Cyber security is consistently cited as one of the best-paying fields in technology. That is broadly true, but "cyber security salaries are high" is not useful information if you are trying to decide whether to make a career move, figure out what to negotiate, or understand how long it takes to reach a salary you are aiming for.
This guide gives you specific numbers by role and experience level, the factors that move salaries up fastest, and an honest picture of what entry-level actually looks like before the numbers get interesting.
What Entry Level Actually Pays
One of the most persistent problems with cyber security salary data is that averages are pulled upward by senior, specialist, and leadership roles that most people reading them are years away from. The honest entry-level picture is more modest.
In the US, entry-level SOC analyst and junior security analyst roles typically start between $55,000 and $85,000, depending heavily on location, employer type, and whether the role is in-house or at a managed security service provider (MSSP). MSSPs tend to pay less than in-house security teams but often provide faster skill development through sheer volume of work.
In the UK, entry-level roles start between £25,000 and £37,000 at most organisations outside London. London-based roles at financial institutions and consultancies sit higher, typically £35,000 to £48,000 at entry level.
These are starting positions. The reason cyber security is worth the investment is not the entry salary but how quickly compensation accelerates once you move past it.
Salary by Role and Experience Level
The table below covers the most common cyber security career paths with realistic salary ranges at each stage. US figures are base salary only; UK figures are annual base. Both exclude bonuses, equity, and benefits, which can add 10 to 30 percent at mid and senior levels.
| Role | US entry level | US mid level (3–5 yrs) | US senior (5+ yrs) | UK entry | UK senior |
|---|---|---|---|---|---|
| SOC Analyst | $55k–$85k | $85k–$115k | $110k–$140k | £25k–£37k | £55k–£80k |
| Penetration Tester | $70k–$100k | $110k–$150k | $150k–$210k | £30k–£45k | £65k–£100k |
| Security Engineer | $80k–$110k | $115k–$150k | $150k–$200k | £32k–£48k | £65k–£95k |
| Cloud Security Engineer | $85k–$115k | $120k–$165k | $160k–$220k | £35k–£52k | £70k–£110k |
| GRC Analyst | $60k–$85k | $85k–$120k | $120k–$170k | £28k–£40k | £55k–£85k |
| Security Architect | N/A (senior role) | $120k–$155k | $155k–$210k | N/A | £75k–£120k |
| CISO | N/A (leadership role) | N/A | $190k–$300k+ | N/A | £100k–£160k+ |
Figures represent base salary ranges at the 25th–75th percentile based on 2026 job posting and industry survey data. US figures are USD; UK figures are GBP. Location, sector, and employer size affect these ranges significantly. Total compensation including bonuses and equity can add 10–30% at mid and senior levels.
When Salaries Jump and Why
The most significant salary acceleration in cyber security happens between entry level and mid level, typically between years two and five. Professionals who develop a clear specialisation during this period and earn the credentials to back it up commonly see their base salary increase by 40 to 60 percent from where they started.
The jump is not automatic. It is driven by three things happening in roughly the same window.
Specialisation. Generalist cyber security knowledge is the foundation. What commands a premium is depth in a specific domain. Cloud security engineers, penetration testers with offensive security credentials, and GRC professionals with compliance framework expertise all earn noticeably more than analysts with the same years of experience but a broader, shallower skill set. The market is clearer about what specialists are worth.
Certifications at the right level. Entry-level certifications like Security+ establish a baseline and satisfy HR filters. The certifications that move salaries are the harder ones earned after two to three years of experience: OSCP for offensive security roles, CISSP for senior and leadership paths, and cloud security credentials for infrastructure-focused positions. These are not accessible at day one, but planning toward them early shapes what you study and what experience you seek out.
Industry and sector. Financial services, defence, and large technology companies consistently pay above the market average for equivalent roles. A SOC analyst at a major bank or a cloud security engineer at a tech company with equity compensation will out-earn the same title at a mid-market company or public sector organisation, sometimes substantially. If maximising earnings is a priority, the sector you target matters as much as the role.
What Certifications Are Actually Worth in Salary Terms
Not every certification moves pay. The ones that correlate most consistently with salary increases are the ones that are difficult to earn and that employers treat as a meaningful signal.
| Certification | Typical salary premium (US) | Best career stage | Why it moves salaries |
|---|---|---|---|
| Security+ | +$5k–$10k vs uncertified | Entry level | Passes HR filters; baseline expected by many employers. Not having it costs more than having it earns. |
| OSCP | +$10k–$20k | Mid level (offensive roles) | Hard to earn; credibly signals practical offensive ability. Named in many penetration testing job postings. |
| CISSP | +$15k–$25k | Mid to senior level | Strongest salary signal at senior level. Common requirement for leadership and architecture roles. |
| AWS Security Specialty | +$10k–$18k | Mid level (cloud roles) | Cloud security is undersupplied; vendor-specific depth is directly valued by AWS-heavy employers. |
| CISM / CISA | +$10k–$20k | Mid to senior (GRC / management) | ISACA credentials command premiums in GRC, audit, and security management tracks. |
Salary premiums are approximate market averages based on job posting data and industry surveys. Individual variation is significant based on role, employer, and geography.
The Factors That Matter More Than People Expect
Location within a market. In the US, roles in San Francisco and the Bay Area pay 20 to 35 percent above the national average for the same title. New York and Washington DC are 15 to 25 percent above average. In the UK, London adds a similar premium over the national average, particularly at financial institutions. Remote work has opened access to higher-paying employers for professionals outside these hubs, but the highest total compensation packages still cluster around major financial and technology centres.
Sector. Financial services, large technology companies, and defence contractors pay the highest base salaries. Healthcare, education, and public sector roles typically sit below market average for equivalent experience, though they often offer stronger benefits and greater job stability.
In-house versus consultancy. Consultancy and professional services roles often pay higher base salaries and expose you to a wider range of environments and technologies. In-house roles tend to offer better benefits, more predictable hours, and sometimes equity. Both are legitimate career paths with different compensation structures, and moving between them is common at mid career.
Security clearance. In the US, roles requiring Secret clearance typically pay $5,000 to $10,000 above market. Top Secret clearance adds $15,000 to $25,000. For roles in defence and government contracting, clearance is one of the most direct ways to move your salary above peers with equivalent experience and credentials.
A Realistic Earnings Timeline
For someone entering cyber security as a complete beginner, a rough earnings trajectory in the US looks something like this: entry-level SOC analyst at $60,000 to $75,000 in year one, rising to $85,000 to $100,000 by year three as skills and a first certification develop, then a more significant jump to $110,000 to $130,000 by year five if a specialisation has been established and a mid-level credential earned. In the UK, the equivalent trajectory runs from £28,000 to £35,000 at entry, to £45,000 to £55,000 by year three, to £60,000 to £75,000 or beyond by year five in a specialist track.
These are not guarantees. They are what consistent skill development, deliberate specialisation, and the right credential sequencing actually produce across the field. The people who sit at the lower end of these ranges at each stage are those who stayed generalist too long, did not pursue credentials that signal depth, or stayed in sectors or employer types that pay below market.
Build the Skills That Drive the Salary
The salary trajectory in cyber security is directly connected to the practical ability you can demonstrate. Employers do not pay premiums for years of service alone. They pay for specific, evidenced skills in areas where supply is short.
TryHackMe gives you the structured, hands-on environment to build and demonstrate those skills before your first role and as you specialise through your career. Whether you are working toward SOC analyst fundamentals, offensive security depth for a penetration testing path, or the practical cloud security skills that command a premium, the learning paths are built around the job-ready skills employers are actually hiring for.
Nick O'Grady