"This incident didn’t make anyone safer," Wynn stated in a release, noting the action sent a chilling message to security professionals nationwide. The settlement concludes a legal challenge alleging wrongful arrest and defamation following the highly publicized 2019 event, according to reports.
Gary DeMercurio and Justin Wynn, then employed by Coalfire Labs, possessed written authorization from the Iowa Judicial Branch to conduct exercises mimicking criminal intrusion techniques. The rules of engagement specifically permitted physical attacks, including lockpicking, provided significant damage was avoided during the testing of judicial branch facilities.
Despite the contractual legitimacy of their work, the penetration testers were arrested on felony third-degree burglary charges and held for twenty hours until posting $100,000 in bail. This galvanized the security community, highlighting the risk of legal repercussions for authorized security assessments.
The incident occurred on September 11, 2019, at the Dallas County Courthouse, where the testers reportedly gained access after finding a side door unlocked and subsequently tripping an alarm. Even after the charges were reduced to misdemeanor trespassing, the local sheriff publicly maintained the testers acted illegally.
Reputational damage resulting from such arrests presents a significant career hurdle for security professionals, underscoring the dangers inherent in testing government infrastructure. The settlement amount reflects the potential liability associated with detaining authorized contractors performing essential security validation.
This case serves as a critical data point regarding the friction that can arise when operational security requirements conflict with local law enforcement interpretations of criminal statutes. The outcome may prompt clearer protocols for authorizing and executing red-team exercises involving physical infrastructure nationwide.
