Google does not differentiate those roles (like just about every company). Most companies have a “faux title” and a real title. The real title for security engineers is usually the same title as software engineers. I’m not saying that no company exists with security engineers in a separate pay ladder (because who knows), but I’ve personally never heard of one.
It’s about as difficult to answer that as it is to answer what the market rate is for SDEs. They vary wildly. Like hundreds of thousands in variation. And even the same role at the same level varies wildly depending on negotiated initial offer and performance bonuses/discretionary equity grants. Facebook in particular gave out $1M in DE to their top performing SDEs, even at lower pay grades.
Also, appsec tends to be distinct from IT security (who tend to be classified as IT/SRE/Ops or similar), and often outside of the CISO/CSO scope, but not always.
It’s about as difficult to answer that as it is to answer what the market rate is for SDEs. They vary wildly. Like hundreds of thousands in variation. And even the same role at the same level varies wildly depending on negotiated initial offer and performance bonuses/discretionary equity grants. Facebook in particular gave out $1M in DE to their top performing SDEs, even at lower pay grades.
Also, appsec tends to be distinct from IT security (who tend to be classified as IT/SRE/Ops or similar), and often outside of the CISO/CSO scope, but not always.