The $600,000 Dallas County settlement confirms what every pentester already feared β even authorized security work can land you in handcuffs.
The news that Dallas County, Iowa has agreed to a $600,000 settlement with two penetration testers who were arrested in 2019 β despite being contracted and authorized to assess courthouse security β should be a wake-up call for our entire industry.
Gary DeMercurio and Justin Wynn, employees of Colorado-based Coalfire Labs, were conducting a red-team security assessment of the Dallas County Courthouse as part of a statewide engagement with the Iowa Judicial Branch. They had a signed contract specifying rules of engagement. They had a formal authorization letter β what we in the business call a βget out of jail free card.β They had done everything right. And they still spent 20 hours in a jail cell, faced felony burglary charges, and endured nearly seven years of legal battles that upended their careers, their reputations, and their lives.
The settlement, reached on January 23, 2026 β just five days before a trial was set to begin β closes what became the cybersecurity industryβs most notorious cautionary tale about the risks of physical penetration testing. But it doesnβt close the conversation. If anything, it raises the stakes.
What Happened That Night
On September 11, 2019, DeMercurio and Wynn arrived at the Dallas County Courthouse in Adel, Iowa, shortly after midnight. This was not their first rodeo β they had already successfully tested two other Iowa courthouses without incident in the days prior. The Iowa Judicial Branch had contracted Coalfire to evaluate both cyber and physical security across the stateβs court system. The contract explicitly authorized physical attacks including lockpicking, tailgating, impersonating staff, and accessing restricted areas.
When the pair arrived, they found a side door to the courthouse propped open. Rather than simply walking in through an unsecured door, they closed it to activate the lock, then used a makeshift tool β a plastic cutting board with a custom notch β to slip through the crack and trip the latch. The technique demonstrated a real-world vulnerability. Once inside, they intentionally triggered the alarm to test law enforcement response times and procedures.
Deputies from the Adel Police Department and Dallas County Sheriffβs Office responded within minutes. DeMercurio and Wynn did exactly what protocol dictates: they exited the facility, identified themselves, presented their authorization letter, and waited calmly while officers verified their credentials. Body camera footage from that night shows the interaction was professional and even friendly. Deputies called the contacts listed on the authorization letter, confirmed the engagement was legitimate, and told the pentesters they were satisfied. DeMercurio and Wynn spent the next 10 to 20 minutes swapping what their attorney later described as βwar storiesβ with curious deputies who had questions about the work.
Then Dallas County Sheriff Chad Leonard arrived.
According to court records, when Leonard showed up, one deputy on scene said, βThis ought to be good,β and then reportedly stated, βI better shut my video tape off,β before turning off his body camera. Leonard, reportedly βpissed offβ that a state entity had authorized activity in what he considered his jurisdiction, refused to recognize the Iowa Judicial Branchβs authority. He ordered his deputies to arrest both men on the spot.
DeMercurio and Wynn were booked into the Dallas County Jail on charges of felony third-degree burglary and possession of burglary tools. They were held for nearly 20 hours before being released on a combined $100,000 bail.
The Fallout
What should have been resolved with a phone call turned into a years-long ordeal that exposed deep fractures in how physical security testing is understood by law enforcement, local government, and even the entities that commission it.
In the weeks following the arrest, Sheriff Leonard made repeated public statements alleging the men had acted illegally, telling reporters they were βcrouched down like turkeys peeking over the balconyβ when deputies responded. The charges were eventually reduced from felony burglary to misdemeanor trespassing, but even that was too much for an engagement that had been contractually authorized.
Perhaps most damaging, state officials who had ordered the test began distancing themselves from their own contractors. DeMercurio later recalled that βthe people working for this state entity were so worried about their jobs that they were willing to delete a contract, and say that they had never met us in their lives, even though all the evidence pointed to the contrary.β The Iowa Judicial Branch publicly stated they hadnβt intended to authorize physical break-ins or after-hours entry β claims that directly contradicted the written contract.
State lawmakers held hearings questioning how the Judicial Branch could have βcontracted with a company to commit crimes.β Iowa Supreme Court Chief Justice Mark Cady issued a public apology, saying the incident had diminished βpublic trust and confidence in the court system.β The political fallout was severe β and it was all directed at the wrong people.
The criminal charges were finally dismissed in early 2020, following a state legislative hearing that forced Dallas Countyβs hand. But by then, the damage was done. DeMercurio and Wynnβs mugshots had circulated nationally. As Wynn put it: βPeople see somebody in a mugshot and, despite the great lighting in jail, immediately assume that youβre a criminal. That has definitely lasted with us in our personal lives, professional opportunities, promotions, job ops.β
DeMercurio found that his arrest record made him essentially unemployable in the field heβd spent his career building. βNobody will hire me anymore because of my arrest record,β he said. βSo I had to start my own company.β That company is Kaiju Security, where Wynn now serves as president β a firm born not out of ambition but out of necessity.
The Civil Case
In 2021, DeMercurio and Wynn filed a civil lawsuit against Dallas County and Sheriff Leonard alleging false arrest, abuse of process, defamation, intentional infliction of emotional distress, and malicious prosecution. The case bounced between state and federal courts for years β from Dallas County District Court to Polk County District Court to the U.S. District Court for the Southern District of Iowa.
Dallas Countyβs defense rested on the argument that the Iowa State Court Administrator had no βauthority to grant permission to enter a county-owned courthouse,β and therefore the arrest was justified. It was a jurisdictional technicality that ignored the fundamental reality: two professionals with signed contracts and verified authorization letters had been arrested, jailed, and publicly smeared for doing exactly what they were hired to do.
The settlement came on January 23, 2026, just days before jury selection. Dallas County did not admit liability. The $600,000 payout comes from the county β meaning taxpayers foot the bill for a sheriffβs ego-driven decision.
βI think itβs bittersweet,β DeMercurio told Dark Reading. βIt feels nice to be somewhat vindicated, but it doesnβt by any means make us whole. The amount of money thatβs been lost to us in our careers, in the last six years, far exceeds that number.β
A Threat, Not a Lesson
Hereβs where it gets worse. Following the settlement, Dallas County Attorney Matt Schultz issued a public statement that should alarm every security professional in the country:
βI want to be clear that the decision to dismiss the criminal charges that resulted in this civil case against Dallas County was made by a previous County Attorney. I am putting the public on notice that if this situation arises again in the future, I will prosecute to the fullest extent of the law.β
Let that sink in. A county that just paid $600,000 to settle claims of wrongful arrest is now publicly threatening to do the same thing again. This isnβt accountability. This isnβt reform. Itβs defiance.
The Iowa Supreme Court has since prohibited break-in-style physical security testing at its facilities β a decision that doesnβt reduce risk but rather ensures that vulnerabilities will go undiscovered until a real adversary exploits them. As Wynn noted, this policy βleaves them completely hamstrung, and hackers across the nation said, you know, we donβt want to work with Iowa.β
Why This Matters to Every Security Professional
Iβve spent over 15 years in this industry and completed more than 400 security assessments. Iβve been in buildings I was authorized to be in, doing work I was contracted to do, carrying paperwork that should have protected me. Every physical pentester knows the feeling β that moment when an alarm trips or a guard rounds the corner, and you reach for your authorization letter hoping the person on the other end of that interaction understands what penetration testing is and why it matters.
The Coalfire case exposed several systemic failures that remain largely unresolved:
The authorization gap. The Iowa Judicial Branch hired Coalfire but never notified local law enforcement. This is a communication breakdown, not a criminal act. Yet the consequences fell entirely on the testers, not on the officials who failed to coordinate.
Jurisdictional confusion. County-owned buildings, state-authorized testing. Nobody sorted out who had authority to authorize what. This is a common scenario across government contracting, and the industry still lacks standardized protocols for resolving these conflicts.
No industry standard for physical pentesting contracts. As multiple analysts have noted since this case, there is no universal standard for how physical red team engagements should be scoped, authorized, and communicated. Every firm does it differently. Every client handles notifications differently. And when something goes wrong, itβs always the testers who bear the risk.
Law enforcement illiteracy about security testing. When deputies on scene verified the authorization and were prepared to let the testers go, that was the system working. When the sheriff overrode their judgment and ordered arrests, that was ego overriding protocol. Until law enforcement receives training on what authorized security testing looks like, incidents like this will continue.
Reputational damage that outlasts legal resolution. Charges were dismissed in 2020. The civil case wasnβt settled until 2026. Thatβs nearly seven years during which DeMercurio and Wynn carried felony arrest records, had their mugshots circulating online, and faced professional stigma for doing their jobs. A settlement doesnβt erase Google results.
Lessons for the Industry
The Coalfire case changed how many firms approach physical security testing, but standards remain inconsistent. If youβre a pentester conducting physical assessments, or a CISO contracting for them, there are critical takeaways:
Multi-level notification is non-negotiable. Authorization from a hiring entity is necessary but not sufficient. Every law enforcement agency, security team, and administrative authority with jurisdiction over a target facility must be notified β in writing, with documented acknowledgment.
Know your jurisdictional landscape. Especially in government engagements, ownership and authority often donβt align. A state agency may commission the test, but the county owns the building, and the city police respond to alarms. Map every stakeholder before the first night of testing.
Record everything. Body camera footage from the responding deputies was one of the strongest pieces of evidence supporting DeMercurio and Wynnβs case. Pentesters should consider their own documentation β timestamped photos, recorded communications, GPS logs β as both operational records and legal insurance.
Escalation procedures must be written into the contract. What happens when local law enforcement doesnβt recognize the authorization? Who do they call? Whatβs the after-hours emergency contact? These arenβt afterthoughts β theyβre the difference between a brief delay and a felony arrest.
Assess the political environment. This case had political dimensions from the start β a sheriff protecting his turf, state officials covering their decisions, and lawmakers looking for someone to blame. If youβre testing in environments where political dynamics could complicate the engagement, factor that into your risk assessment.
The Bigger Picture
This isnβt just about two pentesters in Iowa. Itβs about whether our industry can perform the work that organizations and governments need without fear of criminal prosecution.
Security testing exists because real adversaries donβt announce themselves. They donβt schedule appointments. They donβt test locks during business hours. Physical penetration testing that only operates within comfortable boundaries isnβt testing β itβs theater.
The $600,000 settlement confirms what DeMercurio and Wynn have said from the beginning: their work was authorized, professional, and done in the public interest. But it sets no legal precedent. The case settled before trial, leaving no court ruling to guide future situations. Sheriff Leonard faced no personal accountability. And the current county attorney has explicitly promised to do it all over again.
As DeMercurio said: βWhat happened to us never should have happened. Being arrested for doing the job we were hired to do turned our lives upside down and damaged reputations we spent years building.β
As Wynn put it: βThis incident didnβt make anyone safer. It sent a chilling message to security professionals nationwide that helping government identify real vulnerabilities can lead to arrest, prosecution, and public disgrace. That undermines public safety, not enhances it.β
Theyβre both right. And until the gap between security testing authorization and law enforcement understanding is closed β through standardized protocols, legal frameworks, and mandatory training β every physical pentester in this country is one uninformed sheriff away from spending a night in jail for doing their job.
DeMercurio and Wynn have extended an offer to the state of Iowa to help reform its policies around security testing. Whether Iowa takes them up on it will say a lot about whether the state learned anything from a seven-year, $600,000 lesson.
The rest of us should be watching β and preparing.
