The BLS projects information security analyst roles to grow 33% through 2033, nearly four times the average across all occupations. The median salary across all experience levels sits at $124,910. Entry-level roles start considerably lower than that, but the progression is fast and the ceiling is high.
The question is not whether cyber security pays well. It clearly does. The question is which entry-level role gives you the best combination of accessibility, salary, and career trajectory from where you are starting right now.
Here is the honest breakdown.
What Do Entry-Level Cyber Security Jobs Actually Pay?
Salary data for entry-level cyber security varies significantly by source, role, location, and whether prior IT experience is included. Here is how the main data points stack up.
ZipRecruiter puts the average annual pay for an entry-level cyber security analyst at $99,400 as of May 2026, with the majority of salaries ranging between $79,500 and $115,500. Glassdoor reports a lower average of $73,909 for entry-level security analyst roles. The gap between these figures reflects the difference between roles requiring prior IT experience and true entry-level positions with no prior background.
Coding Temple's role-specific breakdown gives the clearest picture by role: SOC Analyst Tier 1 at $50,000 to $70,000 with shift differentials for nights and weekends pushing total compensation higher; IT Security Specialist at $55,000 to $75,000; GRC Analyst at $60,000 to $80,000 in regulated industries; Junior Information Security Analyst at $65,000 to $85,000.
According to HADESS, progression from SOC Tier 1 to Tier 2 typically takes one to two years and comes with a $15,000 to $25,000 raise. The first role is not the destination. It is the launch point.
Which Entry-Level Roles Are Most Accessible?
Not all entry-level cyber security roles are equally accessible. Accessibility depends on the hiring pipeline, the technical bar at interview, and whether employers expect prior security experience.
SOC Tier 1 Analyst
The most common and most accessible first role in cyber security. CyberSeek shows over 514,000 open information security analyst roles in the US, with SOC analyst positions representing the largest share of entry-level openings. MSSPs and large enterprises with 24/7 SOC operations hire at volume and actively train career changers.
Salary: $50,000 to $70,000 base, higher with shift differentials and in higher-cost markets where some postings average closer to $85,000.
What you need: SIEM familiarity (Splunk or Sentinel), Windows event log knowledge, an understanding of alert triage methodology, and practical evidence of hands-on investigation. A practical certification like SAL1 is the most direct way to demonstrate this.
Career trajectory: Tier 2 analyst in one to two years at $85,000 to $110,000. From there: threat hunting, detection engineering, DFIR, or security engineering.
GRC Analyst
The strongest entry point for candidates from non-technical backgrounds. Governance, Risk, and Compliance work is surging in 2026 as DORA, NIS2, and updated SEC disclosure rules hit organisations simultaneously. Regulated sectors including financial services, healthcare, and government are hiring at volume.
Salary: $60,000 to $80,000 at entry level, with regulated-sector employers frequently paying toward the top of that range. Glassdoor puts the Cyber Security GRC Analyst average at $85,000 across all experience levels.
What you need: Security+ or equivalent, familiarity with at least one framework (NIST CSF or ISO 27001), and strong written communication skills. Prior experience in audit, compliance, legal, or policy transfers directly.
Career trajectory: Senior GRC analyst, GRC manager, or CISO track. GRC leadership salaries easily top $130,000.
IT Security Specialist
The natural bridge role for candidates with existing IT experience. Help desk, system administration, network operations, and desktop support all provide transferable skills that cyber security hiring managers value. This role does not typically require prior security job titles.
Salary: $55,000 to $75,000, higher for candidates bringing cloud or network administration experience.
What you need: Security+ as the baseline credential, OS proficiency in both Windows and Linux, and endpoint security familiarity. TryHackMe's Cyber Security 101 path covers the security layer that goes on top of existing IT knowledge.
Career trajectory: Security engineer, cloud security specialist, or SOC analyst within twelve to eighteen months.
Junior Penetration Tester
The role most people want and one of the less accessible first positions. Junior pentester roles are less common and more competitive than SOC openings, and most employers expect demonstrable offensive skill across web, network, and Active Directory before considering a candidate.
Salary: $65,000 to $95,000 at junior level. OSCP holders command a noticeable premium over non-certified testers.
What you need: Documented lab work across web, network, and Active Directory targets, a practical certification like PT1, and ideally OSCP in progress or completed. TryHackMe's Jr Penetration Tester path is the most structured preparation route.
Career trajectory: Senior penetration tester, red team operator, or independent consultant. Senior and specialist roles regularly exceed $130,000.
Cloud Security Engineer (Aim For After Your First Role)
Worth including because it is consistently the highest-paid specialisation, but it is not a true entry-level role. It requires both cloud platform experience and security knowledge layered on top. Cloud security roles that require AWS, Azure, or GCP expertise pay 15 to 25% more than equivalent non-cloud roles.
Salary: $85,000 to $110,000 and above at entry.
What you need: Cloud platform proficiency at intermediate level plus security specialism. Target this after your first security role, not before.
The Salary and Accessibility Comparison
| Role | Entry salary (US) | Barrier to entry | Best first credential | TryHackMe path | 2-year salary potential |
|---|---|---|---|---|---|
| SOC Tier 1 Analyst | $50,000 to $70,000 | Low. Largest entry-level pipeline in the field | SAL1 | SOC Level 1 | $85,000 to $110,000 at Tier 2 |
| GRC Analyst | $60,000 to $80,000 | Low to moderate. Strong fit for non-technical backgrounds | Security+ or equivalent | Cyber Security 101 | $90,000+ as senior GRC analyst |
| IT Security Specialist | $55,000 to $75,000 | Moderate. Suited to candidates with existing IT background | Security+ | Cyber Security 101 | $80,000 to $95,000 as security engineer |
| Junior Penetration Tester | $65,000 to $95,000 | High. Requires demonstrable offensive skill across multiple domains | PT1 | Jr Penetration Tester | $110,000+ as senior pentester |
| Cloud Security Engineer | $85,000 to $110,000 | Very high. Requires cloud platform experience plus security specialism | AWS Security Specialty or SC-200 | Target after first role | $130,000+ as cloud security architect |
Salary ranges reflect US market data from BLS, ZipRecruiter, Glassdoor, Coding Temple, and HADESS (2026). Ranges vary significantly by location, employer type, and prior experience.
What Factors Move Your Salary Up?
Within any role, several factors consistently push compensation toward the top of the range.
Location. Cyber security salaries in San Francisco, New York, Washington DC, and Seattle significantly exceed national averages. Remote roles increasingly pay at the employer's location rate rather than the employee's, which matters.
Employer type. In-house SOC teams at large enterprises and financial institutions typically pay more than MSSPs for equivalent roles. MSSPs compensate with faster skill development through higher incident volume.
Certifications. The right credential at the right time moves the needle. OSCP holders command a noticeable premium at junior and mid-level penetration testing roles. SAL1 signals practical readiness in a way that theoretical certifications do not, which affects hiring decisions as much as initial salary.
Practical evidence. A documented portfolio of lab work, CTF writeups, and a public TryHackMe profile showing consistent activity over several months is increasingly weighed against certification stacks by technical hiring managers. The candidates who negotiate strongest at offer stage are those who can speak specifically about what they have done.
Which Role Should You Target First?
The honest answer depends on where you are starting.
If you have no IT background: SOC Tier 1 is the most accessible, highest-volume entry point with the clearest hiring pipeline. Budget six to twelve months of structured preparation. TryHackMe's SOC Level 1 path and SAL1 certification are the most direct preparation and validation route.
If you have a non-technical background in audit, compliance, or policy: GRC analyst is the natural fit. The technical bar is lower, the transferable skills are higher, and demand is surging in 2026.
If you have existing IT experience: IT Security Specialist or SOC Tier 1 are both realistic targets within four to eight months of focused preparation.
If you want penetration testing: SOC Tier 1 first is still the advisable route for most people. It builds the security operations foundation that makes you a stronger pentester, and it gets you into the field faster. Transition into penetration testing after twelve to eighteen months of operational experience.
Your first cyber security job is not the destination. It is the credential that opens every door after it. Start on TryHackMe today, build consistently, and that first role is closer than you think.
Nick O'Grady