Outside IR35 Threat Intelligence Contract Jobs

As a contract Threat Intelligence, you are hired to research, analyse, and operationalise intelligence about the threat actors, campaigns, and techniques that pose risks to an organisation's security, enabling the security team to be proactive in its defences rather than purely reactive to incidents. The work involves collecting and processing threat data from open source, commercial, and closed intelligence feeds, producing finished intelligence reports that contextualise threats for technical and executive audiences, supporting incident response teams with relevant threat context, mapping adversary behaviours to the MITRE ATT&CK framework, and integrating threat intelligence into security tooling including SIEM detection rules, threat hunting workflows, and vulnerability prioritisation processes.

Threat Intelligence contractors are expected to have deep knowledge of the threat landscape relevant to the client's industry and the analytical skills to derive actionable intelligence from large and diverse data sources. Experience using threat intelligence platforms such as Recorded Future, Mandiant Advantage, ThreatConnect, or MISP for managing intelligence collections and producing intelligence products is widely expected. Proficiency in applying MITRE ATT&CK to describe and detect adversary behaviour, and knowledge of the intelligence collection requirements and production processes that underpin a mature threat intelligence programme, is expected at senior level. The ability to research and profile specific threat actor groups, including tracking their tooling, infrastructure, and targeting patterns over time, is a key analytical skill. For roles focused on operational threat intelligence, experience integrating intelligence feeds into SIEM rules, vulnerability management prioritisation, and incident response playbooks is expected alongside the research and analytical capabilities.

Threat Intelligence contracting is a specialist and high-value segment within the cybersecurity contractor market, driven by the growing recognition that proactive, intelligence-led security is more effective and commercially efficient than purely reactive incident response. Financial services, critical national infrastructure, defence, and large enterprise organisations are the most consistent buyers of Threat Intelligence contractor expertise, reflecting both the sophistication of the threats they face and their capacity to invest in intelligence-driven security capabilities. The supply of experienced Threat Intelligence analysts with the combination of research capability, analytical depth, and technical integration skills is limited relative to demand, supporting strong rates. Former government intelligence and signals intelligence professionals are a distinctive talent source within the Threat Intelligence contractor market.

IR35 is UK tax legislation that determines whether a contractor is genuinely self-employed or working in a manner that resembles employment. When a contract is classified as outside IR35, the engagement is treated as a business-to-business arrangement. The contractor operates through their own limited company, invoices for services, and manages their own tax affairs including corporation tax, self-assessment, and VAT where applicable.

Outside IR35 engagements are assessed against three key factors: the degree of control the client exercises over how the work is delivered, whether the contractor has a genuine right to provide a substitute, and whether there is a mutuality of obligation between the parties. Contracts that demonstrate contractor autonomy, project-based delivery, and the absence of ongoing employment obligations are more likely to sit outside IR35. Since April 2021, responsibility for making this determination sits with the end client for medium and large private sector organisations.

On QualityContracts.co.uk, approximately 28% of roles with a stated IR35 status are classified as outside IR35. The proportion varies by sector and role type, with some disciplines seeing a significantly higher or lower share of outside IR35 opportunities. Each listing on this page displays its IR35 status where provided by the hiring organisation.

Threat intelligence contracts can sit outside IR35 when structured around specific assessment or research projects: producing a threat landscape report, conducting a targeted threat assessment, or developing threat intelligence requirements for a new SIEM deployment. The analytical, research-driven nature of these engagements is consistent with outside IR35 status. Security consultancies and organisations responding to specific threat scenarios commission this type of work.

Contract rates for threat intelligence roles typically range from £500 to £900 per day, depending on the scope of the role, required expertise, and the delivery expectations of the engagement. Rates shown are for outside IR35 engagements and reflect the gross day rate paid to the contractor's limited company before any personal tax obligations.

Over the past twelve months, we have tracked over 100 threat intelligence contract roles across the site. Of the roles currently listed on our site, around one in four are Outside IR35. Data reviewed up to March 2026.