In early 2024, Palo Alto Networks and a handful of other large security vendors started significantly expanding their cloud security teams, while simultaneously running layoffs in legacy product lines. The signal was pretty clear: certain skills were becoming more valuable, others less so. That trend didn’t reverse in 2025, and it’s more pronounced heading into 2026.
This post is about the skills that are actually moving salaries upward right now, and which ones are becoming table stakes (still necessary, but no longer differentiating). I’ll be honest about where my data is solid and where I’m interpolating from hiring patterns and job post analysis.
The salary reality: what the numbers actually say
The Bureau of Labor Statistics puts the median annual wage for information security analysts at $120,360 as of their most recent data, with the top 10% earning over $186,000. Those numbers understate what’s happening at the high end in cloud security and red team roles, where total compensation (base plus equity at public companies) regularly reaches $200,000 to $300,000 in major tech hubs.
The variance matters as much as the median. A Security+ holder working helpdesk-to-SOC-analyst transition might start at $62,000 in a mid-tier market. A Cloud Security Architect with five years of AWS experience and a security specialty certification at a Series C startup in San Francisco might be at $210,000 plus equity. These are the same field but effectively different career tracks. Treating them as a single salary range produces a number that’s accurate for nobody.
Geographic premiums are real. Add roughly 35 to 50 percent for San Francisco, New York, or Seattle. Subtract 20 to 30 percent for secondary markets. Remote work has compressed this somewhat: many companies now hire remote for security roles and pay a regionally adjusted rate, though what “regional adjustment” means varies enormously by employer.
Skills that command $150K and above
Cloud security is at the top. Specifically: the ability to secure AWS, GCP, or Azure environments at scale, including IAM policy design, security group architecture, CloudTrail and GuardDuty configuration, and automated remediation workflows. Cloud Security Architects who can do this at enterprise scale are consistently well-compensated, and the demand shows no sign of contracting.
The Stack Overflow 2024 Developer Survey showed AWS as the most commonly used cloud platform among professional developers by a wide margin. That adoption level translates directly into demand for people who can secure it. AWS Security Specialty certification holders are consistently among the most in-demand candidates in job postings I’ve reviewed.
Security automation also sits in this tier. If you can write detection logic, build automated response playbooks, or integrate security tooling into CI/CD pipelines, you’re moving beyond the reactive analyst track into something companies pay significantly more for. Python is the language that comes up most, along with Terraform for infrastructure-as-code security controls.
DevSecOps as a discipline spans both of these. The core value proposition is catching security issues before code ships rather than after. Shift-left security, SAST/DAST tooling, dependency scanning, container vulnerability management: these are skills that engineering-led companies are building into hiring pipelines for senior security engineers.
Skills in solid demand at $100K to $150K
Penetration testing and red team skills sit here for most mid-career practitioners. OSCP-certified pentesters at consulting firms tend to earn in this range. The ceiling is higher for specialists with deep expertise in specific attack surfaces (hardware, automotive, OT/ICS systems), but generalist web application penetration testing has become more commoditized as tooling has matured.
Threat intelligence and threat hunting are growing faster than the raw job volume suggests. Companies building serious security programs want analysts who can proactively look for adversary activity rather than just responding to alerts. MITRE ATT&CK proficiency, Splunk or Elastic search query writing, and experience with structured analysis methodologies (like ACH, Analysis of Competing Hypotheses) distinguish candidates in this space.
Incident response at the senior level also lands in this range, particularly at companies with mature security programs. The combination of technical response skills and the ability to communicate clearly during a crisis is rarer than it sounds.
Entry-level skills: necessary but not differentiating
SOC analyst skills (SIEM triage, basic alert investigation, documentation), Security+ knowledge, and general network monitoring competencies are the entry point to the field. They produce $55,000 to $95,000 roles in most markets. These skills are not going to stop being valuable (the demand for people who can work an alert queue is real), but they’re also not going to produce large salary jumps on their own.
The path upward from here typically involves picking a specialization (cloud security, offensive security, identity, threat intelligence) and building depth in that area alongside the general operational skills. Generalism is fine and often necessary at smaller organizations, but it rarely produces top-of-market compensation.
The skills roadmap question: where do you actually start?
I get asked some version of this constantly, and I’m going to be upfront: the “best” path depends a lot on where you’re starting from and what kind of work you actually want to do. Someone transitioning from network engineering should take a different path than someone coming from software development.
That said, here’s a rough sequence that works for most people targeting the mid-market ($90K to $130K range) within 18 to 24 months from a standing start:
- Foundational networking: TCP/IP, DNS, HTTP, basic routing. CompTIA Network+ or equivalent self-study. Without this, everything else is rote memorization with no underlying model.
- Security fundamentals: CompTIA Security+ for credential purposes. Supplement with TryHackMe or HackTheBox for hands-on practice that textbooks don’t provide.
- A real job in security, even a junior one. SOC analyst, security operations associate, or IT generalist with security responsibilities. The operational experience is irreplaceable.
- Cloud basics: AWS Cloud Practitioner or equivalent. Then, if you’re targeting cloud security specifically, AWS Solutions Architect Associate before the Security Specialty.
- Specialization cert: OSCP, CySA+, AWS Security Specialty, or GCIH depending on your target track.
The 12-month timelines I see in blog posts promising to take someone from zero to $150K are, in my view, mostly aspirational. 24 to 36 months from standing start to mid-market is more realistic for most people, and that’s still faster than many other technical fields.
What the interview process looks like for high-paying roles
Roles above $130K in cybersecurity tend to have more rounds and more behavioral questions than entry-level roles. Technical assessment is usually present (a take-home scenario, a lab exercise, or a case study involving a real incident type), but behavioral interviews carry significant weight. “Tell me about a time you identified a threat that wasn’t in your runbook” is a genuine question at this level.
The ability to explain technical risk in business terms comes up in almost every senior interview. If you can’t explain to a CFO why an unpatched system represents a material risk to the business, you’ll hit a ceiling regardless of your technical depth.
Craqly’s AI interview assistant can help with the behavioral and scenario-based practice that most candidates underinvest in. Technical prep gets most of the attention; communication under pressure gets comparatively little. Given how heavily the high-paying roles weight it, that’s a real gap worth addressing before your next interview cycle.
The demand is real. The question is which segment of it you’re building toward.