Nate Nelson, Contributing Writer February 2, 2026 5 Min Read Seven years after they were arrested for doing their jobs as penetration testers, two white hat hackers have earned a $600,000 settlement in Dallas County, Iowa. Just after midnight on Sep. 11, 2019, Gary De Mercurio and Justin Wynn — then employees at Coalfire, now CEO and president, respectively, of Kaiju Security — tested the alarm system at a Dallas County, Iowa, courthouse, as part of a contracted security evaluation . Despite legal clearance from the state and clearance from the police that initially showed up on the scene, they were arrested for burglary, then subjected to protracted legal battles. Only last week, six and a half years after the ridiculous night, did they finally win a $600,000 settlement payment. "I think it's bittersweet," De Mercurio says. "It feels nice to be somewhat vindicated, [but] it doesn't by any means make us whole. The amount of money that's been lost to us in our careers, in the last six years, far exceeds that number." Red Team Nightmare Wynn and De Mercurio intentionally triggered the alarm system at the Dallas County Courthouse that night. The front door was slightly ajar — anyone who was there to case the place could have just walked right in. But they'd been hired by the state of Iowa's Judicial Branch to test the building's security systems. And in the few days prior, when they'd tested other Iowa state facilities, they found that many building alarm systems didn't actually alert law enforcement to a break-in. So Wynn closed the door to the courthouse, locked it, and broke in again the old-fashioned way. Police eventually did show up, around 40 minutes past the hour. The two security professionals exited the facility and presented their contract with the state. The officers confirmed their identities, reviewed their documentation, and were generally understanding. Body camera footage shared with Dark Reading shows De Mercurio, Justin Wynn, and police on the scene having friendly conversations, and joking around. The whole night shifted, though, when a county sheriff arrived at the scene. He was, in his words, "pissed off" because Wynn and De Mercurio were working with the state, but the courthouse technically belonged to the county. His county. On those grounds he ordered them arrested, and they spent the night in jail. That was just Act I of Wynn and De Mercurio's Kafkaesque nightmare . They were dragged into the same courthouse hours later, as prisoners, and the judge set bail at $50,000 each. They were only saved serious prison time by their employer . For months thereafter, they remained stuck in the middle of an inter-governmental legal conflict. Their company was threatened, their work scrutinized, and their clients turned to enemies. "The people working for this state entity were so worried about their jobs that they were willing to delete a contract, and say that they had never met us in their lives, even though all the evidence pointed to the contrary, and let us rot in prison because they didn't want to get in trouble or because a sheriff was upset or angry," De Mercurio recalls. He adds that even after all these years, and after having paid out a mea culpa settlement, "the response coming out of the current county prosecutor's office is if this ever happens again, they're going to still prosecute to the fullest extent of the law." In spite of everything, Wynn says, "it's really a big relief to put this behind us. Once we got arrested, facing seven years in prison, the brain chemistry changes that I went through were upsetting. So now, to finally have this all wrapped up and behind us ... that is a very good feeling." Managing Risk in a Pen Test There is a conflict inherent in the act of red teaming . On one hand, simulations are most realistic when as few people as possible know what's going on ahead of time; that way, they'll react naturally. On the other hand, anyone who doesn't know what's going on might respond to a perceived attack in unexpected ways. This is especially risky in physical exercises, in the middle of the night, when representatives from the hiring organization aren't on-site. As one police officer on the scene in 2019 put it: "It seems kind of dangerous that they didn't let us know, because in about another 10 seconds, you were going to have about five cops with guns blazing." Even after everything he's been through, though, Wynn argues that the risk is necessary. "In those engagements where everyone is notified, we come on site and the facility is just the most secure place that it has ever been in its history because the security forces know we're responding," he says. "I'm not saying it's a terrible idea to notify law enforcement, to have some safeguards in place, but [if you're] changing the testing environment then you're not going to have meaningful security improvements." The only thing pen testers can do, then, is dot every 'i' and cross every 't', even when a client seems perfectly trustworthy. "When we saw the clients that we're working with were [email protected] and we're testing courthouses, it just never, never registered that anything could be out of line," Wynn admits. In retrospect, he says, "If we had been recording those kickoff calls with the client asking, 'Please break in after hours,' that would have been completely vindicating, because then they wouldn't have been able to delete contracts and say that they never hired us." Even the most diligent preparation won't eliminate risk, though. In another test they performed after the Iowa fiasco, Wynn and De Mercurio notified law enforcement before performing their break-in. Just as they had in Iowa, they triggered the building alarm system, waited for law enforcement , and when it came, Wynn recalls, "The officer was shaking. I mean, hand on his gun, ready to go. Had no idea that there was authorized testing in place. So even when you do take all the security measures in the world, stuff's still going to happen in a real-life scenario." Dark Reading reached out to both the Iowa Judicial Branch and Dallas County Sheriff's Office for comment on this story. Neither agency responded. About the Author Nate Nelson, Contributing Writer Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost. See more from Nate Nelson, Contributing Writer