Dallas County Pays $600K for Arresting Pentesters

Dallas County, Iowa settled a lawsuit last week for $600,000 with two penetration testers who were arrested and jailed in 2019 while conducting an authorized courthouse security assessment. Justin Wynn and Gary DeMercurio, employees of cybersecurity firm Coalfire, spent nearly 24 hours behind bars and faced felony burglary charges—despite carrying written authorization from the Iowa Judicial Branch. The settlement, reached January 23, 2026, closes a 7-year legal saga that became the security industry’s most notorious cautionary tale about the risks of physical penetration testing.

When Authorization Isn’t Enough

On September 11, 2019, Wynn and DeMercurio arrived at the Dallas County Courthouse shortly after midnight to test its physical security. They found an unlocked door, entered the building, and intentionally triggered the alarm—exactly as their contract specified. When sheriff’s deputies responded, the pentesters presented their authorization letter and contact information for the Iowa State Court Administration.

The deputies reviewed the documentation, made verification calls, and told the pentesters they were free to leave. However, Sheriff Chad Leonard arrived and overruled his own deputies, ordering both men arrested. They were charged with third-degree felony burglary and possession of burglary tools, held on $100,000 bail each, and spent the night in jail.

The authorization breakdown was systemic. The Iowa Judicial Branch had contracted Coalfire to assess courthouse security statewide, but the State Court Administration failed to properly notify local law enforcement in each county. Wynn and DeMercurio had already successfully tested two other Iowa courthouses without incident. At Dallas County, proper coordination never happened—and the “get out of jail free” letter failed to get them out of jail.

Seven Years to Vindication

The charges were eventually reduced to misdemeanor trespassing, but it took a state legislative hearing in January 2020 to force Dallas County officials to drop them entirely. By then, the damage was done: both pentesters had felony arrest records, had faced national media scrutiny, and had endured months of legal uncertainty.

Wynn and DeMercurio filed a civil lawsuit against Dallas County and Sheriff Leonard in 2020. The case bounced between federal and state courts for six years before finally heading to trial. Days before jury selection was set to begin on January 26, 2026, the county settled for $600,000. The pentesters describe it as “bittersweet closure”: vindication after seven years, but at a steep personal cost.

How One Arrest Changed an Industry

The Coalfire incident fundamentally changed how physical penetration testing is conducted. Security firms now insist on explicit law enforcement notification, multi-level authorization documentation, and legal counsel review before accepting physical security work. In fact, TrustedSec released public legal templates specifically to help firms avoid the Coalfire scenario.

Best practices that emerged include requiring 24/7 client contact information (tested before engagement begins), getting authorization from executives with actual legal authority rather than just IT managers, and insisting on written confirmation that local law enforcement has been notified. Furthermore, some firms now refuse physical security assessments for government facilities unless police departments provide explicit written acknowledgment.

Yet standardization remains elusive. “There’s no standard in the industry,” one security analysis noted. “When it comes to these sorts of issues in red teaming—the legal challenges and the contracts—there’s really nothing out there.” Seven years after Coalfire, pentesters are still navigating a legal gray area where proper authorization doesn’t guarantee protection from arrest.

What $600,000 Doesn’t Fix

The settlement validates that Dallas County’s actions were inappropriate and that proper authorization should have been honored. However, it doesn’t establish legal precedent—the case settled before trial, leaving no court ruling to guide future situations. Sheriff Leonard faced no accountability. And for Wynn and DeMercurio, seven years of legal battles, stress, and career disruption can’t be fully compensated by a payout, however large.

The Hacker News community had mixed reactions. Some celebrated the vindication: “glad there was at least a somewhat positive outcome.” Others questioned adequacy: “$600k for 6 years of legal battle and facing felony charges? no bueno.” The debate reflects an uncomfortable truth—even when pentesters do everything right, the legal risk remains real.

Wynn and DeMercurio started their own physical penetration testing firm after the incident and became industry figures, speaking about proper authorization protocols. Nevertheless, their experience serves as a warning: physical security assessments carry risks that documentation alone can’t eliminate. When coordination fails between agencies, even the most thorough authorization may not protect security professionals from arrest, prosecution, and years of legal consequences.

ByteBot