Outside IR35 Application Security Contract Jobs
Cyber Security Architect - Data Engineering, Analytics & AI - Telecoms
Posted 1 day ago by MWEK Solutions DMCC
The Cyber Security Architect will lead the design and governance of security architectures for enterprise-level Data Eng...
- Rate £375 per day
- Category Outside
- Work type Undetermined
- Location Reading, UK
Stay Updated on Contract Jobs
Never miss another opportunity with our email alerts.
Save your searches to be notified as soon as new jobs are added.
SC Cleared CIS Engineer/Infrastructure Engineer
Posted 1 day ago by Conventus Recruitment
The role is for an experienced CIS Engineer/Infrastructure Engineer to support a Defence technology programme. The posit...
- Rate Negotiable
- Category Outside
- Work type Hybrid
- Location Blandford Forum, Dorset, UK
Senior Combined ADHD Assessor & Prescriber for Children - Redruth, Cornwall
Posted 1 day ago by Paloma Health
The role of Senior Combined ADHD Assessor & Prescriber for Children at Paloma involves delivering high-quality ADHD neur...
- Rate £67,000 per year
- Category Outside
- Work type Remote
- Location Redruth, Cornwall
Create a free account to access remote working contract opportunities outside the UK
Sign UpSort By
Saved Searches
No saved searches yet
Filters
IR35 Status
Working Arrangements
Industry
Sector
Posted By
Country
Seniority Level
Date Posted
Contract Rate
About Our Outside IR35 Application Security Contract Roles
What does a application security contractor do?
Application Security contractors are engaged to identify, assess, and help remediate security vulnerabilities within software applications across the development lifecycle. The work spans a range of activities including secure code review, penetration testing of web and mobile applications, threat modelling, security architecture review, and the integration of security practices into DevSecOps pipelines. Application Security contractors are brought in when organisations need specialist security expertise that their development teams do not hold, when a specific application requires a security assessment ahead of launch, or when a security remediation programme requires dedicated resource.
Technical skills in Application Security contracting are deep and specialised. Contractors need strong knowledge of the OWASP Top 10 and broader application vulnerability classes, hands-on experience with penetration testing tools such as Burp Suite, and the ability to conduct both manual and automated security assessments of web applications, APIs, and mobile applications. Experience reviewing code for security issues across languages such as Java, Python, JavaScript, or .NET is a common requirement. For DevSecOps-focused roles, knowledge of integrating security tooling into CI/CD pipelines using tools such as SonarQube, Snyk, or Checkmarx is increasingly required. Relevant certifications including OSCP, CEH, or GWAPT are well regarded and frequently listed as requirements.
What is the market like for application security contractors?
Application Security contracting is a high-demand specialist market, driven by the increasing pace of software delivery and the growing recognition that security must be embedded in development processes rather than applied retrospectively. The shift towards DevSecOps across technology organisations is creating sustained demand for contractors who can work within agile engineering teams as well as conducting standalone assessments. Financial services, fintech, and e-commerce organisations are among the most active buyers, though demand is growing across all sectors that handle sensitive data or operate regulated digital services. Supply of experienced Application Security contractors remains limited relative to demand, supporting strong rate levels.
What does Outside IR35 mean?
IR35 is UK tax legislation that determines whether a contractor is genuinely self-employed or working in a manner that resembles employment. When a contract is classified as outside IR35, the engagement is treated as a business-to-business arrangement. The contractor operates through their own limited company, invoices for services, and manages their own tax affairs including corporation tax, self-assessment, and VAT where applicable.
Outside IR35 engagements are assessed against three key factors: the degree of control the client exercises over how the work is delivered, whether the contractor has a genuine right to provide a substitute, and whether there is a mutuality of obligation between the parties. Contracts that demonstrate contractor autonomy, project-based delivery, and the absence of ongoing employment obligations are more likely to sit outside IR35. Since April 2021, responsibility for making this determination sits with the end client for medium and large private sector organisations.
On QualityContracts.co.uk, approximately 28% of roles with a stated IR35 status are classified as outside IR35. The proportion varies by sector and role type, with some disciplines seeing a significantly higher or lower share of outside IR35 opportunities. Each listing on this page displays its IR35 status where provided by the hiring organisation.
What application security roles are usually Outside IR35?
Around 20% of application security contracts with a stated IR35 status sit outside. Penetration testing, security code review, and vulnerability assessment engagements with defined scope and deliverables are the most likely to carry outside IR35 status. Specialist security consultancies and organisations commissioning periodic security assessments offer the clearest outside IR35 route. Contractors offering CREST or CHECK-accredited testing services are particularly well positioned for project-based outside IR35 application security work.
How much do application security contractors usually earn when working Outside IR35?
Contract rates for application security roles typically range from £550 to £950 per day, depending on the scope of the role, required expertise, and the delivery expectations of the engagement. Rates shown are for outside IR35 engagements and reflect the gross day rate paid to the contractor's limited company before any personal tax obligations.
How many Outside IR35 application security vacancies are there on Quality Contracts?
Over the past twelve months, we have tracked over 150 application security contract roles across the site. Of the roles currently listed on our site, around one in four are Outside IR35. Data reviewed up to June 2026.