What happens when you have written authorization to test, you follow the rules of engagement, and you still end up in handcuffs? This penetration tester lawsuit shows how a routine, authorized security engagement can collide with real-world confusion, broken coordination, and legal fallout, and why the paperwork you think protects you sometimes doesn’t.
TL;DR
Two authorized security testers ran a physical courthouse assessment, triggered an alarm, waited for law enforcement, and still got arrested. The penetration tester lawsuit and settlement that followed show a brutal reality: written permission alone does not control what happens on the ground. If you buy or deliver pentests, you need airtight scope language, real-time coordination with dispatch and local law enforcement, and a verification plan that works at 2 a.m., or you may end up with a public, expensive legal mess.
Table of contents
- TL;DR
- How did an authorized penetration test turn into arrests?
- Why the Coalfire pentesters did the right thing
- What did the contract and scope actually authorize?
- Why do “rules of engagement” fail in the real world?
- What could have been done differently to reduce legal risk?
- What should buyers require before approving physical testing?
- What should pentesters do to protect themselves during physical engagements?
- Want to run a physical test without legal chaos?
- FAQ
- References and Sources
How did an authorized penetration test turn into arrests?
Because “authorized” on paper did not translate to “recognized” in the moment by the people who showed up with cuffs.
Here’s the clean version of what the public record supports. Two Coalfire penetration testers were conducting a security testing exercise at the Dallas County Courthouse in Iowa in September 2019. Iowa’s State Court Administration publicly acknowledged the engagement and the arrests shortly after.
During the physical penetration test, the courthouse alarm was triggered and law enforcement responded. The testers say they identified themselves and had written authorization, but they were still arrested and booked. Krebs’ reporting, which tracked the case closely from the beginning, notes they were arrested on September 11, 2019, charged (initially as burglary), and held on significant bail before the case evolved.
The core failure mode was coordination, not capability. County-level responders and prosecutors treated what they saw as a break-in, and at least part of the dispute centered on whether the county had been properly informed and whether state-level authorization cleanly covered a county courthouse in practice. That mismatch between the contracting entity, the facility, and the responding law enforcement chain is exactly how you end up with “you had permission” and “you’re under arrest” being true at the same time.
If your engagement relies on a document living in someone’s inbox, and the people who respond at midnight cannot instantly verify it with the right authority, the ground truth becomes whatever the responding officer and the local prosecutor believe in that moment.
One key fact makes the outcome easier to understand. According to the plaintiffs’ Statement of Facts filed in the civil case, the Iowa Judicial Branch specifically did not want local law enforcement or security personnel notified in advance about the physical testing. In other words, the engagement design intentionally allowed responders to encounter the activity as if it were a real intrusion, and the testers relied on post-contact verification such as the authorization letter and named contacts.
That approach can be valid for realism, but it increases the probability that a local sheriff or prosecutor treats the event as a crime before anyone in the authorization chain can slow it down.
Why the Coalfire pentesters did the right thing

When looking at the penetration tester lawsuit and the case details, the easiest way to judge it is to ask a simple question: did the testers behave like criminals trying to get away, or like professionals trying to measure security and be accountable?
Multiple sources describe behavior that fits the second category.
They were hired for a security testing exercise, and Iowa’s court system publicly acknowledged that the arrests happened during that exercise. That matters because it anchors the story in authorized work, not a random break-in.
They also triggered the alarm intentionally as part of testing and then waited for law enforcement rather than fleeing. A security industry write-up summarizing the incident describes them intentionally setting off the alarm to test response time and waiting for police to arrive. Dark Reading’s reporting similarly notes that once the alarm sounded, they remained on site while waiting to see whether authorities would respond, consistent with an assessment mindset rather than an escape mindset.
Finally, the broader reporting around the penetration tester lawsuit makes clear the central conflict was not “they were sneaking in for fun,” but that state-level authorization and county-level response did not align in practice. Wired’s deep dive frames the incident as a breakdown between stakeholders and law enforcement expectations, not testers behaving recklessly.
They did what you want ethical testers to do in the real world: operate under authorization, validate whether alarms and response work, and stay put for accountability, even though that choice exposed them to the worst-case outcome.
What did the contract and scope actually authorize?
Public filings in the civil penetration tester lawsuit describe a formal engagement between Coalfire and the Iowa Judicial Branch that included a Service Order and Rules of Engagement, plus a “Letter of Authorization” intended to prevent wrongful arrest for activities that could be mistaken for crimes.
Critically, the same filing says the Rules of Engagement covered physical security testing, including “physical attacks” such as lockpicking, at specific facilities, including the Dallas County Courthouse, during defined evening hours.
And here is the detail that matters most: the filing states the Iowa Judicial Branch “specifically did not want local law enforcement or security persons to be notified” in advance about the testing.
So, in plain English, the scope authorized real physical intrusion attempts at the courthouse, and the engagement design intentionally allowed the activity to look like an actual break-in to anyone not already in the loop. The plan relied on the Letter of Authorization as the “deconfliction” mechanism after contact with law enforcement, not beforehand.
Why do “rules of engagement” fail in the real world?

Rules of engagement live in a contract folder. Arrest decisions happen in the field, under stress, with imperfect information, and often with a completely different chain of authority.
The Coalfire courthouse case is a clean example because the state court system publicly acknowledged the testers were arrested “during a security testing exercise.” That should have ended the story. It didn’t. Local law enforcement still treated what they saw as a burglary, charges were filed, and the testers had to fight it out until prosecutors dropped the criminal case months later.
Here’s the core failure mode: ROE can define what the tester may do, but ROE cannot guarantee that every stakeholder who matters will recognize, accept, and operationalize that authorization in real time. Wired’s long-form reporting shows how the situation spiraled because of breakdowns between the state-level engagement and county-level decision-makers, even after the testers presented paperwork intended to prove authorization.
And the most important detail is this: per the plaintiffs’ filed statement of facts, the engagement design specifically avoided notifying local law enforcement in advance. That choice makes the test more “real,” but it also increases the probability that responders encounter the activity as a crime first and sort it out later, which is exactly when ROE becomes less powerful than a deputy’s discretion and a prosecutor’s charging decision.
So when people ask “why didn’t the ROE protect them,” the answer is simple and uncomfortable: ROE is necessary, but it’s not a force field. If dispatch cannot instantly verify authorization, if the facility is county-owned and the county contests the state’s authority, or if the local chain decides to “make an example,” the ROE becomes evidence for later, not protection in the moment. You can even see that “authority” argument show up explicitly in Dallas County’s position as the civil case moved toward trial.
What could have been done differently to reduce legal risk?
You can’t make arrest risk zero in a physical engagement, but you can stop pretending that a letter in your pocket is enough.
The single biggest thing that could have been done differently in this case is structural: the plaintiffs’ filed Statement of Facts says the customer specifically did not want local law enforcement or security notified in advance. That choice makes the test more realistic, but it also makes a law enforcement collision more likely, because responders meet the activity as an apparent crime first and sort it out later. Wired’s reporting shows how quickly that gap between state-level authorization and county-level decision-making became the whole story.
If your goal is realism and reduced legal risk, here are the practical moves that actually change the odds.
Use “dispatch deconfliction,” not “officer briefing.”
You do not need to tell every deputy “there’s a pentest tonight.” You need dispatch, an on-call supervisor, and one verification number to be able to confirm authorization instantly. That gives responding officers a fast off-ramp from escalation while keeping tactical details compartmentalized. This case shows what happens when responders can’t quickly rely on a system-level verification path.
Make the verification path survivable at midnight.
The authorization packet should be designed for the reality of an on-scene stop: one page, plain language, specific location, date/time window, and a 24/7 number that always answers. If verification depends on the “right person” picking up, you’re gambling. The Iowa courts’ own public statement confirms the testers were arrested during a testing exercise, which tells you the problem wasn’t “no authorization existed,” it was operationalization.
Add a hard stop condition tied to coordination failures.
If the client selects “do not notify law enforcement,” the engagement should have a built-in pause rule: if police are dispatched and verification does not occur within X minutes through the named escalation contacts, the test aborts and the testers disengage. The fact that the criminal charges were later dropped shows how expensive it is to “let it play out” if the on-scene dynamic turns adversarial.
Treat “no notification” as a documented risk acceptance, not a checkbox.
If you let a client choose “no sheriff notification,” then write it up like a high-risk exception: what can happen, who bears what risk, and what the contingency plan is if the exception triggers an arrest scenario. The public timeline makes clear this incident did not end at the curbside explanation. It turned into months of criminal exposure and later civil litigation.
Use a narrow middle path if the client wants maximum realism.
A workable compromise is: notify dispatch and a command contact only, provide a verification code phrase, and still keep line officers uninformed unless dispatched. That preserves “realism” while giving the system a pressure-release valve when the alarm trips.
What should buyers require before approving physical testing?

Buyers need to stop treating physical testing like “just another line item” under a pentest. It carries arrest risk, reputation risk, and operational risk. If you approve it, you own part of that risk whether you admit it or not.
Start with the central lesson from this penetration tester lawsuit: the Iowa court system publicly acknowledged the arrests happened during a security testing exercise, and yet local law enforcement arrested the testers anyway. That tells you the paper trail alone is not the control. Coordination is the control.
So, if you’re the buyer, require these things before you greenlight any physical work.
1) A deconfliction plan that works at 2 a.m.
Not “we have an authorization letter.” A real plan. It should name dispatch or the responding agency, list exactly who gets notified (or not), and define how verification happens fast when the alarm trips. The Coalfire case exists because the authorization chain and the real-world chain collided.
2) An explicit decision on law enforcement notification, documented as risk acceptance.
In the filed Statement of Facts, the plaintiffs allege the customer specifically did not want local law enforcement or security notified in advance. That may be a valid choice for realism, but it is absolutely a risk acceptance decision, and the contract should say so in plain language, including what happens if responders escalate anyway.
3) A “verification packet” that is designed for responders, not lawyers.
One page, plain English, facility names, date/time window, and a single 24/7 verification number that always answers. If the only way to verify authorization is “call someone who might be asleep,” you are not buying risk reduction, you are buying a gamble. The fact pattern here shows how quickly events can move from “show the paperwork” to jail.
4) Abort criteria and stop-work authority.
Your scope should include hard stop conditions: if law enforcement responds and verification is not confirmed through the agreed channel within X minutes, the team disengages. Charges in the Coalfire case were ultimately dropped, but not before serious criminal exposure and months of fallout.
5) Clear facility ownership and authority mapping.
If the engagement is state-sponsored but the target is county property, spell out who has authority to authorize after-hours physical attempts, and who the sheriff answers to. This “who has authority here” question shows up repeatedly in reporting and filings around the case.
6) Insurance, indemnity, and legal support spelled out.
If you’re approving physical testing, require the vendor to state what legal support exists if things go sideways (counsel contact, who pays for what, and what gets covered). A lot of buyers assume “the vendor will handle it,” until they realize the vendor can’t un-arrest someone.
What should pentesters do to protect themselves during physical engagements?
Assume the paperwork might only help you after you get booked. That’s the ugly lesson of this case: the Iowa courts publicly acknowledged the arrests occurred during a security testing exercise, yet the testers were arrested and charged anyway.
So protection is less about “having a letter” and more about designing the engagement so verification works under real-world pressure.
Build verification like it’s a safety system, not a formality.
If your deconfliction plan depends on a single person answering a phone at midnight, it’s fragile. In this incident, the dispute turned on coordination and authority, not on whether the testers believed they were authorized. WIRED’s deep dive makes the state versus county breakdown painfully clear.
Treat “no law enforcement notification” as a red-flag risk decision, not a checkbox.
The plaintiffs’ filed Statement of Facts backs up the idea that the customer did not want local law enforcement or security notified in advance.
If a client insists on that, you need explicit written risk acceptance, abort criteria, and a clear plan for what you do when the first deputy says “I don’t care what your letter says.”
Use a two-tier deconfliction model if realism matters.
You can keep line officers blind and still reduce arrest risk by briefing dispatch and an on-call supervisor with minimal details: tester names, date/time window, target address, a verification number that always answers, and a challenge phrase. The goal is not to “get a free pass.” The goal is to prevent escalation when responders can’t verify quickly.
Define hard stop conditions that protect the team.
If law enforcement arrives and verification doesn’t occur through the agreed channel within a short window, the test ends. Full stop. The Coalfire case shows what happens when “we’ll sort it out” turns into handcuffs and criminal charges that linger for months before being dropped.
Scope authority like you’re mapping a blast radius.
Physical targets often sit inside overlapping jurisdictions. This case involved state-level engagement objectives but a county courthouse and county law enforcement. If you don’t map who actually has authority over the building after hours, you can end up authorized by one stakeholder and arrested by another.
Plan for the “arrest path” anyway.
Have counsel on standby for physical work. Have a script for interacting with police (calm, minimal, “call this number to verify”). Log everything. Even if you do everything right, the only thing that saves you later is the factual record.
Want to run a physical test without legal chaos?
If you’re planning a physical penetration test, the technical part is only half the work. The other half is scope language, deconfliction, and real-time verification that holds up when an alarm trips at night. If you want help structuring a physical engagement so it tests real security without turning into a legal incident, contact Artifice Security to scope it correctly.
Book a Meeting with Us Here –> https://artifice-security.youcanbook.me/
FAQ
Yes. Written authorization helps, but it does not guarantee that dispatch, responding officers, and local prosecutors will treat the activity as authorized in the moment. This is why deconfliction and real-time verification matter as much as the technical scope.
–
Often, yes, at least at the dispatch or command level. If you choose not to notify for realism, treat it as a documented risk decision and build abort criteria and a verification plan that works instantly when the alarm triggers.
–
Plain language, the facility and time window, the specific types of actions authorized at a high level, and a 24/7 verification number that always answers. If an officer can’t verify in minutes, the letter becomes evidence for later, not protection now.
–
Use a two-tier model: keep tactical details limited, but pre-brief dispatch or an on-call supervisor with tester names, dates, and a verification code phrase. That preserves realism while giving responders a fast way to confirm authorization and de-escalate.
Below are the sources / references used in the article:
References and Sources
Iowa Judicial Branch, State Court Administration Statement (Sept 2019)
https://www.iowacourts.gov/announcements/state-court-administration-statement/
Iowa Judicial Branch, Coalfire Investigation Report (PDF, Oct 9, 2019)
https://www.iowacourts.gov/collections/445/files/919/embedDocument
KrebsOnSecurity, “Iowa Prosecutors Drop Charges Against Men Hired to Test Their Security” (Jan 31, 2020)
https://krebsonsecurity.com/2020/01/iowa-prosecutors-drop-charges-against-men-hired-to-test-their-security/
WIRED, “Inside the Courthouse Break-In Spree That Landed Two White-Hat Hackers in Jail” (Aug 5, 2020)
https://www.wired.com/story/inside-courthouse-break-in-spree-that-landed-two-white-hat-hackers-in-jail/
Ars Technica, “County pays $600,000 to pentesters it arrested for assessing courthouse security” (Jan 29, 2026)
https://arstechnica.com/security/2026/01/county-pays-600000-to-pentesters-it-arrested-for-assessing-courthouse-security/
The Civil Rights Lawyer, “Statement of Facts in Resistance to Motion for Summary Judgment” (PDF, Feb 7, 2026)
https://thecivilrightslawyer.com/wp-content/uploads/2026/02/DW-Statement-of-Facts-Final.pdf
The Civil Rights Lawyer, “DeMercurio and Wynn Statement on Settlement” (PDF, Jan 28, 2026)
https://thecivilrightslawyer.com/wp-content/uploads/2026/02/De-Mercurio-and-Wynn-Statement-on-Settlement-FINAL.pdf
Dark Reading, “County Pays $600K to Wrongfully Jailed Pen Testers” (Feb 2, 2026)
https://www.darkreading.com/cybersecurity-operations/county-pays-600k-wrongfully-jailed-pen-testers
Iowa Capital Dispatch, “Penetration Tester Lawsuit over courthouse security ‘break-in’ is headed toward trial” (Jan 21, 2026)
https://iowacapitaldispatch.com/2026/01/21/lawsuit-over-courthouse-security-break-in-is-headed-toward-trial/
KCRG-TV9, “Cybersecurity testers reach $600,000 settlement after wrongful arrest” (Jan 2026)
https://www.kcrg.com/2026/01/30/cybersecurity-testers-reach-600000-settlement-after-wrongful-arrest/
Security Today, “Men Arrested For Breaking Into Iowa Courthouse Were Hired to Conduct Security Testing” (Sep 19, 2019)
https://securitytoday.com/articles/2019/09/19/men-arrested-for-breaking-into-iowa-courthouse-were-hired-to-conduct-security-testing.aspx
TrustedSec, “A Message of Support: Coalfire Consultants Charged” (Oct 30, 2019)
https://trustedsec.com/blog/a-message-of-support-coalfire-consultants-charged