$600,000 for Breaking In: How Legal Hacking Turned into a Lawsuit Against the State

Sometimes the best reward for excellent work is not a bonus, but the absence of a prison sentence. For Gary DeMercurio and Justin Winn, this irony became reality, stretching across six long years. The story began in September 2019, when cybersecurity company Coalfire received a perfectly legal contract from Iowa's judicial system. The task was crystal clear: test how easily an outsider could penetrate government buildings. This is standard practice for Red Teaming, where specialists simulate the actions of attackers to find vulnerabilities before real criminals can exploit them. Gary and Justin approached the job responsibly, but they didn't account for one factor that no technical specification could prepare them for — the wounded pride of local authorities.

On that fateful night, the pentesters successfully penetrated the Dallas County courthouse building. They didn't break down doors with a sledgehammer but used their professional skills. When the alarm went off, they didn't run away but waited for the police so they could present their "get out of jail card" — an official letter from the state confirming their authority.

In a normal world, it would have ended with a brief conversation and a vulnerability report. But Dallas County Sheriff Chad Leonard decided otherwise. For him, this wasn't a security test but a personal insult.

Despite having a contract, the specialists were arrested and charged with third-degree burglary. The sheriff publicly stated that no one has the right to enter "his" building after hours, even with an order from the state capital.

This incident caused a tectonic shift in the cybersecurity community. Suddenly it turned out that even working under an official contract, you could end up behind bars because of a conflict of interests between the state and the county. Gary and Justin didn't spend much time in jail, but the charges hung over them for months, destroying their reputation and careers. Although the charges were later reduced, and then dropped under public pressure and common sense, the damage was done. The specialists sued Dallas County, accusing authorities of unlawful arrest and defamation. They argued that they were used as pawns in a political struggle between local officials and the state's judicial administration.

The legal battle lasted years, becoming an exhausting marathon. County authorities kept trying to justify the sheriff's actions, insisting that the pentesters had allegedly exceeded the scope of their work. However, the facts spoke otherwise: the contract was signed, the objectives defined, and the methods complied with professional standards. Ultimately, Dallas County preferred not to proceed to full trial with a jury and agreed to a settlement. The sum of 600 thousand dollars is not just compensation for moral damage and legal expenses. It is the price that taxpayers paid for the incompetence and stubbornness of one particular sheriff.

This story matters not just because of the money. It creates a critically important precedent for the entire physical penetration testing industry. Now companies hiring specialists to check security will triple-check whether local law enforcement is informed and won't get the urge to play action movie heroes. For the "white hat hackers" themselves, this is a reminder that legal clarity in a contract is not a luxury but the only way to survive in a world where bureaucracy is sometimes more dangerous than any exploit. Gary and Justin can finally put this nightmare behind them, but the scar on the industry will last a long time.

The bottom line: legal protection for pentesters must be as reliable as their software, otherwise you'll have to pay for breaking into security systems with your freedom.