Comment by 827a

This is not an "obvious in hindsight" thing, and its also something that was discussed in the physical penetration testing community long before 2019 when this happened. Everyone makes mistakes, and they were legally in the right, but most in physical pentesting know: You're probably going to make someone look like a fool during your work, and your CYA needs to be rock solid to not just absolve the illegality of what you're doing, but the immediate consequences of that newly minted fool also having an ego and authority. A piece of paper will not save your life against a trigger-happy rookie cop in a dark hallway at 2am, even if it might ruin his after you're already dead.

And, by the way: The Sheriff was in the wrong and some of what happened to these pentesters should never have happened. But, this case is not nearly as clear-cut as some one-sided storytelling suggests it is. When the Sheriff called the contact numbers at the State of Iowa, one person didn't answer, and a second person said that they "did not believe the men had permission to conduct physical intrusion." One of the pentesters also blew lightly positive for alcohol. One of the men was from Florida, and the second from Seattle, working for a security firm out of Colorado. That's suspicion enough to end up in jail overnight.

The fact that it went on longer than that more-so gets at the real story. The State was exercising an authority they had, maybe for the first time, against a security force that not only didn't know they were exercising it, but didn't realize they even had the authority in the first place. These guys got caught in the middle. The distribution of blame is pretty significant: The State should have informed the local security, but didn't. The State should have had contacts on-call during the intrusion, but didn't. Coalfire should have confirmed all of this in the interest of protecting their employees, but didn't. The testers shouldn't have been drinking beforehand, but did. The Sheriff should have dropped the matter the next day, but didn't. Sure, some of this is 20-20 hindsight, but taken in its entirety there were a lot of balls dropped, and it paints a picture of a state government that has some box to check for compliance, doesn't care how it gets checked or what gets found, and a security firm that isn't conducting their penetration tests responsibly.