Salary data in cybersecurity is messy. Job postings routinely omit ranges. “Security engineer” at a 40-person startup pays differently than “security engineer” at a Fortune 100 company, even if the title is identical. Certifications inflate some estimates, geography distorts others, and compensation surveys almost always skew toward respondents who are already doing well.

This report tries to cut through that. The ranges below are drawn from Levels.fyi (which collects self-reported total compensation data, heaviest coverage at larger tech companies), LinkedIn Salary (broader industry coverage, weaker on equity breakdown), the IANS Research CISO Compensation Survey (the most rigorous executive-level dataset available), and Heidrick and Struggles executive placement data. Where those sources diverge, the ranges are widened rather than averaged, because the divergence is usually real.

A few honest caveats before the numbers: self-reported salary data overrepresents people at well-compensated organizations who feel good about their pay. LinkedIn Salary data skews toward people who have updated their profiles recently, which correlates with job seeking and therefore with above-market offers. IANS survey data is methodologically stronger at the CISO level but covers a smaller and more senior sample. None of these sources are perfect. Use the ranges as reference points, not ground truth.

Entry Level: $55,000 to $85,000 Base

This tier covers roles where the primary expectation is execution under supervision. You are learning processes, handling alert queues, running through playbooks, and building pattern recognition. Experience requirements are typically zero to three years.

SOC Analyst Tier 1

Base range: $55,000 to $72,000. These roles exist primarily at managed security service providers (MSSPs), large enterprises with internal SOCs, and government contractors. MSSPs tend to pay at the lower end of that range and offer a higher volume of experience in exchange. Internal enterprise SOC positions at larger companies pay toward the higher end and provide more stable hours but slower advancement.

Total compensation at this level is almost entirely base salary. Equity is rare, bonuses are modest (5% to 8% if present), and benefits packages vary widely. A $65,000 SOC Tier 1 role at a healthcare system is functionally different from a $65,000 role at a defense contractor where clearance pay and stability matter.

SOC Analyst Tier 2

Base range: $68,000 to $85,000. This tier involves more autonomous investigation, escalation decisions, and often ownership of detection rule tuning. The jump from Tier 1 to Tier 2 is the most reliable promotion path in the field, typically achievable in 12 to 24 months with consistent performance.

Junior Penetration Tester

Base range: $65,000 to $82,000. Junior penetration testing roles are less common than SOC roles. Most firms hiring at this level want candidates who can demonstrate hands-on proficiency (OSCP certification or equivalent CTF/lab evidence) because the ramp-up cost for pure beginners is high. Starting ranges are similar to SOC Tier 2, but advancement is faster once you demonstrate output.

IT Security Analyst

Base range: $60,000 to $80,000. This is a broader category that often blends compliance work, vulnerability management, and basic security operations. It is common at mid-size companies that cannot justify specialized roles. Compensation reflects the generalist nature: solid but not top-of-market in any single dimension.

Mid Level: $95,000 to $145,000 Base

At this tier, the expectation shifts from following playbooks to writing them. You are expected to own problems end to end, contribute to architectural decisions, and operate with minimal supervision. Experience requirements typically run three to seven years, though skill progression matters more than time-in-seat.

Security Engineer

Base range: $105,000 to $140,000. “Security engineer” is the most variable title in the field. At software companies, it often means building security tooling and integrating security into the development pipeline. At financial institutions, it often means operating and tuning existing security infrastructure. At consultancies, it means whatever the client needs. The title alone tells you relatively little; the scope of the role matters more. Total compensation at this level starts to include meaningful equity at tech companies — $20,000 to $50,000 in RSUs annually is realistic at mid-size to large tech firms. Bonuses at financial services firms can add 15% to 25% on top of base.

Incident Response Analyst

Base range: $95,000 to $125,000. IR analysts at internal corporate teams tend to sit toward the middle of that range. IR analysts at consulting firms (where you are handling clients across multiple industries and responding to active breaches) tend to sit toward the top, with some senior IR consultants crossing into the $130,000 to $140,000 territory that bridges into the senior tier.

Threat Intelligence Analyst

Base range: $95,000 to $130,000. Threat intelligence is a role where specialization pays. Analysts with demonstrable expertise in specific threat actor groups, regional threat landscapes (China nexus, Russian nexus, financially motivated crime), or specific sectors (financial services, critical infrastructure) command premiums over generalist roles. The field is also smaller than SOC or engineering, which limits the number of openings but also limits oversupply.

Cloud Security Engineer

Base range: $115,000 to $145,000. Cloud security has commanded a premium for several years as organizations migrate workloads and then discover they lack the skills to secure them. AWS, Azure, and GCP specializations are all in demand, with multi-cloud experience adding further value. This is also one of the roles where the AI/ML security skills premium is most pronounced, covered in a dedicated section below.

Senior Level: $140,000 to $200,000+ Base

Senior roles carry design authority and organizational accountability. At this tier, you are expected to make architectural decisions that will hold up over years, mentor junior and mid-level staff, engage with vendors and leadership, and own outcomes rather than tasks. The compensation gap between a strong senior and an average senior is significant — this is where individual differentiation starts to matter substantially.

Senior Security Engineer

Base range: $145,000 to $185,000 at most US employers. Total compensation at large tech companies commonly runs $180,000 to $240,000 when RSUs and bonus are included. At financial services firms, base can reach $175,000 with 20% to 30% bonuses. This is where geography and employer type create the largest divergence.

Red Team Lead

Base range: $145,000 to $175,000. Red team leads manage internal adversarial simulation programs, define methodology, and often interact directly with senior executives and the board. The supply of strong red team talent is genuinely constrained — people who can lead a program rather than just participate in one are scarce — which gives experienced candidates meaningful leverage in negotiation.

Security Architect

Base range: $150,000 to $195,000. Security architects operate at the intersection of technical depth and business context. The role typically requires the ability to translate security requirements into designs that engineering teams can implement, and to communicate risk tradeoffs to non-technical stakeholders. Strong architects with proven track records at recognizable companies are among the most consistently well-compensated people in the field.

Detection Engineer Lead

Base range: $140,000 to $180,000. Detection engineering as a distinct function has matured significantly over the past several years. Leads in this space own the detection library, define detection-as-code practices, and measure detection coverage. Organizations with mature security programs increasingly recognize this as a specialized discipline rather than a subset of SOC work, which has pushed compensation upward.

Executive Level: $200,000 to $500,000+ Total Compensation

Executive compensation in security is driven primarily by organization size, industry, and — at the top — equity structure. The ranges below are total compensation figures (base plus annual bonus plus equity realized or annualized), not base salary alone. Base salary at this level commonly represents 40% to 60% of total compensation at public companies.

Director of Security

Total comp range: $200,000 to $320,000 depending on organization size. Directors at large enterprises (10,000+ employees) in regulated industries (financial services, healthcare, defense) sit toward the top of that range. Directors at smaller organizations or those without dedicated security budgets sit toward the lower end.

VP of Security

Total comp range: $250,000 to $380,000. This role is more common at technology companies and financial institutions than at other sectors. The VP layer often has P&L or budget ownership and reports to the CISO or directly to the CTO or CRO. Equity is meaningful at this level — RSU grants in the $80,000 to $150,000 annual range are common at public tech companies.

CISO

Total comp range: $300,000 to $500,000+ at public companies. The IANS Research CISO Compensation Survey, which is the most methodologically rigorous dataset at this level, found median total compensation for Fortune 500 CISOs in the $425,000 to $480,000 range in its most recent data cycle. CISOs at mid-size private companies typically earn $250,000 to $350,000 in total comp, with less equity upside. CISOs at early-stage startups may take base salaries as low as $200,000 to $250,000 in exchange for equity stakes that could be material on exit.

Heidrick and Struggles executive placement data shows that CISO base salaries at large public companies now commonly run $300,000 to $380,000, with bonuses of 40% to 60% of base and equity grants bringing total annual compensation into the $450,000 to $550,000 range at the top of the market.

The CISO role is also one of the few in security where industry matters as much as company size. Financial services CISOs consistently command a 15% to 25% premium over technology CISOs with similar scope, reflecting the regulatory complexity and liability exposure of the role.

Geographic Breakdown

US compensation data is not uniform. The figures above are predominantly US-based ranges, but geography creates real variation within the US and sharp differences between the US and other markets.

Bay Area and New York City (in-person or hybrid)

Expect a 20% to 35% premium over national averages at the senior and mid levels. A security engineer role paying $130,000 nationally may pay $160,000 to $175,000 in San Francisco or New York, reflecting cost of living and the concentration of high-paying employers in those markets. At the entry level, the premium is smaller — cost of living adjustments are not dollar-for-dollar at lower salary bands.

US Remote

The past five years created a genuine geographic arbitrage opportunity that has not fully closed. A security engineer or cloud security engineer working remotely for a Bay Area or New York employer often earns Bay Area or New York compensation while living in a lower cost-of-living market. This is real and significant — a $145,000 salary in Austin or Denver goes further than the same number in San Francisco by a wide margin, particularly when state income tax is factored in (Texas and Florida have no state income tax; California’s marginal rate runs to 13.3%).

The arbitrage has narrowed somewhat as companies have instituted location-based pay bands, but it has not disappeared. Many employers still post single national ranges for remote roles, and negotiated offers still often reflect the employer’s market rather than the employee’s market. This is worth understanding before you accept a remote role — which salary band is the company using to calculate your offer?

United Kingdom

UK cybersecurity salaries are substantially lower than US equivalents in pound terms, and the gap widens further when adjusted for purchasing power. A mid-level security engineer in London earns approximately GBP 70,000 to GBP 95,000. Senior security engineers in London range from GBP 95,000 to GBP 130,000. CISO compensation at large UK organizations commonly runs GBP 175,000 to GBP 280,000 in total comp.

US-based employers hiring remotely from the UK sometimes apply their US compensation structures to UK candidates, creating a significant premium for the individuals who can access those roles.

European Union

Germany, the Netherlands, and the Nordics pay best within the EU for security roles. A senior security engineer in Amsterdam or Munich earns approximately EUR 90,000 to EUR 130,000. CISO compensation at large European enterprises commonly runs EUR 200,000 to EUR 350,000. France and Southern Europe generally pay 15% to 25% less than Germany and the Netherlands for equivalent roles.

The AI and ML Security Skills Premium

The demand for security professionals who can work in and around AI systems has created a measurable compensation premium at some organizations. The premium is real but unevenly distributed — it is most pronounced at technology companies building or deploying large-scale AI systems, and largely absent at traditional enterprises where AI security is not yet a defined function.

Where the premium exists, estimates from LinkedIn Salary data and job posting analysis put it at 15% to 25% above comparable roles without AI security scope. A cloud security engineer earning $130,000 without AI scope might earn $150,000 to $160,000 if the role includes LLM security, model evaluation, or AI red teaming responsibilities.

The skills driving this premium include: adversarial machine learning and model robustness testing, LLM security assessment and red teaming, data pipeline security for model training environments, and AI governance and risk frameworks (NIST AI RMF, EU AI Act compliance). Supply of practitioners with genuine depth in these areas is low. Organizations building AI products at scale are willing to pay to close that gap.

The premium is likely to persist for two to three years as the field matures, then normalize as more practitioners acquire these skills. If you are mid-level and looking for the highest-return investment in your skill set, AI security is the clearest answer available right now.

Total Compensation vs. Base Salary

At entry level, total compensation and base salary are nearly synonymous. Bonuses are small where they exist, and equity is rare.

At mid level, the gap starts to open. A security engineer at a public technology company with a $125,000 base might have $30,000 to $50,000 in annual RSU value plus a 10% to 15% bonus target, bringing total compensation to $160,000 to $190,000. The same role at a private company might pay a $130,000 base with a 10% bonus and no equity, totaling $143,000. The base salary comparison tells an incomplete story.

At senior level and above, focusing on base salary without understanding the equity component is a significant analytical error. RSU grants at public technology companies are often 40% to 60% of base salary annually. A senior security engineer with a $165,000 base at a large public company may be earning $220,000 to $250,000 in total annual comp when RSUs vest. That is not a minor rounding error — it is a material part of the offer.

When evaluating offers, ask for the total compensation picture including: base salary, target bonus percentage, RSU grant value and vesting schedule, and equity cliff. A four-year vest with a one-year cliff means you receive nothing for the first 12 months. That changes the effective value of an equity grant meaningfully.

How to Benchmark Your Own Compensation

Use multiple sources. Levels.fyi has the best equity data but skews toward large tech companies. LinkedIn Salary covers more industries but lacks detail on equity. Glassdoor is widely used but has significant data quality problems — treat it as a directional signal, not a precise benchmark. The IANS CISO survey is worth purchasing or accessing if you are at the director level or above.

Adjust for your specific employer type. A $120,000 base at a Fortune 100 financial services company with a 20% bonus target is a different animal from a $120,000 base at a 200-person SaaS company with no bonus and 0.1% stock options in a company that may or may not ever exit.

Talk to people in your market. Salary data from surveys has a lag; the best real-time data comes from conversations with peers, recruiters, and people who have recently changed jobs. Most people in security are willing to share salary information when asked directly — the norm is less secretive than many professionals assume.

Watch for job postings with ranges. Many US states now require salary range disclosure in job postings (California, Colorado, New York, Washington, and others). If your state requires disclosure, the posted ranges for roles at your target companies are free, current market data.

Negotiation: When to Walk, How to Use Competing Offers

Competing offers are the most reliable salary negotiation tool in the market. An employer who is reluctant to move on salary for a candidate without competing offers will often move when a competing offer is on the table. This is not adversarial — it is market pricing, and most hiring managers understand that.

The leverage point is real and credible interest. Fabricating a competing offer is inadvisable: hiring managers and recruiters talk, and the security field is smaller than it appears. A genuine competing offer from a recognizable employer carries real weight. A vague claim of “another offer” without specifics carries much less.

When to walk: if an employer’s best offer is more than 15% below your benchmark for a comparable role, and the non-monetary factors (remote flexibility, scope, growth trajectory) do not close that gap, walking is often the correct decision. The opportunity cost of accepting below-market compensation compounds over time, because future raises and new job offers are often anchored to your current salary.

When to accept below-market: roles with extraordinary scope for a current level, organizations where advancement velocity is genuinely faster, companies where the equity upside is real and the business fundamentals support it. These trade-offs are legitimate. Make them consciously rather than by default.

The geographic arbitrage angle applies to negotiation as well. If you are in a lower cost-of-living market and interviewing for a remote role at a Bay Area company, do not pre-emptively anchor to local market rates. Present your value based on the role requirements and the employer’s market. Let them make the first offer. You can always negotiate down from a high offer; you cannot easily negotiate up from a low one you invited.

Summary: Realistic 2026 Ranges at a Glance

| Level | Role | Base Salary (US) | Total Comp (US) |
|---|---|---|---|
| Entry | SOC Analyst Tier 1 | $55,000 - $72,000 | $55,000 - $78,000 |
| Entry | SOC Analyst Tier 2 | $68,000 - $85,000 | $70,000 - $92,000 |
| Entry | Junior Penetration Tester | $65,000 - $82,000 | $67,000 - $88,000 |
| Entry | IT Security Analyst | $60,000 - $80,000 | $62,000 - $86,000 |
| Mid | Security Engineer | $105,000 - $140,000 | $130,000 - $200,000 |
| Mid | IR Analyst | $95,000 - $125,000 | $100,000 - $145,000 |
| Mid | Threat Intelligence Analyst | $95,000 - $130,000 | $100,000 - $148,000 |
| Mid | Cloud Security Engineer | $115,000 - $145,000 | $140,000 - $210,000 |
| Senior | Senior Security Engineer | $145,000 - $185,000 | $180,000 - $250,000 |
| Senior | Red Team Lead | $145,000 - $175,000 | $165,000 - $225,000 |
| Senior | Security Architect | $150,000 - $195,000 | $175,000 - $260,000 |
| Senior | Detection Engineer Lead | $140,000 - $180,000 | $160,000 - $230,000 |
| Executive | Director of Security | $175,000 - $250,000 | $200,000 - $320,000 |
| Executive | VP of Security | $200,000 - $290,000 | $250,000 - $380,000 |
| Executive | CISO (mid-size) | $220,000 - $280,000 | $260,000 - $350,000 |
| Executive | CISO (large public co) | $300,000 - $380,000 | $400,000 - $500,000+ |

These are US figures. Apply a 20% to 35% upward adjustment for Bay Area and NYC in-person roles at senior levels. Apply roughly a 50% to 60% reduction to convert to UK pound equivalent ranges, and a 45% to 55% reduction for major EU markets.

The data quality is imperfect and the ranges are wide because the market is genuinely wide. A job title is not a salary. The employer, the scope, the geography, and the equity structure determine your actual compensation — not the title on the offer letter.

This article is provided for informational purposes only. Salary data and market conditions change; verify figures with current industry surveys before making career decisions.