Skip to content
Paygrade Careers. Money. Reality.

Technology · Career profile

Cybersecurity Analyst

What cybersecurity analysts really earn, why the 'millions of unfilled jobs' claim misleads beginners, and the certifications that actually get you hired.

Median salary

$110,000

$65,000 – $185,000

Typical entry route

Certification

~4 years to median pay

Outlook

Growing demand

Cybersecurity has the most misleading marketing in tech: endless headlines about millions of unfilled jobs, next to thousands of qualified juniors who can’t get an interview. Both things are true at once, and knowing why is the difference between a smart entry and a year of rejections.

What the job actually is

Forget hoodie-wearing hackers. A cybersecurity analyst, usually starting in a Security Operations Center (SOC), watches alert queues, investigates suspicious events, and decides in minutes whether that weird login from Belarus is an executive on holiday or the start of a very bad week. It’s detective work built on log files: triage, investigate, escalate, document, repeat.

The job rewards people who understand how systems actually work. You cannot spot abnormal network traffic without knowing what normal looks like, which is why failed entries into the field almost always share one cause: skipping the IT fundamentals.

What it really pays

RegionTypical median (annual)
United States$115,000
United Kingdom$70,000
Western Europe$68,000
US senior / specialized$140,000–$185,000

The US median for information security analysts sits around $110,000–$115,000, notably strong for a role that often doesn’t require a degree. Entry-level SOC work starts at $60,000–$75,000, and the curve steepens with specialization: cloud security, incident response, and detection engineering commonly pay $140,000–$170,000, with offensive security and security architecture above that.

The UK runs £45,000–£65,000 ($55,000–$80,000) for mid-level analysts, with London finance paying a premium. EU pay clusters similarly, strongest in the Netherlands, Germany, and the Nordics. Government roles everywhere pay less but hire juniors more willingly, a deliberately good trade early on.

The realistic path in

  1. Build the IT foundation first. Networking (TCP/IP, DNS), Windows and Linux administration. Most successful analysts did 1–2 years in helpdesk, sysadmin, or networking before security.
  2. Get Security+. It’s the HR filter for most entry roles. One cert, then stop collecting and start doing.
  3. Prove skill in public. A home lab, TryHackMe or Hack The Box progress, and two or three written investigation walkthroughs beat any certificate stack.
  4. Take the unglamorous first role. Night-shift SOC, government, MSSP contractors. The first job is the hard one; the second finds you.
  5. Specialize by year 3. Pick defense (incident response, detection engineering), cloud security, or offense, and aim at the $140,000+ tier. Four years to median is realistic on this route.

The honest downsides

SOC work at the entry level can be genuinely grinding: 12-hour shifts, nights and weekends, and hundreds of alerts that are almost all false positives. Alert fatigue is the field’s occupational hazard, and burnout rates in first-line roles are high. The good analysts automate their way out and move up; the rest churn.

There’s also the cost-center problem. Security doesn’t generate revenue, so budgets get squeezed until an incident proves the point expensively. And when a breach does happen, the hours are brutal and the blame arrives faster than the credit ever did.

Still, the fundamentals of the trade are exceptional: every company is a target, regulation keeps ratcheting up, and AI is producing more attacks faster than it eliminates defenders. Get past the crowded front door and this is a durable, six-figure career with room to run.

Why it's worth it

  • US median around $115,000 without requiring a degree at many employers
  • Demand grows every time something gets breached, which is constantly
  • Clear ladders into cloud security, incident response, and pentesting at $150,000+

The trade-offs

  • Entry level is a paradox: 'shortage' headlines, yet junior postings demand 3 years experience
  • SOC shift work means nights, weekends, and alert fatigue
  • You're a cost center: budgets get questioned until the day of the breach

Frequently asked questions

Can I get into cybersecurity without a degree?

Yes. It's one of the few six-figure fields where certifications plus demonstrated skill genuinely substitute for a degree. The catch is that certs alone don't cut it either: employers want CompTIA Security+ or similar plus evidence you can actually investigate, usually proven through home labs, CTFs, or prior IT work.

How much do cybersecurity analysts make?

The US median is around $110,000–$115,000, with entry-level SOC roles starting at $60,000–$75,000. Specializations pay more: incident responders and cloud security engineers commonly reach $140,000–$170,000, and senior offensive-security roles clear $180,000.

Is the cybersecurity job shortage real?

At the senior level, yes: experienced defenders are genuinely scarce. At the entry level, no: junior applicants heavily outnumber junior openings, because the famous 'millions of unfilled jobs' figures count roles requiring years of experience. The realistic move is 1–2 years in IT support or networking first, then pivoting in.

Which cybersecurity certification should I get first?

CompTIA Security+ is the standard entry ticket: cheap, respected, and required for many US government-adjacent roles. After landing a job, aim for hands-on certs that match your track: BTL1 or CySA+ for defense, OSCP for offensive work. Skip expensive cert stacking before your first role; experience beats a fourth certificate.

Salary figures are researched estimates in USD, aggregated from public salary data across the US, UK and EU. Actual pay varies by location, company and experience. Last updated 7 July 2026.