At a Glance
- The national median salary for information security analysts is $124,910, with top metro areas and certifications pushing pay well above that figure.
- Certified professionals typically earn $10,000 to $20,000 more per year than non-certified peers, and credentials like CISSP can add over $20,000.
- Remote cybersecurity roles generally pay within a few percentage points of on-site positions across the United States.
- BLS projects roughly 33 percent job growth for information security analysts through the early 2030s, far outpacing most occupations.
Information security analysts earned a median salary of $124,910 according to the most recent Bureau of Labor Statistics data, placing cybersecurity firmly among the highest-paying segments of the IT workforce. It is also one of the fastest growing, with projected job growth roughly five times the national average for all occupations.
Still, that six-figure median masks real variation. Where you live, what role you hold, how many years you have logged, which certifications sit on your resume, and whether you work remotely all shift the number by tens of thousands of dollars in either direction. Understanding those levers matters more than chasing a single headline figure. This guide breaks down cybersecurity salaries by state, role, experience level, and certification so you can map a realistic earning trajectory along your cybersecurity career path.
How Much Do Cybersecurity Professionals Make?
Information security analysts earned a national median salary of $124,910 as of the most recent BLS data, with roughly 179,430 professionals employed across the country. Keep in mind that total compensation, including bonuses, equity grants, and benefits, can push effective pay 10% to 20% above base salary. We will break down the factors that move you along this range in later sections.
Cybersecurity Salary by State
Cybersecurity salaries vary significantly depending on where you work (or where your employer is based). The table below shows median and mean annual wages for information security analysts across all 50 states, the District of Columbia, and Puerto Rico. States with major government, defense, or tech hubs tend to cluster at the top, while lower cost of living areas often show more modest figures, though salaries there still comfortably exceed six figures in most cases.
| State | Median Salary | Mean Salary | 25th Percentile | 75th Percentile | Employed |
|---|---|---|---|---|---|
| Washington | $142,920 | $144,140 | $117,040 | $169,350 | 6,830 |
| California | $140,660 | $152,640 | $105,150 | $178,090 | 15,800 |
| Maryland | $140,480 | $145,450 | $105,230 | $175,390 | 8,770 |
| New Jersey | $135,390 | $141,130 | $108,320 | $168,240 | 4,730 |
| Delaware | $134,050 | $130,860 | $105,310 | $154,060 | 630 |
| New Mexico | $133,780 | $131,220 | $101,940 | $166,300 | 1,760 |
| Virginia | $132,460 | $136,680 | $101,610 | $166,510 | 18,670 |
| New York | $131,100 | $139,540 | $98,320 | $170,220 | 8,860 |
| Colorado | $130,570 | $135,980 | $102,350 | $164,010 | 5,840 |
| Connecticut | $130,500 | $127,740 | $95,260 | $152,410 | 1,160 |
| New Hampshire | $129,690 | $128,040 | $98,540 | $158,360 | 730 |
| Minnesota | $128,830 | $126,150 | $99,300 | $145,860 | 2,550 |
| District of Columbia | $127,760 | $132,790 | $109,680 | $150,920 | 2,010 |
| Massachusetts | $127,610 | $129,350 | $101,730 | $161,940 | 5,780 |
| Hawaii | $125,790 | $128,310 | $99,730 | $154,340 | 580 |
| Arizona | $125,320 | $123,780 | $88,520 | $161,250 | 4,170 |
| Texas | $124,970 | $126,800 | $96,020 | $149,780 | 14,730 |
| Georgia | $124,270 | $126,380 | $92,620 | $156,390 | 6,480 |
| Idaho | $121,970 | $145,880 | $87,980 | $157,060 | 870 |
| Wyoming | $121,290 | $122,570 | $82,350 | $161,650 | N/A |
| North Carolina | $121,070 | $122,310 | $88,560 | $147,030 | 6,850 |
| Oregon | $119,000 | $132,430 | $93,650 | $152,880 | 1,370 |
| Illinois | $114,300 | $119,540 | $83,960 | $138,130 | 4,560 |
| Iowa | $112,950 | $116,710 | $82,990 | $133,830 | 1,180 |
| North Dakota | $112,330 | $101,200 | $89,520 | $112,330 | 340 |
| Alabama | $111,110 | $112,800 | $79,870 | $138,270 | 3,290 |
| Pennsylvania | $110,230 | $114,870 | $79,670 | $137,900 | 4,420 |
| Rhode Island | $109,410 | $117,010 | $85,790 | $141,690 | 880 |
| West Virginia | $107,820 | $103,770 | $79,870 | $123,770 | 270 |
| Ohio | $107,570 | $115,600 | $83,480 | $137,430 | 5,070 |
| Nevada | $106,530 | $111,340 | $80,380 | $136,710 | 1,570 |
| Florida | $105,990 | $117,500 | $86,250 | $139,150 | 13,770 |
| Michigan | $104,540 | $107,630 | $79,920 | $129,150 | 3,120 |
| South Dakota | $103,310 | $104,120 | $86,360 | $115,300 | 430 |
| Missouri | $102,440 | $107,250 | $78,210 | $130,810 | 2,560 |
| Alaska | $102,170 | $111,900 | $96,320 | $121,060 | 210 |
| Kansas | $99,420 | $100,850 | $71,960 | $129,080 | 1,380 |
| Wisconsin | $99,210 | $106,260 | $79,640 | $128,770 | 1,760 |
| Kentucky | $98,210 | $102,820 | $67,650 | $128,910 | 1,790 |
| Utah | $97,180 | $101,430 | $72,800 | $127,980 | 1,720 |
| Nebraska | $95,470 | $103,310 | $85,120 | $122,360 | 1,120 |
| Maine | $93,710 | $99,420 | $73,890 | $129,560 | 270 |
| Arkansas | $93,560 | $96,080 | $66,800 | $125,550 | 1,010 |
| Louisiana | $88,200 | $101,280 | $73,830 | $107,250 | 580 |
| Montana | $87,100 | $99,560 | $87,100 | $102,650 | N/A |
| Vermont | $86,810 | $95,800 | $67,080 | $108,940 | 80 |
| Oklahoma | $86,500 | $92,390 | $57,490 | $117,500 | 1,270 |
| Mississippi | $84,640 | $89,910 | $60,240 | $105,830 | 560 |
| Indiana | $78,290 | $91,740 | $64,500 | $115,650 | 2,540 |
| Puerto Rico | $59,520 | $62,190 | $44,780 | $81,330 | 470 |
Highest-Paying Metro Areas for Cybersecurity
Location plays a major role in cybersecurity salary potential. The top-paying metro areas tend to cluster around technology hubs and regions with heavy federal or defense spending. Below are the 15 highest-paying metro areas for information security analysts, ranked by median annual salary. Keep in mind that cost of living varies significantly across these metros, so a higher salary does not always translate to more purchasing power.
| Metro Area | Total Employment | Median Salary | 25th Percentile | 75th Percentile | Mean Salary |
|---|---|---|---|---|---|
| San Jose, Sunnyvale, Santa Clara, CA | 2,500 | $175,520 | $132,810 | $220,100 | $204,340 |
| San Francisco, Oakland, Fremont, CA | 4,010 | $168,160 | $129,350 | $188,060 | $166,090 |
| Seattle, Tacoma, Bellevue, WA | 4,490 | $152,660 | $121,370 | $174,530 | $156,000 |
| Washington, Arlington, Alexandria, DC/VA/MD/WV | 15,870 | $138,410 | $111,130 | $172,670 | $146,720 |
| New York, Newark, Jersey City, NY/NJ | 10,160 | $138,360 | $106,760 | $172,050 | $146,810 |
| Baltimore, Columbia, Towson, MD | 4,370 | $136,050 | $103,780 | $175,420 | $144,460 |
| Boston, Cambridge, Newton, MA/NH | 4,870 | $132,170 | $101,760 | $164,370 | $132,120 |
| Denver, Aurora, Centennial, CO | 3,620 | $131,670 | $103,780 | $165,430 | $137,180 |
| Dallas, Fort Worth, Arlington, TX | 6,570 | $131,280 | $101,550 | $154,150 | $128,470 |
| Los Angeles, Long Beach, Anaheim, CA | 4,420 | $131,280 | $97,800 | $164,130 | $133,230 |
| San Diego, Chula Vista, Carlsbad, CA | 1,240 | $130,900 | $94,260 | $168,070 | $134,740 |
| Phoenix, Mesa, Chandler, AZ | 3,160 | $130,390 | $99,400 | $170,400 | $130,430 |
| Minneapolis, St. Paul, Bloomington, MN/WI | 2,090 | $129,380 | $100,860 | $147,390 | $127,600 |
| Charlotte, Concord, Gastonia, NC/SC | 2,130 | $127,840 | $96,960 | $161,250 | $127,280 |
| Huntsville, AL | 1,570 | $127,120 | $92,240 | $153,820 | $122,530 |
Questions to Ask Yourself
Cybersecurity Salary by Role
Not all cybersecurity jobs pay the same. Your specific role, the responsibilities it carries, and the technical depth required all shape what you can expect to earn. Below is a breakdown of six common cybersecurity positions and their typical salary ranges based on 2024 and 2025 industry data.1
Cybersecurity Analyst
This is one of the most common entry points into the field. Cybersecurity analysts monitor networks, investigate alerts, and help organizations maintain their security posture. Salaries for this role typically fall between $110,000 and $120,000 per year.1 It is a strong starting position for career changers who want to build hands-on experience before specializing. If you are considering this path, learn more about how to become a security analyst.
Cybersecurity Engineer
Engineers go a step beyond analysis. They design, implement, and maintain the security systems that protect an organization's infrastructure. Because the role demands deeper technical skills and often includes scripting or automation work, compensation tends to range from $120,000 to $135,000 annually.1 For a closer look at the skills and education you will need, explore the security engineer career path.
Security Architect
Security architects take a strategic view, designing the overall security framework for an enterprise. This is a senior-level position that requires broad knowledge of networks, cloud platforms, and risk management. Expect salary ranges between $160,000 and $175,000, reflecting the high level of responsibility involved.1
Penetration Tester
Also known as ethical hackers, penetration testers simulate attacks against systems to find vulnerabilities before malicious actors do. The role is highly specialized and appeals to professionals who enjoy problem-solving under pressure. Salaries generally range from $110,000 to $125,000.1
Incident Responder
When a breach or security event occurs, incident responders are the first ones called. They contain threats, conduct forensic analysis, and coordinate recovery efforts. While the role can be high-stress, compensation typically ranges from $95,000 to $110,000.1 Gaining experience here can open doors to leadership roles in security operations.
Chief Information Security Officer (CISO)
At the top of the cybersecurity career ladder sits the CISO, the executive responsible for an organization's entire security strategy. This role combines deep technical knowledge with business acumen and leadership. CISOs command salaries between $200,000 and $250,000, with total compensation at large enterprises often exceeding that range when bonuses and equity are included.1 Curious about the journey to the top? Read about how to become a CISO.
Choosing the Right Path
The salary differences across these roles underscore an important point: specialization and seniority matter. If you are just starting out, roles like cybersecurity analyst or incident responder offer solid pay and a clear trajectory for growth. Over time, moving into engineering, architecture, or executive leadership can significantly increase your earning potential. Think about whether you prefer hands-on technical work, strategic planning, or organizational leadership, and let that guide your next career move.
Cybersecurity Salary by Experience Level
Experience is the single biggest lever on your cybersecurity paycheck. The jump from entry level to mid-career represents roughly a 40% median salary increase, the steepest percentage gain across the entire career arc. After that, continued growth depends heavily on earning advanced certifications and moving into management or principal-level roles.
How Certifications Impact Cybersecurity Pay
Certifications are one of the most direct levers you can pull to increase your cybersecurity salary. Industry surveys consistently show that certified professionals earn $10,000 to $20,000 more per year than their non-certified peers, with the gap widening as you move into mid-career and senior credentials.1 The key is choosing the right certification at the right time.
The Salary Premium by Certification
Not all certifications carry the same weight on your paycheck. Here is how the most popular credentials stack up based on recent workforce and salary survey data:
- CompTIA Security+: Holders typically earn $8,000 to $15,000 more than non-certified professionals, translating to roughly a 10 to 20 percent bump. This is the go-to entry-level credential and is recognized across government and private sector roles.1
- CISSP (Certified Information Systems Security Professional): The premium here jumps to $15,000 to $25,000, or about 13 to 20 percent above non-holders. With an average salary near $147,000 for certified professionals, CISSP is widely regarded as the single highest-ROI certification in cybersecurity.2
- CISM (Certified Information Security Manager): Comparable to CISSP in earning power, CISM holders see a $15,000 to $25,000 lift (15 to 20 percent). This credential skews toward governance, risk management, and security program leadership.3
- CISA (Certified Information Systems Auditor): Audit-focused professionals earn $10,000 to $20,000 more with this credential, a 10 to 20 percent increase that reflects strong demand in compliance-heavy industries like finance and healthcare.3
- CEH (Certified Ethical Hacker): The salary bump is more modest at $5,000 to $10,000 (roughly 5 to 10 percent), but CEH remains valuable for professionals pursuing penetration testing and red-team roles where hands-on offensive skills matter.2
Why Mid-Career Certs Move the Needle More
Entry-level certifications like Security+ are essential for getting your foot in the door. They validate foundational knowledge and satisfy baseline requirements for many job postings, especially in government and defense contracting. However, the real salary acceleration happens with mid-career credentials like CISSP and CISM. These certifications require several years of professional experience to even qualify, which means they signal both knowledge and proven competence to employers.
Consider that the median salary for information security analysts overall sits around $124,910 as of 2024 data, while CISSP holders average closer to $147,000.1 That gap is not just about having letters after your name. It reflects the deeper expertise and leadership capability these certifications represent, and for many professionals, CISSP or CISM becomes the credential that unlocks a path to become chief information security officer.
A Practical Stacking Strategy
Rather than collecting certifications at random, think of them as building blocks aligned to your career goals:
- Start with Security+ to establish credibility and meet hiring requirements for entry-level analyst positions.
- If you are targeting a management or leadership track, pursue CISSP once you have four to five years of experience. This single credential can accelerate your path to six-figure roles.
- For a governance, risk, and compliance career path, add CISM or CISA after gaining experience in audit or policy work.
- If offensive security and penetration testing appeal to you, pair CEH with hands-on lab practice and consider following up with more advanced offensive certifications.
The most important thing to remember is that certifications compound in value when paired with real-world experience. A Security+ holder with two years of analyst work is a strong candidate for mid-level roles. Add a CISSP a few years later and you are positioned for senior and management positions that command significantly higher pay. If penetration testing is your focus, the CEH pairs well with a longer-term plan to become a penetration tester. Plan your certification path like a career roadmap, not a checklist, and the salary returns will follow within 12 to 18 months of earning each credential.1
The Bureau of Labor Statistics projects information security analyst employment to grow roughly 33 percent through the early 2030s, a pace that far outstrips the average for all occupations. Meanwhile, ISC2 estimates the global cybersecurity workforce gap stands at approximately 4.8 million professionals, meaning demand continues to vastly outpace supply.
Remote Cybersecurity Salary: What to Expect
One of the most common questions career changers ask is whether going remote means taking a pay cut. The short answer for cybersecurity professionals: not necessarily. Remote cybersecurity salary figures in the United States track closely with on-site pay, typically falling within a plus-or-minus 5 to 10 percent range of equivalent in-office roles.1 For mid-career security analysts and engineers working remotely, salaries commonly land between $100,000 and $150,000, which aligns well with the national median of $120,360 reported for information security analysts in 2024.2
How Employers Handle Remote Pay
Not every company treats remote compensation the same way. Two broad approaches dominate the market right now:
- National-band pay: Some employers, particularly cybersecurity-focused firms and federal contractors, set a single salary band regardless of where you live. Remote workers under this model may actually see a 0 to 5 percent premium over on-site peers because the employer saves on office overhead.1
- Location-adjusted pay: Large tech companies and consulting firms often scale salaries to your cost of living. If you move from San Francisco to a lower-cost metro, expect a discount of roughly 5 to 20 percent compared to what the same role pays in the original high-cost location.1
Before accepting an offer, ask the hiring manager which model the company uses. This single detail can swing your total compensation by tens of thousands of dollars.
Which Roles Work Best Remotely
Remote friendliness varies by specialty, and that affects demand and pay:
- Highly remote-friendly: SOC analysts, GRC specialists, and cloud security engineers perform nearly all of their work through digital tools and cloud consoles. If that last role interests you, explore the cloud security specialist roadmap for a detailed breakdown. Strong remote demand keeps salaries competitive.
- Less remote-friendly: Roles tied to physical infrastructure, such as OT/ICS security or on-site penetration testing, usually require a presence at facilities. These positions may command location-specific premiums but offer fewer remote options.
Because remote-friendly roles draw applicants from a national (and sometimes international) talent pool, employers weigh certifications and demonstrable skills more heavily than geography when setting pay. Industry salary guides confirm that credentialed remote candidates routinely match or exceed on-site salary benchmarks.3
The Bottom Line for Remote Job Seekers
If you are targeting a remote cybersecurity career, focus on roles that naturally fit distributed teams and clarify the employer's pay philosophy early in the interview process. Investing in the right credentials along a clear cybersecurity career path puts you in the strongest position to negotiate a salary that reflects your skills rather than your zip code.
Factors That Influence Your Cybersecurity Salary
Your cybersecurity salary is not determined by a single variable. It is shaped by a combination of factors, many of which you can actively control. Understanding these levers, and learning how to stack them, is the difference between a modest paycheck and a truly competitive compensation package.
Industry Sector Matters More Than You Think
Not all employers value cybersecurity talent equally. Finance, defense contracting, and healthcare organizations tend to offer the highest salaries because the cost of a breach in those sectors is enormous. By contrast, education and nonprofit organizations typically pay below the national median for comparable roles. If maximizing income is a priority, targeting your job search toward high-stakes industries can make a meaningful difference, sometimes tens of thousands of dollars annually for the same job title.
The Security Clearance Premium
One of the most powerful, and often overlooked, salary boosters is holding an active security clearance. According to a 2025 compensation report from ClearanceJobs, cleared professionals earned an average total compensation of roughly $126,000, already well above the general cybersecurity median.1 Those who also held a polygraph clearance averaged nearly $150,000, reflecting a premium of about $30,000 over their non-polygraph counterparts.1 Even at the lower end, a standard clearance can translate to a 10 to 20 percent pay bump compared to non-cleared cybersecurity roles. The catch is that you typically need a government or defense employer to sponsor your clearance, but once you have one, it becomes a portable asset that commands a premium across employers.
How Cybersecurity Compares to Adjacent IT Careers
Cybersecurity consistently outpaces several neighboring technology fields in median pay. Based on publicly available Bureau of Labor Statistics data, information security analysts earn a median salary that sits above those of network and systems administrators, data analysts, and many general IT support roles. Software developers can earn comparable or higher salaries at senior levels, but entry and mid-level cybersecurity positions frequently match or exceed their software development counterparts. This competitive positioning makes cybersecurity an attractive pivot for professionals already working in IT who want higher earning potential without necessarily moving into management.
Education Level and Negotiation
A bachelor's degree in cybersecurity is the standard entry point for most cybersecurity roles, but a master's degree or specialized graduate certificate in cybersecurity can open doors to senior analyst, architect, and leadership positions that carry significantly higher pay bands. Do not underestimate negotiation, either. Many candidates leave money on the table simply by accepting the first offer. Research the salary range for your target role using tools like CyberSeek or industry compensation surveys, and negotiate with data in hand.
Stack the Levers for the Biggest Jumps
Here is the most actionable takeaway: the largest salary increases come from combining two or three of these factors rather than chasing any single one in isolation. Consider a few high-impact stacking strategies:
- Clearance plus certification: Pairing an active security clearance with a respected credential like CISSP or CISM signals both trustworthiness and technical depth to employers, a combination that commands top-tier offers.
- High-demand metro plus in-demand specialization: Working in a market like the Washington, D.C. corridor or the San Francisco Bay Area while specializing in cloud security or incident response multiplies geographic and skill-based premiums.
- Advanced degree plus defense sector: A master's in cybersecurity combined with a role at a cleared defense contractor can push total compensation well into six figures even relatively early in your career.
No single move will transform your salary overnight. But by deliberately layering these controllable factors, whether it is upgrading your education, earning a clearance, targeting a lucrative sector, or simply negotiating effectively, you position yourself to capture compounding advantages over the course of your career.
If you want the single highest-leverage move to raise your cybersecurity salary, focus on a mid-career certification like CISSP or CISM. These credentials routinely deliver a salary bump of $20,000 or more, and they take a fraction of the time and cost of pursuing a second degree. For most professionals, one well-chosen cert is the fastest path to a meaningful pay increase.
Cybersecurity Career Salary FAQ
Below are answers to the most common questions career changers and students ask about cybersecurity compensation. Each response draws on current salary data and industry benchmarks covered throughout this guide.
Whether you filter by state, role, experience, or remote flexibility, cybersecurity salaries remain strong across nearly every variable. A national median above $124,000, projected job growth of roughly 33 percent, and a global workforce gap that shows no sign of closing all point in the same direction: negotiating power stays with professionals for the foreseeable future.
The most productive thing you can do right now is identify your single highest-leverage move and act on it. For some, that means earning a CISSP or CISM. For others, it could be pursuing a security clearance, relocating to a top-paying metro, or specializing in cloud security or incident response. If you are still exploring your options, a cybersecurity degree program can give you the foundational knowledge to get started. Pick one path, build a timeline, and start. The demand is not waiting.
