About Our Outside IR35 DevSecOps Contract Roles
What does a devsecops contractor do?
DevSecOps contractors embed security practices into the software development and deployment pipeline rather than treating security as a separate, after-the-fact activity. The role bridges three disciplines: development, security, and operations. In practice, this means building automated security scanning into CI/CD pipelines, implementing infrastructure-as-code with security controls baked in, configuring container security policies, managing secrets and key vaults, conducting threat modelling on application architectures, and remediating vulnerabilities identified by SAST and DAST tools. Organisations hire DevSecOps contractors when they want to shift security left in their development lifecycle without slowing down delivery velocity. The role requires a genuine understanding of software engineering practices alongside security expertise, which is a relatively rare combination in the contractor market.
What is the market like for devsecops contractors?
DevSecOps contracting has grown rapidly in the UK as organisations recognise that bolting security onto the end of a development process creates bottlenecks and risk. Regulatory pressure in financial services and government has accelerated adoption, with both sectors now expecting security to be integrated into delivery pipelines rather than handled by a separate team after deployment. The market is supply-constrained: there are more DevSecOps roles than there are contractors with the right blend of development, infrastructure, and security skills. This scarcity keeps rates firm and gives experienced DevSecOps contractors significant choice over which engagements they take. The role is still relatively new as a distinct discipline, which means job titles and expectations vary. Some clients use DevSecOps to mean a DevOps engineer who runs security scans; others expect a security architect who can write pipeline code. Clarifying scope before accepting an engagement is important.
What does Outside IR35 mean?
IR35 is UK tax legislation that determines whether a contractor is genuinely self-employed or working in a manner that resembles employment. When a contract is classified as outside IR35, the engagement is treated as a business-to-business arrangement. The contractor operates through their own limited company, invoices for services, and manages their own tax affairs including corporation tax, self-assessment, and VAT where applicable.
Outside IR35 engagements are assessed against three key factors: the degree of control the client exercises over how the work is delivered, whether the contractor has a genuine right to provide a substitute, and whether there is a mutuality of obligation between the parties. Contracts that demonstrate contractor autonomy, project-based delivery, and the absence of ongoing employment obligations are more likely to sit outside IR35. Since April 2021, responsibility for making this determination sits with the end client for medium and large private sector organisations.
On QualityContracts.co.uk, approximately 28% of roles with a stated IR35 status are classified as outside IR35. The proportion varies by sector and role type, with some disciplines seeing a significantly higher or lower share of outside IR35 opportunities. Each listing on this page displays its IR35 status where provided by the hiring organisation.
What devsecops roles are usually Outside IR35?
DevSecOps contracts can sit outside IR35 when structured around implementing specific security capabilities within a development pipeline. Delivering an automated security scanning framework, building a secrets management solution, or hardening a container orchestration platform are all engagements with clear deliverables. The relatively specialist nature of the work means the contractor is often the only person in the organisation with this skill set, which naturally creates autonomy over how the work is delivered. Technology companies and scale-ups are more likely to offer outside IR35 DevSecOps work than banks or government departments.
How much do devsecops contractors usually earn when working Outside IR35?
Contract rates for devsecops roles typically range from £550 to £850 per day, depending on the scope of the role, required expertise, and the delivery expectations of the engagement. Rates shown are for outside IR35 engagements and reflect the gross day rate paid to the contractor's limited company before any personal tax obligations.
How many Outside IR35 devsecops vacancies are there on Quality Contracts?
Over the past twelve months, we have tracked over 150 devsecops contract roles across the site. Of the roles currently listed on our site, around one in four are Outside IR35. Data reviewed up to June 2026.