Cybersecurity graduates earn between $55,000 and $80,000 at entry level with a bachelor's degree and CompTIA Security+ certification. Mid-career salaries range from $100,000 to $160,000 depending on specialization and certifications. The Bureau of Labor Statistics reports a median of $120,360 for information security analysts, with top earners exceeding $200,000 in security architecture and executive roles. The salary floor in cybersecurity is higher than most fields, and the 500,000+ talent shortage means compensation continues to climb.
"What's the starting salary?"
That is the first question every cybersecurity student asks, and the answer they usually get — a single number — misses the point. Cybersecurity salaries vary enormously based on your specific role, certifications, industry, and location. A SOC analyst in a mid-size city earns a fundamentally different salary than a cloud security architect at a major bank. Quoting the $120,360 BLS median without context creates unrealistic expectations for some graduates and hides the upside for others.
The data tells a compelling story when you break it apart. Cybersecurity has one of the highest salary floors of any bachelor's-level career path, meaning even the lowest-paying roles in the field exceed what many other majors earn at the median. The ceiling is equally impressive — senior cybersecurity professionals routinely earn $150,000 to $350,000+ without requiring a graduate degree [1].
This page maps actual salary data by experience level, specialization, industry, and location so you can plan your career path with real numbers rather than averages that obscure the details.
Entry-Level Salary: What to Expect Year One
The first year out of college is where cybersecurity diverges from most fields. While many liberal arts graduates are competing for $40,000 roles, cybersecurity graduates with a bachelor's degree and at least CompTIA Security+ certification enter a market that is actively competing for them.
The most common entry-level roles and their starting salary ranges:
SOC Analyst (Tier 1): $55,000-$75,000. The most accessible entry point. Monitoring security alerts, triaging events, and escalating incidents. Higher pay in major metros and at financial institutions.
IT Security Specialist: $55,000-$70,000. Managing firewalls, patching systems, configuring access controls. Common at mid-size companies that need a generalist.
GRC Analyst: $55,000-$75,000. Risk assessments, policy writing, compliance documentation. Less technical, more analytical and organizational.
Junior Penetration Tester: $65,000-$85,000. Testing systems for vulnerabilities. Competitive to land without OSCP, but the starting salary reflects the technical skill required.
Digital Forensics Analyst: $50,000-$70,000. Investigating incidents, preserving evidence, supporting legal proceedings. Government positions start lower but include strong benefits packages.
The single factor that most reliably predicts whether a new cybersecurity graduate starts at $55,000 or $80,000 is whether they completed a relevant internship during college. Internship experience signals practical skills that the degree transcript alone does not prove. Companies that hire their interns full-time typically offer $5,000-$10,000 above the standard entry-level range because they have already verified the candidate's capabilities.
If you have not yet decided on cybersecurity, comparing cybersecurity careers with computer science careers shows where the salary differences emerge at each career stage.
Mid-Career Salary: Where the Money Grows
Mid-career is where cybersecurity salaries accelerate faster than most technical fields. The combination of persistent talent shortage, increasing regulatory requirements, and growing threat complexity means experienced cybersecurity professionals are in high demand.
Security Engineer (3-7 years experience): $100,000-$140,000. Designing and implementing security systems. This is the natural progression from SOC analyst for technically oriented professionals. Employers expect certifications like CISSP or cloud-specific credentials.
Senior Penetration Tester / Red Team Lead (5-10 years): $120,000-$170,000. Leading security testing engagements, developing attack methodologies, and mentoring junior testers. OSCP is the standard credential, with OSCE and GXPN adding a salary premium.
Cloud Security Architect (5-8 years): $140,000-$180,000. Designing security architecture for cloud environments (AWS, Azure, GCP). This is one of the fastest-growing and highest-paying mid-career paths because the cloud security talent gap is even more acute than the general cybersecurity shortage.
Incident Response Manager (5-10 years): $110,000-$150,000. Leading teams that respond to active breaches. Requires both technical depth and project management ability. The high-pressure nature of the work commands premium compensation.
According to the (ISC)2 Cybersecurity Workforce Study, cybersecurity professionals with CISSP certification earn an average of $130,000 annually in the United States, roughly $30,000 more than certified professionals without CISSP [2]. The certification requires five years of professional experience and passing a rigorous exam, but the salary premium it commands makes it one of the highest-ROI professional credentials available.
Security Architect (7-12 years): $130,000-$175,000. Designing enterprise-wide security strategy and infrastructure. Requires CISSP and deep experience across multiple security domains. This is the senior technical role that many security engineers aspire to.
GRC Director / Security Compliance Manager (7-10 years): $120,000-$160,000. Managing organizational risk programs, audit preparation, and regulatory compliance. CISA and CRISC certifications add significant value. This path rewards organizational and communication skills alongside security knowledge.
Salary by Industry
Industry choice is the single biggest variable in cybersecurity compensation outside of experience and role. The same skills command wildly different salaries depending on where you apply them.
Financial services pays the highest cybersecurity salaries outside of pure tech. Major banks, investment firms, and insurance companies face constant attack and strict regulatory requirements. Security engineers at JPMorgan Chase, Goldman Sachs, or Citigroup earn $120,000-$180,000 at mid-career. The financial sector also offers substantial bonuses — 15-25% of base salary is typical for cybersecurity roles.
Technology companies offer competitive base salaries plus equity compensation that can significantly increase total compensation. Security engineers at companies like Google, Amazon, Microsoft, and CrowdStrike earn $130,000-$200,000+ when including stock grants. Smaller tech companies pay slightly less in base salary but may offer more significant equity upside.
Healthcare pays moderately for cybersecurity roles but has growing demand due to HIPAA requirements and the increasing digitization of medical records and devices. Security professionals at hospital systems and health insurers earn $90,000-$140,000 at mid-career. The work is particularly meaningful because security failures in healthcare can directly impact patient safety.
Government and defense pays below private sector base salaries but offers benefits packages that narrow the gap. Federal cybersecurity professionals earn GS-12 to GS-15 salaries ($80,000-$150,000+ with locality adjustments [3]) plus retirement benefits, health insurance, and job security that the private sector cannot match. Defense contractors (Raytheon, Lockheed Martin, Booz Allen Hamilton, Northrop Grumman) pay closer to private sector rates — $90,000-$160,000 — with the added benefit of security clearances that increase your market value permanently.
Do not accept the first salary offer in cybersecurity without researching market rates for your specific role, location, and certification level. The talent shortage means employers expect to negotiate. Cybersecurity salaries vary by $20,000-$40,000 for the same role depending on the company, and many new graduates leave money on the table by accepting the first number presented. Use sites like levels.fyi, Glassdoor, and Blind to benchmark offers.
Consulting firms (Deloitte, PwC, EY, KPMG, Accenture, and boutique security firms) pay entry-level consultants $60,000-$85,000 with rapid promotion cycles. Senior consultants and managers reach $120,000-$180,000 within five to seven years. Consulting also builds broader experience because you work across multiple clients and industries.
Energy and utilities pay well for cybersecurity because critical infrastructure protection is a national security priority. Operational technology (OT) security — protecting power grids, water treatment plants, and oil refineries from cyber attacks — is a specialized niche with salaries of $100,000-$160,000 and relatively few qualified candidates.
Salary by Location
Geographic variation in cybersecurity salaries follows predictable patterns, though remote work has partially flattened the differences.
Washington, D.C. metro area is the single largest cybersecurity job market in the country, driven by federal agencies, defense contractors, and a dense concentration of security firms. Salaries run 10-20% above national averages. A mid-career security engineer earns $120,000-$160,000 in the D.C. area.
San Francisco and Silicon Valley pay the highest raw salaries ($130,000-$200,000+ for mid-career roles) but the cost of living absorbs much of the premium. Total compensation at major tech companies (including equity) can make this the most lucrative market.
New York City pays well for cybersecurity in financial services ($110,000-$170,000 mid-career) with cost of living comparable to the Bay Area.
Austin, Dallas, and Denver have emerged as cybersecurity hubs with strong salaries ($90,000-$140,000 mid-career) and significantly lower cost of living than coastal cities. These markets offer arguably the best salary-to-cost-of-living ratio for cybersecurity professionals.
Remote positions have expanded significantly and typically pay based on company location or a national average. Many employers have adopted location-based pay bands where remote workers in lower-cost areas earn 10-20% less than those in the company's headquarters city.
Highest-Paying Career Paths With This Degree
Chief Information Security Officer (CISO) is the highest-paying cybersecurity role, with total compensation of $180,000-$350,000+ at large organizations. CISOs at Fortune 500 companies can earn $400,000-$600,000+ including equity and bonuses. This role requires 10-15+ years of experience, CISSP certification, and strong business and leadership skills alongside technical depth.
Cloud Security Architect pays $140,000-$200,000 and is the fastest path to high compensation for technically oriented professionals. The cloud security talent gap is so severe that experienced architects can command premium salaries and often receive multiple competing offers.
Security Sales Engineer at cybersecurity vendors (CrowdStrike, Palo Alto Networks, Fortinet) earns $100,000-$150,000 base plus commission that can push total compensation to $200,000-$300,000. This role combines technical security knowledge with client-facing sales support.
If your primary goal is maximizing lifetime earnings with a cybersecurity degree, the fastest path is: SOC analyst (years 1-2) then security engineer at a cloud-focused company (years 3-5) then cloud security architect or security sales engineer (years 5-8). This progression gets you to $150,000+ within five to eight years without a master's degree. The key accelerants are CISSP certification and either AWS/Azure security specialization or strong communication skills for the sales engineering path.
Application Security Engineer at technology companies earns $130,000-$180,000 and combines software development skills with security expertise. If you have strong programming abilities alongside your security training, AppSec is one of the highest-paying technical paths.
What Actually Moves the Needle on Your Salary
Certifications provide the most measurable salary bumps in cybersecurity. CompTIA Security+ is table stakes. CISSP adds $20,000-$30,000 to average compensation [2]. OSCP adds $15,000-$25,000 for penetration testing roles. Cloud security certifications (AWS Security Specialty, CCSP) add $10,000-$20,000. The certifications cost $300-$750 per exam and represent one of the highest-ROI professional investments available.
Security clearance increases your market value by $10,000-$30,000 because it limits competition. Obtaining a clearance requires a government or defense contractor employer to sponsor you, but once you have it, the clearance itself is a valuable credential that reduces the candidate pool for sensitive positions.
Specialization matters more as you advance. Generalist security analysts earn the median. Specialists in cloud security, application security, or operational technology security earn 15-30% premiums because the specialized talent pool is smaller.
Industry sector determines your compensation ceiling. Financial services and technology pay the most. Government and education pay the least in base salary. Healthcare and energy fall in between.
For the full career map, see our guide to cybersecurity careers and evaluate whether a cybersecurity degree is worth the investment.
FAQ
What is the average starting salary for a cybersecurity major?
Starting salaries for cybersecurity bachelor's graduates with CompTIA Security+ certification range from $55,000 to $80,000 depending on role, location, and internship experience. SOC analyst and GRC analyst roles start at the lower end, while junior penetration testers and security engineers at large companies start higher. The median entry-level salary falls around $60,000-$70,000 across all cybersecurity roles.
Can you make six figures with a cybersecurity degree?
Yes, and most cybersecurity professionals reach six figures within three to seven years of graduation. Security engineers, penetration testers, cloud security specialists, and GRC managers all earn $100,000+ at the mid-career level. CISSP certification and specialization in cloud security are the two fastest accelerators to six-figure compensation.
Do you need a master's degree to make good money in cybersecurity?
No. The majority of six-figure cybersecurity professionals hold a bachelor's degree plus industry certifications rather than a master's degree. CISSP, OSCP, CCSP, and cloud vendor certifications carry more salary weight than a master's degree in most cybersecurity hiring decisions. A master's can help with career transitions into management or academia but is not required for high earnings.
How does a cybersecurity salary compare to a software engineering salary?
Software engineers at major tech companies typically start higher ($80,000-$120,000 vs. $55,000-$80,000 for cybersecurity). By mid-career, the gap narrows considerably — senior security engineers and architects earn $130,000-$200,000, competitive with senior software engineers outside of FAANG companies. CISOs at large organizations can earn more than most software engineering directors. The compensation trajectories converge at the senior level.
What cybersecurity jobs pay the most without a graduate degree?
CISO ($180,000-$350,000+), cloud security architect ($140,000-$200,000), security sales engineer ($150,000-$300,000 total compensation), senior penetration tester ($120,000-$170,000), and application security engineer ($130,000-$180,000) all offer strong compensation with a bachelor's degree plus certifications and experience. The key differentiators are CISSP certification, specialized expertise, and years of relevant experience.
Is the cybersecurity salary bubble going to burst?
The fundamentals suggest sustained demand rather than a bubble. Cyber threats are growing in frequency and sophistication, regulatory requirements for security are expanding across industries, and the talent shortage has persisted for years. BLS projects 33% growth through 2033 [1]. Salaries may plateau at the entry level as more graduates enter the field, but the demand for experienced professionals shows no signs of declining.
Footnotes
[1] U.S. Bureau of Labor Statistics. (2025). Occupational Outlook Handbook: Information Security Analysts. U.S. Department of Labor. https://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm
[2] (ISC)2. (2024). Cybersecurity Workforce Study. International Information System Security Certification Consortium. https://www.isc2.org/Research/Workforce-Study
[3] U.S. Office of Personnel Management. (2025). 2025 General Schedule (GS) Pay Tables. OPM. https://www.opm.gov/policy-data-oversight/pay-leave/salaries-wages/
[4] CyberSeek. (2025). Cybersecurity Supply/Demand Heat Map. National Initiative for Cybersecurity Education. https://www.cyberseek.org/heatmap.html