About Our Inside IR35 Threat Intelligence Contract Roles
What does a threat intelligence contractor do?
As a contract Threat Intelligence, you are hired to research, analyse, and operationalise intelligence about the threat actors, campaigns, and techniques that pose risks to an organisation's security, enabling the security team to be proactive in its defences rather than purely reactive to incidents. The work involves collecting and processing threat data from open source, commercial, and closed intelligence feeds, producing finished intelligence reports that contextualise threats for technical and executive audiences, supporting incident response teams with relevant threat context, mapping adversary behaviours to the MITRE ATT&CK framework, and integrating threat intelligence into security tooling including SIEM detection rules, threat hunting workflows, and vulnerability prioritisation processes.
Threat Intelligence contractors are expected to have deep knowledge of the threat landscape relevant to the client's industry and the analytical skills to derive actionable intelligence from large and diverse data sources. Experience using threat intelligence platforms such as Recorded Future, Mandiant Advantage, ThreatConnect, or MISP for managing intelligence collections and producing intelligence products is widely expected. Proficiency in applying MITRE ATT&CK to describe and detect adversary behaviour, and knowledge of the intelligence collection requirements and production processes that underpin a mature threat intelligence programme, is expected at senior level. The ability to research and profile specific threat actor groups, including tracking their tooling, infrastructure, and targeting patterns over time, is a key analytical skill. For roles focused on operational threat intelligence, experience integrating intelligence feeds into SIEM rules, vulnerability management prioritisation, and incident response playbooks is expected alongside the research and analytical capabilities.
What is the market like for threat intelligence contractors?
Threat Intelligence contracting is a specialist and high-value segment within the cybersecurity contractor market, driven by the growing recognition that proactive, intelligence-led security is more effective and commercially efficient than purely reactive incident response. Financial services, critical national infrastructure, defence, and large enterprise organisations are the most consistent buyers of Threat Intelligence contractor expertise, reflecting both the sophistication of the threats they face and their capacity to invest in intelligence-driven security capabilities. The supply of experienced Threat Intelligence analysts with the combination of research capability, analytical depth, and technical integration skills is limited relative to demand, supporting strong rates. Former government intelligence and signals intelligence professionals are a distinctive talent source within the Threat Intelligence contractor market.
What does Inside IR35 mean?
IR35 is UK tax legislation that determines whether a contractor is genuinely self-employed or working in a manner that resembles employment. When a contract is classified as inside IR35, income tax and National Insurance are deducted at source, typically via an umbrella company or agency PAYE. Headline day rates on inside IR35 engagements are generally higher than equivalent outside IR35 roles to account for the tax and employment cost structure.
Inside IR35 determinations are made where the working arrangements are considered to resemble employment, based on factors including the level of client control, the absence of a genuine right of substitution, and the presence of mutuality of obligation. Since April 2021, the end client is responsible for making this determination for medium and large private sector organisations. Many employers in financial services, government, and professional services assess the majority of their contractor engagements as inside IR35.
On QualityContracts.co.uk, approximately 49% of roles with a stated IR35 status are classified as inside IR35, making it the most common arrangement across the contract market. The proportion varies by sector and role type. Each listing on this page displays its IR35 status where provided by the hiring organisation.
What threat intelligence roles are usually Inside IR35?
Inside IR35 threat intelligence work is found in organisations with dedicated CTI functions. The contractor monitors threat feeds, produces intelligence reports, supports incident response with threat context, and briefs the security team on emerging threats. Financial services firms, government agencies, and large enterprises with mature security operations embed threat intelligence analysts in their security teams. CREST CRTIA certification and experience with threat intelligence platforms such as MISP or ThreatConnect are common requirements.
How much do threat intelligence contractors usually earn when working Inside IR35?
Contract rates for threat intelligence roles typically range from £500 to £900 per day, depending on the scope of the role, required expertise, and the delivery expectations of the engagement. Inside IR35 rates are typically 15% to 30% higher than equivalent outside IR35 roles to account for tax and national insurance deducted at source by the fee-payer.
How many Inside IR35 threat intelligence vacancies are there on Quality Contracts?
Over the past twelve months, we have tracked over 100 threat intelligence contract roles across the site. Around one third of the roles currently listed on the site fall Inside IR35. Data reviewed up to June 2026.