Pen test goes pear-shaped: cybersecurity firm staff arrested over courthouse burglary

If you’re conducting a penetration test (which you should do regularly), make sure you sort out the terms of engagement BEFORE the test starts:

When State Court Administration (SCA) asked a cybersecurity firm to conduct an assessment of the safety of electronic records kept in Dallas County, the discovery of men in the building in the middle of the night was not what court officials had in mind.

Nevertheless, when law enforcement responded to an alarm on September 11 at 12.30am, two employees of the contracted company, Colorado-based Coalfire, were found in the Dallas County Courthouse equipped with burglary tools.

The men were arrested, despite their protestations that they had been contracted to conduct a security test on SCA’s behalf, and the late-night walkabout around the building was part of the deal.

As reported by the Des Moines Register, the 29 and 43-year-old told law enforcement they were contracted to test the courthouse alarm system and the response time of the police, but Dallas County officials had not been informed of the experiment.

On September 11, SCA confirmed the men worked for the contracted cybersecurity company, which was “asked to attempt unauthorized access to court records through various means to learn of any potential vulnerabilities.”

However, “SCA did not intend, or anticipate, those efforts to include the forced entry into a building.”

[…]
