Cleared threat hunters with Top Secret / Sensitive Compartmented Information (TS/SCI) access now command $145,000 to $210,000 in base pay at mid-career and senior tiers, a 30 to 45 percent premium over commercial peers chasing the same MITRE ATT&CK skill stack. The gap is not a coincidence. In February 2024, CISA, the NSA, and the FBI publicly disclosed in joint cybersecurity advisory AA24-038A that PRC state-sponsored actors operating as Volt Typhoon had pre-positioned inside U.S. critical infrastructure operational technology and information technology networks for years before detection. The defense industrial base reacted by paying market price for the small set of cleared practitioners who can hypothesis-hunt against that class of adversary inside compartmented environments, and the salary table below reflects what that market price actually is in 2026.
This piece breaks down the cleared-threat-hunter pay band by experience tier, the tools cleared employers expect a candidate to know cold, the MITRE ATT&CK depth that separates a $145,000 cleared analyst from a $185,000 cleared hunter, the workflow that justifies the senior premium, and the agencies and primes paying top of market in 2026. Salary references are anchored to the May 2024 BLS Occupational Employment and Wage Statistics release for Information Security Analysts, the OPM 2026 General Schedule pay tables for the DC locality, ZipRecruiter’s TS/SCI clearance salary aggregation, and CyberSecJobs.com’s own anonymized 2025 cleared-job-board data.
What does a cleared threat hunter actually do, and why is the pay band different?
Threat hunting is the inverse of alert-driven security operations. A SOC analyst waits for a SIEM rule to fire; a threat hunter starts from a hypothesis (say, “an adversary has staged credential dumping via LSASS access on a privileged jump host”) and goes looking for evidence the existing detection stack would miss. In a cleared environment, the hunter is doing this against telemetry tagged at the SECRET or TS/SCI level, often inside a Sensitive Compartmented Information Facility built to Intelligence Community Directive 705 standards with no internet egress, against threat actors who have already invested years in operational security.
The pay band reflects that asymmetry. Commercial threat hunters at Fortune 500 banks and tech firms typically land in the $115,000 to $155,000 range for mid-career roles, drawing from PayScale’s 2026 cybersecurity threat hunter data and Glassdoor cross-checks. Against that commercial baseline, the BLS May 2024 release for Information Security Analysts (SOC 15-1212) lists a national median wage of $124,910 and a 90th-percentile wage of $182,370. Cleared threat hunters supporting the National Security Agency’s Cybersecurity Directorate, U.S. Cyber Command, or the Defense Intelligence Agency clear $145,000 to $210,000 at the same experience tier — and that is the base. Layered on top is a clearance premium that ZipRecruiter’s TS/SCI dataset and CyberSecJobs.com’s own anonymized job-board data peg at $30,000 to $45,000 for TS/SCI work in the DC corridor, plus another $15,000 to $30,000 if the position requires a counterintelligence or full-scope polygraph per the 2024 ClearanceJobs Compensation Report.
“The pivot to threat-informed defense is no longer optional for federal mission owners,” John Hultquist, Chief Analyst at Google Threat Intelligence Group (formerly Mandiant) and one of the longest-tenured public voices on nation-state activity, has argued in recurring Mandiant blog commentary: defenders who can run hypotheses against unknown-unknowns are paid more because the adversaries they hunt are no longer waiting for a CVE to drop. Cleared employers compete for that profile against a fixed supply, and the salary table is what falls out of that auction.
The 2026 salary band for cleared threat hunters, by experience level
The numbers below combine ZipRecruiter’s TS/SCI DC dataset ($149,398 average for cleared cybersecurity roles), CyberSecJobs.com’s own anonymized user data, and reference checks against published Leidos, Booz Allen Hamilton, ManTech, and CrowdStrike Federal job postings during Q1 2026. Junior cleared hunter roles are rare; the role is intrinsically senior because hypothesis-driven hunting assumes the practitioner has already lived through a few hundred alerts and knows what “normal” looks like on Windows, Linux, and cloud control planes.
| Experience tier (2026) | Commercial base | TS/SCI cleared base | + Full-scope poly |
|---|---|---|---|
| Junior hunter (2-4 yrs) | $95,000-$120,000 | $125,000-$155,000 | $140,000-$170,000 |
| Mid-career hunter (4-7 yrs) | $115,000-$155,000 | $145,000-$185,000 | $165,000-$205,000 |
| Senior / lead hunter (7-12 yrs) | $150,000-$195,000 | $180,000-$210,000 | $200,000-$235,000 |
| Principal / technical fellow | $185,000-$240,000 | $210,000-$260,000 | $230,000-$285,000 |
Two caveats. First, principal-tier ranges include sign-on and retention bonuses but exclude long-term equity; primes like Leidos and Booz Allen Hamilton structure equity differently from CrowdStrike Federal, which still grants RSUs against the public ticker. Second, these are W-2 base figures — 1099 contract rates for the same skill stack typically run 25 to 40 percent higher and have shown up at $130 to $165 per hour for senior hunters on prime subcontracts during the past four quarters. For federal civilian comparison, the OPM 2026 DC locality table places a GS-13 Step 5 at $138,024, a GS-14 Step 5 at $163,104, and a GS-15 Step 5 at $191,850, meaning a TS/SCI cleared hunter on a GS-14 federal billet sits roughly at the bottom of the cleared private-sector mid-career band.
MITRE ATT&CK fluency: the non-negotiable skill that anchors the pay band
Every cleared threat hunter job posting we tracked in Q1 2026 either named MITRE ATT&CK explicitly or used phrasing derived from it (“hypothesis-driven hunts mapped to TTPs,” “coverage gap analysis,” “purple-team detection engineering”). ATT&CK is the lingua franca because it forces hunters and detection engineers to talk about adversary behavior at the same level of abstraction. A hunter who can map a hypothesis to specific techniques (T1003.001 OS Credential Dumping: LSASS Memory, T1059.001 PowerShell, T1021.002 SMB/Windows Admin Shares) and then explain which data sources cover each technique is the one who clears $180,000 on a TS/SCI billet. A hunter who only knows that “lateral movement is bad” tops out around $130,000 even with the clearance.
The depth requirement matters. Senior cleared hunters are routinely expected to operationalize all 14 tactic categories of the MITRE ATT&CK Enterprise Matrix (Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact) and to know which data sources (process telemetry, authentication events, DNS, EDR file events, network flow) light up each technique. Reading-and-recognizing ATT&CK is a junior skill; building hunt content that closes specific coverage gaps is the senior bar. This is the dividing line that separates the $145,000 cleared SOC analyst from the $185,000 cleared threat hunter at the same agency.
| ATT&CK technique (2026) | Adversary action | Primary telemetry to hunt | Senior cleared hunter expected to… |
|---|---|---|---|
| T1003.001 LSASS Memory | Credential dumping from LSASS process | Process telemetry, EDR memory access events, Sysmon EID 10 | Write Sigma rule + custom IOA blocking lsass.exe access except by allowlisted processes |
| T1059.001 PowerShell | Malicious PowerShell execution | Script-block logging (EID 4104), AMSI, module logging | Detect base64-encoded payloads, suspicious cmdlets, unsigned scripts in user contexts |
| T1021.002 SMB Admin Shares | Lateral movement over admin shares | Windows EID 5145, NetFlow, Zeek SMB logs | Baseline normal admin-share traffic; alert on first-time-seen source/destination pairs |
| T1071.001 Web Protocols | C2 over HTTP/HTTPS, often proxy-chained | DNS, proxy logs, JA3/JA4 fingerprints, Suricata/Zeek | Hunt on rare JA3 hashes against known-good baseline; correlate with destination reputation |
| T1078.004 Cloud Accounts | Compromised cloud identity in IL5/Azure Gov | Microsoft Sentinel SigninLogs, AADUserRiskEvents | Hunt for impossible-travel correlated with risky sign-in across federation boundary |
The table reads like the test the hiring manager will ask in the interview. It is also the working day in the SCIF. A senior cleared hunter who can walk through five techniques with this much specificity, naming the data source, the detection logic, and the gap their hunt is supposed to close, is the candidate who lands the senior offer.
EDR and SIEM stack: which tools cleared employers expect you to know cold
The cleared market has converged on a tight tool stack. On the endpoint side, CrowdStrike Falcon for Government dominates among federal civilian agencies and a growing share of DoD; SentinelOne for Federal has taken meaningful ground in the intelligence community and DoD enclaves where on-premises or air-gapped deployment is required; and VMware Carbon Black is still entrenched at several defense primes despite the broader market shift. Hunters who can read raw EDR telemetry, not just click through the console, are the ones who get the senior offers.
SIEM is more fragmented. Splunk Enterprise Security remains the default at most cleared sites and powers the bulk of the federal contracts at Leidos, Booz Allen Hamilton, and ManTech, with hunters expected to write fluent Splunk Search Processing Language against months of indexed telemetry. IBM QRadar holds ground at older intelligence community programs and within the Defense Information Systems Agency ecosystem. Microsoft Sentinel has grown rapidly inside the cleared cloud (Azure Government and IL5/IL6 environments per Microsoft’s DoD compliance documentation), and hunters there write queries in Kusto Query Language rather than SPL. Elastic SIEM shows up wherever cost-conscious programs need to scale beyond Splunk’s licensing curve. OpenText ArcSight (formerly Micro Focus) is in maintenance mode at most agencies but is still present.
| Tool category (2026) | Cleared market leader | Where it shows up |
|---|---|---|
| EDR (primary) | CrowdStrike Falcon for Government | Civilian agencies, growing DoD share, prime-contractor enterprise |
| EDR (air-gap / on-prem) | SentinelOne, VMware Carbon Black | IC enclaves, classified networks, legacy defense programs |
| SIEM (default) | Splunk Enterprise Security | Most cleared SOCs and threat hunting teams |
| SIEM (cloud) | Microsoft Sentinel | Azure Government, IL5/IL6 cloud enclaves |
| SIEM (legacy IC) | IBM QRadar, ArcSight | Older intelligence community programs, DISA-aligned customers |
| Asset / vulnerability context | Tanium, Tenable Nessus, Rapid7 InsightVM, Qualys VMDR | Hunt-prioritization input; expected fluency, not primary hunting tool |
Hypothesis-driven hunting: the workflow that justifies the salary delta
The senior-tier compensation maps to a specific workflow, not to “more years of experience.” A cleared threat hunter operating at the $180,000+ band typically owns the end-to-end loop: pick an ATT&CK technique relevant to the threat model of the program being defended, write the hypothesis in plain English (“a privileged service account is being used for interactive RDP outside business hours”), translate the hypothesis into queries against the available telemetry (Splunk SPL, Microsoft Sentinel KQL, or CrowdStrike Falcon LogScale), execute the hunt over a defined time window, triage the false positives, and, critically, convert any true positive or detection gap into a permanent SIEM rule or EDR custom IOA so the next iteration is automated.
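As an added example that is not part of the original article or any employer’s content, the loop above is carried through in Python for the stated hypothesis (privileged service account, interactive RDP, outside business hours), ending with the step that turns the confirmed hunt into a Sigma-style rule; it also covers the identity-abuse row of the ATT&CK table above. The 4624 events, account inventory, business-hours window and triage allowlist are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample of Windows Security EID 4624 logon events (not real telemetry).
# LogonType 10 = RemoteInteractive (RDP), 5 = Service, 3 = Network.
SAMPLE_4624 = [
    {"time": "2026-02-03T09:14:02", "user": "svc_backup", "logon_type": 5,  "src_ip": "10.0.5.20", "host": "DC01"},
    {"time": "2026-02-03T23:41:17", "user": "svc_backup", "logon_type": 10, "src_ip": "10.0.9.77", "host": "JUMP01"},
    {"time": "2026-02-04T02:05:44", "user": "svc_sql",    "logon_type": 10, "src_ip": "10.0.9.77", "host": "SQL02"},
    {"time": "2026-02-04T10:30:00", "user": "svc_sql",    "logon_type": 10, "src_ip": "10.0.1.15", "host": "SQL02"},
    {"time": "2026-02-04T22:10:09", "user": "jdoe",       "logon_type": 10, "src_ip": "10.0.1.15", "host": "WS17"},
    {"time": "2026-02-04T22:15:09", "user": "svc_patch",  "logon_type": 10, "src_ip": "10.0.1.15", "host": "WS17"},
]

# Assumed program inventory: which accounts count as privileged service accounts.
PRIVILEGED_SERVICE_ACCOUNTS = {"svc_backup", "svc_sql", "svc_patch"}
# Assumed business hours for the program (08:00 to 17:59 local).
BUSINESS_HOURS = range(8, 18)
# Triage outcome from a previous iteration: svc_patch from the patch server is a
# known change window, so (account, source IP) pairs here are suppressed, not hidden.
ALLOWLIST = {("svc_patch", "10.0.1.15")}


def hunt_offhours_rdp(events, privileged=PRIVILEGED_SERVICE_ACCOUNTS,
                      allowlist=ALLOWLIST, business_hours=BUSINESS_HOURS):
    """Run the hypothesis over a batch of 4624 events.

    Returns (hits, triaged): hits need analyst follow-up, triaged matched the
    hypothesis but were explained by the allowlist and are kept for audit.
    """
    hits, triaged = [], []
    for e in events:
        if e["logon_type"] != 10 or e["user"] not in privileged:
            continue                       # not interactive RDP by a service account
        if datetime.fromisoformat(e["time"]).hour in business_hours:
            continue                       # inside the business-hours window
        if (e["user"], e["src_ip"]) in allowlist:
            triaged.append(e)
        else:
            hits.append(e)
    return hits, triaged


def to_sigma_rule(privileged=PRIVILEGED_SERVICE_ACCOUNTS, allowlist=ALLOWLIST):
    """Encode the confirmed hunt as a Sigma-style rule dict for the SIEM.

    Sigma has no hour-of-day operator, so the off-hours condition is assumed to
    live in the scheduled-search wrapper; the account and allowlist logic is in the rule.
    """
    return {
        "title": "Privileged service account interactive RDP outside business hours",
        "logsource": {"product": "windows", "service": "security"},
        "detection": {
            "selection": {"EventID": 4624, "LogonType": 10,
                          "TargetUserName": sorted(privileged)},
            "filter_known_window": [{"TargetUserName": u, "IpAddress": ip}
                                    for u, ip in sorted(allowlist)],
            "condition": "selection and not filter_known_window",
        },
        "tags": ["attack.lateral_movement", "attack.t1021.001", "attack.t1078"],
        "level": "high",
    }
```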
That last step is what separates a hunter from an analyst. Cleared employers will not pay the senior premium for someone who runs queries; they pay for someone who ratchets the detection stack forward each sprint. Hultquist’s Mandiant Threat Intelligence Group commentary has consistently framed the discipline this way: dwell time falls when defenders close the gap between threat-intel inputs and detection output. The Mandiant M-Trends annual reports have tracked global median dwell time falling from 416 days in 2011 to 10 days in 2023 — and the cleared hunters who own the detection-engineering loop are the reason the federal subset of that curve is steeper than the commercial one.
Which employers are paying the top of the cleared band right now?
Four buckets currently set the ceiling. Defense primes (Leidos, Booz Allen Hamilton, ManTech, Northrop Grumman, and General Dynamics IT) pay the largest absolute numbers on TS/SCI billets with poly because their contract structures let them pass through the clearance premium plus a profit margin. CrowdStrike Federal, Mandiant (now Google Threat Intelligence Group), and Palo Alto Networks Federal are the product-vendor employers that pay top-of-band for hunters who can build detection content against their own platforms while holding TS/SCI. The intelligence community direct-hire route through the NSA Cybersecurity Directorate, CIA, and the National Reconnaissance Office caps at the GS-15 schedule ($191,850 in DC per OPM) but layers on bonuses and a clearance environment that is unmatched. Boutique cleared MSSPs (RedTrace, Sealing Technologies, Two Six Technologies) pay competitively for niche hunters who can move quickly.
The cleared-cyber pipeline shapes which of these wins on a given resume. “The cleared cyber pipeline is the constraint, not the demand,” Rob Joyce said in his tenure as NSA Director of Cybersecurity at a public Aspen Cyber Summit panel, a framing he has repeated across RSA Conference appearances and Federal News Network coverage. Inside that constraint, the principal-tier cleared threat hunter is one of the highest-use seats a contracting officer can fill, because a single hunter at that level closes detection gaps across an entire program office’s mission system. That is the pricing logic behind the senior band.
Jen Easterly, in her tenure as CISA Director, framed the same labor-market dynamic in Senate Homeland Security testimony: a significant cybersecurity workforce shortage exists across both public and private sectors, and federal hiring managers cannot resolve it on the same recruiting timelines the contracting cycle demands. The cleared threat hunter market is the sharpest edge of that shortage, which is why the cleared premium has expanded every cycle rather than compressed.
Certifications that move the needle for cleared threat hunting roles
The certifications cleared employers actually pay for, in rough order of impact for hunters: GIAC Certified Incident Handler (GCIH) and GIAC Certified Intrusion Analyst (GCIA) — the SANS path is the closest direct match to threat hunting workflow, with each GIAC exam priced at $2,499 standalone (2026 list); the Offensive Security Certified Professional (OSCP) is increasingly expected because hunters who understand offensive tradecraft build better hunt content; CompTIA Cybersecurity Analyst (CySA+), $404 (2026), covers the DoD 8140 / 8570 IAT level requirements that govern most cleared contracts under the October 2023 DoDM 8140.03; and Certified Information Systems Security Professional (CISSP), $749 (2026), is the management-ladder certification that becomes mandatory once you cross into lead-hunter or threat hunting program lead roles.
For the hands-on hunter, GCIA and the GIAC Certified Forensic Analyst (GCFA) typically deliver more interview value than CISSP. For the lead hunter or threat hunting team manager, the inverse holds. Most cleared resumes that land senior offers carry one technical SANS cert (GCIH, GCIA, or GCFA) paired with CISSP for the management filter, and add OSCP if the hunter has any aspiration of moving to a red-team-adjacent role inside the prime. The DoD Cyber Workforce Framework maps these credentials directly to qualifying baselines for the Cyber Defense Analyst and Threat Analyst work roles, which is the contractual lever program offices pull when they require a credential on a billet.
Frequently asked questions
Do I need TS/SCI to start a threat hunting career, or can I get there from a commercial role?
Most cleared threat hunters arrive from one of two paths: a commercial SOC or detection-engineering role where they built strong MITRE ATT&CK fluency and then took a sponsored cleared role; or direct military / intelligence community service that already produced the clearance. The sponsored route is the most common (the clearance is sponsored by the hiring employer, not paid for personally), and processing now runs roughly 12 to 24 months for an initial TS/SCI per ODNI Statistical Transparency Reports.
How much does a full-scope polygraph actually add to a TS/SCI threat hunter salary?
Survey data and posted ranges put the full-scope poly premium at $15,000 to $30,000 on top of an existing TS/SCI base in 2026, with the highest premiums attached to billets at NSA, the National Reconnaissance Office, and CIA contractor support roles per the 2024 ClearanceJobs Compensation Report. Counterintelligence-only polygraph adds roughly $8,000 to $15,000.
Is a commercial threat hunter role a step back if I already have TS/SCI?
Financially, almost always yes — losing the clearance premium typically costs $30,000 to $45,000 at the mid-career band, anchored to the ZipRecruiter TS/SCI aggregation against the BLS commercial baseline. Strategically, some hunters move commercial to gain breadth on cloud and SaaS attack surfaces, then return to cleared work at a senior level. Letting a clearance lapse for more than 24 months is the risk to manage.
Which is more valuable for a cleared hunter: Splunk or CrowdStrike depth?
Splunk depth wins by a small margin in 2026 because most cleared SOCs still build their primary hunt content in Splunk Enterprise Security using SPL, but the gap closes every quarter. Hunters who can write strong Falcon LogScale queries and custom IOAs are increasingly the ones promoted to lead roles, especially at agencies migrating EDR. Microsoft Sentinel / KQL fluency is the third leg of the stool inside Azure Government and IL5/IL6 enclaves.
Are remote cleared threat hunter roles realistic in 2026?
Fully remote cleared hunting is still rare because most TS/SCI work requires a Sensitive Compartmented Information Facility built and operated to Intelligence Community Directive 705 standards. Hybrid arrangements (three days in SCIF, two days remote on unclassified hunt-prep work) have become more common at the prime contractors and are routinely advertised as such.
Which certification should I sit first if I’m aiming for a cleared threat hunter seat?
If you already meet DoD 8140 baseline (Security+ or equivalent), the highest-use next cert is GIAC GCIH for IR depth, then GCIA for network/IDS depth. CISSP is the management-track filter rather than the hunting-skill credential — sit it once you are 12 to 18 months from a lead or program-lead role, not before.
Where to look next
- TS/SCI Cyber Jobs in 2026: The Cleared Cybersecurity Career Guide
- SOC Analyst Salary 2026: Cleared vs Commercial Pay
- DoD 8140 Framework Explained: Cyber Workforce Requirements
- CISSP for Cleared Cyber Analysts: Cost, ROI, and Hiring Impact
- CrowdStrike for Cleared Endpoint Security Skills Guide
- SentinelOne for Cleared Endpoint Security Skills Guide
- Splunk for Cleared SOC Analysts Skills Guide
- Microsoft Sentinel for Cleared Cloud Security Skills Guide
