Iowa Courthouse Settlement - Public Release
Public Release - Gary DeMercurio (CEO) & Justin Wynn (President)
After years of litigation, Dallas County has agreed to a settlement that resolves the case surrounding our wrongful arrest during an authorized security assessment at the Dallas County Courthouse.
The settlement confirms what has been true from day one: our work was authorized, professional, and performed in the public interest. What happened to us never should have happened and shouldn’t happen to anyone again – especially professionals working to make government institutions safer.
Penetration testing exists to identify real-world vulnerabilities before bad actors exploit them. The most effective way to test defenses is from an adversarial perspective — which is exactly what red team operations are designed to do. And yet, despite clear authorization and the verification of our identities and purpose at the scene, we were arrested, jailed, and publicly portrayed as criminals.
That arrest changed our lives. It created lasting reputational harm and professional damage in an industry where trust and discretion are essential. This was never about money — it was about restoring the truth and clearing our names.
What really happened?
In 2019, we were retained by the Judicial Branch (Iowacourts.gov), to conduct a red team assessment across both virtual and physical assets.
Physical testing was authorized at five locations, including a specific request to focus on after-hours covert entry testing under defined safeguards and restrictions.
We performed the engagement successfully, gaining access to every facility - often by trivial means - and delivered a comprehensive report detailing critical vulnerabilities and practical remediation steps.
At multiple facilities, our authorization was verified without incident. During testing at the Judicial Branch Building, for example, a state trooper encountered us, verified our authorization, and the assessment continued. Our point of contact emailed us in the morning saying congratulations, after he found our business card on his desk.
At the Dallas County Courthouse, we encountered an unlocked door late at night. After closing it and bypassing it to document two vulnerabilities, the alarm finally triggered. We remained on-site and continued testing while waiting for responders.
Six deputies and officers arrived, unable to gain access, and we safely made contact and met them outside. They were able to quickly verify us, confirm our contract with our point of contacts, and told us we were free to go. We stayed voluntarily, welcoming the opportunity to share remediation guidance and collaborate with law enforcement.
When the Sheriff arrived, some body cameras were turned off and the situation escalated abruptly. The Sheriff belittled us and said we were going to be arrested - he just didn’t know what for yet. He shouted expletives, saying the State “can’t do this”.
We were taken to jail in cuffs (despite the recommendation of one of the deputies that it was not necessary) and when we were arraigned in the morning it was clear the Sheriff withheld material information from the magistrate, including that we were hired by the State. We were then charged with felony offenses carrying up to seven years of prison time, and our bond was raised ten times the normal amount.
Then, the State deleted their contract from our company portal and tried to save face by disavowing us. Politicians inexperienced in security took the opportunity to grandstand and escalated the situation. The State investigated and, in attempts to soothe political pressure, imposed crippling restrictions that prohibit this type of testing - the only testing capable of identifying such egregious vulnerabilities.
In the meantime, the Sheriff’s story continuously changed to try to justify our arrest. While he never bothered to look at our paperwork before the arrest, he later made statements around arresting us for not being within the rules of engagement, or the State not having authorization to provide security services for courthouses (both of which are false, and neither of which should have been “resolved” by the criminal process we were subjected to).
We were advised to keep quiet while the Sheriff and the media spun stories defaming us. A month after felony charges continued to be pressed, our CEO made public statements vindicating us - which were met with a threat from another Sheriff that he would also press charges against us if our CEO kept making statements.
Ultimately, charges were reduced to trespassing, which we continued to fight, and were finally dropped within days of our trial.
Why this should concern every Iowan
This incident did not improve public safety. It undermined it.
It demonstrated how fragile security becomes when professional process is replaced by ego, politics, and gut reaction — and it sent a chilling message to security professionals nationwide: that helping government identify vulnerabilities can result in arrest, prosecution, and reputational destruction.
Taxpayers deserve accountability, because this case cost the public far more than money. It damaged trust — and discouraged the exact kind of proactive testing that prevents real harm.
An unprecedented arrest
We recognize that law enforcement officers operate in difficult conditions and often make decisions quickly. But this case was not about a split-second decision made in the fog of uncertainty. Officers on-scene had already addressed the situation in a rational and professional manner - and told us we were free to go. What happened next was a deliberate escalation—one that we firmly believe was motivated by personal pride and politics rather than public safety.
In short, this wasn’t leadership. It was misuse of power.
This settlement brings resolution, but it does not restore the years we lost or the damage that was done.
Iowa’s opportunity: lead, don’t react
In the wake of this incident, Iowa enacted restrictions that dramatically limit proactive security testing — the very type of testing that revealed serious vulnerabilities across every facility.
We understand the pressure to respond to public controversy. But laws written from fear and misunderstanding do not create safety — they create blind spots.
We are formally offering our time and expertise to help Iowa modernize its framework for authorized security testing, so that:
- Security professionals can operate under clear, enforceable authorization
- Courthouses and government agencies can test vulnerabilities responsibly
- Taxpayers can have confidence that their institutions are genuinely secure
Our hope is that the settlement marks not only the end of litigation, but the beginning of overdue reforms.
Looking forward
Despite everything, we remain committed to this work. In the years since the wrongful arrest, we built Kaiju Security – a security company with elite talent focused on adversarial simulation and real-world testing, because these vulnerabilities still exist and someone must find them before criminals do.
We appreciate the countless individuals who supported us, stood up for the truth, and understood what was at stake—not just for two individuals, but for the integrity of security testing and public safety across the country. The outpour of support from the hacker community was reminiscent of great historical moments when the community rallied around those wrongly persecuted for performing security research to keep us all safer. We were truly awed to see everyone rally around us and defend us and this work. We hope this resolution becomes a turning point — not just for us, but for the future of proactive public safety security testing in Iowa and beyond.
— Gary DeMercurio & Justin Wynn
Public Release - Martin A. Diaz
FOR IMMEDIATE RELEASE
SETTLEMENT IN DEMERCURIO AND WYNN V. DALLAS COUNTY AND CHAD LEONARD
On January 21, 2026, Gary DeMercurio and Justin Wynn entered into a settlement agreement with the Defendants in their lawsuit. The terms of the settlement are simple. In return for a Release and Dismissal of their lawsuit, the Defendants will pay Gary and Justin $600,000. Since this settlement involves a governmental entity, there is no confidentiality. In addition, there are no restrictions on Gary and Justin commenting on the events, the lawsuit, or the terms of settlement.
For Gary and Justin, this 6 year plus odyssey began immediately after they were told by six (6) law enforcement officials that they were free to go, those six law enforcement officials having confirmed that they were simply doing a job tasked by the Iowa Judicial Branch, a task that was to be kept from law enforcement in order to assure the validity and value of the security assessment. The investigation by the six law enforcement officials from two agencies was professional, practical, and surprisingly jovial. Gary and Justin shared their experiences, tips, and talent with these officers, and the video cameras caught all of it. By every account, Gary and Justin were professional, cooperative, and willing to share their vast knowledge of security. The fact that law enforcement had difficulty using their key cards to enter the closed Dallas County Courthouse was an ironic twist to this encounter. But this calm, cooperative environment changed the minute that Sheriff Leonard showed up. No one had asked him to come.
Gary and Justin are two of the finest security and cybersecurity experts in the country. When Sheriff Leonard arrived and the atmosphere changed, Gary and Justin remained calm, cooperative, and professional. Sheriff Leonard spent less than a minute with Gary and Justin before deciding that they were going to jail. And the rest is history.
This lawsuit was important to Gary and Justin for several reasons. First, and foremost, their reputations, well earned over many years, had been trashed in the media, their mugshots plastered for all to see, and they were silenced by the arrest and pending criminal charges. This was one opportunity to tell their world, the security industry, that they had acted professionally and were bound and determined to take back their reputations. Secondly, their industry needed them to fight back, to remind people that “security” in this world does not belong only to those that want to find ways to breach it. Rather, it belongs to those prepared to protect our lives, livelihoods, and truths.
Finally, Gary and Justin wanted to hold people accountable for what had happened to them. In a world that seems to shrug at the undermining of our principles, institutions, and values, we need people like Gary and Justin. They are the best of us, and efforts to undermine what they do make us all less secure.
One other thing needs to be mentioned. When all hell broke loose for Gary and Justin, the Iowa Judicial Branch lawyered up and did its best to distance itself from them, adding to the wrongful perception that they were guilty. It was not the institution’s best moment. Ironically enough, accountability for the Judicial Branch cannot be found in the Courtrooms it furnishes—the product of immunity granted by the Legislature. But that does not mean that it is not responsible. This was ultimately a “turf war” between the County Sheriff and the State’s Judicial Branch, and Gary and Justin were the toys of that feud. As one of my friends tells me about my golf game, “play better.”
I am thankful for the work done by Judge Amy Moore and appreciate the cooperation of Counsel for the Defendants. I wish all of them well.
I was honored to represent Gary and Justin and hope and trust that the people who once revered them now realize that there was never a valid reason to believe the allegations and charges that brought them on this 6-year odyssey. I wish them well and hope they regain their standing in their industry; we need them to be successful.
–Martin A. Diaz