State of Cloud Security Hiring - May 2026
I pulled 234 cloud security job postings from May 2026 and dug into the data. Here's what companies are actually asking for right now.
The short version
- AWS leads, but multi-cloud is the baseline expectation.
- Terraform and Kubernetes matter as much as the cloud platforms themselves.
- AI companies pay 2x market rate for cloud security engineers.
- Onsite is back - 41% onsite, 35% remote, 25% hybrid.
- Entry-level roles barely exist. 1% of postings.
Platforms
AWS leads by about 40%. Azure and GCP trail close behind at nearly identical numbers, which makes sense given that most postings ask for experience across two or three clouds. Knowing only one won't cut it anymore.
Skills
Ignore the 30-bullet requirements lists. Here's what shows up consistently across hundreds of postings:
Terraform appears in 130 job descriptions - close to Azure's 137 - with CloudFormation at 50. If you can't write infrastructure as code, you won't get past the screen.
Kubernetes shows up 113 times, Docker 29, and EKS specifically 34. Cloud security now means securing workloads - not just configuring IAM consoles.
Python leads languages at 108 mentions, followed by Go at 65, Bash at 38, and PowerShell at 29 in Azure-heavy shops. The expectation is that you can automate your way through problems, not just click through dashboards.
AWS-native security tooling is heavily demanded: GuardDuty (38), EKS (34), Security Hub (28), CloudTrail (27), S3 (17).
CSPM tools
Wiz leads the third-party CSPM market, with Prisma Cloud and Orca tied and fading behind it. Defender for Cloud stays strong in Azure shops because it ships built-in. If you're picking one third-party tool to learn, pick Wiz.
Compensation
The highest-paying roles are at AI companies, and the gap is stark:
Staff Cloud Security Engineers at PlayStation ($197-296K) and Peloton ($231-266K) are well-compensated by any normal standard. But AI companies play in a different league entirely, with ceilings above $400K for the same work.
Experience levels
Almost nobody hires juniors into cloud security directly. The path in is through a broader security or DevOps role first, then pivoting once you have real cloud hours under your belt.
159 of the 234 postings specify years of experience. The numbers tell the story:
[Chart: Postings by minimum years required]
5 years is the magic number. 39 postings ask for "5+" with no cap, and it's the floor for almost every senior role. Mid-level starts at 2-3 years, but some "mid" roles ask for 4-5. Staff expects 7-10 years minimum. Only 1 posting in all of May asks for 0 years of experience.
Work mode
Onsite leads at 41%. But the remote number needs context: of the 81 remote postings, 67 are locked to the US. Only 11 are truly remote-anywhere with no country requirement. The rest are country-locked to the UK (12), Portugal (10), Canada (7), or Spain (6). "Remote" in cloud security mostly means "work from home, but you need to live in the US."
Geography
The US holds 45% of all postings, with India a strong second at 28. Portugal sits at #5 with 9 postings, ahead of Spain, Brazil, and Australia.
Certifications
CISSP dominates at 51 mentions, with AWS Security Specialty at 34 behind it. If I were planning a cert path for cloud security today, I'd get the AWS Security Specialty first because it's the most practical and hands-on, then CCSP or CISSP depending on whether you want to stay technical or move into leadership.
CKS only shows up 6 times, but Kubernetes itself appears in 113 postings. That gap will close as more employers realize they should be asking for it explicitly.
Detection and identity
EDR: Microsoft Defender leads at 25, CrowdStrike follows at 12, and SentinelOne trails at 4. The Microsoft stack dominates this category.
SIEM: Microsoft Sentinel (18) leads Splunk (11), with Chronicle (4) as the GCP-native option. Splunk is losing ground steadily.
Identity: Active Directory (21) still edges out Entra ID (19), but the gap is closing fast and will probably flip by next quarter. Okta sits at 7 as the non-Microsoft option.
CI/CD: GitHub Actions (17) and Jenkins (13) lead, with ArgoCD (6) growing as GitOps takes hold. Securing the pipeline is becoming core cloud security work, not something you hand off to DevOps.
What I'd do with this data
Learn Terraform and Kubernetes security deeply, pick AWS as your primary cloud and get comfortable with a second, write Python for automation, and know GuardDuty, Security Hub, and CloudTrail inside out. Get the AWS Security Specialty cert. If you want top-tier comp, target AI companies - they're paying double for the same skillset.
Chandrapal Badshah