Inside IR35 Application Security Contract Jobs
Stay Updated on Contract Jobs
Never miss another opportunity with our email alerts.
Save your searches to be notified as soon as new jobs are added.
Systems Engineer (All Levels) – Integration, Verification & Validation
Posted 1 day ago by Leonardo UK Ltd
Leonardo is seeking Systems Engineers at various levels to support the ECRS Mk0 programme, focusing on Integration, Veri...
- Rate £75,000 per year
- Category Inside
- Work type Hybrid
- Location Scotland; Glasgow; Edinburgh; Aberdeen; Perth; Dundee; Paisley; Inverness; Falkirk; Fife; Stirling
Sort By
Saved Searches
No saved searches yet
Filters
IR35 Status
Working Arrangements
Industry
Sector
Posted By
Country
Seniority Level
Date Posted
Contract Rate
About Our Inside IR35 Application Security Contract Roles
What does a application security contractor do?
Application Security contractors are engaged to identify, assess, and help remediate security vulnerabilities within software applications across the development lifecycle. The work spans a range of activities including secure code review, penetration testing of web and mobile applications, threat modelling, security architecture review, and the integration of security practices into DevSecOps pipelines. Application Security contractors are brought in when organisations need specialist security expertise that their development teams do not hold, when a specific application requires a security assessment ahead of launch, or when a security remediation programme requires dedicated resource.
Technical skills in Application Security contracting are deep and specialised. Contractors need strong knowledge of the OWASP Top 10 and broader application vulnerability classes, hands-on experience with penetration testing tools such as Burp Suite, and the ability to conduct both manual and automated security assessments of web applications, APIs, and mobile applications. Experience reviewing code for security issues across languages such as Java, Python, JavaScript, or .NET is a common requirement. For DevSecOps-focused roles, knowledge of integrating security tooling into CI/CD pipelines using tools such as SonarQube, Snyk, or Checkmarx is increasingly required. Relevant certifications including OSCP, CEH, or GWAPT are well regarded and frequently listed as requirements.
What is the market like for application security contractors?
Application Security contracting is a high-demand specialist market, driven by the increasing pace of software delivery and the growing recognition that security must be embedded in development processes rather than applied retrospectively. The shift towards DevSecOps across technology organisations is creating sustained demand for contractors who can work within agile engineering teams as well as conducting standalone assessments. Financial services, fintech, and e-commerce organisations are among the most active buyers, though demand is growing across all sectors that handle sensitive data or operate regulated digital services. Supply of experienced Application Security contractors remains limited relative to demand, supporting strong rate levels.
What does Inside IR35 mean?
IR35 is UK tax legislation that determines whether a contractor is genuinely self-employed or working in a manner that resembles employment. When a contract is classified as inside IR35, income tax and National Insurance are deducted at source, typically via an umbrella company or agency PAYE. Headline day rates on inside IR35 engagements are generally higher than equivalent outside IR35 roles to account for the tax and employment cost structure.
Inside IR35 determinations are made where the working arrangements are considered to resemble employment, based on factors including the level of client control, the absence of a genuine right of substitution, and the presence of mutuality of obligation. Since April 2021, the end client is responsible for making this determination for medium and large private sector organisations. Many employers in financial services, government, and professional services assess the majority of their contractor engagements as inside IR35.
On QualityContracts.co.uk, approximately 49% of roles with a stated IR35 status are classified as inside IR35, making it the most common arrangement across the contract market. The proportion varies by sector and role type. Each listing on this page displays its IR35 status where provided by the hiring organisation.
What application security roles are usually Inside IR35?
Around 80% of application security contracts with a stated status are inside IR35. The shift toward embedding security within development teams, DevSecOps models, threat modelling as part of the SDLC, and ongoing code review, means most application security contractors operate as permanent members of engineering functions. Financial services and government, where application security is driven by regulatory requirements, are the largest sources. Rates are strong, reflecting the shortage of contractors who combine development skills with security expertise.
How much do application security contractors usually earn when working Inside IR35?
Contract rates for application security roles typically range from £550 to £950 per day, depending on the scope of the role, required expertise, and the delivery expectations of the engagement. Inside IR35 rates are typically 15% to 30% higher than equivalent outside IR35 roles to account for tax and national insurance deducted at source by the fee-payer.
How many Inside IR35 application security vacancies are there on Quality Contracts?
Over the past twelve months, we have tracked over 150 application security contract roles across the site. Around one third of the roles currently listed on the site fall Inside IR35. Data reviewed up to June 2026.