A Chilling Precedent for Cybersecurity Professionals: The Coalfire Settlement and What It Means for Penetration Testers

The $600,000 Dallas County settlement confirms what every pentester already feared — even authorized security work can land you in handcuffs.

The news that Dallas County, Iowa has agreed to a $600,000 settlement with two penetration testers who were arrested in 2019 — despite being contracted and authorized to assess courthouse security — should be a wake-up call for our entire industry.

Gary DeMercurio and Justin Wynn, employees of Colorado-based Coalfire Labs, were conducting a red-team security assessment of the Dallas County Courthouse as part of a statewide engagement with the Iowa Judicial Branch. They had a signed contract specifying rules of engagement. They had a formal authorization letter — what we in the business call a "get out of jail free card." They had done everything right. And they still spent 20 hours in a jail cell, faced felony burglary charges, and endured nearly seven years of legal battles that upended their careers, their reputations, and their lives.

The settlement, reached on January 23, 2026 — just five days before a trial was set to begin — closes what became the cybersecurity industry's most notorious cautionary tale about the risks of physical penetration testing. But it doesn't close the conversation. If anything, it raises the stakes.

What Happened That Night

On September 11, 2019, DeMercurio and Wynn arrived at the Dallas County Courthouse in Adel, Iowa, shortly after midnight. This was not their first rodeo — they had already successfully tested two other Iowa courthouses without incident in the days prior. The Iowa Judicial Branch had contracted Coalfire to evaluate both cyber and physical security across the state's court system. The contract explicitly authorized physical attacks including lockpicking, tailgating, impersonating staff, and accessing restricted areas.

When the pair arrived, they found a side door to the courthouse propped open. Rather than simply walking in through an unsecured door, they closed it to activate the lock, then used a makeshift tool — a plastic cutting board with a custom notch — to slip through the crack and trip the latch. The technique demonstrated a real-world vulnerability. Once inside, they intentionally triggered the alarm to test law enforcement response times and procedures.

Deputies from the Adel Police Department and Dallas County Sheriff's Office responded within minutes. DeMercurio and Wynn did exactly what protocol dictates: they exited the facility, identified themselves, presented their authorization letter, and waited calmly while officers verified their credentials. Body camera footage from that night shows the interaction was professional and even friendly. Deputies called the contacts listed on the authorization letter, confirmed the engagement was legitimate, and told the pentesters they were satisfied. DeMercurio and Wynn spent the next 10 to 20 minutes swapping what their attorney later described as "war stories" with curious deputies who had questions about the work.

Then Dallas County Sheriff Chad Leonard arrived.

According to court records, when Leonard showed up, one deputy on scene said, "This ought to be good," and then reportedly stated, "I better shut my video tape off," before turning off his body camera. Leonard, reportedly "pissed off" that a state entity had authorized activity in what he considered his jurisdiction, refused to recognize the Iowa Judicial Branch's authority. He ordered his deputies to arrest both men on the spot.

DeMercurio and Wynn were booked into the Dallas County Jail on charges of felony third-degree burglary and possession of burglary tools. They were held for nearly 20 hours before being released on a combined $100,000 bail.

The Fallout

What should have been resolved with a phone call turned into a years-long ordeal that exposed deep fractures in how physical security testing is understood by law enforcement, local government, and even the entities that commission it.

In the weeks following the arrest, Sheriff Leonard made repeated public statements alleging the men had acted illegally, telling reporters they were "crouched down like turkeys peeking over the balcony" when deputies responded. The charges were eventually reduced from felony burglary to misdemeanor trespassing, but even that was too much for an engagement that had been contractually authorized.

Perhaps most damaging, state officials who had ordered the test began distancing themselves from their own contractors. DeMercurio later recalled that "the people working for this state entity were so worried about their jobs that they were willing to delete a contract, and say that they had never met us in their lives, even though all the evidence pointed to the contrary." The Iowa Judicial Branch publicly stated they hadn't intended to authorize physical break-ins or after-hours entry — claims that directly contradicted the written contract.

State lawmakers held hearings questioning how the Judicial Branch could have "contracted with a company to commit crimes." Iowa Supreme Court Chief Justice Mark Cady issued a public apology, saying the incident had diminished "public trust and confidence in the court system." The political fallout was severe — and it was all directed at the wrong people.

The criminal charges were finally dismissed in early 2020, following a state legislative hearing that forced Dallas County's hand. But by then, the damage was done. DeMercurio and Wynn's mugshots had circulated nationally. As Wynn put it: "People see somebody in a mugshot and, despite the great lighting in jail, immediately assume that you're a criminal. That has definitely lasted with us in our personal lives, professional opportunities, promotions, job ops."

DeMercurio found that his arrest record made him essentially unemployable in the field he'd spent his career building. "Nobody will hire me anymore because of my arrest record," he said. "So I had to start my own company." That company is Kaiju Security, where Wynn now serves as president — a firm born not out of ambition but out of necessity.

The Civil Case

In 2021, DeMercurio and Wynn filed a civil lawsuit against Dallas County and Sheriff Leonard alleging false arrest, abuse of process, defamation, intentional infliction of emotional distress, and malicious prosecution. The case bounced between state and federal courts for years — from Dallas County District Court to Polk County District Court to the U.S. District Court for the Southern District of Iowa.

Dallas County's defense rested on the argument that the Iowa State Court Administrator had no "authority to grant permission to enter a county-owned courthouse," and therefore the arrest was justified. It was a jurisdictional technicality that ignored the fundamental reality: two professionals with signed contracts and verified authorization letters had been arrested, jailed, and publicly smeared for doing exactly what they were hired to do.

The settlement came on January 23, 2026, just days before jury selection. Dallas County did not admit liability. The $600,000 payout comes from the county — meaning taxpayers foot the bill for a sheriff's ego-driven decision.

"I think it's bittersweet," DeMercurio told Dark Reading. "It feels nice to be somewhat vindicated, but it doesn't by any means make us whole. The amount of money that's been lost to us in our careers, in the last six years, far exceeds that number."

A Threat, Not a Lesson

Here's where it gets worse. Following the settlement, Dallas County Attorney Matt Schultz issued a public statement that should alarm every security professional in the country:

"I want to be clear that the decision to dismiss the criminal charges that resulted in this civil case against Dallas County was made by a previous County Attorney. I am putting the public on notice that if this situation arises again in the future, I will prosecute to the fullest extent of the law."

Let that sink in. A county that just paid $600,000 to settle claims of wrongful arrest is now publicly threatening to do the same thing again. This isn't accountability. This isn't reform. It's defiance.

The Iowa Supreme Court has since prohibited break-in-style physical security testing at its facilities — a decision that doesn't reduce risk but rather ensures that vulnerabilities will go undiscovered until a real adversary exploits them. As Wynn noted, this policy "leaves them completely hamstrung, and hackers across the nation said, you know, we don't want to work with Iowa."

Why This Matters to Every Security Professional

I've spent over 15 years in this industry and completed more than 400 security assessments. I've been in buildings I was authorized to be in, doing work I was contracted to do, carrying paperwork that should have protected me. Every physical pentester knows the feeling — that moment when an alarm trips or a guard rounds the corner, and you reach for your authorization letter hoping the person on the other end of that interaction understands what penetration testing is and why it matters.

The Coalfire case exposed several systemic failures that remain largely unresolved:

The authorization gap. The Iowa Judicial Branch hired Coalfire but never notified local law enforcement. This is a communication breakdown, not a criminal act. Yet the consequences fell entirely on the testers, not on the officials who failed to coordinate.

Jurisdictional confusion. County-owned buildings, state-authorized testing. Nobody sorted out who had authority to authorize what. This is a common scenario across government contracting, and the industry still lacks standardized protocols for resolving these conflicts.

No industry standard for physical pentesting contracts. As multiple analysts have noted since this case, there is no universal standard for how physical red team engagements should be scoped, authorized, and communicated. Every firm does it differently. Every client handles notifications differently. And when something goes wrong, it's always the testers who bear the risk.

Law enforcement illiteracy about security testing. When deputies on scene verified the authorization and were prepared to let the testers go, that was the system working. When the sheriff overrode their judgment and ordered arrests, that was ego overriding protocol. Until law enforcement receives training on what authorized security testing looks like, incidents like this will continue.

Reputational damage that outlasts legal resolution. Charges were dismissed in 2020. The civil case wasn't settled until 2026. That's nearly seven years during which DeMercurio and Wynn carried felony arrest records, had their mugshots circulating online, and faced professional stigma for doing their jobs. A settlement doesn't erase Google results.

Lessons for the Industry

The Coalfire case changed how many firms approach physical security testing, but standards remain inconsistent. If you're a pentester conducting physical assessments, or a CISO contracting for them, there are critical takeaways:

Multi-level notification is non-negotiable. Authorization from a hiring entity is necessary but not sufficient. Every law enforcement agency, security team, and administrative authority with jurisdiction over a target facility must be notified — in writing, with documented acknowledgment.

Know your jurisdictional landscape. Especially in government engagements, ownership and authority often don't align. A state agency may commission the test, but the county owns the building, and the city police respond to alarms. Map every stakeholder before the first night of testing.

Record everything. Body camera footage from the responding deputies was one of the strongest pieces of evidence supporting DeMercurio and Wynn's case. Pentesters should consider their own documentation — timestamped photos, recorded communications, GPS logs — as both operational records and legal insurance.

Escalation procedures must be written into the contract. What happens when local law enforcement doesn't recognize the authorization? Who do they call? What's the after-hours emergency contact? These aren't afterthoughts — they're the difference between a brief delay and a felony arrest.

Assess the political environment. This case had political dimensions from the start — a sheriff protecting his turf, state officials covering their decisions, and lawmakers looking for someone to blame. If you're testing in environments where political dynamics could complicate the engagement, factor that into your risk assessment.
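The notification, jurisdiction and escalation takeaways above can be turned into a concrete pre-engagement gate. The following is an added example, not code from the article, from Coalfire or from Kaiju Security: a small Python clearance check that, for each target facility, requires a commissioning entity, a building owner and every responding law enforcement agency to be identified, notified in writing, and acknowledged in writing, with an after-hours contact on file for each responding agency. Every name, role and contact value in the sample data is a constructed placeholder, and the scenario mirrors the article's state-commissioned, county-owned courthouse where only the commissioning agency has signed off.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Optional

# Roles that must each be represented by at least one identified authority
# per facility. Authorization from the commissioning entity alone is not
# enough; the owner and whoever answers the alarm must be on the list too.
REQUIRED_ROLES = ("commissioning", "owner", "responding_le")


@dataclass
class Authority:
    name: str
    role: str                            # one of REQUIRED_ROLES or "security_team"
    notified: bool = False               # written notice was sent
    acknowledged: bool = False           # written acknowledgment was received back
    after_hours_contact: Optional[str] = None


@dataclass
class Facility:
    name: str
    authorities: List[Authority] = field(default_factory=list)


@dataclass
class Engagement:
    client: str
    rules_of_engagement_signed: bool
    facilities: List[Facility] = field(default_factory=list)


def clearance_gaps(engagement: Engagement) -> List[str]:
    """Return every reason the engagement is not yet cleared to start testing."""
    gaps: List[str] = []
    if not engagement.rules_of_engagement_signed:
        gaps.append(f"{engagement.client}: rules of engagement not signed")
    for facility in engagement.facilities:
        present_roles = {a.role for a in facility.authorities}
        for role in REQUIRED_ROLES:
            if role not in present_roles:
                gaps.append(f"{facility.name}: no {role} authority identified")
        for a in facility.authorities:
            if not a.notified:
                gaps.append(f"{facility.name}: {a.name} ({a.role}) not notified")
            elif not a.acknowledged:
                gaps.append(f"{facility.name}: {a.name} ({a.role}) has not acknowledged in writing")
            # Responders need a number the testers can have them call at 1 a.m.
            if a.role == "responding_le" and not a.after_hours_contact:
                gaps.append(f"{facility.name}: no after-hours contact for {a.name}")
    return gaps


def is_cleared(engagement: Engagement) -> bool:
    return not clearance_gaps(engagement)


# Constructed sample (placeholder names): the state entity commissioning the
# test has signed off, but the county that owns the building and the two
# agencies that would respond to an alarm were never contacted.
UNCLEARED = Engagement(
    client="Example State Judicial Branch",
    rules_of_engagement_signed=True,
    facilities=[
        Facility("Example County Courthouse", [
            Authority("Example State Judicial Branch", "commissioning",
                      notified=True, acknowledged=True, after_hours_contact="+1-555-0100"),
            Authority("Example County Board of Supervisors", "owner"),
            Authority("Example County Sheriff's Office", "responding_le"),
            Authority("Example City Police Department", "responding_le"),
        ]),
    ],
)

# Same facility after multi-level notification has been completed.
CLEARED = Engagement(
    client="Example State Judicial Branch",
    rules_of_engagement_signed=True,
    facilities=[
        Facility("Example County Courthouse", [
            Authority("Example State Judicial Branch", "commissioning",
                      notified=True, acknowledged=True, after_hours_contact="+1-555-0100"),
            Authority("Example County Board of Supervisors", "owner",
                      notified=True, acknowledged=True),
            Authority("Example County Sheriff's Office", "responding_le",
                      notified=True, acknowledged=True, after_hours_contact="+1-555-0101"),
            Authority("Example City Police Department", "responding_le",
                      notified=True, acknowledged=True, after_hours_contact="+1-555-0102"),
        ]),
    ],
)

if __name__ == "__main__":
    for gap in clearance_gaps(UNCLEARED):
        print("GAP:", gap)
    print("cleared:", is_cleared(CLEARED))
```

Run against the first sample, the check reports five gaps (the owner and both responding agencies were never notified, and neither responder has an after-hours contact) and refuses clearance; the second sample passes. The point of encoding it this way is that the gate fails closed: a missing owner or responder entry is itself a gap, so a scoping document that simply forgot to ask who answers the alarm cannot be mistaken for a clean one.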

The Bigger Picture

This isn't just about two pentesters in Iowa. It's about whether our industry can perform the work that organizations and governments need without fear of criminal prosecution.

Security testing exists because real adversaries don't announce themselves. They don't schedule appointments. They don't test locks during business hours. Physical penetration testing that only operates within comfortable boundaries isn't testing — it's theater.

The $600,000 settlement confirms what DeMercurio and Wynn have said from the beginning: their work was authorized, professional, and done in the public interest. But it sets no legal precedent. The case settled before trial, leaving no court ruling to guide future situations. Sheriff Leonard faced no personal accountability. And the current county attorney has explicitly promised to do it all over again.

As DeMercurio said: "What happened to us never should have happened. Being arrested for doing the job we were hired to do turned our lives upside down and damaged reputations we spent years building."

As Wynn put it: "This incident didn't make anyone safer. It sent a chilling message to security professionals nationwide that helping government identify real vulnerabilities can lead to arrest, prosecution, and public disgrace. That undermines public safety, not enhances it."

They're both right. And until the gap between security testing authorization and law enforcement understanding is closed — through standardized protocols, legal frameworks, and mandatory training — every physical pentester in this country is one uninformed sheriff away from spending a night in jail for doing their job.

DeMercurio and Wynn have extended an offer to the state of Iowa to help reform its policies around security testing. Whether Iowa takes them up on it will say a lot about whether the state learned anything from a seven-year, $600,000 lesson.

The rest of us should be watching — and preparing.

By Breached Company