative to its cost of living.
For professionals considering international moves, Switzerland and Australia offer the strongest combination of salary, quality of life, and growing demand. The Asia-Pacific region recorded a 3.8% YoY increase in cybersecurity workforce in 2024, and faces the largest workforce shortage of any region — approximately 2.14 million unfilled positions.
Frequently Asked Questions
Is cybersecurity high paying in 2026?
Yes, and the data is consistent across every source we reviewed. Cybersecurity remains one of the highest-paying fields in technology. The average cyber security salary in 2026 is $135,969 based on live job listing analysis, and the BLS-reported median for information security analysts is $124,910 per year. The top 10% of earners in the field make over $186,420 annually. A global shortage of qualified professionals continues to drive strong salaries across experience levels.
Can I make $200,000 a year in cybersecurity?
Yes, but it typically requires 7–10+ years of experience and a senior or executive-level specialization. Security architects at the senior level earn $150,000–$225,000. CISOs earn $200,000–$585,000 depending on organization size. Professionals in major tech companies like Google and Amazon can see total compensation above $200,000 earlier in their careers due to equity and bonus structures.
Which cybersecurity job has the highest salary?
CISO (Chief Information Security Officer) is the highest-compensating role at $200,000–$585,000. Among individual contributor roles, Security Architect and Cloud Security Engineer are the highest-paying, ranging from $117,000 to $225,000+ at the senior level. Penetration testers and security engineers in specialized niches (ICS/SCADA, cleared federal contracting) can also exceed $165,000.
How do I increase my cyber security salary?
The four most reliable moves are: specializing from analyst to engineer or architect track, using external job offers to negotiate (not just asking for raises), obtaining hands-on certifications like OSCP, and pursuing security clearance if you're in or near government and defense work. Relocating to or targeting high-growth markets like Raleigh and Indianapolis can also accelerate salary growth with lower cost-of-living impact.
Did cybersecurity salaries increase in 2026?
Yes. Mid-level cybersecurity engineer salaries in 2026 range from approximately $128,700 to $148,157 nationally — an increase from prior years. Remote roles are commanding $132,000–$152,000 at mid-level. Senior positions in major metros are regularly exceeding $180,000. Demand continues to outpace supply, and salaries are growing accordingly.
What is the starting salary for a cyber security job?
Entry-level cybersecurity salaries in the US typically range from $65,000 to $114,000 depending on role type and employer. SOC analysts at the entry level start around $55,000–$75,000. Entry-level security analysts typically earn $65,000–$85,000. Professionals entering directly into more specialized roles (penetration testing, cloud security) or at major tech employers may start $90,000–$114,000. Building foundational certifications like CompTIA Security+ before job searching helps position toward the higher end of the entry range.
What is the difference between a cybersecurity analyst and a cybersecurity engineer salary?
Cybersecurity analysts earn $91,175–$144,383 on average, while cybersecurity engineers earn $113,400–$168,620. The gap widens at the senior level: senior analysts top out around $135,000+ while senior engineers reach $175,000+. The distinction matters for salary planning: the analyst role focuses on monitoring, detection, and response, while the engineer role builds and maintains the security infrastructure. Engineers take on more ownership, which translates to higher compensation throughout the career lifecycle.