
Cybersecurity Careers in the US: Jobs, Salaries & Pathways

What Does the Cybersecurity Job Market Look Like in the United States?


The United States is the largest cybersecurity job market in the world — and it is not close. According to the Bureau of Labor Statistics (BLS), information security analyst employment is projected to grow 33% from 2023 to 2033, far outpacing the average for all occupations. CyberSeek — a joint initiative of NICE, CompTIA, and Lightcast — reports over 500,000 unfilled cybersecurity positions across the country at any given time. The National Cybersecurity Strategy published by the Biden administration in March 2023 elevated cyber workforce development to a national priority, and the CISA Cybersecurity Workforce Training Guide actively promotes pathways for non-traditional candidates.

High-profile incidents — the SolarWinds supply chain attack, the Colonial Pipeline ransomware event, the MOVEit vulnerability exploitation wave — have pushed cybersecurity spending to unprecedented levels. Gartner estimates that US organisations spent over $80 billion on security and risk management in 2024 alone. Every sector — federal government, defence, finance, healthcare, energy, technology — is competing for the same limited pool of talent, which is why the US market remains the most opportunity-rich environment for cybersecurity career changers anywhere in the world.

I research the US market constantly because it sets the tone for what eventually reaches Australia. The certifications US employers ask for, the frameworks they adopt, and the salary benchmarks they establish ripple outward to every other market. Even though I am building my career in Sydney, understanding the American landscape has been essential — and frankly humbling. The sheer scale of the US market is staggering. Where Australia needs 30,000 more professionals, the US needs ten times that number. The opportunities are enormous, but so is the complexity of navigating a market with 50 states, federal versus private-sector dynamics, and a clearance ecosystem that makes the Australian system look straightforward.

What Are the Salary Ranges for Cybersecurity Roles in the US?


US cybersecurity salaries are the highest in the world in absolute terms, though cost of living varies dramatically by region. All figures below are in US Dollars (USD) and represent typical ranges based on data from the Bureau of Labor Statistics, CyberSeek, Glassdoor, Levels.fyi, and Robert Half reports.

| Role | Experience Level | Salary Range (USD) | Notes |
| --- | --- | --- | --- |
| SOC Analyst (Tier 1) | Entry (0–2 years) | $55,000–$75,000 | Highest volume of entry-level openings nationwide |
| SOC Analyst (Tier 2) | Mid (2–4 years) | $75,000–$100,000 | Requires SIEM expertise and incident response skills |
| GRC Analyst | Entry–Mid (0–3 years) | $60,000–$90,000 | Strong demand from finance, healthcare, and government |
| Security Engineer | Mid (3–5 years) | $90,000–$130,000 | Cloud security experience commands a significant premium |
| Penetration Tester | Mid (2–5 years) | $80,000–$120,000 | Higher at specialist firms and Big Tech |
| Security Architect | Senior (5–8 years) | $130,000–$180,000 | Enterprise design roles at large organisations |
| Security Consultant | Mid–Senior (3–8 years) | $85,000–$150,000 | Wide range depending on firm and specialisation |
| Incident Response Lead | Senior (5–8 years) | $110,000–$160,000 | High demand following wave of ransomware attacks |
| Security Manager | Senior (6–10 years) | $120,000–$175,000 | People management plus technical depth |
| CISO | Executive (10+ years) | $180,000–$350,000+ | Fortune 500 companies pay at the top; total comp with equity can exceed $500K |

Individual results vary based on location, experience, market conditions, and effort invested.

Key salary observations:

  • Geography matters enormously. The same Security Engineer role might pay $90,000 in a mid-size city and $150,000+ in San Francisco or New York, though cost of living offsets much of the difference.
  • Clearance holders earn a premium. An active TS/SCI clearance can add $15,000–$40,000 to equivalent non-cleared roles, particularly in the DC/NoVA area.
  • Big Tech pays above these ranges. Security engineers at Google, Meta, Amazon, and Microsoft often earn $150,000–$250,000+ in total compensation (base + stock + bonus), but these roles are highly competitive.
  • Remote roles are normalising salaries. Many US employers now offer location-adjusted pay, but remote cybersecurity roles based in lower-cost areas can still pay $70,000–$100,000+ for mid-level positions.

Who Are the Major Cybersecurity Employers in the US?


The US employer landscape is vastly more diverse than any other market. Understanding the categories helps you target your search.

Federal Government and Intelligence Community


The US federal government is the world’s largest single employer of cybersecurity professionals. These roles offer unique mission, stability, and clearance-eligible careers.

| Employer | Location | Notes |
| --- | --- | --- |
| NSA (National Security Agency) | Fort Meade, MD | Signals intelligence and cybersecurity. Largest employer of mathematicians in the US. |
| CISA (Cybersecurity and Infrastructure Security Agency) | Arlington, VA / distributed | Nation’s cyber defence agency. Growing rapidly with expanded mission and hiring authority. |
| FBI (Cyber Division) | Washington DC / field offices | Cybercrime investigation, digital forensics, threat intelligence. |
| Department of Defense (DoD) | Nationwide | Cyber Command, service branches, and hundreds of support roles across military installations. |
| CIA (Directorate of Science & Technology) | Langley, VA | Technical intelligence collection and cybersecurity operations. |
| DHS (various components) | Washington DC area | Immigration, customs, Secret Service — all have substantial cyber teams. |

Defence contractors are often the easiest path into cleared cybersecurity work because they hire at higher volume than government agencies.

| Employer | Headquarters | Notes |
| --- | --- | --- |
| Raytheon Technologies | Arlington, VA | Major defence and cybersecurity capabilities across all domains. |
| Northrop Grumman | Falls Church, VA | Strong cyber division with offensive and defensive capabilities. |
| Lockheed Martin | Bethesda, MD | Coined the “Cyber Kill Chain.” Large internal security team and client-facing cyber services. |
| Booz Allen Hamilton | McLean, VA | The largest cybersecurity consulting firm in the federal space. Significant hiring volume. |
| General Dynamics IT | Falls Church, VA | IT and cybersecurity services across federal agencies. |
| Leidos | Reston, VA | Substantial federal cyber contracts including intelligence community support. |

Technology companies employ large internal security teams — these roles are among the highest-paying in the industry.

| Employer | Notes |
| --- | --- |
| Google (Mandiant / Cloud Security) | Acquired Mandiant in 2022. Massive threat intelligence, incident response, and cloud security operation. |
| Microsoft (MSRC / Security) | Microsoft Security Response Center. Thousands of security professionals protecting Azure, Windows, and enterprise customers. |
| Amazon (AWS Security) | Cloud security at the world’s largest cloud provider. Significant hiring across all security disciplines. |
| Meta (Security Engineering) | Platform security, threat intelligence, and security engineering at massive scale. |
| Apple (Security Engineering) | Hardware and software security. Highly selective, premium compensation. |
| CrowdStrike | Austin, TX / distributed. Endpoint security leader with fast-growing team. |
| Palo Alto Networks | Santa Clara, CA. Network security leader with broad product portfolio. |

US financial institutions operate some of the most sophisticated security programmes in the world.

| Employer | Notes |
| --- | --- |
| JPMorgan Chase | Employs 3,000+ cybersecurity professionals. One of the largest private-sector cyber teams globally. |
| Goldman Sachs | Significant security engineering team. Technology-forward culture. |
| Bank of America | Major investment in cybersecurity. Active hiring at all levels. |
| Citigroup | Global security operations with large US presence. |
| Morgan Stanley | Strong security engineering and GRC teams. |

MSSPs are excellent entry points — they hire at volume and provide broad exposure across clients and technologies.

| Employer | Notes |
| --- | --- |
| Secureworks | Dell-owned MSSP. Strong SOC operations and managed detection and response. |
| Arctic Wolf | Fast-growing managed security provider. Significant entry-level hiring. |
| Optiv | Large cybersecurity solutions provider. Consulting, integration, and managed services. |
| Rapid7 | Vulnerability management and detection/response platform with professional services arm. |
| Trustwave | Global MSSP with substantial US operations. |

| Employer | Notes |
| --- | --- |
| Deloitte Cyber | Largest Big Four cyber practice. Federal and commercial practices. |
| PwC Cybersecurity | Strong GRC, strategy, and privacy focus. |
| EY Cybersecurity | Growing practice with identity and cloud security emphasis. |
| KPMG Cyber | Risk and compliance-oriented cyber practice. |
| Accenture Security | One of the largest security consulting teams globally. |
| Mandiant (now Google Cloud) | Incident response and threat intelligence — the gold standard. |

US Cybersecurity Career Pathway

Typical progression with major US employers at each level

Entry Level (0–2 years | $55K–$75K)

  • SOC Analyst T1: Arctic Wolf, Secureworks, Optiv, bank SOCs
  • GRC Analyst: Big Four, banks, federal agencies
  • IT Security Support: Any mid-large organisation
  • Jr Pen Tester / Vuln Analyst: Rapid7, Trustwave, boutique firms

Mid Level (2–5 years | $80K–$130K)

  • SOC Analyst T2/T3: Secureworks, JPMorgan, Booz Allen
  • Security Engineer: Google, Amazon, Microsoft, banks
  • Penetration Tester: Mandiant, Rapid7, Big Four
  • Security Consultant: Deloitte, PwC, Accenture, Optiv

Senior Level (5–10 years | $130K–$180K)

  • Security Architect: Big Tech, banks, federal agencies
  • IR Lead: Mandiant, CrowdStrike, CISA
  • Security Manager: Any large organisation
  • Principal Consultant: Big Four, Booz Allen, Leidos

Leadership (10+ years | $180K–$350K+)

  • CISO: Fortune 500, banks, healthcare
  • VP of Security: Big Tech, financial sector
  • Partner / Director: Big Four, Booz Allen
  • Federal Cyber Leadership: CISA, NSA, Cyber Command

Federal Government vs Private Sector: Which Is Better?


This is the defining career decision for US cybersecurity professionals. The two paths offer fundamentally different experiences.

Federal Government vs Private Sector Cybersecurity in the US

Federal Government (NSA, CISA, DoD): Mission, clearance, stability

  • Work on classified operations: Access to nation-state threat intelligence, offensive operations, and mission sets that simply do not exist in the private sector
  • Job stability and federal benefits: GS pay scale, FEHB health insurance, FERS retirement, TSP matching — outstanding total compensation package
  • Security clearance is a career asset: A TS/SCI clearance is worth $15K–$40K in salary premium and opens doors to the entire cleared workforce ecosystem
  • Student loan forgiveness eligibility: Federal employees qualify for Public Service Loan Forgiveness (PSLF) after 10 years of qualifying payments
  • Salary ceiling lower than private sector: GS-15 caps around $170K–$191K depending on locality; SES roles reach higher but are limited in number
  • DC/NoVA-centric for most roles: The majority of federal cyber roles are concentrated in the Washington DC metropolitan area
  • Bureaucracy and slow hiring processes: Federal hiring can take 3–6 months. USAJobs applications require patience and specific formatting

Private Sector (Big Tech, Finance, MSSPs): Higher pay, speed, variety

  • Significantly higher salary ceiling: Big Tech total comp can reach $200K–$400K+ for senior engineers; CISO roles at Fortune 500 exceed $350K
  • Location flexibility: Roles in every major metro plus growing remote options — particularly strong for security engineering and GRC
  • Faster hiring and career progression: Private-sector hiring cycles are measured in weeks, not months, and promotions are merit-based
  • Cutting-edge technology: Big Tech and startups work with the latest tools, cloud platforms, and security technologies
  • Less job security: Tech layoffs in 2023–2024 affected security teams. Market conditions directly impact headcount
  • On-call and high-pressure culture: SOC shift work, incident response at 2 AM, and aggressive SLAs are the norm at MSSPs and banks
  • No access to classified intelligence: Private-sector threat intelligence is good but cannot match what government analysts see

Verdict: Neither path is universally better. Federal government suits those who value mission, stability, clearance, and benefits. Private sector suits those who prioritise salary ceiling, location flexibility, and rapid career growth.

Many successful US cybersecurity professionals alternate between government and private sector throughout their careers — the 'revolving door' between government service and defence contractors or consulting firms is a well-established career pattern.

Security clearances: what you need to know


Security clearance is the single most significant differentiator in the US cybersecurity job market. The cleared workforce ecosystem — concentrated in the DC/Northern Virginia/Maryland corridor — represents hundreds of thousands of positions.

| Clearance Level | Processing Time | Requirements | Salary Impact |
| --- | --- | --- | --- |
| Public Trust | 1–3 months | US citizen or permanent resident, background check | Baseline for many civilian agency roles |
| Secret | 3–6 months | US citizen, SF-86 investigation, financial and criminal checks | +$5,000–$15,000 over non-cleared equivalents |
| Top Secret (TS) | 6–12 months | US citizen, extensive Single Scope Background Investigation (SSBI) | +$15,000–$25,000 |
| TS/SCI | 6–18 months | Top Secret plus Sensitive Compartmented Information access — polygraph may be required | +$20,000–$40,000 |
| Full Scope Polygraph | 12–24 months | TS/SCI plus Full Scope Polygraph — primarily intelligence community | Significant premium; highly sought after |

Key facts:

  • Clearance is sponsored by the employer, not obtained independently. You cannot apply for clearance on your own.
  • US citizenship is required for Secret and above. Public Trust positions may accept permanent residents.
  • The SF-86 form (Standard Form 86) is 127 pages and covers 10 years of personal, financial, and employment history.
  • A clearance backlog has historically been a problem — the average TS investigation took over 400 days in 2018, though processing times have improved since the transfer to DCSA.
  • Having an active clearance makes you immediately employable in the DC/NoVA corridor — defence contractors will often create roles for cleared candidates.

DoD 8570/8140: baseline certification requirements


The DoD Directive 8570 (being replaced by DoD 8140) establishes mandatory baseline certifications for anyone performing cybersecurity functions within the Department of Defense — including contractors.

| Category | Baseline Certs | Who Needs It |
| --- | --- | --- |
| IAT Level I | CompTIA A+, Network+, or SSCP | Help desk and IT support in DoD environments |
| IAT Level II | CompTIA Security+, CySA+, or GSEC | Most common requirement — Security+ satisfies this for the majority of DoD cyber roles |
| IAT Level III | CISSP, CASP+, or CISA | Senior technical roles |
| CSSP Analyst | CySA+, GCIA, CEH, or equivalent | SOC analysts in DoD environments |
| CSSP Incident Responder | GCIH, CISSP, CEH, or equivalent | Incident response roles |

Where Are the Jobs? City-by-City Breakdown


Washington DC / Northern Virginia / Maryland — The Cyber Capital


The DC metropolitan area is the largest cybersecurity job market in the world, driven by the federal government, intelligence community, and defence contractors.

Key sectors: Federal government (NSA, CISA, DoD, CIA, FBI), defence contractors (Booz Allen, Raytheon, Northrop, Leidos, GDIT), consulting (Big Four federal practices), cleared MSSPs.

Advantages: Highest volume of cybersecurity roles anywhere on Earth. Clearance holders are in extreme demand. Federal benefits (FERS retirement, FEHB, TSP matching) add significant value beyond base salary. Multiple BSides events and active security community.

Challenges: High cost of living, particularly in Northern Virginia (Arlington, Tysons Corner, Reston). Traffic congestion is notorious. Most high-paying roles require clearance, which requires citizenship and can take months to process.

Typical salaries: 10–20% above national averages. Cleared roles pay an additional $15,000–$40,000 premium.

NYC’s cybersecurity market is anchored by Wall Street — the financial sector drives the majority of demand.

Key sectors: Financial services (JPMorgan, Goldman Sachs, Citigroup, Morgan Stanley, Bloomberg), media and publishing, healthcare, consulting.

Advantages: Highest absolute salaries in the private sector. Enormous financial-sector demand for GRC, security engineering, and threat intelligence. Dense networking opportunities — ISSA NYC, OWASP NYC, BSides NYC.

Challenges: Highest cost of living in the US. Competition for roles is intense. Many financial-sector security roles require prior financial industry experience or familiarity with regulations (SOX, GLBA, NY DFS 23 NYCRR 500).

San Francisco / Bay Area — Technology Capital


The Bay Area cybersecurity market is driven by technology companies and the venture-backed startup ecosystem.

Key sectors: Big Tech (Google, Apple, Meta, Salesforce), security vendors (Palo Alto Networks, CrowdStrike, Fortinet), startups, venture-backed security companies.

Advantages: Highest total compensation in the industry (base + stock + bonus). Cutting-edge technology and security challenges. Strong community (BSides SF, OWASP Bay Area, DEF CON groups).

Challenges: Extremely high cost of living. Tech layoffs in 2023–2024 affected the market. Many roles require significant engineering background. Housing costs can offset salary premiums.

Austin has emerged as one of the fastest-growing cybersecurity markets in the US, fuelled by tech company relocations and a business-friendly environment.

Key sectors: Technology (CrowdStrike, Dell/Secureworks, Oracle, Tesla), defence (growing presence), startups, managed security providers.

Advantages: Lower cost of living than SF, NYC, or DC. No state income tax (Texas). Growing tech ecosystem with strong demand. Active security community (BSides Austin).

Challenges: Smaller market than DC, NYC, or SF. Fewer federal government roles. Some roles still require relocation from candidates based elsewhere.

Dallas offers diverse cybersecurity demand across multiple industries, with a lower cost of living than coastal metros.

Key sectors: Financial services (Charles Schwab, State Farm), telecommunications (AT&T headquarters), healthcare, energy, defence contractors.

Advantages: Lower cost of living. No state income tax. Broad industry mix provides diverse opportunities. Growing market with less competition than coastal cities.

Challenges: Market depth is less than DC, NYC, or SF. Fewer Big Tech opportunities. Some specialised roles may be limited.

Remote cybersecurity work has expanded dramatically since 2020, and many US employers now offer fully remote positions.

Key observations: GRC, security engineering, and consulting roles are most commonly offered remotely. SOC analyst roles are increasingly remote but some employers still prefer on-site. Federal government and cleared roles are almost exclusively on-site. Remote salaries may be adjusted for geographic location — some employers pay a “national rate” while others adjust by region.

Core certifications (valued across the US market)

| Certification | US Relevance | Cost (USD approx.) |
| --- | --- | --- |
| CompTIA Security+ | The most requested entry-level cert; satisfies DoD 8570 IAT Level II | ~$404 |
| ISC2 CC | Free — excellent starting credential, increasingly recognised | Free |
| CompTIA CySA+ | Strong for SOC roles; satisfies CSSP Analyst under 8570 | ~$404 |
| CISSP | Required or preferred for senior and management roles across all sectors | ~$749 |
| CISM | Popular in GRC, especially Big Four and financial sector | ~$575 |
| CEH | Required by some DoD contracts; valued in pen testing | ~$1,199 |
| OSCP | Gold standard for pen testing roles | ~$1,649 |
| GIAC certifications | Highly valued by employers willing to pay — GSEC, GCIH, GCIA, GPEN | $2,000–$8,000+ (often employer-funded) |

| Knowledge Area | What It Is | Who Needs It |
| --- | --- | --- |
| NIST Cybersecurity Framework (CSF) | The most widely adopted cybersecurity framework in the US — used across government and private sector | Everyone — this is the NIST equivalent of Australia’s Essential Eight |
| NIST 800-53 | Comprehensive security and privacy controls for federal systems | Security professionals working with or within federal government |
| FedRAMP | Federal Risk and Authorization Management Program for cloud services used by government | Cloud security professionals serving federal clients |
| DoD 8570/8140 | Baseline certification requirements for DoD cybersecurity workforce | Anyone working in or with the Department of Defense |
| CMMC (Cybersecurity Maturity Model Certification) | Required for DoD supply chain contractors — tiered maturity model | Defence industrial base (DIB) companies and their security teams |
| HIPAA Security Rule | Health Insurance Portability and Accountability Act — security requirements for healthcare | Healthcare cybersecurity roles |
| SOX / GLBA / PCI DSS | Financial sector compliance frameworks | Financial sector GRC and security engineering roles |

How Do You Find Cybersecurity Jobs in the US?

| Platform | Best For | Tips |
| --- | --- | --- |
| CyberSeek | Interactive map of US cybersecurity supply/demand by metro area and role | Use it to identify which roles are most in demand in your target city |
| ClearanceJobs | Cleared positions — defence contractors and intelligence community | Create a profile even before you have clearance; recruiters search actively |
| USAJobs | All federal government cybersecurity positions | Federal resumes require a specific format — longer and more detailed than private sector. Search “2210” (IT Specialist) series |
| LinkedIn | Broadest coverage across all sectors | Follow CrowdStrike, Palo Alto, CISA, Booz Allen. Engage with US cybersecurity content. Set job alerts |
| Indeed | High volume of mid-market and MSSP roles | Good for entry-level positions outside major metros |
| Dice | Technology and cybersecurity specialist job board | Filter by cybersecurity, set salary ranges |
| Built In | Tech company roles in specific cities (Austin, NYC, SF, etc.) | Strong for startup and growth-stage security roles |

Cybersecurity-specialist recruiters are particularly valuable in the US cleared space. Key firms include Robert Half Technology, TEKsystems, Hays Technology, CyberCoders, and for cleared roles, ClearanceJobs and BAH/Leidos/GDIT internal recruiting teams. The cleared workforce ecosystem operates heavily through referrals and recruiter relationships.

| Organisation | What It Offers | Cost |
| --- | --- | --- |
| ISC2 | World’s largest cybersecurity professional organisation. CISSP, CC, and other certifications. Local chapters across the US. | Membership from $50 USD/year (CC holders) |
| ISSA (Information Systems Security Association) | Networking, education, career development. Strong chapter network across US cities. | ~$95–$160 USD/year |
| ISACA | GRC-focused. CISM, CISA, CRISC certifications. Active US chapters. | ~$135 USD/year |
| OWASP | Application security community. Free local chapter meetings in every major US city. | Free |
| InfraGard | FBI partnership with private sector. Threat briefings and networking. | Free (FBI-vetted membership) |

| Event | Location | Notes |
| --- | --- | --- |
| DEF CON | Las Vegas, NV | The world’s largest hacker conference. Villages, CTFs, talks — an essential experience. |
| Black Hat USA | Las Vegas, NV | Premier commercial security conference. Briefings, trainings, and the Arsenal. |
| RSA Conference | San Francisco, CA | Largest enterprise security conference. Industry-focused, strong for networking and career opportunities. |
| BSides (multiple cities) | Nationwide | Free or low-cost community conferences in 30+ US cities. BSides Las Vegas, BSides DC, BSides SF are among the largest. |
| ShmooCon | Washington, DC | East coast hacker conference. Smaller, community-driven, strong DC-area networking. |
| GrrCon | Grand Rapids, MI | Midwest security conference. Welcoming community, excellent for newcomers. |
| Wild West Hackin’ Fest | Deadwood, SD | BHIS-hosted conference. Outstanding training and community atmosphere. |


Several factors make the US cybersecurity market unique:

1. Scale is unmatched. With 500,000+ unfilled positions and $80+ billion in annual security spending, the US market dwarfs every other country. This scale creates opportunities at every experience level, in every specialisation, and in every geographic region.

2. The cleared workforce is a market within a market. The security clearance ecosystem — centred in DC/NoVA/MD — is essentially a separate job market with its own salary structure, employer base, and career dynamics. Having a TS/SCI clearance transforms your career trajectory in ways that do not exist in most other countries.

3. NIST frameworks dominate. Where Australia uses the ASD Essential Eight and the UK uses Cyber Essentials, the US market is built around NIST CSF, NIST 800-53, and sector-specific regulations. NIST literacy is a fundamental requirement for US cybersecurity professionals.

4. The DoD certification baseline creates guaranteed demand for Security+. The DoD 8570/8140 directive means that hundreds of thousands of defence positions legally require specific certifications — primarily Security+. This single policy decision has made Security+ the most valuable entry-level certification in the world.

5. Remote work is more established than in other markets. US employers have been more aggressive in adopting remote cybersecurity work than their Australian, UK, or European counterparts. This creates opportunities for professionals outside major metros to access high-paying roles.

6. Healthcare and finance create massive compliance-driven demand. HIPAA (healthcare), SOX and GLBA (finance), and PCI DSS (payment card) create regulatory mandates that drive cybersecurity hiring at scale. GRC professionals who understand these regulations are in constant demand.

7. The startup ecosystem creates unique opportunities. The US venture capital ecosystem funds hundreds of cybersecurity startups annually. Early-stage security companies offer equity, rapid responsibility growth, and the chance to build security programmes from scratch — though with higher risk than established employers.

A Practical Entry Plan for US Career Changers


Based on the US market specifically, here is a practical 12-month plan:

Months 1–3: Foundations

  • Earn ISC2 Certified in Cybersecurity (free exam, free training)
  • Start Professor Messer’s Security+ course (free on YouTube)
  • Join ISSA or an ISC2 local chapter
  • Attend a local BSides or OWASP meetup

Months 4–6: Core Certification

  • Earn CompTIA Security+ (~$404 USD) — this satisfies DoD 8570 IAT Level II
  • Build a home lab with VirtualBox (Kali Linux, vulnerable VMs)
  • Complete TryHackMe SOC Level 1 path
  • Learn the NIST Cybersecurity Framework — read the CSF 2.0 documentation

Months 7–9: Hands-On and Networking

  • Complete TryHackMe Cyber Defence path
  • Attend 2–3 community events (BSides, OWASP, ISSA chapter meetings)
  • Connect with 30+ US cybersecurity professionals on LinkedIn
  • Start applying for entry-level roles (SOC Analyst, GRC Analyst, IT Security)

Months 10–12: Active Job Search

  • Register with 2–3 cybersecurity specialist recruiters (Robert Half, TEKsystems, CyberCoders)
  • Apply for roles on CyberSeek, LinkedIn, Indeed, and direct employer career pages
  • If eligible, apply to federal positions on USAJobs (search 2210 IT Specialist series)
  • Consider cleared roles at defence contractors if you are a US citizen — many will sponsor your clearance

The United States offers the largest, most diverse, and highest-paying cybersecurity job market in the world. The skills shortage is real, the federal government is actively investing in workforce development, and employers across every sector are competing for talent.

  • The market is massive. 500,000+ unfilled positions, 33% projected growth, and $80+ billion in annual security spending make the US the undisputed global leader.
  • Entry-level salaries are solid. SOC Analyst Tier 1 roles pay $55,000–$75,000 USD, with rapid progression to six figures within 2–3 years.
  • Geography shapes your career. DC/NoVA (government/defence), NYC (finance), SF/Bay Area (tech), Austin (growing), Dallas (broad demand), Remote (expanding).
  • Security clearance is a career accelerator. US citizenship plus TS/SCI clearance opens the highest-paying and most mission-critical roles in the DC corridor.
  • NIST CSF is essential knowledge. Learn it thoroughly — it is the most widely adopted cybersecurity framework in the US.
  • CompTIA Security+ is the entry ticket. It satisfies DoD 8570 requirements and is the most requested certification in entry-level job postings.
  • The community is enormous and welcoming. DEF CON, Black Hat, BSides (30+ cities), ISSA, ISC2, OWASP — the US security community is the most active and accessible in the world.

The US cybersecurity market rewards ambition, continuous learning, and genuine engagement with the community — and it does not care where you started. Career changers who invest in certifications, hands-on skills, and networking find real opportunities waiting.

Frequently Asked Questions

What is the average cybersecurity salary in the US?

According to CyberSeek, the median salary for cybersecurity roles in the US is approximately $120,000 USD. Entry-level SOC Analyst roles pay $55,000–$75,000 USD, mid-level Security Engineers earn $90,000–$130,000 USD, and CISOs at large organisations earn $180,000–$350,000+ USD. Big Tech total compensation (base + stock + bonus) can push senior security engineers well above $200,000 USD. Salary data sourced from BLS, CyberSeek, Glassdoor, and Robert Half 2025–2026 reports.

Do I need US citizenship for cybersecurity jobs in the US?

Not for private-sector roles. Most MSSPs, technology companies, banks, and consulting firms hire permanent residents, green card holders, and H-1B visa holders. However, federal government roles and defence contractor positions requiring security clearance (Secret and above) require US citizenship. If federal cybersecurity or defence contracting is your goal, citizenship is a prerequisite for clearance.

What is DoD 8570 and why does it matter?

DoD Directive 8570 (being transitioned to DoD 8140) establishes mandatory baseline certifications for anyone performing cybersecurity functions within or for the Department of Defense. The most common requirement is IAT Level II, which is satisfied by CompTIA Security+. This directive effectively guarantees demand for Security+ holders across the entire defence workforce — hundreds of thousands of positions. It is the single most impactful certification policy in global cybersecurity.

Which US city is best for starting a cybersecurity career?

Washington DC/Northern Virginia has the highest volume of cybersecurity roles, but most require or strongly prefer security clearance. For private-sector entry without clearance, NYC (finance), the Bay Area (tech), and Austin (growing tech hub) offer strong entry-level markets. Remote work has expanded options significantly — many entry-level SOC and GRC roles are now available remotely regardless of location.

How do I get a security clearance in the US?

You cannot apply for security clearance independently — it must be sponsored by an employer (federal agency or defence contractor). The employer initiates the investigation through DCSA (Defense Counterintelligence and Security Agency). You complete the SF-86 form, undergo background investigation, financial checks, and for TS/SCI, potentially a polygraph. Processing takes 3–18 months depending on level. US citizenship is required for Secret and above.

Is DEF CON worth attending?

Yes — DEF CON is the world's largest hacker conference, held annually in Las Vegas. It features hands-on villages (lockpicking, social engineering, IoT hacking, car hacking), CTF competitions, talks from leading researchers, and unparalleled networking. The badge costs approximately $440 USD (cash only). For career changers, the community experience and learning are invaluable. BSides Las Vegas runs concurrently and is free, providing additional value.

What is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework (CSF) is a voluntary framework published by the National Institute of Standards and Technology. CSF 2.0 (released 2024) organises cybersecurity activities into six functions: Govern, Identify, Protect, Detect, Respond, and Recover. It is the most widely adopted cybersecurity framework in the US, used by organisations of all sizes across all sectors. Understanding CSF at an implementation level demonstrates immediate relevance to US employers.

Are cybersecurity bootcamps worth it in the US?

It depends. US bootcamps range from $10,000–$20,000+ USD and vary widely in quality. Well-regarded programs include SANS undergraduate programs, Fullstack Cyber Bootcamp, and some university-affiliated programs. However, self-study with certifications (Security+, CySA+, hands-on labs) remains the most cost-effective path. The key differentiator is hands-on experience and certifications, not the bootcamp credential itself. Research carefully, check reviews, and consider whether the cost is justified by the career services and network access.


Salary data from Bureau of Labor Statistics, CyberSeek, Glassdoor, Levels.fyi, and Robert Half as of 2025–2026. Individual results vary based on location, experience, market conditions, and effort invested.