"Cybersecurity consultant" is one of the broadest titles in the tech industry. It spans everything from a generalist IT security advisor billing $75/hour to a specialized cloud penetration tester billing $375/hour, and both descriptions are accurate. The gap isn't inflated; it tracks genuinely different work.
Getting the rate right matters in both directions. Overpaying for general advisory when you need a specialist is wasteful. Underpaying for a critical audit because you found someone cheap is genuinely dangerous. Here's how to calibrate.
Rate Ranges by Specialization (2026)
| Specialization | Typical Hourly Rate | Project Rate (typical) |
|---|---|---|
| General IT Security Advisory | $75–$150/hr | $3,000–$15,000 |
| Risk Assessment / GRC | $125–$225/hr | $8,000–$30,000 |
| Penetration Testing (network) | $175–$300/hr | $5,000–$25,000 |
| Penetration Testing (web app) | $200–$350/hr | $8,000–$40,000 |
| Cloud Security (AWS/Azure/GCP) | $200–$375/hr | $10,000–$50,000 |
| SOC 2 / ISO 27001 Readiness | $200–$350/hr | $15,000–$60,000 |
| Incident Response | $300–$500/hr | Emergency retainer |
| CISO-as-a-Service (vCISO) | $200–$400/hr | $3,000–$12,000/mo |
Rates also vary significantly by geography. A penetration tester based in San Francisco charges roughly 35–45% more than an equally credentialed consultant in Austin or Chicago. Remote engagements have narrowed this gap but not eliminated it.
Use live market data. The Rate Benchmark tool gives you a current rate range for your specific cybersecurity engagement type, location, and company size — pulled from verified market data, not a static survey.
Certifications That Move the Rate
Not all certifications carry equal weight in the market. The ones that command a measurable rate premium:
- CISSP (Certified Information Systems Security Professional) — broad authority, widely required for senior advisory roles. Adds 15–25% to market rate.
- OSCP (Offensive Security Certified Professional) — the most widely recognized hands-on credential for penetration testers; the exam requires actually compromising machines, which is why buyers weight it. Expect it (or an equivalent practical credential) on any serious network or web app pen test engagement, but judge the tester by sample reports and references, not the badge alone. Adds 20–35% for offensive security work.
- CISM (Certified Information Security Manager) — management/governance focus, valuable for GRC and vCISO roles.
- Cloud platform security certifications (AWS Certified Security - Specialty, Microsoft Azure Security Engineer Associate / AZ-500, Google Professional Cloud Security Engineer) — platform-specific; command a premium for cloud-native engagements, but only on the platform you actually run.
- CEH (Certified Ethical Hacker) — common but less respected than OSCP in the professional market, largely because the core exam is multiple-choice rather than hands-on. Doesn't move rates meaningfully.
Wondering whether a certification is worth paying for? The Credential ROI Calculator shows the expected rate impact for major security certifications based on current market data.
Project vs. Retainer vs. Hourly
How you structure the engagement matters as much as the rate:
- Fixed-price project — best for defined-scope work (penetration test, SOC 2 gap assessment). Protects your budget; ensures the consultant scopes well upfront.
- Hourly — best for ongoing advisory or genuinely undefined scope. Creates a risk of scope creep; set a not-to-exceed cap and require weekly time estimates and time reports.
- Monthly retainer — best for vCISO arrangements or ongoing security program management. Typically 10–25 hours/month with guaranteed availability.
- Incident response retainer — pay a standing fee for a guaranteed response SLA, usually expressed as a maximum time to engage after you declare an incident. Typically $2,000–$5,000/month for SMBs. Non-negotiable if you're in healthcare or finance, or hold material customer data.
What Drives Cost Beyond the Hourly Rate
The sticker rate is only part of the total cost. Watch for:
- Travel and expenses — on-site pen tests or audits often carry a travel premium. Clarify remote vs. on-site before scoping.
- Report quality — a professional pen test report with clear remediation guidance costs more than a CSV of findings. The report is often where the value actually lives.
- Retesting — many pen test quotes exclude retesting of remediated vulnerabilities, so the report alone never confirms that a fix worked. Budget separately or include a retest window in the scope.
- Tooling costs — some consultants pass through costs for specialized tooling. Require itemization.
- Urgency premium — need results in 2 weeks instead of 6? Expect a 20–40% premium.
Red Flags That Signal You're Being Overcharged (or Underserved)
Overcharged signals:
- Premium pricing for a certification that doesn't match the engagement type (paying OSCP rates for a GRC advisory project)
- Hourly billing on a project that should be fixed-price (easy to scope, well-understood deliverable)
- Reports padded with generic NIST framework boilerplate that doesn't map to your actual environment
Underserved signals:
- No reference to a specific methodology (OWASP Testing Guide, PTES, NIST SP 800-115) or to the tools they use when describing their pen test process
- Can't explain how they separate scanner false positives from confirmed findings, or what evidence (request/response, screenshot, proof-of-concept) they attach to each finding
- SOC 2 readiness consultant who has never been through a SOC 2 audit as an auditee
- Incident response without a documented escalation process or on-call SLA
Scoping Your Engagement
Before any cybersecurity engagement, get explicit scope in writing: which systems, IP ranges, and accounts are in scope (and which are explicitly excluded), what testing methodologies are authorized, the testing window and whether production may be touched, who to call if testing causes an outage, what deliverables are included, and what the timeline is. For a pen test this is the rules of engagement; it should be signed by someone with authority over the target systems before testing starts, and you should check your cloud or hosting provider's penetration testing policy for any notification requirements. An ambiguous scope is how a $15,000 pen test becomes a $40,000 engagement.
Use the Project Scope Estimator to build a structured brief for your cybersecurity engagement before your first vendor conversation. It forces clarity on scope, deliverables, and timeline upfront.
The Bottom Line
Cybersecurity consulting rates are wide because the work is genuinely wide. A $125/hour GRC advisor is not doing the same job as a $350/hour cloud penetration tester — and you shouldn't treat them as interchangeable.
Match the specialization to the engagement. Benchmark the rate before you negotiate. Scope the project explicitly. And always ask for references from clients in your industry — security work is highly context-dependent.