Outside IR35 Cloud Security Contract Jobs

Cloud Security contractors are engaged to protect the infrastructure, data, and workloads that organisations run across public cloud platforms including AWS, Azure, and GCP. The work spans a wide range of activities: assessing the security posture of existing cloud environments, designing and implementing security architectures for new cloud deployments, configuring identity and access management controls, implementing threat detection and monitoring capabilities, remediating misconfigurations, and ensuring cloud environments meet regulatory and compliance requirements. Cloud Security contractors are brought in when organisations are migrating to the cloud and need security designed in from the outset, when a security assessment has identified material gaps, or when a dedicated security capability is needed within a platform team.

The core competencies for Cloud Security contracting include are platform-specific and deep. Strong working knowledge of the shared responsibility model and the native security tooling on the relevant platform is expected as a baseline: for AWS this includes AWS Security Hub, GuardDuty, IAM, and AWS Config; for Azure it includes Microsoft Defender for Cloud, Sentinel, Entra ID, and Azure Policy. Experience with infrastructure-as-code security, including scanning Terraform or CloudFormation templates for misconfigurations using tools such as Checkov or tfsec, is increasingly expected. Familiarity with cloud security frameworks including CIS Benchmarks, the Cloud Security Alliance CCM, and regulatory requirements such as PCI DSS or ISO 27001 as they apply to cloud environments is widely valued. Certifications such as AWS Security Specialty, CCSP, or CISSP are well regarded and frequently listed as requirements at senior level.

Cloud Security contracting is one of the fastest-growing segments within the broader cybersecurity contractor market. Demand is being driven by the pace of cloud adoption across UK organisations, combined with the increasingly sophisticated threat landscape targeting cloud-hosted workloads. Regulatory pressure from the FCA, the ICO, and sector-specific bodies is also compelling organisations to invest in cloud security capability they do not hold permanently. Supply of experienced Cloud Security contractors who combine deep platform knowledge with genuine security expertise remains limited relative to demand, supporting rate levels at the top of the cybersecurity contracting market.

IR35 is UK tax legislation that determines whether a contractor is genuinely self-employed or working in a manner that resembles employment. When a contract is classified as outside IR35, the engagement is treated as a business-to-business arrangement. The contractor operates through their own limited company, invoices for services, and manages their own tax affairs including corporation tax, self-assessment, and VAT where applicable.

Outside IR35 engagements are assessed against three key factors: the degree of control the client exercises over how the work is delivered, whether the contractor has a genuine right to provide a substitute, and whether there is a mutuality of obligation between the parties. Contracts that demonstrate contractor autonomy, project-based delivery, and the absence of ongoing employment obligations are more likely to sit outside IR35. Since April 2021, responsibility for making this determination sits with the end client for medium and large private sector organisations.

On QualityContracts.co.uk, approximately 28% of roles with a stated IR35 status are classified as outside IR35. The proportion varies by sector and role type, with some disciplines seeing a significantly higher or lower share of outside IR35 opportunities. Each listing on this page displays its IR35 status where provided by the hiring organisation.

Outside IR35 cloud security contracts tend to involve specific assessment or implementation projects: evaluating an organisation's cloud security posture, designing a zero-trust architecture for a cloud migration, or implementing CSPM tooling across a multi-cloud estate. The defined, deliverable-led nature of these engagements works in favour of an outside IR35 determination. Security consultancies and organisations at critical points in their cloud journey, such as pre-migration or post-incident, commission this type of work.

Contract rates for cloud security roles typically range from £600 to £1000 per day, depending on the scope of the role, required expertise, and the delivery expectations of the engagement. Rates shown are for outside IR35 engagements and reflect the gross day rate paid to the contractor's limited company before any personal tax obligations.

Over the past twelve months, we have tracked over 150 cloud security contract roles across the site. Of the roles currently listed on our site, around one in four are Outside IR35. Data reviewed up to March 2026.