Feb 09 2026

The Coalfire Case: A Wake-Up Call for the Cybersecurity Industry

Category: cyber security, Pen Test | disc7 @ 8:26 am

A Chilling Precedent for Cybersecurity Professionals

The recent $600,000 settlement between Dallas County, Iowa and two penetration testers highlights a troubling reality for the cybersecurity industry. What should have been a routine, authorized red-team engagement instead became a years-long legal ordeal, underscoring how fragile legal protections can be for security professionals operating in the physical world.

In 2019, Gary DeMercurio and Justin Wynn of Coalfire Labs were contracted to conduct a security assessment of the Dallas County Courthouse, including physical security testing. They carried a signed contract, clear rules of engagement, and a formal authorization letter from the Iowa Judicial Branch—documents that are generally considered sufficient legal clearance for such work.

During after-hours testing, their entry triggered a security alarm. Despite immediately presenting their authorization, they were detained overnight and charged with burglary and possession of burglary tools. The local sheriff rejected their documentation outright, treating the activity as a criminal act rather than sanctioned security testing.

Although the charges were eventually reduced and later dismissed, the case dragged on for nearly seven years. The financial, professional, and personal toll of such prolonged uncertainty cannot be overstated, even for individuals who ultimately prevail.

This incident goes far beyond a single dispute. It exposes a systemic gap between how security testing is designed, authorized, and understood—and how it is interpreted by law enforcement on the ground. Physical penetration testing, in particular, sits in a legal gray zone where good intent and proper paperwork do not always translate into protection.

The implications for the industry are serious. Security testing is a cornerstone of proactive defense, and authorization documents are meant to safeguard the people who perform it; yet cases like this signal that even fully sanctioned work can be misread, criminalized, and punished. That uncertainty discourages rigorous testing and puts independent security firms at disproportionate risk.

My perspective

This settlement confirms a hard truth many practitioners already know: authorization alone is not always enough. Until laws, law enforcement training, and judicial understanding catch up with modern security practices, penetration testers—especially those working in physical or hybrid environments—remain exposed. As an industry, we need clearer legal frameworks, stronger coordination with local authorities, and standardized recognition of authorization documents. Otherwise, the very people trying to make systems safer will continue to bear unacceptable personal and legal risk for doing their jobs right.

Tags: Coalfire
