Credit: Georgijevic / E+ / Getty Images
Vulnerability assessors apply advanced knowledge of cyberthreats and hacking techniques to help clients and employers protect valuable information. Observers often quote the saying "it takes a thief to catch a thief" when describing their job duties.
Vulnerability assessment specialists draw on the same tactics cybercriminals use to breach systems. However, they use those skills to protect rather than attack.
As of June 2022, Cyberseek estimated the U.S. cybersecurity workforce at over one million people. The organization also reported nearly 600,000 unfilled cybersecurity jobs across the country. These statistics align with broader trends, which point to a global shortage of qualified cybersecurity professionals.
This is good news for aspiring vulnerability assessors. The U.S. and international labor markets are hungry for capable professionals and job prospects look bright.
What Does a Vulnerability Assessor Do?
Vulnerability assessors occupy important roles in cybersecurity teams. Their main duties focus on testing networks and systems for security flaws. Vulnerability assessors also perform security audits and track their findings in detailed reports.
Most vulnerability assessors work in a branch of cybersecurity known as security information and event management (SIEM). Other SIEM roles include penetration testers, threat intelligence specialists, and cybersecurity engineers. Together, SIEM teams build and maintain the cybersecurity systems businesses use to safeguard sensitive data.
Vulnerability assessors often work for cybersecurity consulting firms and technology services companies. Some hold full-time positions with organizations that have ongoing cybersecurity needs. Examples include government agencies and financial institutions. Assessors can also work on a freelance basis.
Top Online Programs
Explore programs of your interests with the high-quality standards and flexibility you need to take your career to the next level.
How Much Does a Vulnerability Assessor Make?
The U.S. Bureau of Labor Statistics (BLS) includes vulnerability assessors within the broader category of information security analysts. BLS data from May 2021 suggests these professionals earn the most in areas with well-established tech sectors. Examples of these regions include California's Silicon Valley, New York's Tech Valley, and Virginia's Dulles Technology Corridor.
Payscale specifically tracks nationwide salary data for vulnerability assessors and other cybersecurity specializations. The site regularly updates vulnerability assessor salary information to reflect changing pay rates.
Average Salary for Vulnerability Assessors by Experience
As in most professional roles, vulnerability assessors usually see their salaries rise over the course of their careers. Earnings tend to keep pace with experience: the more experience, the higher the salary.
Some vulnerability assessors advance to higher-level roles in cybersecurity management as they develop skills over time. For instance, technical knowledge, professional certifications, and/or advanced degrees can help assessors move into security architect positions. Such a shift can increase a vulnerability assessor's salary.
Average Salary for Vulnerability Assessors by Education
Aspiring vulnerability assessors do not always need a college degree. As with many technical professions, employers often value proven skills over formal credentials.
Even so, educational programs can help develop the critical skills employers need. College degrees are a popular option. Shorter than many college programs, cybersecurity bootcamps may offer a time-saving alternative route.
The following table summarizes vulnerability assessor average salary data by education level. It uses salary information associated with common degrees for vulnerability assessors and other cybersecurity professionals.
As in most professions, vulnerability assessor career earnings tend to rise with further education. Upgrading an associate degree to a bachelor's or a bachelor's to a master's requires time and expense. However, career-long earning potential increases can generate a positive long-term return.
Discover Which Education Path Is Right for You
Associate in Cybersecurity Programs Bachelor’s in Cybersecurity Programs Bachelor's in Computer Forensics Programs Master's in Cybersecurity Programs Master's in Computer Forensics Programs Computer Engineering Degree Programs Computer Science Degree Programs Cybersecurity Bootcamps
Match me with a bootcamp.
Find programs with your skills, schedule, and goals in mind.
Average Salary for Vulnerability Assessors by Location
Location has a major impact on a vulnerability assessor's salary potential. Areas with higher living costs usually pay higher salaries. Competition is another important factor. The harder employers must compete to recruit candidates, the more lucrative their offers tend to be.
Prestige also plays a role. Companies in high-profile areas like Silicon Valley and the Dulles Technology Corridor look for elite talent. Thus, they may offer attractive salaries even after correcting for high local living costs.
The following tables present BLS local salary data for information security analysts. The BLS includes vulnerability assessors in this category. You can use this data to inform your research into top-paying destinations for cybersecurity professionals. Vulnerability assessors may earn more or less than these figures. Actual earnings depend on factors like experience, education, and local labor market conditions.
| City and State | Average Annual Salary | Percent Above the National Average |
|---|---|---|
|
San Jose, CA |
$150,820 |
47% |
|
San Francisco, CA |
$149,250 |
45% |
|
Des Moines, IA |
$135,080 |
32% |
|
New York, NY |
$134,930 |
31% |
In general, the top-paying cities for infosec professionals host high-profile technology industries. Des Moines is a notable exception. It has recently emerged as a hotbed of tech startup activity.
| Metropolitan Area | Number of Information Security Analysts Employed | Average Annual Salary |
|---|---|---|
|
San Jose-Sunnyvale-Santa Clara, CA |
N/A |
$150,820 |
|
San Francisco-Oakland-Hayward, CA |
N/A |
$149,250 |
|
Des Moines-West Des Moines, IA |
890 |
$135,080 |
|
New York-Newark-Jersey City, NY/NJ/PA |
10,250 |
$134,930 |
|
Idaho Falls, ID |
230 |
$134,100 |
Idaho Falls employs relatively few vulnerability assessors or information security professionals. However, those that do work in the area tend to enjoy excellent pay. Idaho hosts a surprising density of companies that handle sensitive data and thus need advanced cybersecurity. For instance, the credit reporting bureau Equifax maintains a regional office in Idaho.
| State | Number of Information Security Analysts Employed | Average Annual Salary |
|---|---|---|
|
N/A |
$135,200 |
|
|
7,500 |
$133,210 |
|
|
7,330 |
$126,110 |
|
|
1,280 |
$125,650 |
|
|
2,130 |
$124,980 |
Top Online Programs
Explore programs of your interests with the high-quality standards and flexibility you need to take your career to the next level.
Vulnerability Assessors' Job Outlook and Career Prospects
Many cybersecurity careers have explosive growth projections. Vulnerability assessors are no exception. Labor market analysts expect demand for cybersecurity professionals to rise as technology increasingly penetrates everyday life. At the same time, the cybersecurity industry continues to suffer from a major skills gap. These factors combine to create a positive outlook for job-seekers.
The BLS projects job growth of 33% for information security analysts from 2020-2030, much higher than the 8% average for all occupations. Meanwhile, a vulnerability assessor career profile published by the Department of Homeland Security (DHS) cites a projected 20% growth rate.
Unlike BLS projections, the DHS figure specifically targets vulnerability assessors. However, it is undated and does not indicate a time range over which that 20% growth is expected to occur.
Change in Projected Employment for Information Security Analysts, Including Vulnerability Assessors:
+33% from 2020-2030
Source: BLS
Best Locations for Vulnerability Assessors
As in many other careers, job opportunities for infosec professionals often cluster in larger urban areas. Employment also tends to rise in places with big, fast-growing technology industries.
Vulnerability assessors work in many different settings. The subsections below consider the role from a traditional on-site perspective. However, professionals can sometimes work remotely. Some employers may offer hybrid and off-site options.
Top States for Vulnerability Assessors
Many factors affect a state's appeal as a place to build a career. These factors often depend on a job-seeker's personal goals, priorities, and preferences.
With this in mind, the Infosec Institute issued its picks for the top five states for cybersecurity professionals. The list, published in 2020, included the following locations:
- Virginia: Best for public-sector work
- Texas: Best for growth potential
- Colorado: Best for employment growth
- New York: Best for high salaries
- California: Best overall due to the strength of its technology industry
The following table cites BLS data for states that employ the most information security analysts. Vulnerability assessor jobs fall within this broader umbrella category.
| Top-Employing States | Number of Information Security Analysts Employed | Average Annual Salary |
|---|---|---|
|
16,930 |
$121,940 |
|
|
13,530 |
$101,800 |
|
|
9,360 |
$102,850 |
|
|
7,500 |
$133,210 |
|
|
7,330 |
$126,110 |
| State | Percent Projected Change, 2018-28 | Average Annual Openings |
|---|---|---|
|
Greatest Projected Percentage Increase |
||
|
Utah |
59.3% |
80 |
|
District of Columbia |
52.6% |
220 |
|
Colorado |
50.3% |
510 |
|
Virginia |
45.4% |
1,930 |
|
Nevada |
44.2% |
70 |
|
Most Projected Average Annual Openings |
||
|
Virginia |
45.4% |
1,930 |
|
Texas |
38.2% |
1,040 |
|
New York |
34.3% |
830 |
|
Florida |
44% |
750 |
|
California |
32.7% |
630 |
Top Online Programs
Explore programs of your interests with the high-quality standards and flexibility you need to take your career to the next level.
Top Metropolitan Areas for Vulnerability Assessors
As with states, infosec professionals may prefer certain metro areas for different reasons. Some cities provide a favorable balance between salary potential and living costs. Others offer an appealing quality of life or local culture.
Local labor market conditions, hiring trends, career opportunities, and earning potential can also drive city preferences. These subjective preferences depend on individual factors.
The following table summarizes the U.S. metropolitan areas that employ the most information security analysts. It uses BLS data that covers the broad category of information security analysts. Vulnerability assessors are a specialization within this field. The actual number of vulnerability assessors working in each location will be lower than the cited BLS data.
| Metropolitan Area | Number of Information Security Analysts Employed | Average Annual Salary |
|---|---|---|
|
Washington-Arlington-Alexandria, DC/VA/MD/WV |
15,690 |
$129,110 |
|
New York-Newark-Jersey City, NY/NJ/PA |
10,250 |
$134,390 |
|
Dallas-Fort Worth-Arlington, TX |
5,400 |
$108,550 |
|
Baltimore-Columbia-Towson, MD |
4,050 |
$130,580 |
|
Atlanta-Sandy Springs-Roswell, GA |
4,020 |
$110,450 |
Best Industries for Vulnerability Assessors
Jobs for vulnerability assessors generally cluster in sectors that process high volumes of sensitive information. These industries often employ infosec analysts in significant numbers and offer above-average pay. Industries that manage critical infrastructure also tend to pay infosec professionals well.
BLS data for information security analysts yields valuable industry insights, as shown in the tables below.
| Top-Paying Industries | Number of Information Security Analysts Employed | Average Annual Salary |
|---|---|---|
|
Remediation and Waste Management Services |
40 |
$173,250 |
|
Information Services |
10,130 |
$149,540 |
|
Computer and Peripheral Equipment Manufacturing |
400 |
$144,040 |
|
Securities, Commodity Contracts, and Other Financial Services |
3,140 |
$142,070 |
|
Motion Picture and Video Industries |
60 |
$141,070 |
| Industries With Highest Employment | Number of Vulnerability Assessors Employed | Average Annual Salary |
|---|---|---|
|
Computer Systems Design and Related Services |
42,590 |
$110,450 |
|
Enterprise Management |
14,790 |
$108,000 |
|
Credit Intermediation |
10,170 |
$112,660 |
|
Information Services |
10,130 |
$149,540 |
|
Technical Consulting |
8,660 |
$110,780 |
The BLS focuses on quantitative factors when compiling its data. However, qualitative factors also play a role in choosing industries for job-seekers to target. The Infosec Institute identified these four industries as the leaders for cybersecurity professionals in 2020:
- Healthcare
- Technology
- Financial services
- Government
Healthcare providers are an attractive target for cybercriminals, which explains the industry's inclusion. Government agencies have ongoing, high levels of demand for capable infosec professionals.
Top Online Programs
Explore programs of your interests with the high-quality standards and flexibility you need to take your career to the next level.
Upward Mobility for Vulnerability Assessors
Vulnerability assessors occupy entry-level to mid-level roles on cybersecurity teams. Candidates usually need 2-3 years of related experience. People can qualify for vulnerability assessor positions through a combination of education, technical skills, and professional certifications.
Professionals who build deeper knowledge and experience over time can step into higher-ranking positions. Examples include cybersecurity engineers, security architects, and chief information security officers (CISO).
Payscale data from May 2022 shows that these senior roles pay more than the typical vulnerability assessor salary of $84,000. According to Payscale, the average U.S. cybersecurity engineer earns about $97,770 per year. Security architects typically earn even more, collecting an average annual salary of about $128,410.
For many professionals, the CISO role represents the top of the cybersecurity career ladder. Professionals typically reach this high-profile, high-responsibility position after a long and successful pattern of career advancement.
Learn More About Vulnerability Assessors
What Is a Vulnerability Assessor?
How to Become a Vulnerability Assessor
Day in the Life of a Vulnerability Assessor
Certifications for Vulnerability Assessors
FAQ About Vulnerability Assessor Careers
What is the highest salary a vulnerability assessor can make?
According to Payscale, experienced vulnerability assessors earned an average annual salary of about $120,460 as of May 2022. Performance bonuses and profit sharing can push that figure even higher.
Where is the best state to live and work as a vulnerability assessor?
The best state for vulnerability assessors depends on each person's priorities and career goals. In 2020, the Infosec Institute listed Virginia, Texas, New York, Colorado, and California as its top five destinations for cybersecurity professionals.
What is the best industry to work in as a vulnerability assessor?
According to BLS data from May 2021, the computer systems design and related services industry employed the most infosec analysts. The technology, IT services, financial services, and healthcare industries also rank as top sectors.
What degree do I need to have a good salary as a vulnerability assessor?
Vulnerability assessors do not always need a college degree to earn a good salary. However, earnings usually rise along with education level. Professionals with master's degrees tend to out-earn those with bachelor's degrees. The same is true when comparing four-year bachelor's and two-year associate degrees.
Recommended Reading
Take the next step toward your future.
Discover programs you’re interested in and take charge of your education.