How much do hackers at the CIA/NSA/FBI make?
83 points by mcbobbington on July 6, 2017 | 57 comments
These guys seem to be pretty good hackers. Anyone know how much they make? Or is that classified? If so, anybody have any idea?

For the NSA, they list salary ranges on the job postings.


   Cryptographic Vuln. Analyst - Entry: $68,586 - $85,464
   Cryptographic Vuln. Analyst - Mid-Level: $79,334 - $105,663
   Computer Network Analyst  - Entry/Mid: Same
   Systems Vulnerability Analyst - Entry/Mid: Same 
   Capabilities Development Specialist - Entry/Mid: Same
The range for Senior positions is $94,796 - $145,629

There's also signing bonuses available, and language bonuses if you know foreign languages that are in demand. They also adjust the pay for living in Hawaii, since it's more expensive.

The CIA pays a little better, but it's more expensive to live near there.

Of course if you work as an infiltration plant at a 3rd party I would assume you can add a second salary on top of that.

Or a third salary if you're a triple agent :)

damn that's terrible

It's not a job you go into for the money. They're making like twice the median income for the US, that's more than enough to live comfortably. Frankly, you don't get involved in that line of work without some serious patriotism.

Or a different "ism".

Not in the DC area.

I live in the DC area and I live very comfortably on a similar salary

If you're single 105k in DC is amazing. If you have a family, you will have everything you NEED, but you won't be living by most people's definitions of "very comfortably".

A lot of those positions aren't in high cost areas, especially if you don't have kids. The area near Fort Meade, MD isn't too bad. San Antonio, TX is reasonable. Aurora, CO (just outside of Denver) isn't bad either, neither is Augusta, Georgia. A starting salary of $70-$80k for a recent college grad goes a long ways in those areas.

Fort Meade, Maryland? Are you kidding me, I'm in the DC area you're looking at close to a 1/2 million dollars for a reasonable house in a decent neighborhood in that area, not to mention Maryland's taxes are some of the highest in the country. On top of all of that, you have neighboring PG County, Maryland where corruption and crime are out of control, as well as terrible traffic around the entire DC metro area. Of all places you mentioned, Fort Meade does not belong in the same lot.

Living in coastal California, I wish I could buy a reasonable house in a decent neighborhood for close to 1/2 million dollars. In the neighborhood where I'm currently renting it's strictly 800k+, and I'm in one of the least desired elementary-school districts in town.

Where are you looking? There are some bad areas for sure, but there are certainly good areas with decent pricing (Talking about ~30min drive to NSA or defense contractor in the area, if you are speaking about closer then disregard).

Living near Fort Meade is the most expensive of that group, but it's still a lot, lot less than DC or SV.

I've priced stuff out in that area. It's not as bad as you're making it out to be. There's a number of decent areas with reasonable housing, it only gets more expensive if you're concerned about also having a shorter drive into DC.

Cost of living should be less than SV, and don't discount the stability of government employment and stuff like pensions and good healthcare plans.

Not when you factor in good work life balance.


For those of us who don't know what any of that means, can you add $ figures to those terms?

Based on this Wikipedia article, it looks like between $52-96k


Looking it up (they're very public figures), the high end of that scale is 96k; the low end 52. (G11 base is $52,329.00, G13 base is $74,584.00)

These numbers seem incredibly low. Like, "why doesn't Google just hire them all away and put them in a box somewhere" numbers. The economic damage done by repeated spying allegations and the vulnerabilities the NSA has stockpiled (and then leaked) seems like it's far outweighed the cost even to individual companies to just filibuster the whole thing. Then again, I'm not going to dig into the pathology of people who'd accept government jobs in the first place.

[1] https://www.federalpay.org/gs/2017/GS-13

Base doesn't include locality pay: https://www.federalpay.org/gs/locality

So for Los Angeles, for example, total annual salary would be $74,584.00 * 1.2965 = $96,698.00 for G13 base. G13 max would be $96,958.00 * 1.2965 = $125,706.00.

Also doesn’t include pay scale for EE or other bandings if applicable. Which can be another 10-20k.


How far into your career was that?

If you mean GS-11 and GS-13, that's $52329.00-$68025.00 and $74584.00-$96958.00 [1]

[1]. https://www.federalpay.org/GS/2017

North of 100k, south of 200k. Assuming some level of seniority or subject matter expertise.

After that, there is a ceiling, so most will work for private firms or consult, making 2x, 3x, or much more.

USG employees vs. contractor is an important distinction. Your ranges imply your friends are contractors. See techjuice's post for USG ranges.

GS12 w/ DC metro COLA and no engineering band bonus gets just across the line into 6 figures (103K).

Most senior technical folks (not just out of school/military, and not supervisor/team lead level) are going to be GS12-13.

Still, (almost) no one is making 200K as a federal employee.

source: Friends in the industry. One friend moved to UAE for a private-sector job, making tons, doing less actual security work.

The ole’ move to UAE we pay for everything gig. Money wouldn’t cover that for me, it’s a huge adjustment in lifestyle.

Speaking from personal experience (dating an employee) I can tell you it is not necessarily north of 100K. Most I have spoken with from NSA make less than 100k and that's with 5+ years at the agency, non-management.

Also, this link may help give you some background. You also have to consider that salary is adjusted based on location. https://www.federalpay.org/employees

Yikes, hope those bennies are pretty sweet.

I think it depends on how long you stick around. From what I understand the federal pensions are decent but not enough to live off of, you still need to save some money for retirement. People who have been at the NSA a really long time accrue vacation at almost European rates (around 1 month per year)

I don't know if they are (if military benefits are any example)... beyond the look you get from a traffic cop after they run your info and reality dawns on them.

Can you explain this to the unenlightened? Is employment at a national security organization somehow indicated in the DMV database or whatever it is that cops look you up in?

It’s not. The only thing you may get is an official / diplomatic passport for certain overseas work, otherwise it’s not going to matter any more than flashing a teachers union card.

I'm assuming it is, even if it's not, you have a great answer to the traffic stop boilerplate question..."where are you going in such a hurry?"

Hopefully the following helps, it is from research I have done comparing the public sector to the private sector pay and compensation over time, specifically comparing intelligence community pay to regular government agency pay and compensation for the independent agencies (FCC, SEC, CIA, CFTC, FTC, GSA, USPS, SSA, etc.) - https://en.wikipedia.org/wiki/Independent_agencies_of_the_Un...

If they are government employees they are normally paid on the regular government GS Pay scale (title 5) - https://www.opm.gov/policy-data-oversight/pay-leave/salaries... so the really good ones get paid up to $161,900 if they can make it past the GS-14 pay grade.

Though, that is considered generally OK pay for a regular government job that is not extremely high stress, quick turn around and high demand. Though to the private sector's top hackers as many far exceed this as a senior cyber security engineer or CISOs making up to $380,000/year + stock options + other perks. In those cases the government also has Title 10 which limits pay to under the president's salary (section 102 of title 3) $400,000 - https://www.law.cornell.edu/uscode/text/3/102. This allows the federal government secretaries or heads of agency to be able to pay individuals of extraordinary talent and ability the same rate as they may pay a physician or other medical professional if that individual's salary requirements fall outside of the regular GS pay scale and they really want that person on board and want to pay them a competitive salary.

There is also the Senior Executive Service and other equivalents for the many agencies that puts the individual into a senior level(SL), scientific or professional (ST) positions. These positions may come with cash rewards up to $25,000 with approval from OPM/White House, eligibility to be nominated for the Presidential Rank Awards (Distinguished Rank (35% of annual basic pay) or Meritorious rank (20% of annual basic pay) - https://www.opm.gov/policy-data-oversight/senior-executive-s....

Though these positions for hackers would normally be reserved for those with at least 10 to 20+ years in the game with extreme in depth knowledge of the multiple operating systems, hardware and software, SCADA, Satellite, and other embedded/private/public/military communications systems out there. This normally means they are not just specialized in a few things, but have deep knowledge of many systems through practical experience working with them hands on over the years and hacking them to pieces during security audits, product evaluations, quality assurance, security validation and testing through reverse engineering to ensure the products do what they say they do, etc.

There are also some agencies that use a pay band system 1 to 5, etc. and normally cap out at around $157,000/year then bump up to around $120,000 to $167,000 for their senior level positions and $120,000 to around $180,000 for their senior executive service compensation.

So in general the best of the best in terms of government employees could be paid up to $400,000/year under title 10 which is more of a government contractor type position that has to be renewed regularly, highly unlikely unless those in top positions see someone they want working for them and really want them badly to work on the inside of government. Normally the title 10 pay is around $160,000-$300,000, so in general the bulk of hackers would fall under the GS pay scale ranging from GS-9 to GS-14 Step 6. Anything higher would have to be negotiated and justified during the hiring process or worked into a promotion for those already working for the government.

Just to improve that answer: SES is usually reserved for management. It is designed to produce a general "gov't manager" able to be swapped into any agency and manage people. It is extremely rare for any SES to do research work directly. They usually manage a lab or similar larger organization.

The same goes for GS-14 and higher. Those ranks usually translate to management, or it is expected that they would have some management tasks (like team leader, etc.). Same with bands in that band 5 is usually reserved for managers or exceptional non-managers.

In non-DoD/Intel community, the normal model for IT is having one FTE (GS-13/14) managing a bunch of contractors, or a mix of FTEs doing specialized work (running key systems, networks, "DevOps") and contractors doing customer facing stuff like desktop support, etc. Can't speak for the intel community or DoD, who do their own thing.

to add a little bit of extra inside baseball (my experience only, YMMV) -

bands (short for pay bands) in FEDERAL (not contractor) competitive service vs. excepted service are slightly different.

Competitive service works as Band 1-4, followed by SES (senior executive service). With excepted service (which I expect most hacker type folks to be hired under) you don't have SES. You have Band 1-5, with Band 5 roughly = to an SES pay grade. Excepted services essentially means you are hired in for a special skill set, and you don't compete on the normal gov HR point system (which includes vet preference, disability, etc.). Excepted service tends to be used for hiring a specific person. Downside is that without competitive status, excepted service personnel can not move laterally in government.

in both cases, band 1-4 cover the same ground as GS 1-15, but with less stratification.

GS Grades go from 1-15, but each grade has 10 steps. GS 9 (average masters degree education starting point) will run 42K-56K base + whatever COLA (cost of living adjustment) you get for location. For Wash DC area COLA is +24.78%, bumping GS 9 to 53k (step 1)-69K (step 10). Each department/team is a little different, but most places I'm familiar with have a clear career path from GS7-GS13. GS14 and GS15 are more slot based, and generally are management positions.

Bands are tougher to move around in after your initial hire. It works out better for you if you just scrape into the next highest band, it works out worse if you land in the middle or the top of your band. Instead of step or grade based pay bumps, the band system is an "experiment" to incorporate pay for performance. Everyone gets their base pay (determined by band, and then further separated into high, medium, and low), and then there is an extra pool of money at the office level that is distributed by performance reviews. High performers get 1.5%-3% * (base pay + COLA), with low performers getting nothing. Without getting deeper into the weeds, most people can expect to get a ~1%-1.5% "bonus" annually. Theoretically, the bonus system is supposed to make up for the additional stratification of the Grade/Step system, but because of office politics the curve is pretty flat, and the high performers don't really see that much of a pay bump.

edited to add this is for FEDERAL employees. Contracting has a whole different set of issues and rules. In general, I'd recommend going Federal to get experience and a clearance, then transition to contractor status later in your career. Whereas most Fed salaries will top out at 160K-ish, contractor salaries w/ bonus can be much higher (2x-4x). Downside is stability and employment risk, and working for a client rather than being the client.

Assuming by "pretty good hackers" OP means the developers actually doing the work, they are typically GS-12 or GS-13 - so $80k to $120k. GS-14 slots and above are reserved for management and spend much less time doing the real work.

A lot of the teams employ contractors alongside the USG employees, with higher pay ranges.

> GS-14 slots and above are reserved for management and spend much less time doing the real work.

This is normally true but there are organizations that have technical roles up to GS-15.

Superb and comprehensive response, thank you.

What is the educational path to becoming a CISO? Would you go into IT or CS?

Either. Then get an MBA.

From the sounds of other posts you're making similar money to what you would at the big 4 (5?).

I think another question to ask is what other reasons would you want to work at these companies? The possibility to learn from other smart people? The opportunity to work on problems you couldn't get elsewhere?

Not a direct answer but maybe read this [1], then follow it up with chapter 48 of The Cuckoo's Egg [2].

[1] https://www.bell-labs.com/usr/dmr/www/crypt.html [2] https://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg

After doing a bit of sleuthing on OP's account where did you see any information that would suggest he is working at the big 4/5?

I think by "you're" he was referring to a general person working for government hacking agencies, not me.

ah! you are right. Thanks for the clarification!

GS scale, + engineering pay band and locality pay (if applicable). The exceptions are military, they’re paid at comparable ranks. Most civilians start around GS9, then get fed up and go contractor for better pay.

Yes. I worked in the intel space and never knew a SES who wasn't a project manager or had several direct reports. Software staff aren't SES unless they run a group. I'd be surprised if high GS numbers (i.e. 12-14) applied to software staff unless they had 10+ years of experience or direct reports.

Some of the ranges I’m seeing here are “best case too” much like “google pays 200k+”. It all boils down to negotiation and open billets / funding. SES is extremely rare even in “TAO”.

Whatever amount they pay you isn't worth it. Private sector pays more, has less bureaucracy, and will help you sleep better at night.

I have seen well north of $200k.

Where did you "see" this? Any source?

