Iowa County Pays $600k After Falsely Jailing Pen Testers

by Rebecca Sutton

TLDR

Two security testers spent nearly 20 hours in jail in 2019. They had proper penetration testing authorisation from the Iowa Judicial Branch.

Dallas County arrested them anyway. The sheriff ignored their paperwork and charged them with burglary.

More than six years later, the county settled for $600,000 without admitting liability. The case shows why a pen test contract is worthless unless everyone who could respond to the test knows it is happening.

What Went Wrong with Penetration Testing Authorisation in Iowa

Gary DeMercurio and Justin Wynn worked for Coalfire, a well-known security firm. The Iowa Judicial Branch hired them in 2019 to test courthouse security across the state.

The rules of engagement allowed physical security testing, including lock picking and after-hours entry attempts.

Shortly after midnight on 11 September 2019, the pair arrived at the Dallas County Courthouse in Adel. They found an unlocked door, entered, and deliberately triggered the alarm to test the response. This was within the scope of their engagement.

When deputies arrived, the testers showed their authorisation letter. Officers called the contacts listed and confirmed everything was legitimate.

Then something bizarre happened.

The Sheriff Who Ignored the Paperwork

Dallas County Sheriff Chad Leonard arrived at the scene. Body camera footage captured his response: “Well, yeah, they’re going to jail.”

The sheriff arrested both men despite verified penetration testing authorisation. They faced felony burglary charges and spent nearly 20 hours behind bars.

Here’s the thing that made it worse. State officials who ordered the test reportedly distanced themselves from the situation. DeMercurio later said these people “were willing to delete a contract and say they had never met us.”

The charges were eventually reduced to trespassing. It took a state legislative hearing in January 2020 to get them dropped entirely.

Why Physical Security Testing Needs Better Contracts

The core problem was simple. The state hired the testers but never told county officials.

This gap between contract and awareness happens more often than you might think. When you hire a firm for a red team assessment, everyone who might respond to it needs to know about it, not only the person who signed the contract.

Consider what went wrong. The Iowa Judicial Branch signed pen test contracts allowing physical entry, but it did not inform local law enforcement about timing or scope. The courthouse is also a county-owned building, and Dallas County later argued that a state body had no authority to authorise entry into county property at all.

The result was that proper authorisation on paper meant nothing at ground level, because the people who showed up had never heard of it and did not accept the signer's authority.

Expert View

William Fieldhouse, Director of Aardwolf Security Ltd, commented: “This case highlights a recurring problem in physical pen testing. Having a contract from head office is not the same as having coordinated communication with everyone who could detain you. Before any physical assessment, we insist on documented acknowledgement from local security, facilities management, and relevant law enforcement contacts.”

The Real Cost of Poor Pen Test Contracts

The $600,000 settlement came in January 2026, just days before trial. Dallas County did not admit liability.

But the financial cost tells only part of the story. DeMercurio and Wynn faced years of personal and professional damage.

Wynn described how mugshots affected them: “People see somebody in a mugshot and immediately assume you’re guilty. That has lasted in our personal lives, professional opportunities, promotions, job offers.”

Both men left Coalfire and started their own company, Kaiju Security. The experience changed their approach to physical security testing permanently.

How to Protect Your Pen Testing Authorisation

The Coalfire incident changed how many firms handle physical assessments. But standards remain inconsistent across the industry.

When selecting the best penetration testing company for your organisation, ask how they handle authorisation for physical tests. Good firms will have specific protocols.

A solid approach starts with written authorisation, signed by someone with legal control of the premises being tested, with emergency contacts reachable around the clock. The contract should specify exactly which buildings, floors, and times are in scope, and which techniques (lock picking, alarm triggering, after-hours entry) are permitted.

Crucially, all relevant parties must receive advance notice. This means building security, local police, and anyone else who might respond to an alarm. Testers should carry the authorisation letter with them and confirm before the test that the listed contacts will actually answer the phone at the time of the engagement.

Some organisations now require testers to carry physical ID cards issued specifically for the engagement. Others maintain a dedicated phone line that law enforcement can call to verify the engagement on the spot.

Penetration Testing Authorisation: What This Case Means for You

The settlement validates what DeMercurio and Wynn said from the start. Their work was authorised and done in the public interest.

Still, it sets no legal precedent. The case settled before trial, leaving no court ruling to guide future situations.

Worryingly, Dallas County’s current prosecutor stated that if this happens again, they will “still prosecute to the fullest extent of the law.” Proper penetration testing authorisation apparently offers no guaranteed protection in that jurisdiction.

For IT security professionals planning physical assessments, the lesson is clear. Your paperwork might be perfect, but if the wrong person shows up, you could still end up in handcuffs.

Before your next engagement, request a penetration test quote from a firm that takes physical security testing coordination seriously. Your freedom might depend on it.

Final Thoughts

More than six years of legal battles ended with a payout that DeMercurio called “bittersweet.” The money helps, but it cannot undo the damage.

The Coalfire case stands as a warning for everyone involved in penetration testing authorisation. A contract from head office is not enough. Communication must reach every person who could respond.

Until the industry develops proper standards for physical pen test contracts, testers and clients alike must take extra precautions. The alternative, as Iowa showed us, can cost years of your life and hundreds of thousands in settlements.
