How much do cybersecurity professionals make?

Cybersecurity salaries rank among the highest in technology, but the headline numbers hide a wide spread. The Bureau of Labor Statistics (Occupational Employment and Wage Statistics, 2024) reports a median annual wage of $124,910 for information security analysts (SOC code 15-1212), more than double the $48,060 median for all occupations. The top 10% earn over $193,000 per year, and the bottom 10% earn approximately $69,210. Where you fall in that range depends on role, experience, certifications, employer type, and location.

Entry-level baseline. SOC Analyst Tier 1 hires typically open at $60,000 to $80,000 nationally, with the BLS (2024) median across all SOC analyst experience levels at $87,400. A Tier 1 SOC analyst in Atlanta with Security+ and one year of helpdesk experience earns $58,000 to $72,000. The same profile in Washington D.C. metro reaches $75,000 to $92,000 because of federal contractor density per BLS Occupational Employment Statistics (2024). GRC Analyst hires open at $70,000 to $95,000 with a $82,500 median.

Mid-career compensation. Security Engineers at the three-to-five-year mark earn a $124,900 median per BLS (2024), with senior individual contributors commonly reaching $150,000 to $180,000. Incident Responders run a $105,300 median, climbing past $140,000 with five years of experience and IR-specific certifications. Threat Intelligence Analysts ($110,800 median) and Penetration Testers ($112,200 median) sit in similar bands. Add 10% to 25% for major metropolitan areas (San Francisco, New York, Washington D.C., Boston).

Senior and leadership compensation. Security Architects earn a $158,600 median per BLS (2024), with Fortune 500 architects routinely above $200,000. CISOs at large enterprises earn a $232,000 BLS median, but the top quartile reaches $400,000 to $700,000 including equity per industry compensation surveys. CISO compensation has climbed since the SEC adopted cyber disclosure rules (Item 1.05 of Form 8-K, effective December 2023) which increased CISO personal liability and accountability profile.

Cybersecurity sales compensation runs higher than most technical IC roles. SDR/BDR opens at $80,000 to $130,000 OTE. Mid-market AEs earn $150,000 to $300,000 OTE. Enterprise AEs at vendors like CrowdStrike, Palo Alto Networks, Zscaler, and Wiz closing seven-figure deals reach $250,000 to $500,000+ OTE. VP of Sales and CRO roles at cybersecurity vendors hit $300,000 to $800,000+ OTE. These numbers do not appear in BLS data because BLS does not separately track cybersecurity-specific sales roles.

Decision logic on how to maximize compensation. Pick the architecture track if you want a high IC ceiling and prefer technical depth. Pick the management track (Security Manager to Director to CISO) if you have leadership instinct and tolerate executive politics. Pick the sales track if you have communication strength and competitive drive. Stay in pure operations if you value stability and clear scope over income maximization.

Tradeoffs to acknowledge. Higher salaries come with higher stress, longer hours, and more accountability. CISOs face personal liability under SEC rules and state AG actions. Enterprise AEs face quota cycles that can wipe out a quarter's earnings. Senior architects often spend more time in meetings than in actual security work. Pick the trajectory that matches what you can sustain, not just what pays most on paper.

Geographic and sector variation matters. Federal contractors in the D.C. corridor often pay 15% to 25% above national median for cleared positions. Financial services and healthcare pay competitively due to regulatory pressure. Government civilian roles (GS-2210 series) pay below private sector at junior levels but include pension, federal benefits, and locality adjustments that close some of the gap.

For role-specific salary data, see the related career entries for soc-analyst, security-engineer, security-architect, ciso, and cybersecurity-account-executive, plus the certification entry for cissp and the glossary entry for incident-response.