Cybersecurity Salary Guide: 2026 Pay Data by Role, Region, and Experience
Part of the HADESS Career Resources — This guide covers salary ranges across every major cybersecurity role. Explore our deep-dives on SOC analyst salary expectations, penetration tester compensation, and CISO salary benchmarks below.
By HADESS Team | February 28, 2026 | Updated: February 28, 2026
This cybersecurity salary guide exists because most salary data online is either outdated, sourced from unreliable self-reporting, or designed to sell you a bootcamp by inflating numbers. We have compiled data from job postings, industry surveys, recruiter conversations, and our own hiring experience to give you a realistic picture of what cybersecurity professionals actually earn in 2026.
The short version: cybersecurity pays well. Better than most IT roles, competitive with software engineering at mid and senior levels, and significantly better than the national average across nearly every geography. But “cybersecurity” is not one salary. A SOC Analyst Tier 1 in the Midwest and a Principal Security Engineer in San Francisco are in the same field but not the same compensation bracket. This guide breaks down what you can actually expect based on your role, location, experience, and certifications.
Table of Contents
- Cybersecurity Salary Landscape 2026
- Salary by Role
- Salary by Region
- Experience Level and Salary Progression
- Certifications That Increase Pay
- How to Negotiate Your Cybersecurity Salary
- UK-Specific Salary Guide
- Remote Work and Salary Adjustments
- Related Deep-Dives
- Start Your Journey
- Frequently Asked Questions
Cybersecurity Salary Landscape 2026
The cybersecurity job market in 2026 continues to favor candidates. According to ISC2’s workforce research, the global talent gap remains above 3.5 million unfilled positions. This supply-demand imbalance keeps salaries elevated and gives job seekers meaningful negotiating power, particularly for experienced practitioners.
Several trends shape 2026 compensation:
Cloud security commands a premium. Roles that require AWS, Azure, or GCP security expertise pay 15-25% more than equivalent on-premises-focused roles. The cloud skills shortage is particularly acute, and organizations pay accordingly.
Regulatory pressure drives GRC hiring. New regulations like DORA (Digital Operational Resilience Act) in the EU, updated SEC cybersecurity disclosure rules in the US, and NIS2 directive implementation have created sustained demand for compliance and governance professionals. GRC salaries have risen faster than other specializations over the past two years.
AI security is a new premium category. Roles focused on securing AI/ML systems and applying AI to security operations are appearing regularly. These roles often pay 10-20% above comparable non-AI positions because the talent pool is still very small.
Remote work has compressed geographic salary differences, but not eliminated them. A remote SOC analyst hired by a San Francisco company might earn less than an on-site employee, but more than the local market rate in their actual location. More on this in the remote work section below.
Total compensation matters more than base salary. Equity, bonuses, training budgets, and benefits packages vary dramatically. A $140,000 base at a startup with equity worth potentially $50,000+ is different from $150,000 base at a company with no equity component. When evaluating offers, look at the complete package.
Salary by Role
These ranges represent base salary for US-based professionals. Total compensation (base + bonus + equity) can add 10-40% at mid and senior levels. Ranges reflect the 25th to 75th percentile — outliers exist in both directions.
SOC Analyst
| Level | Salary Range (US) |
|---|---|
| Tier 1 (Entry) | $55,000 – $75,000 |
| Tier 2 (Mid) | $75,000 – $100,000 |
| Tier 3 / Lead | $100,000 – $130,000 |
| SOC Manager | $120,000 – $160,000 |
SOC analyst is the most common entry point into cybersecurity. Tier 1 salaries vary significantly by geography and employer type. MSSPs tend to pay less than in-house SOC teams but provide faster skill development through volume. Progression from Tier 1 to Tier 2 typically takes 1-2 years and comes with a $15,000-$25,000 raise.
Our full SOC analyst salary breakdown covers geographic variations and progression timelines.
Penetration Tester
| Level | Salary Range (US) |
|---|---|
| Junior / Associate | $70,000 – $95,000 |
| Mid-Level | $95,000 – $130,000 |
| Senior | $130,000 – $175,000 |
| Principal / Lead | $160,000 – $220,000 |
Penetration testing compensation reflects the specialized skill set required. Junior pen tester roles are less common than junior SOC roles because most organizations want testers with at least some professional experience. OSCP holders command a noticeable premium over non-certified testers at the junior and mid levels. Independent consultants and boutique firm partners can earn significantly more but trade stability for that income.
See the detailed penetration tester salary guide for more.
Security Engineer
| Level | Salary Range (US) |
|---|---|
| Junior | $80,000 – $110,000 |
| Mid-Level | $110,000 – $150,000 |
| Senior | $145,000 – $195,000 |
| Staff / Principal | $180,000 – $260,000 |
Security engineering covers a broad range of roles — from building detection infrastructure to designing secure architectures to implementing security tooling. At senior and staff levels, total compensation at large tech companies can significantly exceed these base ranges when equity is included. A Staff Security Engineer at a FAANG-adjacent company might earn $350,000-$500,000 in total compensation.
Cloud Security Engineer
| Level | Salary Range (US) |
|---|---|
| Junior | $90,000 – $120,000 |
| Mid-Level | $120,000 – $160,000 |
| Senior | $155,000 – $200,000 |
| Principal / Architect | $190,000 – $270,000 |
Cloud security is one of the highest-paying specializations at every level. The combination of cloud platform expertise and security knowledge creates a narrow talent pool that employers pay generously to access. Multi-cloud experience (proficiency in two or more platforms) commands an additional premium.
GRC Analyst
| Level | Salary Range (US) |
|---|---|
| Junior / Associate | $55,000 – $80,000 |
| Mid-Level | $80,000 – $115,000 |
| Senior | $110,000 – $150,000 |
| GRC Manager / Director | $140,000 – $200,000 |
GRC salaries start lower than technical roles but have strong upward trajectories, especially for people who earn CISA, CRISC, or CISM certifications. GRC Directors and Chief Risk Officers can earn compensation comparable to CISOs at some organizations.
CISO and Security Leadership
| Level | Salary Range (US) |
|---|---|
| Security Manager | $130,000 – $175,000 |
| Director of Security | $160,000 – $220,000 |
| VP of Security | $200,000 – $300,000 |
| CISO (Mid-Market) | $220,000 – $350,000 |
| CISO (Enterprise/F500) | $300,000 – $500,000+ |
CISO compensation varies enormously by company size and industry. Financial services and tech CISOs earn significantly more than their counterparts at mid-market companies. Total compensation packages for enterprise CISOs often include substantial equity and bonus components.
Read our full CISO salary and career analysis for more detailed data.
Salary by Region
Cybersecurity salaries are not uniform globally. Here is what the landscape looks like across major markets:
United States
The US remains the highest-paying market for cybersecurity professionals globally. Within the US, compensation varies by city and region:
- San Francisco / Bay Area: 20-35% above national average. Entry-level SOC: $75,000-$95,000. Senior security engineer: $180,000-$250,000+.
- New York / New Jersey: 15-25% above national average. Strong financial services presence drives security hiring.
- Washington DC / Northern Virginia: 10-20% above average. Federal contractors and defense-adjacent companies are major employers. Security clearance adds $10,000-$25,000.
- Austin / Denver / Seattle: 10-15% above average. Growing tech presence with slightly lower cost of living than SF or NYC.
- Midwest / Southeast (excluding major metros): At or slightly below national average, but cost of living adjustments make these markets very comfortable.
United Kingdom
UK cybersecurity salaries in GBP (as of 2026):
- Entry-Level SOC Analyst: GBP 25,000 – 35,000
- Mid-Level Security Engineer: GBP 50,000 – 75,000
- Senior Security Architect: GBP 80,000 – 110,000
- CISO: GBP 120,000 – 200,000+
London commands a 15-25% premium over the rest of the UK. The UK market has grown significantly due to increased regulation (UK GDPR, NIS2) and the government’s National Cyber Strategy investment.
For professionals moving to the UK, visa sponsorship is available through the Skilled Worker visa route. Cybersecurity roles regularly appear on the Shortage Occupation List, which can make the immigration process smoother. Use the HADESS UK sponsor finder to identify companies that actively sponsor cybersecurity professionals.
See our cybersecurity salary UK guide for detailed UK market analysis.
Europe
European salaries vary significantly by country:
- Germany: EUR 45,000-65,000 (entry), EUR 75,000-110,000 (senior), EUR 130,000-200,000 (CISO)
- Netherlands: EUR 40,000-60,000 (entry), EUR 70,000-100,000 (senior)
- France: EUR 35,000-50,000 (entry), EUR 60,000-90,000 (senior)
- Nordics (Sweden, Norway, Denmark): Among the highest in Europe. Senior roles: EUR 80,000-120,000
- Ireland: Strong tech presence. EUR 45,000-65,000 (entry), EUR 80,000-120,000 (senior)
European salaries look lower than US numbers in absolute terms, but many European countries offer benefits (healthcare, pension contributions, vacation time) that significantly affect total compensation when compared apples-to-apples.
Remote / Global
Remote roles hired by US companies but filled by non-US workers typically pay a location-adjusted rate. A company might offer a “US remote” rate for domestic employees and a “global remote” rate that is 20-40% lower for international workers. Some companies pay the same regardless of location, but they are the minority.
Experience Level and Salary Progression
One of the best things about cybersecurity compensation is how quickly it grows with experience. Here is a typical progression:
Year 0-1: Entry-Level
Base: $55,000-$80,000
You are learning on the job. Your value comes from being trainable and motivated. Certifications like Security+ validate foundational knowledge. Focus on absorbing everything and building practical skills.
Year 1-3: Junior to Mid-Level
Base: $75,000-$120,000
You can work independently on most tasks. You have specialized in a track. Additional certifications (CySA+, OSCP, AWS Security Specialty) drive salary increases. Job changes at this stage typically come with 15-25% raises.
Year 3-5: Mid-Level to Senior
Base: $110,000-$170,000
You are leading projects, mentoring junior team members, and contributing to architecture decisions. This is where specialization pays off — cloud security, application security, and incident response specialists earn premiums. CISSP or equivalent certification is common at this stage.
Year 5-8: Senior to Lead/Staff
Base: $150,000-$230,000
You are setting technical direction, designing security programs, and operating at a strategic level. At large tech companies, total compensation (with equity) can reach $300,000-$400,000. Management tracks and individual contributor tracks diverge here.
Year 8+: Principal/Director/CISO
Base: $190,000-$400,000+
At this level, compensation is highly variable and depends on company size, industry, and individual negotiation. Total compensation packages for security leaders at large companies regularly exceed $500,000.
Our entry-level cybersecurity salary guide breaks down what to expect in your first role and how to maximize your starting offer.
Certifications That Increase Pay
Not all certifications translate to higher pay. Here are the ones that consistently correlate with salary premiums, based on job posting data and industry surveys:
Security+ (+$5,000-$10,000 vs. uncertified)
The baseline. Many roles expect it, so lacking it costs you opportunities more than holding it actively increases pay.
OSCP (+$10,000-$20,000)
The strongest salary signal in offensive security. It is hard to earn, and employers know that. OSCP holders at the junior and mid levels consistently earn more than peers without it.
CISSP (+$15,000-$25,000)
The most significant salary cert at the senior level. CISSP is a common requirement for security leadership roles. It has the highest correlation with six-figure salaries among all security certifications.
AWS Security Specialty / CCSP (+$10,000-$20,000)
Cloud security certifications carry salary premiums because cloud skills are in such high demand. Holding a cloud-specific security cert signals specialization that employers pay for.
CISM (+$15,000-$25,000)
For management-track professionals. CISM holders pursuing director and CISO roles see meaningful salary advantages.
GIAC Certifications (GCIH, GCFA, GCTI) (+$10,000-$15,000 each)
SANS/GIAC certifications are expensive and rigorous. Employers recognize the investment and the quality. They are particularly valued in government and defense-adjacent organizations.
Important context: certifications increase salary most effectively when combined with relevant experience. A CISSP holder with five years of SOC experience earns more than a CISSP holder with no professional security experience. The certification validates the experience, not the other way around.
For salary comparison between security careers and software engineering, see our cybersecurity vs software engineering salary analysis.
How to Negotiate Your Cybersecurity Salary
Most people leave money on the table because they do not negotiate, or they negotiate poorly. Here are the tactics that work:
Before the Negotiation
Know your market value. Use the HADESS salary calculator to get role-specific salary estimates based on your location, experience, and certifications. Cross-reference with Levels.fyi, Glassdoor, and Blind for additional data points. Go into the conversation knowing what the market pays.
Understand the employer’s constraints. Startups have different compensation structures than enterprises. Government agencies have strict pay bands. Consulting firms have utilization-based bonus structures. Understanding how your target employer structures compensation lets you negotiate the right levers.
Get competing offers if possible. Nothing increases your negotiating power like a concrete alternative. Even if you prefer one company, having a second offer gives you a factual basis for requesting higher compensation.
During the Negotiation
Let them make the first offer. If asked for salary expectations, deflect with “I would like to understand the full scope of the role first” or provide a range based on your research rather than a single number. Anchoring too low costs you money. Anchoring too high can end the conversation.
Negotiate total compensation, not just base salary. If base salary is constrained by a pay band, negotiate signing bonus, equity, training budget (especially for certifications like SANS courses which cost $7,000-$9,000), remote work flexibility, or PTO. Every component has monetary value.
Use data, not emotions. “Market data shows that OSCP-certified penetration testers in this region earn $X-$Y” is more effective than “I feel like I should earn more.” Reference specific data points from industry surveys and salary tools.
Do not accept on the spot. Always ask for 24-48 hours to consider an offer, even if you plan to accept. This creates space for a final counter-offer and prevents you from reacting emotionally.
For our full negotiation playbook, see how to negotiate your cybersecurity salary.
After the Negotiation
Get it in writing. Verbal offers can change. Do not resign from your current position until you have a signed offer letter with compensation details.
Plan for your next raise. Start documenting your impact from day one. Quantified achievements (“reduced mean-time-to-detect by 40%,” “identified $2M in compliance risk,” “led incident response for 12 P1 incidents”) are the foundation for your next salary negotiation, whether that is an internal raise or a new offer.
UK-Specific Salary Guide
The UK cybersecurity market deserves special attention because of its unique dynamics:
Visa Sponsorship and Salary Impact
The UK’s Skilled Worker visa route requires employers to meet minimum salary thresholds. For cybersecurity roles (SOC Code 2139), the going rate threshold means sponsored workers must earn at or above specific minimums, which effectively sets a salary floor for visa holders. This has an upward effect on entry-level salaries for sponsored roles.
Companies that sponsor skilled worker visas for cybersecurity positions include major banks, consulting firms, and tech companies. Use the HADESS UK sponsor finder to identify current sponsors and their typical salary ranges.
Our UK cybersecurity visa salary guide covers the specific intersection of visa sponsorship and compensation.
Tax Considerations
UK tax rates, National Insurance contributions, and pension auto-enrollment mean that take-home pay differs from gross salary more significantly than in some US states. Use the HADESS tax calculator to understand your actual take-home pay for any given salary.
Benefits Landscape
UK employers typically provide 25-30 days annual leave, employer pension contributions, private health insurance (for larger companies), and training budgets. These benefits have real monetary value and should be factored into compensation comparisons.
London vs. Rest of UK
London salaries are 15-25% higher than the rest of the UK, but the cost-of-living difference (particularly housing) often negates or exceeds the salary premium. For many professionals, the best financial outcome is a remote role with a London-based company, paid at London rates and worked from outside London.
Remote Work and Salary Adjustments
Remote cybersecurity work is common, but compensation for remote roles is not uniform:
US-based companies, US employees: Most offer full pay regardless of location within the US. Some (notably GitLab, Basecamp model followers) adjust based on local cost of living. The trend is toward location-agnostic pay for US employees.
US-based companies, international employees: Typically pay 20-40% less than US rates, sometimes through employer-of-record (EOR) arrangements. The gap varies by country and company.
European companies, remote within Europe: Usually pay based on the company’s country, with minimal location adjustment within the same country. Cross-border arrangements are increasingly common under EOR models.
Contract and freelance: Remote security contractors often earn 20-40% more than equivalent employees in base salary, but without benefits, paid time off, or employer pension contributions. Net advantage depends heavily on individual circumstances.
The hybrid reality: Many organizations that went fully remote during 2020-2022 have moved to hybrid models requiring 2-3 days per week in office. Purely remote roles still exist in abundance, but some of the highest-paying positions now require at least occasional on-site presence.
Related Deep-Dives
These guides go deeper into specific salary topics covered on this page:
- SOC Analyst Salary: Entry-Level to Senior — Detailed pay data for SOC analysts at every tier, by geography.
- Penetration Tester Salary: What Pen Testers Actually Earn — Salary data for offensive security professionals, including consultant rates.
- CISO Salary: What Security Leaders Earn — Compensation benchmarks for CISOs and security directors.
- Cybersecurity Salary UK: Complete Market Analysis — UK-specific salary data, visa considerations, and market trends.
- Entry-Level Cybersecurity Salary: What to Expect — Realistic starting salary expectations for new security professionals.
- Cybersecurity vs Software Engineering Salary — How security compensation compares to software engineering at each level.
- How to Negotiate Your Cybersecurity Salary — Tactics and scripts for salary negotiation in security roles.
- UK Cybersecurity Visa Salary Guide — Salary expectations for visa-sponsored cybersecurity roles in the UK.
Start Your Journey
Calculate Your Exact Salary
Use the HADESS salary calculator to estimate cybersecurity salaries based on your target role, location, experience, and certifications. Get data-driven numbers, not guesswork.
Frequently Asked Questions
What is the average cybersecurity salary in 2026?
In the US, the median salary for cybersecurity professionals is approximately $115,000 according to industry surveys. However, “average” obscures a wide range. Entry-level SOC analysts start around $60,000-$75,000, while senior engineers and architects earn $150,000-$250,000+. The specific role, location, and experience level matter far more than any single average number. Use the HADESS salary calculator for role-specific estimates.
Do cybersecurity certifications really increase salary?
Yes, with caveats. Certifications like CISSP, OSCP, and AWS Security Specialty correlate with $10,000-$25,000 higher salaries compared to non-certified peers in equivalent roles. But the certification works best when it validates real skills and experience. A CISSP without professional experience is worth less than a CISSP backed by five years of security operations work. Certifications are a salary multiplier, not a standalone salary driver.
How does cybersecurity pay compare to software engineering?
At entry level, software engineering often pays slightly more ($80,000-$110,000 vs. $55,000-$80,000 for security). At mid-career, they converge ($120,000-$160,000 for both). At senior levels, software engineering at top tech companies can exceed security due to larger equity packages, but security leadership (CISO, VP Security) can match or exceed senior engineering compensation. The gap has narrowed significantly over the past five years.
What is the highest-paying cybersecurity role?
CISO at a large enterprise or financial services company, where total compensation can reach $400,000-$600,000+. For individual contributors, Principal Security Engineer and Security Architect roles at major tech companies offer the highest compensation, often $300,000-$500,000 in total comp. For hourly rates, independent penetration testing consultants can charge $250-$500/hour, though utilization varies.
Is the cybersecurity salary premium sustainable?
All indicators suggest yes, at least through the medium term. The workforce gap is not shrinking, as the SANS Institute and other research bodies continue to document. Regulatory requirements are expanding. The attack surface continues to grow with cloud adoption, IoT, and AI. Until the talent supply catches up with demand — which requires years of pipeline development — the salary premium should hold. That said, certain entry-level roles may see downward pressure if AI tools reduce the need for Tier 1 SOC analysts performing basic triage.
How much more does a security clearance add to salary?
In the US, an active security clearance (Secret or Top Secret) adds approximately $10,000-$25,000 to base salary for cybersecurity roles. Top Secret/SCI clearances command the highest premiums. The premium exists because obtaining clearance is a lengthy process that not all candidates can complete, and many government and defense contractor roles require it. The premium is most significant in the Washington DC / Northern Virginia market.
Should I take a lower-paying job for better experience?
Sometimes, yes. A lower-paying role at an organization with a mature security program and strong mentorship can accelerate your career faster than a higher-paying role where you are the only security person and receive no guidance. The salary difference in your first role matters less than the trajectory. Someone who learns quickly in a well-structured SOC for two years and then moves to a senior role will out-earn someone who started higher but stagnated. That said, do not accept significantly below-market pay — know your worth even at entry level.
How often should I change jobs to maximize salary?
The data suggests that changing jobs every 2-3 years during the first decade of your career maximizes salary growth. External moves typically come with 15-25% raises, while internal promotions average 5-10%. After you reach a senior or leadership position, longer tenures become more financially and professionally rational. However, job-hopping too frequently (every 12 months or less) can raise red flags for hiring managers. The sweet spot is 2-3 years at each position during your growth phase.
— HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field. We write from experience, not theory.
