Updated June 2026
The State of Cybersecurity Hiring
Key findings
- The median disclosed cybersecurity salary is $168k, across 1462 postings that list pay.
- Open security roles sit unfilled for a median of 32 days.
- Security Engineering is the most in-demand specialization, with 87 open roles.
- 40% of open roles are remote.
- SOC 2 is the most-referenced compliance framework, appearing in 271 postings.
Salary landscape
Based on the 1462 active postings that disclose pay, the median cybersecurity salary is $168k (25th–75th percentile $127k–$207k). Figures cover only roles that publish a salary range.
By specialization
| Specialization | Median (USD) | Postings |
|---|---|---|
| AppSec | $210k | 19 |
| Security Engineering | $190k | 26 |
| Detection Engineering | $182k | 11 |
| GRC | $134k | 17 |
By seniority
| Level | Median (USD) | Postings |
|---|---|---|
| VP | $246k | 26 |
| Director | $222k | 105 |
| Principal | $219k | 75 |
| Staff | $190k | 108 |
| Senior | $165k | 304 |
| Manager | $157k | 347 |
| Mid | $145k | 485 |
By country
| Country | Median (USD) | Postings |
|---|---|---|
| United States | $167k | 676 |
| Canada | $139k | 70 |
Where the demand is
40% of open roles are remote. The most in-demand specializations by open-role volume:
| Specialization | Open roles |
|---|---|
| Security Engineering | 87 |
| AppSec | 66 |
| Detection Engineering | 60 |
| Threat Intelligence | 60 |
| GRC | 56 |
| AI Security | 42 |
| Cloud Security | 32 |
| Offensive Security | 25 |
| Identity & Access | 23 |
| Privacy | 18 |
Time on market
Security roles stay open a median of 32 days. This measures how long currently-open roles have been posted (open-role age), not formal time-to-fill.
| Specialization | Median days open | Postings |
|---|---|---|
| Cloud Security | 76 | 32 |
| Identity & Access | 65 | 23 |
| Privacy | 62 | 18 |
| Offensive Security | 53 | 25 |
| AppSec | 51 | 66 |
| GRC | 47 | 56 |
| Detection Engineering | 44 | 60 |
| Security Engineering | 39 | 87 |
| Threat Intelligence | 32 | 60 |
| AI Security | 31 | 42 |
Framework & certification demand
Frameworks
- SOC 2 - 271
- ISO 27001 - 248
- HIPAA - 244
- GDPR - 194
- CCPA - 166
- FedRAMP - 157
- PCI-DSS - 44
- CMMC - 33
- NIST 800-53 - 31
- DORA - 17
- SOX - 17
- NIST CSF - 12
Certifications
- CISSP - 235
- GIAC - 72
- CompTIA Security+ - 71
- CCSP - 64
- CISA - 58
- CISM - 52
- CEH - 48
- OSCP - 30
- CIPP - 23
- CIPM - 18
- CRISC - 15
- ISO 27001 LA - 5
Key facts (cite this)
- The median disclosed cybersecurity salary is $168k, across 1462 postings that list pay. (source: InfoSec Job Board, June 2026)
- Open security roles sit unfilled for a median of 32 days. (source: InfoSec Job Board, June 2026)
- Security Engineering is the most in-demand specialization, with 87 open roles. (source: InfoSec Job Board, June 2026)
- 40% of open roles are remote. (source: InfoSec Job Board, June 2026)
- SOC 2 is the most-referenced compliance framework, appearing in 271 postings. (source: InfoSec Job Board, June 2026)
Frequently asked questions
What is the median cybersecurity salary in 2026?
Across the 1462 postings on InfoSec Job Board that disclose pay, the median cybersecurity salary is $168k (as of June 2026).
Which cybersecurity roles are most in demand?
By open-role volume, the most in-demand specializations are Security Engineering, AppSec, Detection Engineering.
How long do cybersecurity roles stay open?
Open security roles sit unfilled for a median of 32 days, a sign of how tight the talent market remains.
How is this data collected?
These figures are computed live from the active job postings aggregated from cybersecurity employers on InfoSec Job Board. Salary figures cover only the subset of postings that disclose pay.
Methodology
All figures are computed directly from the active job postings aggregated from cybersecurity employers on InfoSec Job Board, refreshed daily (June 2026). Salary medians cover only the 1462 postings that disclose pay; per-group medians are shown only where the sample is large enough to be meaningful (10+ postings per role, 25+ per country). "Time on market" reflects how long currently-open roles have been posted, not formal time-to-fill.
By Andrew Tjong. Andrew Tjong is the founder of InfoSec Job Board, where he analyzes hiring and salary data across the cybersecurity employers tracked on the platform. Published 2026-06-18; updated June 2026.