Two security professionals, Gary DeMercurio and Justin Wynn, who were employed by Coalfire Labs, were arrested in 2019 during an authorized security assessment of the Dallas County Courthouse in Adel, Iowa. They held formal authorization from the Iowa Judicial Branch to conduct red-team exercises designed to mimic real-world attacks.
Their engagement followed rules of engagement permitting physical tests, including lockpicking, as long as no significant damage was caused. They gained entry by reopening a side door and using a makeshift tool to trip the door’s locking mechanism; alarms were triggered and deputies arrested them on felony third-degree burglary charges, later reduced to trespassing, with bail posted.
Last week, Dallas County officials agreed to pay $600,000 to settle a lawsuit alleging wrongful arrest and defamation. The settlement comes after years of litigation and was reached five days before a trial was set to begin. The plaintiffs contended their work was authorized and served a public safety purpose.
“This incident didn’t make anyone safer,” Wynn said in a statement, describing the message to the security community as a warning against performing authorized security work. DeMercurio later started Kaiju Security, reflecting a continued career in the field.
The case underscores the tension between authorities and security testers, highlighting the need for clear authorization, careful communication, and awareness of potential reputational harm when conducting authorized assessments in sensitive facilities.
